Matrix vs. XMPP, Security, Privacy, Apps, Efficiency ?
I recently saw Alex's video about XMPP and I got curious.
I am using Element and Schildichat a bit, trying Element X and curious about the new Development here. It seems vibrant, they rewrite stuff in rust, the Apps are fancy and all.
But I tried Conversations and it seems based too, has transparent encryption, it is damn fast, usable, supports groups and files and all. Probably doesnt use the latest fancy Android SDKs but it seems solid.
I was surprised about how fast it was, as Matrix drastically varies per server. But also I found many dead communities, and in general I dont see XMPP at all, while many Projects (if not using Discord, bruh...) have a Matrix room.
How secure is OMEMO in todays standards? Or OpenPGP, compared to Matrix or Signal Encryption? I heard it also has rotating keys and all.
There are other things, like permission systems, chosen federation, privacy, bridge support and more, that are interesting. Are there advanced modern WebUIs for XMPP you like?
I saw that it uses up waaay less resources, why is that? Really, is "simply encrypted mail" somehow worse in an important way?
Similar to IRC, where I never found nice usable apps for my taste, I thought XMPP was deprecated, but that doesnt seem so?
What can you tell me about XMPP, is it modern, secure, privacy friendly?
I think that XMPP is obviously the superior choice here. Matrix is funded by venture capitalists that need to make money some way and they are actually recollecting users' data for that.
I didn't say it was ultimately what funds matrix, they sell servers too, but they recollect data that's for sure.
Quoting the article here:
matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot that do not promote privacy, and by specific choices made by their developers to not disclose, inform users or resolve in a timely manner several known behaviors of the software.
Data sent on a potential regular basis based on a common web/desktop+smartphone usage even with a self-hosted client and Homeserver:
The Matrix ID of users, usually including their username.
Email addresses, phone numbers of the user and their contacts.
Associations of Email, phone numbers with Matrix IDs.
Usage patterns of the user.
IP address of the user, which can give more or less precise geographical location information.
The user’s devices and system information.
The other servers that users talks to.
Room IDs, potentially identifying the Direct chat ones and the other user/server.
With default settings, they allow unrestricted, non-obfuscated public access to the following potentially personal data/info:
Matrix IDs mapped to Email addresses/phone numbers added to a user’s settings.
Every file, image, video, audio that is uploaded to the Homeserver.
Profile name and avatar of users.
I did, yes. TBH it is very anti-Matrix right out of the gate, makes a mountain out of a molehill and it even admits that it contains FUD.
There's a couple of things that are misleading in it (for example the section on bridges) and the critique basically boils down to "if you use the identity servers that are run by Matrix.org with your self-hosted homeserver they can see the info you send to them" and "Google Analytics in Element is bad".
All in all I didn't find it very convincing, and very lacking in nuance.