You must log in or # to comment.
I’m completely afraid of logging into fedora.im now. It’s so engulfed in spam, not even normal phishing spam. Absolutely horrifying spam, like gore and killing and other deranged shit.
I had to move back to matrix.org and abandon my account.
Don’t get your hopes up, I deleted my account on matrix.org because of that same spam, and there’s no way to mass ignore invites to the hundreds of rooms from all the spam accounts they let run rampant.
https://github.com/matrix-construct/tuwunel
Plug for tuwunnel.
Easy to set up, and just works. I can’t share any of the OP’s annoyances - everything is fast. Admittedly, I don’t really use the web client. Just the Android app from F-Droid and the linux AUR package element-desktop.
Does this come with fewer mental health issues than conduwuit? Because I remember the latter had an author that was a… Mtf puppydog? And had 4 years of work experience at like 19? Who claimed that the entirety of the nix, queer and some other communities were waging a conspiracy against her and her users?
Subjectivr experience against another. I switched an peer group from skype to matrix when matrix went offline. It was way better than i would have expected. Perhaps the timing was better. The element client seems really good, beside some minor jank(like screen share doesn’t work) that was probably waylands fault, its a very good experience.
I did not enjoy finding out only at the end that the images in this blog post are generated/made using AI.
The protocol is bloated to hell so third-party clients stand no chance, and the foundation spends more time bikeshedding or pissing away money than they do developing. It’s a doomed project.
You can interact with Matrix server through basic curl commands… and I thought the documentation was pretty good. There are plenty of third-party clients.
Sure, E2EE, keys and cross-signing is not trivial, but I don’t know where it is.
I didn’t imply that you can’t strip the protocol down to its bare essentials and still use it, but what’s the point of a protocol if everyone is on their own personalized version of it? Version / Feature fragmentation is a massive problem and basically none of the third party clients are up to snuff. Synapse is a massive bowl of lukewarm dog water, and most alternatives to it die in a year because it’s impossible to keep up. There’s too much shit in the protocol.
What specific version/feature fragmentation and clients are you referring to? As is common now, newer Synapse drops support for older Postgres (for example). Voice and video calls is the only feature that I can think of that is half-assed in Element/ElementX or not implemented in some clients.
Otherwise, Element, Element X, FluffyChat, Fractal, freaking Cinny on Ubuntu Touch (!), and terminal-based gomuks all support basic functionality, DMs, rooms, encryption, and attachments.
So what’s left? Jabber?
Back to IRC we go…
It is entirely insecure.
Define secure. You can run your own network.
xmpp isn’t.
(Ok I get xmpp alone is but every modern client supports the same two encryption methods so judge for yourself)
Not when the entirety of your conversations are jargon and in-jokes!
/s
The argument has always been, if when chat rooms are public, anyone can join and start logging the chats, encryption does nothing.
It has the ability to connect over TLS, but that’s about it.
I loved using it for its simplicity, except when using all the different flavours of nick registration (Q, NickServ, …).
My friends created a telegram group and invited in a couple of bots that do stupid things like posting images or vulgarities when they detect certain words, or perform actions on request.
I tried to convince them to get rid of the bots but they’re in the “we have nothing to hide” camp.
Depends what your goal is. Revolt seems pretty cool, but I don’t think it has any kind of encryption. It is based in Europe, though, so it gets GDPR protection, and it’s open source, so it could be forked to fit other needs and uses.
No, Revolt checks neither of my boxes unfortunately.
Slrpnk hosts an XMPP/Jabber for our users, mods and admins to communicate. Its worked pretty darn well for the past couple years, with very low resource needs.
The clients are pretty slick now too, such as Cheogram or Monocles for mobile, and movim is an excellent web app with support for group calls.
I’d certainly recommend it over Matrix/element.
The clients are pretty slick now too, such as Cheogram or Monocles
I wouldn’t call either of those, or any other XMPP clients “slick” and it’s my biggest complaint about the protocol.
Not to mention you can run a server on anything pretty much and for surprisingly big amount of users. Toaster or potatoes will do just fine.
What’s the protection in the clients assuming compromised infrastructure, like e.g. in https://notes.valdikss.org.ru/jabber.ru-mitm/ ?
https://www.devever.net/~hl/xmpp-incident
This article discusses some mitigations.
