• AceKat@lemmy.ml
    link
    fedilink
    arrow-up
    19
    ·
    edit-2
    3 years ago

    Since it doesn’t have any encryption the only advantage I see is the fact that it’s open source and that there won’t be (hopefully) any data collection, but conversations will still be completely unencrypted, which is not that great. Nothing tells me that whenever this revolt’s userbase grows in size, they won’t start collecting data, including every message previously sent. Encryption exists so you don’t have to trust anyone to keep your messages safe, I hope they implement some sort of e2ee protocol at least for DMs

          • Helix 🧬@feddit.de
            link
            fedilink
            arrow-up
            3
            ·
            3 years ago

            That blog post is not about Element and doesn’t include any of the ways Element stores data and sets up encryption. Basically they’re just saying ‘there’s no sane defaults and websites want to spy on you’, which I totally agree to, but which still misses the point. It is doable, it’s just not done well. To just send everything in plaintext is definitely not the solution here.

            • Dreeg Ocedam@lemmy.ml
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              3 years ago

              there’s no sane default and websites want to spy on you

              If you’re considering E2EE you’re already considering that the server cannot be trusted (AKA it wants to spy on you).

              It’s not about defaults, it’s about the fact that you’re doing crypto to protect yourself from the server, using code that the server just sent you.

              This is the key point of the post:

              Where installation of native code is increasingly restrained through the use of cryptographic signatures and software update systems which check multiple digital signatures to prevent compromise (not to mention the browser extension ecosystems which provide similar features), the web itself just grabs and implicitly trusts whatever files it happens to find on a given server at a given time.

              It is doable, it’s just not done well. To just send everything in plaintext is definitely not the solution here.

              If you’re serious about security, the only good way to do it is to not do it at all. It really pisses me off that even password manager don’t care.

              • Dreeg Ocedam@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                3 years ago

                By “not doing it at all” I mean redirect people towards full blown apps that can do proper crypto.

              • Helix 🧬@feddit.de
                link
                fedilink
                arrow-up
                0
                ·
                3 years ago

                it’s about the fact that you’re doing crypto to protect yourself from the server, using code that the server just sent you

                Ah, yes, makes sense. Solutions to this may be to use client applications, local storage in browsers or checksumming.

                • Dreeg Ocedam@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  3 years ago

                  There are still many issues with that. This stackoverflow discussion shows that it is not really possible to do. Some of the points are irrelevant, but the general takeway is that local storage, caches and all are not designed for security but for performance.

                  The thing is that the browser is absolutely not designed for this kinds of uses.

          • poVoq@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            3 years ago

            This post specifically says that browser crypto can be great to protect the interest of the website owner… well if you self-host your own Element or e2ee encrypted xmpp webclient you are the owner of the website.

            The entire argument against javascript and webapps is always serverly distorted by all sort of false assumptions and compared to random binary only apps downloaded and run on MS Windows, I would take a modern browser and webapp in most cases.

            • Dreeg Ocedam@lemmy.ml
              link
              fedilink
              arrow-up
              2
              ·
              3 years ago

              if you self-host your own Element or e2ee encrypted xmpp webclient you are the owner of the website

              That’s 0.01% of the general population, and even here, I guess very few people self-host their email or Matrix or XMPP. And it still doesn’t protect you against someone breaking the TLS connection between you and your server. This is a serious security concern, there have been multiple cases of certificate authorities issuing bad certificates.

              The entire argument against javascript and webapps is always serverly distorted by all sort of false assumptions and compared to random binary only apps downloaded and run on MS Windows, I would take a modern browser and webapp in most cases

              I mostly agree, but because proprietary, windows only apps are not generally designed with security as the number 1 concern. For FLOSS apps that do highly value security (like Matrix), this is not an acceptable compromise to me. Signal doesn’t have a web client for this exact reason. As I said in another comment, even password managers don’t care about this issue, which is really disappointing.

              • Helix 🧬@feddit.de
                link
                fedilink
                arrow-up
                1
                ·
                3 years ago

                I guess very few people self-host their email or Matrix or XMPP.

                You don’t need to self host email, Matrix or XMPP to use E2EE. I meant self hosting the web clients.

                And it still doesn’t protect you against someone breaking the TLS connection between you and your server.

                HSTS, Certificate Pinning, …

                Every communication method suffers from this, it’s not exclusive to web-based communication.

                proprietary, windows only apps are not generally designed with security as the number 1 concern

                Yeah, Open Source software down to the OS itself is important for security. But even then, who audits their own software? It’s probably 0.01% of the 0.01% of the general population you mentioned.

                • Dreeg Ocedam@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  3
                  ·
                  3 years ago

                  You don’t need to self host email, Matrix or XMPP to use E2EE. I meant self hosting the web clients.

                  Nobody does that

                  HSTS, Certificate Pinning, …

                  HSTS is great but doesn’t protect you against maliciously issued certificates, and Certificate pinning is deprecated on the Web.

