Comment by maqp
6 years ago
Matthew outlined much of the Matrix problems but not in the context of the latter part of his idealistic thoughts.
Just going to point out that if agreeing on spec is six times slower, that's just the first car of the traffic jam slowing down. The next car has to slow down more: The feature needs to move into SDKs. Then the next car, the client vendors need to actually implement and test their implementation of the feature and write documentation. That's even slower.
"HOWEVER: all of this completely ignores one critical thing - the value of freedom."
I really value freedom. To me freedom means a non-technical dissident doesn't have to sit in jail when their messages weren't E2EE. It doesn't mean I can choose a value from a list of servers and have faceless entity #1, #2 or #3, or worse, Mike - the creepy IT guy from my peers - observe my metadata with everybody, and content with Karen who refuses to switch to a Matrix client that supports E2EE.
"Freedom to run your own server (perhaps invisibly in your app, in a P2P world)."
Now this is something I can get behind. Which is why I've spent the last eight years working on a P2P messaging system. Perhaps Matrix should move their efforts into being the change they want to see in the world instead of defending a bad solution of decentralization by saying they're thinking about implementing a better solution of P2P.
"Freedom to pick which country your server runs in"
Which you can't do if you're running a P2P server on your device. I think every faceless service provider from Signal to any XMPP server has the same guarantee of privacy in practice. The only difference is Signal has to abide by the GDPR, independent users hosting servers don't. Before anyone screams about PRISM, I will point out that coercing insertion of a backdoor is the same as compelled speech, which would violate the constitution.
"Freedom to select how much metadata and history to keep."
We have precedent of Signal keeping none of that. With Matrix servers the server has access to all metadata by default, the server program doesn't attempt to hide anything, there's no sealed sender etc. Your only hope is to run your own server, somehow convince your peers you're the one they should trust with their metadata (there's a third party on every decentralized server with more than two users), and hope you don't grow enough to get hacked by nation state actors or criminals.
"Freedom to choose which apps to use - while still having the freedom to talk to anyone you like. Freedom to connect your own functionality - bots, bridges, integrations etc"
A nice idea, but everyone needs to have the same features for it to work, so what you get is differences in UI, implementation language, and platform support. What matters most here is the programming language: a Matrix client written in Rust is more secure than one written in C. But unless everyone uses the Rust version, the group chat is as secure as the weakest link. Same goes with bridges. You'll never have security because of this guy who likes to re-live their youth through irssi: https://xkcd.com/1782/
Also, what happens when Facebook implements their own Matrix client that steals your metadata from the endpoint, and what happens when they start bundling their app on every Samsung smartphone? Perhaps it's not your idealistic Riot client that's the problem, perhaps it's the bundled spyware on every peer's device used by people who just don't care. I'm not saying Signal fixes the problem of user laziness, I'm saying it's better to know what's on the receiving end.
"Freedom to select which identifiers (if any) to use to register your account."
Which is kind of pointless considering the IP-address still leaks to the server by default. And the UUID means all your metadata can be tied together. The social graph is revealed to the server so unless everyone keeps rolling their IDs and exchanging them over some other channel, it's pretty much impossible to hide metadata from a malicious server running statistical analysis. Even if you're not malicious, there's no way to know if your server has been compromised. Or, if you somehow can harden your server against the NSAs of this world, please, go work for the Freedom of The Press Foundation or something.
"Freedom to extend the protocol."
When the protocol fails to mandate BASIC security features like E2EE, it's kind of pointless to talk about the possibilities of extendability. There's always going to be maintainers and they need to prioritize, so there's always going to be someone who decides whether something will be implemented by them. Signal doesn't forbid pull-requests if you want something done. The nice thing is, it's at least six times faster to do it for Signal.
"Freedom to write your own client, or build whole new as-yet-unimagined systems on top."