You an also use a platform like simplex or the tor routing ones, but they aren’t going to offer the features of XMPP. It’s better to just not worry about it. This kind of attack is so difficult to defend against that it should be out of the threat model of the vast majority of users.
I’m afraid that’s quite outside my field of expertise. I can only report how my experience on XMPP has been as a user, though perhaps @poVoq@slrpnk.net, who hosts it, may be able to weigh in on that. Edit: ah, I see you already have 😄
Though from my untrained eye, it seems that Jabber.ru was compromised due to not enabling a particular feature on their server
“Channel binding” is a feature in XMPP which can detect a MiTM even if the interceptor present a valid certificate. Both the client and the server must support SCRAM PLUS authentication mechanisms for this to work. Unfortunately this was not active on jabber.ru at the time of the attack.
And it seems that hosting it externally on paid hosting service (hetzner and linode) left them particularly vulnerable to this attack, and tgat it could’ve been mitigated by self hosting the XMPP locally, as well as activating that feature.
Significant improvements to certificate pinning and validation have been added to all major XMPP clients as a result of this incident, but it should also be clear that hosting a server on infrastructure under control by an antagonist government (see also Signal) is a very bad idea and hard to mitigate against.
Signal is under control by the government? 🤔
Their server infrastructure is (run by Pentagon and NSA best buddies AWS).
And that means the government controls it?
So Signal does not have reproducible builds, which are very concerning securitywise. I talk about it in this comment: https://programming.dev/post/33557941/18030327 . The TLDR is that no reproducible builds = impossible to detect if you are getting an unmodified version of the client.
Centralized servers compound these security issues and make it worse. If the client is vulnerable to some form of replacement attack, then they could use a much more subtle, difficult to detect backdoor, like a weaker crypto implementation, which leaks meta/userdata.
With decentralized/federated services, if a client is using other servers other than the “main” one, you either have to compromise both the client and the server, or compromise the client in a very obvious way that causes the client to send extra data to server’s it shouldn’t be sending data too.
A big part of the problem comes with what Github calls “bugdoors”. These are “accidental” bugs that are backdoors. With a centralized service, it becomes much easier to introduce “bugdoors” because all the data routes through one service, which could then silently take advantage of this bug on their own servers.
This is my concern with Signal being centralized. But mostly I’d say don’t worry about it, threat model and all that.
I’m just gonna @ everybody who was in the conversation. I posted this top level for visibility.
@Ulrich@feddit.org @rottingleaf@lemmy.world @jet@hackertalks.com @eleitl@lemmy.world @Damage@feddit.it
EDIT: elsewhere in the thread it is talked about what is probably a nation state wiretapping attempt on an XMPP service: https://www.devever.net/~hl/xmpp-incident
For a similar threat model, signal is simply not adequate for reasons I mentioned above, and that’s probably what poqVoq was referring to when he mentioned how it was discussed here.
The only timestamps shared are when they signed up and when they last connected. This is well established by court documents that Signal themselves share publicly.
This of course, assumes I trust the courts. But if I am seeking maximum privacy/security, I should not have to do that.
They do have reproducible builds for android though? https://signal.org/blog/reproducible-android/
They can’t for iOS because it’s just not a feature there
Else, there’s Molly you can use, but yea, Signal doesn’t like it
Signal’s reproducible builds are broken: https://github.com/signalapp/Signal-Android/issues/13565
End to end encryption between clients (also for groups) seems to partly address the issue of a bad server. As for self-hosting, any rented or cloud sevices are very vulnerable to an evil maid. So either in-house hosting or locked cages with tamper-proof hardware remain an option.
Signal doesn’t suffer anything worse than DoS if a hostile party controls the central service. That’s its point and role. It’s based on the assumption that such hostile parties as governments don’t like DoS’ing central services, they prefer to be invisible.
For other points and roles other solutions exist. One can’t make an application covering them all, that never happens.
Briar again (I’ve finally read on it and installed it, and I love how it works and also the authors’ plans on the future possibilities based on the same protocols, but not for IM, say, there’s an article discussing possibility of RPC over those, which, for example, can give us something like the Web ; I mean, those plans are ambitious and if I want them to succeed so much, I should look for ways to defeat my executive dysfunction and distractions and learn Java). Except it would be cool if it allowed to toss data over untrusted parties, say, now if two Briar users in the same group are not in each other’s range, but there’s a third Briar user not in that group between them, their group won’t synchronize (provided they don’t have Internet connectivity). If one could allow allocating some space for such piggybacked data, or create some mesh routing functionality, then it would become a bit cooler.
