Spaces have come a long way, and the whole thing looks like a really compelling alternative to Discord or Slack now. Thanks, , for sharing your space
Quote Tweet
hi, if this is you, and you're interested in getting to know some new folks, I've made a new community over on Matrix to see if we can make this kind of space happen for us. Interested? Make a Matrix account and DM me your handle either here, or at @kat:zkat.tech
It's also a good alternative to things like Signal or Telegram or whatever. Supports E2EE from the client side (even in a browser). Doesn't require your phone number or rummage through your contacts. Completely safe and private.
Do you know any good explanation of how it's supposed to do meaningful e2ee without trusting some server operator you're using? (Especially for web version where the client app would be delivered by them, I guess..?)
Matrix only has E2EE for message content. Servers can see all the events and metadata for rooms including invite, join, leave, kick and ban events. They can see who sent each event, the time it was sent and all the configuration for the rooms. Only the message content field is E2EE.
You can see this for yourself by logging in with a new client and looking at one of the E2EE rooms where you're a member. You can see everything other than the message content. Even reactions are not currently encrypted although there isn't any particular reason they haven't yet.
Matrix web clients work the same way for E2EE as desktop / mobile clients. State events and history for the rooms are stored on the servers and synced between them. Clients lazily download the portion of it they need. Cross-verifying or restoring via recovery code gives E2EE keys.
When you log in with a new client, it gets you to cross-verify on both sides via a series of emojis or one of the other approaches (QR code or manual). When you send a message in a room, by default it makes it so that all current sessions of all members of the room can see it.
The fatal flaw preventing it from being a serious secure messaging system is the massive amount of metadata that's not encrypted. Literally only encrypts message content and there's a ton of metadata, all stored persistently on the servers since clients are only caching that.
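An illustration of the metadata point made in the thread above, added here as an example and not written by any of the thread's participants: it splits room events into the fields a homeserver can read and the fields it holds only as ciphertext. The event shapes follow the Matrix client-server JSON format; every ID, timestamp and ciphertext value is constructed, and the function names are hypothetical.

```python
# Constructed sample events in Matrix client-server JSON shape (all values made up).
EVENTS = [
    {"type": "m.room.member", "room_id": "!room:example.org",
     "sender": "@alice:example.org", "state_key": "@bob:example.org",
     "origin_server_ts": 1700000000000, "content": {"membership": "invite"}},
    {"type": "m.room.encrypted", "room_id": "!room:example.org",
     "sender": "@bob:example.org", "origin_server_ts": 1700000060000,
     "content": {"algorithm": "m.megolm.v1.aes-sha2",
                 "session_id": "CONSTRUCTED_SESSION_ID",
                 "ciphertext": "CONSTRUCTED_CIPHERTEXT"}},
    {"type": "m.reaction", "room_id": "!room:example.org",
     "sender": "@alice:example.org", "origin_server_ts": 1700000090000,
     "content": {"m.relates_to": {"rel_type": "m.annotation",
                                  "event_id": "$constructed_msg", "key": "👍"}}},
]

# Only the Megolm payload is opaque to the server, as the thread describes.
OPAQUE = {("m.room.encrypted", "content.ciphertext")}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested dict."""
    for key, value in obj.items():
        path = prefix + key
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value

def server_view(event):
    """Return (readable_fields, opaque_paths) from the homeserver's position."""
    readable, opaque = {}, []
    for path, value in flatten(event):
        if (event["type"], path) in OPAQUE:
            opaque.append(path)
        else:
            readable[path] = value
    return readable, opaque

def metadata_report(events):
    """Who did what and when, built only from server-readable fields."""
    report = []
    for ev in events:
        readable, opaque = server_view(ev)
        report.append({"type": readable["type"], "sender": readable["sender"],
                       "ts": readable["origin_server_ts"],
                       "readable": sorted(readable), "opaque": opaque})
    return report

if __name__ == "__main__":
    for row in metadata_report(EVENTS):
        print(row)
```

Running it shows that only `content.ciphertext` of the `m.room.encrypted` event is hidden; the membership change, the reaction key and every sender and timestamp stay readable.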