                  Yeah, Open Source software down to the OS itself is important for security. But even then, who audits their own software? It’s probably 0.01% of the 0.01% of the general population you mentioned.

                  That’s why you stick to software under high scrutiny and highly visible for security sensible stuff, and avoid using software with a broken security model for sensible stuff.

    • peppermint@lemmy.ml
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      3 years ago

      It’s meant to be for large groups, isn’t it? Why would the threat model of discord users require each of 120 users to keep their chats secret from the server?

      • AceKat@lemmy.ml
        link
        fedilink
        arrow-up
        8
        ·
        edit-2
        3 years ago

        For the same reason facebook is one of the biggest companies in the world. Having access to thousands of users’ chat history is very useful for ad personalization and could be worth a lot of money. To fight this decentalization and encryption are crucial, you can’t trust that they will never use that data for advertisement purposes, maybe introduced in a privacy police change. Solid encryption algorithms are feasable for smaller groups, but as I said, at least DMs could be encrypted

        • peppermint@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          3 years ago

          I suppose it would prevent automation on some level indeed, but ironically I feel like this is nothing to do with the threat model.

        • Dreeg Ocedam@lemmy.ml
          link
          fedilink
          arrow-up
          3
          arrow-down
          2
          ·
          edit-2
          3 years ago

          There is absolutely no reason to believe that chats in discord are used for ad targeting. There privacy policy is actually not that bad. The only issue is that it’s not open source so they might get bought in the future by someone that changes that. Their app also uses facebook’s SDK, so it does collect some data, but not the chat history.

          Also, if you use it to talk to random people and have no way of checking identities/keys, E2EE doesn’t serve any purpose…

          • adrianmalacoda@lemmy.ml
            link
            fedilink
            arrow-up
            7
            ·
            edit-2
            3 years ago

            The only issue is that it’s not open source so they might get bought in the future by someone that changes that.

            A proprietary centralized chat service is a bad thing, regardless of privacy policy. Revolt is already superior to Discord on that front.

            • Dreeg Ocedam@lemmy.ml
              link
              fedilink
              arrow-up
              5
              arrow-down
              2
              ·
              3 years ago

              I said in my comment that the fact that they’re not FLOSS is an issue.

              Not everything that isn’t FLOSS is a conspiracy to get your data, similarly not everything that is FLOSS takes proper care of your data. FLOSS is a good thing, but it’s not the only thing that can protect you. There are laws, and they can’t put anything in their privacy policy and not respect it.

              We can convince people to use the better FLOSS alternative without having to make unfounded claims, this kind of thing only makes us look like tinfoil hat nutjobs. That’s not who we are (or at least, who I am), and I’m not going to support claims without a shred of evidence.

              • adrianmalacoda@lemmy.ml
                link
                fedilink
                arrow-up
                3
                ·
                edit-2
                3 years ago

                I said in my comment that the fact that they’re not FLOSS is an issue.

                I think we may be on the same page, then.

                Not everything that isn’t FLOSS is a conspiracy to get your data

                This is why I think framing free software as a privacy issue is inherently flawed. Free software is a good thing because it gives you control over your technology. The fact that free software is generally more privacy respecting is probably a side effect of that, but some proprietary software companies at least nominally claim to respect privacy too. Discord can have the best privacy policy in the world, and actually stand by it, and I would still denounce it because it is a locked-down proprietary silo platform.

                similarly not everything that is FLOSS takes proper care of your data

                This is technically true, in that a free software license is not a magical ward against bugs or spyware, but in cases where a free software project becomes spyware - such as Audacity - a spyware-free fork often pops up soon after. This is why I value the four freedoms of the free software movement.

                • Dreeg Ocedam@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  4
                  arrow-down
                  1
                  ·
                  edit-2
                  3 years ago

                  Discord can have the best privacy policy in the world, and actually stand by it, and I would still denounce it because it is a locked-down proprietary silo platform.

                  I agree, but claiming that it uses it’s users chat history for selling advertisement is absolutely unfounded and is not valid criticism.

      • Bilb!@lemmy.ml
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        3 years ago

        I agree that encrypting a group chat beyond a small group of trusted individuals is pointless. It’s nice to have the option, though.

  • tmpodA
    link
    fedilink
    arrow-up
    12
    ·
    3 years ago

    Indeed it does. I still think Matrix/XMPP/any other federated protocol will be better in the long run, but this is really nice nonetheless. Still very early stages but has potential as a more Discord-like rocket.chat alternative.

  • marmulak@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    3 years ago

    I have to admit that this does look cool, even though I already enjoy XMPP and Matrix. I guess I’ll give this a try sometime.

    • flbn@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      3 years ago

      how are you hosting XMPP and Matrix? i’ve been struggling to get an efficient server for Matrix on my pi so i’ve been looking at Prosody for XMPP.