You are very naive if you think that is all the US government can do in regards to Signal, but suit yourself 🤷
Anything that’s been proven/confirmed?
OK, so what else in your opinion can it do?
What about delta?
I tried it, joined a couple rooms. Wanted to leave those public rooms but I kept getting notifications of rooms I already left.
Very wonky experience, so I dropped it and I use deltaChat now for my Tech-aware contacts
From an outsiders perspective, element has never worked for me and never been stable enough to get anywhere close to discord. Joining servers is buggy AF and Element X is severely hobbied on mobile.
I’ve been refusing to use discord for about 6-8 months and am often invites to join various discords by IRL friends and online communities. I wish Matrix / Element was a viable alternative but I’ve never been able to get it working for anythung other than DMs, and I’m already happy with Signal for that honestly.
As a non developer I want to be sensitive to the amount of work involves, and the number of cooks in the kitchen, but the fact that we don’t have a FOSS- federated slack / discord killer app is leaving so much interaction on the table.
I’ve heard of Revolt but it doesn’t seem to be there with encryption
You got PeerSuite as a newcomer, and a pretty promising one with the concept of not having any servers tied to it at all, at that.
I always liked the concept of Matrix, and still actively use it, but there’s some serious jank. Synapse is generally bloated and not fun to run an instance, Dendrite is perpetually in Beta, and the clients themselves range from adequate to awful. The default Element client on Android is so broken for me that I’m forced to use Element X, because I can’t even log in with Element.
It’s disappointing, but there’s a ton of issues that aren’t so easy to resolve. New Vector and the Element Foundation are basically two separate entities that have some kind of hard split between them, neither of which seems to have the money necessary to support comprehensive development. The protocol is said to be bloated and overtly complex, and trying to develop a client or a server implementation is something of a nightmare.
I want to see Matrix succeed, I think a lot of people see the potential of what it could be. I’m not sure it’ll ever get there.
I always liked the concept of Matrix, and still actively use it, but there’s some serious jank.
I use Element as well as Beeper, which is at its core an Element client based on network bridging. I’m a big fan of Matrix, but it isn’t as approachable as other messaging services and requires some technical know-how to use effectively.
It seems like the Linux of messaging services.
i want 90s era icq and 2000s era msn back :(
But they both closed source protocols locked down to specific corp
What would you propose, then?
How about jabber/XMPP
I wish xmpp was p2p. I can self-host but it could be way simpler if people didn’t have to.
How active are communities on these nowadays?
XMPP works, but there are no video calls. Matrix has those, and they are very good. But since it is not possible there to see the online state of my friends (turned off everywhere due to horrible performance), it defeats the purpose. I want to see if they are at their computer, not if they own a mobile phone. 😉
I do 1:1 videocalls on XMPP. Quite some clients implement that now. But there were no videoconferences until very recently. That’s changing, though. See Movim right now, for example.
Main 2 issues with XMPP are inconsistent clients (in terms of GUI but also features wise) and the incredibly, astonishingly, ridiculously sloooooooooooooooow evolution of the protocol through the XSF. Nothing can get in there until it’s “perfect”. Clients devs are reluctant to implement things until the extension is stable. And the best part is this approach hardly work: the best way to figure if something works is to deploy it in larger and larger scales and improve it on the way as you identify corner cases you didn’t think about. Not to review the description for months/year until it qualifies as literature…
Are video calls really that important? I almost never do that.
Almost never, but when they are: very much so yes
I just use dedicated software for video calls, it’s easy enough to ask the other person to jump on a video call on something else.
A/S/L?
400/F/krynn oh sorry i was in the red dragon inn room :3
Who was 400 years old from Krynn? Sylvara? It’s been a long time since I’ve read those books.
it’s been a while so i just picked random names for the bit but now i kinda wanna go back and read the dragons o autumn twilight series (mostly to get to time of the twins)
For me Matrix is fine, I can use IRC, Whatsapp and Discord with it. But Element is not my cup of tea, especially with Firefox as it doesn’t play any videos other users are sharing. The same videos work fine with Cinny.