So it's the freedom of the developer we're talking about. Reminds me of BSD vs GPL (BSD says developer has freedom to fuck over users with proprietary fork, GPL says user has right to not be abused like that, and that developers have the obligation to not do that). It's the rights of the users that matter. That is, human rights. You can merge as-yet-unimagined systems to Signal. You might face initial criticism because it needs to be secure by default. But it's not like Moxie will show you the finger for proposing something before it's discovered or announced. I have first hand experience with this: https://github.com/signalapp/Signal-Android/issues/4171
"It’s true that if you’re writing a messaging app optimized for privacy at any cost, Moxie’s approach is one way to do it."
If you consider privacy is a human right, developer freedom isn't, it's easier to see who has their priorities in order.
"you end up thoroughly putting all your eggs in one basket, trusting past, present & future Signal to retain its values, stay up and somehow dodge compromise & censorship… despite probably being the single highest value attack target on the ‘net."
So which one is easier to subvert, community of experts constantly under scrutiny by peer experts trying desperately to make a name for themselves, or open work group on protocol that still isn't secure by default, and that is much more susceptible to stagnation via bike-shedding and mission hijacking. OpenPGP work group still hasn't agreed on v5 fingerprint, the SHAppening happened five years ago. I'm going to have to disagree and say I don't have faith in unnecessarily large organizations.
I'm just going to say this FUD is worth being pointed out, but that it's not worthy of dissection.
"We owe the entire success of the Internet (let alone the Web) to openness, interoperability and decentralization."
A thought that was denounced in the 36c3 talk whether you watched the stream or not.
"To declare that openness, interoperability and decentralization is ‘too hard’ and not worth the effort when building a messaging solution is to throw away all the potential of the vibrancy, creativity and innovation that comes from an open network"
The worth was not addressed by this writing in any way, and the practical problems that far outweigh the idealistic goals were discussed by Moxie because what matters is the human rights to privacy of the users of the tool, not whether the infrastructure is based on idealistic ideas that don't offer tangible security benefits in practice.
Like Moxie said, prove that decentralization works by doing the bare necessities of implementing E2EE, then it's worth discussing whether the idealism part matters, and if decentralization has something useful to offer.
"Sure, you may end up with a super-private messaging app - but one that starts to smell alarmingly like a walled garden like Facebook’s Internet.org initiative, or an AOL keyword, or Google’s AMP. "
The negative connotations of these companies are about lack of respecting privacy. It's really weird to essentially say "you end up with super private app that shares other commonalities with privacy invading companies". Walled garden isn't ideal, but for now, it's more secure and that's what matters more to users.
"So, we continue to gladly take up Moxie’s challenge to prove him wrong - to show that it’s both possible and imperative to create an open decentralized messaging platform which (if you use reputable apps and servers) can be as secure and metadata-protecting as Signal…"
That's the attitude we need. Now go out there and use your preferred methods to make the idealistic protocol secure by default! Just don't expect me or anyone else to recommend its use before that happens.
"and indeed more so, given you can run your server off the grid, and don’t need to register with a phone number"
Will you be getting rid of IP-address leak to servers too? Quick jabs in closing notes that aren't thought out too well are not very nice.
"and in future may not even need a server at all."
Also maybe reconsider ending your refutal of criticism towards decentralized architecture by hinting that users should look towards upcoming P2P architecture.
Signal could be more tolerable if they did not threaten and harass those who develop third-party clients, citing their unreasoned claims that they somehow "burden" them (1). They cannot demand pull requests if they treat the community like that. Depending on the locale, even frivolous lawsuits can be a real nuisance.
1) https://github.com/LibreSignal/LibreSignal/issues/37#issueco...
Encryption is also not the only thing that matters. Amateurish functionality omissions are really annoying. For example, in 2015, Signal developers removed the option to create, join or leave groups in the desktop client (2), and they apparently still haven't fixed it. They don't want to, nor does anyone else. Maybe a less hostile approach towards community would yield better results.
2) https://github.com/signalapp/Signal-Desktop/issues/530
While I agree with you that this Matrix e2ee thing has taken way, way too long, let's not pretend that everything happens on time in those walled garden systems...