Depends on what you consider to be important for being “safe”.
Using matrix as is out of the box is relatively secure but you need to be aware that a lot of metadata ends up on the servers of a UK based for-profit & venture capital funded company (New Vector).
Xmpp on the other hand requires a bit more research to find a good server and client, but it can be made to be extremely secure, especially when self-hosting and/or using Tor for connecting to it.
IMHO there is no silver-bullet and every option comes with trade-offs. Depending on you needs other options like Threema, Signal and Telegram with their e2ee & open-source clients but centralized servers can also be worthwhile to look at.
Using matrix as is out of the box is relatively secure but you need to be aware that a lot of metadata ends up on the servers of a UK based for-profit & venture capital funded company (New Vector).
Using 3rd party clients should really be encouraged.
Mostly no, but the best way to deal with such meta-data is not to store it, or at least delete it as soon as possible. Which is the exact opposite of what Matrix does.
Sadly that isn’t the case. Most of the metadata on XMPP is also exchanged only TLS transport encrypted and is thus available on the server in clear text. The main difference to Matrix is that it generates and exchanges much less metadata and most XMPP servers are configured to delete all the metadata after a relatively short period of time.
Depends on what you consider to be important for being “safe”.
Using matrix as is out of the box is relatively secure but you need to be aware that a lot of metadata ends up on the servers of a UK based for-profit & venture capital funded company (New Vector).
Xmpp on the other hand requires a bit more research to find a good server and client, but it can be made to be extremely secure, especially when self-hosting and/or using Tor for connecting to it.
IMHO there is no silver-bullet and every option comes with trade-offs. Depending on you needs other options like Threema, Signal and Telegram with their e2ee & open-source clients but centralized servers can also be worthwhile to look at.
Using 3rd party clients should really be encouraged.
metadata is not encrypted as per matrix protocol, it’s not the client’s fault
Would it even be possible to encrypt some basic metadata? I doubt that.
Mostly no, but the best way to deal with such meta-data is not to store it, or at least delete it as soon as possible. Which is the exact opposite of what Matrix does.
What kind of metadata are we talking about?
This issue has a general overview.
Thanks for the link. Will be reading it
xmpp encrypts everything, metadata included
it’s not easy and makes the protocol really hard to implement but it is possible
Sadly that isn’t the case. Most of the metadata on XMPP is also exchanged only TLS transport encrypted and is thus available on the server in clear text. The main difference to Matrix is that it generates and exchanges much less metadata and most XMPP servers are configured to delete all the metadata after a relatively short period of time.
🤔 that does seem to be the case, maybe i was thinking of signal (it truly encrypts all metadata)