pepijndevos | 6 years ago

I really want Signal to succeed. Or rather, I want anything that has decent crypto and is not FAANG to succeed.

The problem is not which messaging app I want to use, it's which messaging app my friends are using.

That said, if I had to choose, I think Matrix has a slight edge in my books because it's a protocol rather than a silo. Even though Signal is private and open source, they are hostile towards people running their own Signal builds on company servers, and unwilling to federate with other servers.

Essentially, you run the official Signal app on the official Signal servers, or GTFO.

eipi-1|6 years ago

They provide good reasons for doing so [1]. I share your hope that "anything that has decent crypto and is not FAANG" will succeed, and I would prefer it to be a federated system, but I also see what Moxie describes in the article. Basically federation only works on a lowest common denominator. This means progress is very slow or impossible. Comparing the current state of the Matrix ecosystem and Signal, I find it a lot easier to convince friends and family to join Signal. After all, that is what makes a messenger useful.

Anyway I wish both projects the best of luck.

[1] https://signal.org/blog/the-ecosystem-is-moving/

tptacek|6 years ago

Matrix and Signal aren't comparable from a security perspective. Because Matrix is a protocol rather than a silo, many (most?) of its implementations don't even support E2E, and because Matrix has its roots in an ecosystem where E2E was a nonstandard add-on, Matrix will never be as safe as Wire or Signal.

Arathorn|6 years ago

Matrix project lead here; fwiw we’re aiming to turn on E2E by default for private rooms by end of Jan. It’s not really a non-standard add-on; it’s in the core of the protocol and has been designed for from the outset. It’s a pain in the ass to get right in a decentralised world though, hence the delay in forcing it on for everyone.

p.s. support for ephemeral msgs was released on the server in RC yesterday.

e12e|6 years ago

Never seems a bit strong? Surely over the next decades we could have a Matrix 2.0 that is still federated, but mandates e2e (especially with Signal doing some of the research)?

comex|6 years ago

True. On the other hand, there are some aspects in which Signal will never be as safe as Matrix. The big one is SMS verification. If someone loses their keys and has to reauthenticate over SMS, Signal notifies their conversation partners, but legitimate users do this all the time (in part because Signal lacks good key migration mechanisms), so said partners usually don’t see this as suspicious and often don’t bother reverifying the user’s identity. On Matrix’s side, I’m not sure how well it handles key migration (I don’t use it, for unrelated reasons), but it’s almost certainly less vulnerable to account theft in the first place. Matrix’s identity servers could of course be hacked or legally compromised, but they’re probably not as willing as cellular carriers are to hand over accounts to random people on request! Signal could improve its situation by getting better key migration support, but as long as it’s rooted in phone number identities, it will ‘never’ be as resistant to account theft.

Another aspect is that Matrix, if you’re technical enough, lets you set up a custom server for your secret group, which is somewhat less vulnerable to centralized metadata interception (though there are holes, like centralized mobile notification relays). Admittedly, this is mostly out of scope for Signal, which focuses on security for non-technical users.

Finally, to state the obvious, for many use cases, pseudonymity is safety. Along the lines of the “$5 wrench” XKCD, in practice the single most likely way for your secure messages to be disclosed is not through some clever protocol hack, but by their being pulled at rest from some conversation participant’s device – often with their active cooperation. Similarly, Signal’s deniability feature is cool, intentionally allowing users to forge cryptographically valid messages supposedly sent to them by others. But in practice, messages are typically leaked via screenshots, with no attempt made to detect forgery in the first place.

In such an environment, the most effective defense overall is probably self-destructing messages, which Matrix... apparently doesn’t support, but will soon. (Yikes – like I said, I don’t use it.) But in cases where the people you’re talking to don’t need to know your real identity, pseudonymity is a close second. Its weakness is that people are bad at separating identities and maintaining opsec, but it’s still better than nothing. It’s strongest in cases where you’re part of a large group (say, of protesters): this greatly increases the chance that the adversary will be able to read your messages (with a mole in the group), but also means that they probably don’t care about you personally and would prefer to go after low-hanging fruit. Or even if everyone is equally protected, it increases the amount of time they have to spend going after each person, reducing the number of people they can find.

Anyway, I don’t want to be too negative. The world is certainly better off for Signal’s existence. Maybe Signal will add non-phone-number account support someday, solving two of the issues I mentioned in one blow. Maybe it won’t, but it’ll still be useful to many people, and its continuing cryptographic research will strengthen other messengers, including ones that target use cases Signal does not.

Still, I feel like there’s some dissonance. From a cryptographer’s perspective, Signal is head and shoulders above the pack; they really know what they’re doing, to an extent that practically nobody else does. But in other areas, Signal is just okay. Not bad, often better than average, but rarely outstanding. And that includes areas that impact security, like key transfer and the other things I mentioned.

mikece|6 years ago

The one thing I don't like about Signal is that it's tied to a phone number. Sure, you can tie the account to a VoIP number, but that's not the same as Wire, which allows you to sign up with an email address, and your account ID is based on a username, which cannot be SIM-attack hijacked.

sdan|6 years ago

This is why I think Keybase is so awesome. I've gotten some of my friends on it and so far the encryption/exploding messages and all is working great.

vocatus_gate|6 years ago

Keybase is awesome, it's really improved over the years.

Avamander|6 years ago

I have the same experience. The only chat I've managed to get people on and keep for a longer period of time - no dealbreakers so far.