I can use IRC
The fact that many Discord and IRC channels (servers?) block Matrix connections has drastically reduced its usefulness for me. When I was running my own Matrix server, I could have gotten around it by using a puppet, but Synapse is such a hog I had to shut it down, and most of the IRC rooms I want to use don’t allow Matrix proxies.
The IRC (Biboumi) and Discord bridges (slidge.im) for XMPP work still fine and running your own server is super lightweight.
running your own server is super lightweight.
Not IME. Are you running Synapse? Gigabytes of disk usage and memory leaks requiring restarts.
They’re taking about switching to Jabber/XMPP, which is what those two bridges are for, and they’re saying XMPP servers are lightweight.
It’s a bit confusing in context, I’ll admit.
I am talking about xmpp servers 🤷
I’ve been running the same matrix instance since ubuntu 18.04lts, just upgraded the virtual machine along the ride, so that has to be +6 years it’s been running 24/7.
I have not once rebooted my server due to performance reasons (like a mem leak). And like last 4 years I’ve ran the instance virtualized on a hp thin client, lately on a hp t640.
While I understand the criticism towards synapse being a complex and slow, and element being slow-ish, I don’t feel justified saying synapse would need any restarts in general. At least I have never restarted it in 6+ years and my instance has been working without those required restarts.
Yeah, I miss the irc, too. I still use it via my matrix instance.
I agree with all this. The thing which caused me to uninstall was suddenly being pushed lots of abusive message with disturbing contents.
When I complained about it, Matrix told me that my public complaints were hurting the ecosystem and I should be quiet.
Oh fuck that culty nonsense!
I had a wild ride with matrix, originally wanting to run a node on my server. That did not turn out well, because I was a bit stupid and just assumed there would be more admin/mod tools out of the box. As it turned out, I had inadvertently allowed spam/abuse accounts on my node without even noticing, because naive as I was, I assumed my admin-level account would get informed of stuff like user registrations and abuse reports in the standard Element frontend. As a bonus, when I checked what was supposedly the official matrix support channel, it was repeatedly getting spammed with CSAM and gore at the time. That was when I realised, that it definitely was not the ecosystem for me, and running a node without experience had been a pretty stupid idea on my end.
I have to wonder if there is a major commercial interest in that though.
The CSAM spam is so annoying. I don’t understand who is doing this or why.
Yeah. I an hosting a homeserver for my ttrpg groups, but it doesn’t have any federation enwbled at all, and sign ups are invite-only.
The amount of work needed to moderate a public instance, especially with the lacking tools available, seems crazy. Also, I don’t love it that New Vector has an implementation for an admin console, that seems to be available exclusively for paying subscribers to the enterprise version of their element server suite.
When I complained about it, Matrix told me that my public complaints were hurting the ecosystem and I should be quiet.
Weird. I think they did some improvement to prevent those abusive messages but it took a while and it was embarrassing. Maybe it’s hard to prevent them with a federated network but still, the abusive messages where basically a copy paste.
I am glad someone can admit it failed and we have to learn from this. I am just wondering what it takes to succeed.
start with a discord clone
make it e2ee
make it federated
i feel like it shouldnt be this hard, but I’m not the one developing matrix, nor XMPP, nor the 3rd smaller option you the reader is wanting me to list that I am unaware of
Don’t fucking clone the godaweful mess that is Discord. Please, for the love of God start with something else.
Discord is what people like and are used to though. If you want the average user to switch it needs to be somewhat familiar.
Discord is where people are at. You start with something else you’re asking for another Matrix or XMPP because people will not understand a new interface
Suppose for text messages, sharing files, contacts and such we have solutions, and with a set of libraries solving the hard parts, that can be done relatively easily. Encryption is hard, but suppose we are not even doing E2EE yet, that we are fine with TLS till the server, mutual TLS between servers, and additional something like OTR or PGP for 1-on-1 conversations.
Voice/video calls, and especially group voice/video calls, are a different matter entirely. You have to think, solve latency problems, congestion problems, so that those were usable at all.
Discord UI is not very nice.
I agree that the UI for discord sucks shit, however my thinking is aligned with what another commenter said, its what people already know and are used to. Trying to make anything new will turn users off. I’m very open to being proven wrong about that assumption though. I’d love for a foss project to have better UI/UX than discord.
The UI is not that important. Something a bit similar to Discord in appearance and experience is doable in plenty of available UI toolkits and libraries and frameworks and whatever.