      • ninchuka@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        3 years ago

        dendrite or conduit are alot lighter to run compared to synapse so if you have a pi4 with at least 2GB of ram maybe even 1GB if you join small rooms they will probably be fine

      • marmulak@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        3 years ago

        I don’t host Matrix, but I enjoy using it anyway. For XMPP I use ejabberd, but for a personal server you could use that or prosody. The protocol is light enough on resources that you should be able to run it easily on any machine.

    • Zach777@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      3 years ago

      This is my thoughts exactly. Zulip even has really good threading as a feature above Discord.

      Where is the federated version of Discord? Without that you might as well stick with Discord and Zulip imo.

    • marmulak@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      3 years ago

      Who has time to actually try all of these things? I tried RocketChat once and its main server seemed as dead as a doornail, and it otherwise seemed to not have such a great UI. As for the rest, I don’t know what makes them useful or unique. (Maybe you could give a quick run-down.)

  • marmulak@lemmy.ml
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    3 years ago

    OK I actually went ahead and tried this because I thought it looks cool. It does look cool. That’s about it. Aside from copying Discord’s UI to a T, it otherwise doesn’t seem to do hardly anything, and what it does do it seems to do poorly.

    I want to like this since FOSS alternative to Discord are always welcome, but Matrix+Element is just light-years ahead of this. Like why even bother when Element exists and it’s amazing? (I know people who don’t like Element, but actually it’s amazing.)

    Also, I get the sneaking impression it’s only named Revolt because of the name Riot, which Element used to be called.

    • Ferk@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      3 years ago

      I got all excited because I thought it was a new Matrix client designed to be more Discord-like (using Matrix Spaces and so). But I was disappointed when I discovered it’s implementing yet another different protocol (it’s not even federated?)…

      They do have a Matrix bridge though. I do hope they come together and further work with Matrix, since I believe the Matrix protocol can do most (all?) of what they are already doing, it’d be easier to migrate discord communities to Matrix if the UI transition was as seemless as it seems to be with Revolt. Revolt could have potential to be the host of a new big Matrix instance to further move people away from depending on matrix.org central instance.

      I guess if they do have an officially maintained Server-to-server bridge then it would be equivalent of it acting as a Matrix instance. And that would be great. But it’s unclear if that’s what they are doing / planning to do. The Matrix website claims to not be aware of any server-to-server bridging having been done before, which makes me think Revolt might be doing a “bridge bot” bridge (can someone confirm?), which wouldn’t be as interesting.

  • IngrownMink4@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    3 years ago

    I must say that I love it, it has a nice modern design and many features that remind me of Discord. It has the potential to surpass Discord. I hope that happens someday :)

  • 0x90@lemmy.ml
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    3 years ago

    I tried it and it’s promising because the call quality is very good compared to Mumble, and push notifications means low battery usage.

    It’s OPUS Codec (same used by Discord), and with very low latency, when they will add the Matrix bridge and e2ee (as stated in the roadmap), i think it will become a very good free as in freedom tool everyone can self-host!

    Of course XMPP is a better protocol and every new messenger feels like reinventing the wheel, but at the moment all clients UI feels dated, and even worse, the good old IRC lack support for mobile internet reconnections, so everyone ends up using Telegram or Discord at the moment.

    In conclusion I think Revolt has good potential, and it could even become a good alternative to all the above, eventually.

    • poVoq@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      3 years ago

      the call quality is very good compared to Mumble

      You must have mis-configured your Mumble client. Mumble usually also uses the OPUS codec and voice quality is superior to Discord by far in most cases due to better noise cancellation and microphone calibration.

      Edit: IRC does not lack support for mobile connections. It is just that the most popular IRC networks use terribly outdated IRC servers forcing everyone to use bouncers that in turn again do support mobile networks just fine. However a modern IRC server does it even without a bouncer.

      • 0x90@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 years ago

        I swear with Mumble I had issues with echo and feedback noise, both on PC with v.1.3.4 and also on Android (with Mumla). I tried it on various devices and i wasn’t happy with the result, but maybe that’s just my experience.

        But i also have to say that v.1.4.0beta has risoved all issues and has a very good quality.

        Can you tell me one of those new IRC servers that do not disconnect when changing IP using mobile conntection? I’d love to try one just out of curiosity (at the moment i’m using matrix bride on Libera)

      • Echedenyan@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        3 years ago

        Bandwidth and online data-exchange usage.

        50 MB for a mail bag valid for internet is about 1 dollar where a lot of Cubans have a salary of 20-30 dollars average.

        Mumble can use 3 KB/s over UDP while speaking as minimum which is good enough.

  • murky@lemmy.ml
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    3 years ago

    I tried joining some communities, but somehow it took ages to join after like the 5th one or so… otherwise, everything I tried is running smoothly so far

  • remram@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    3 years ago

    Does it have any instructions on deployment? Or is only their hosted version released in beta?