I use Matrix; XMPP; Session; Jami; and am looking into Briar. Some of what the article says is valid but other parts are weird such as when they list Riot as “the Matrix client”. Matrix has many clients. I don’t use Riot at all. I use Fluffy Chat and Cinny Mainly. A lot of their list of issues don’t apply to me. For instance my phone number isn’t tied to my Matrix account and while they may get my IP I am usually on a VPN so that limits what they get. They talk of Matrix being centralized but that only really applies if you use the Matrix home server, there are many alternatives.
In the end they have some valid concerns but it really depends on what Matrix is being compared to. Even with these issues is it betetr than Discord for privacy and security ? Yes it is. Discord is clsoed source so nobody knows what it gives up or does in the background. No closed source program can be trusted over a FOSS option. If you want to trust any of the options I mentioned over Matrix then feel free to but don’t trust Discord over it.
is it betetr than Discord for privacy and security ?
100% Discord has no privacy no encryption, the company sees absolutely everything.
Discord is clsoed source so nobody knows what it gives up or does in the background
That doesn’t necessarily impact privacy, and we know exactly what it does in the background based on their privacy policy, which in itself is quite ambiguous in parts. They’re quite happy there to admit they will tie identities together if you use social media logins and features like that.
No closed source program can be trusted over a FOSS option
I would say be careful here, because something is open source doesn’t necessarily mean anyone cares about what the code is actually doing. In the case of Matrix it is a very active project with a lot of community engagement and a well thought out specification so that everyone can “get up to speed”. That is extremely important. Nobody is going to sift through a tarball of source code “it’s open source”, if the development is not. It’s also totally possible for a patched version to be running in production that doesn’t reflect the source code.
That is why it’s very important not to confuse FOSS with privacy.
You can say how FOSS programs don’t equate to privacy because people may not catch things or be watching but with closed source options nobody gets to audit the code at all outside the project. How is that better for privacy ? FOSS at least gives us a chance at privacy.
If the audits are public and they are actually funded with proper scope that may very well be better than some very small project nobody can be bothered looking at. I’m not saying having source is a bad thing, quite the opposite. Privacy is generally gained through security controls, and just because something is open source doesn’t mean it is secure, likewise if something is closed source that doesn’t necessarily mean it is insecure as this post describes.
My issue with closed source is we don’t know if it is insecure or secure because nobody can find out. It’s a pandora’s box of privacy and security. It may be the most private and secure code known to man or it may be sending anything and everything about you somewhere but we’ll never really know. As for public audits who picks who gets to audit the code ? The company who made it ? You can do as you please but I refuse to trust closed source code. I’m not saying all open source code is good but at least we can find out if it’s good or not through independant means rather than trusting people that the company who made it picks to tell us.
I use Matrix; XMPP; Session; Jami; and am looking into Briar. Some of what the article says is valid but other parts are weird such as when they list Riot as “the Matrix client”. Matrix has many clients. I don’t use Riot at all. I use Fluffy Chat and Cinny Mainly. A lot of their list of issues don’t apply to me. For instance my phone number isn’t tied to my Matrix account and while they may get my IP I am usually on a VPN so that limits what they get. They talk of Matrix being centralized but that only really applies if you use the Matrix home server, there are many alternatives.
In the end they have some valid concerns but it really depends on what Matrix is being compared to. Even with these issues is it betetr than Discord for privacy and security ? Yes it is. Discord is clsoed source so nobody knows what it gives up or does in the background. No closed source program can be trusted over a FOSS option. If you want to trust any of the options I mentioned over Matrix then feel free to but don’t trust Discord over it.
It isn’t for anyone using any client unless they optionally decide to provide it.
Indeed: https://joinmatrix.org/servers/ and that’s not even getting started on the private ones or unlisted ones.
100% Discord has no privacy no encryption, the company sees absolutely everything.
That doesn’t necessarily impact privacy, and we know exactly what it does in the background based on their privacy policy, which in itself is quite ambiguous in parts. They’re quite happy there to admit they will tie identities together if you use social media logins and features like that.
I would say be careful here, because something is open source doesn’t necessarily mean anyone cares about what the code is actually doing. In the case of Matrix it is a very active project with a lot of community engagement and a well thought out specification so that everyone can “get up to speed”. That is extremely important. Nobody is going to sift through a tarball of source code “it’s open source”, if the development is not. It’s also totally possible for a patched version to be running in production that doesn’t reflect the source code.
That is why it’s very important not to confuse FOSS with privacy.
You can say how FOSS programs don’t equate to privacy because people may not catch things or be watching but with closed source options nobody gets to audit the code at all outside the project. How is that better for privacy ? FOSS at least gives us a chance at privacy.
If the audits are public and they are actually funded with proper scope that may very well be better than some very small project nobody can be bothered looking at. I’m not saying having source is a bad thing, quite the opposite. Privacy is generally gained through security controls, and just because something is open source doesn’t mean it is secure, likewise if something is closed source that doesn’t necessarily mean it is insecure as this post describes.
My issue with closed source is we don’t know if it is insecure or secure because nobody can find out. It’s a pandora’s box of privacy and security. It may be the most private and secure code known to man or it may be sending anything and everything about you somewhere but we’ll never really know. As for public audits who picks who gets to audit the code ? The company who made it ? You can do as you please but I refuse to trust closed source code. I’m not saying all open source code is good but at least we can find out if it’s good or not through independant means rather than trusting people that the company who made it picks to tell us.
@PublicLewdness @dngray
The concept of security by obscurity in general is just absurd. It’s maddening that this is the preferred option in Enterprise.