The system itself is important, so that it would be functional with federation, yet not as prone to fragmentation as XMPP, yet efficient.
Self hosted matrix works great. /thread
Yeah, I finally pulled the trigger and moved to my own domain from
matrix.org. Man, it is just so much faster. Which is sad, because the performance is pretty bad. (Element Web seems to do some per-room request as part of the initial loading screen which is obviously not scalable) but getting off ofmatrix.orgis a huge performance improvement.That being said there is nothing really wrong with
matrix.org. The problem is really public rooms. People will join and spam. It is true of any protocol (have you heard about email?) but Matrix definitely needs to (and they are slowly working on) make it more expensive for spammers.I’ve been hosting a server without much problems for several years now.
Synapse and Riot.im (now Element) became much better around 2019 or 2020. But not too long ago, I also found out that Synapse also bloats the DB with state_groups_state table. There are a handful of commands that come with synapse, but no built-in admin tool or panel, so I wrote my own. Moving server to another host has been seamless for my (few) users. TURN/STUN for calls seems to work okay (I don’t really use it though).
I appreciate Element being uniform across platforms (which I cannot say about XMPP clients), but the sign-in is pretty tedious, and registration with a token is still impossible last time I checked (which is either a hassle for the user to use another client and then their smart device, or a security issue if you open registration to anyone). Most normal people probably don’t care and don’t want to deal with keys, cross-verification, and all that jazz.
I am still mad that are no mobile clients that supports multiple accounts. So I am ending up installing for each account a different client.
Edit: added mobile.
NeoChat on KDE allows me to choose which account to login to when I start it.
Does it let you be logged in as both ?
If I want to send and receive messages from another account, I have to press 2 buttons to switch to it. Otherwise, I still get desktop notifications from all of them, I think.
I see what you did here. Say something wrong on the internet to get multiple helpful tips.
Element Desktop has profiles. But sadly there are no profiles on the mobile app.
Fluffy chat allows multiple accounts
I like this client. Thanks for the tip.
We really need to stop abandoning existing foss projects and thinking a whole new thing needs to be invented. Free and open-source software is not a product, it doesn’t abide by the same rules and relationships that proprietary tech does.
It’s more organic. It’s also a commons that we can continue to draw on, and reshape. If I recall correctly, there were something like three different vector graphic editors from the same codebase before Inkscape managed to be the one that gained traction.
Matrix isn’t perfect, but abandoning it just to reinvent it all over again just because some people really need a thing that works like Discord, even though Discord is absolute hot garbage; is just going to re-create all the same problems. Matrix today is better than it was two years ago. And Matrix in a year will be better from now.
What I don’t like about Matrix is that it’s most visible homeserver and client implementations feel like they are being developed as a product by New Vector Ltd., not a community project.
How so?
Often, the problem is that projects get to a point where they’re happy and the maintainer doesn’t want to add any new features. So people then are forced to build a new project to get those features.
Sometimes, but my point is you don’t have to start from scratch. It’s free software. You are allowed to make extensions or even fork it.
Can’t agree on Discord being hot garbage, unless you’re specifically talking about how monetisation has creeped its way into it.
However, with Vencord I don’t have to see any of that shit, while also having a far more functional and feature rich client.
Of course, a FOSS, potentially federated alternative would be greatly preferred, but it must have at least the basic functions of Discord.
None of the popular/successful apps are bad.
They usually have great ui/ux and are being actively developed or at least maintained. Think google maps, apple wallet, or of course discord. What is hot garbage, however, is having to accept massive privacy violations if you use them. Vencord unfortunately does not mitigate that. :(
I agree with you, my main issue with Matrix is that it is a pain to self-host at the moment.
https://github.com/spantaleev/matrix-docker-ansible-deploy
Honestly, with this, it is easier than ever. Great documentation !
Isn’t everything a pain to selfhost?
Most things are super easy, like 2-5 minutes of set up and it’s running and working.
Such as?
Most of the stuff I run on my server is just a basic
docker-compose.yamlfile and it’s up and running in a minute or two. Some random examples:- Immich
- Peertube
- Pinchflat
- Vaultwarden
- Mealie
So, going from Mealie’s instructions, having to learn how to work with Docker, whatever underlying server you’re working with, and a database system is easy 2-5 minutes?
