
Comment by fsflover

2 years ago

Which is irrelevant when Amazon has all IP addresses.

So the two things we're comparing are:

1. Signal, where an attacker with granular access to AWS's global network logs could perform traffic analysis to match timings between sender and recipient IP addresses, which would work for some portion, and narrow things down for some other portion. The attacker would then need to combine that with data from mobile networks and other ISPs to link the sender/recipient IPs at a given timestamp with a subscriber.

2. Other messaging platforms, including Matrix, where they can just check the server's database to get a table of what user messaged what other user at a given time.

  • On Matrix, that assumes the attacker knows where the server is or that it even exists. Whereas on Signal it’s pretty obvious where the server is, given there’s only one logical server.

    • Yeah matrix is pretty great.

      The only thing I find is that it's such a moving target. I was trying Element X last week which is now meant to be the new client to be. But I wasn't able to set up the encryption with my recovery key, there was only the online validation which I couldn't use because I was on the go and didn't have access to my desktop. It's supposed to be better but still lacks such basic things (also seems to still lack TOFU for my private server)

      The same with the homeservers, there's synapse and dendrite is supposed to take over at some point but that point is forever far in the future. And then there's conduit, so which one is it? I understand this is a fully open multi-server multi-client platform but I kinda expect the "stock" ones to be clear in their strategy :)

      The strategy doesn't really feel well thought out in that sense. I really like Matrix and am rooting for it but such things undermine my confidence in recommending it to others.

      I'm sure the questions I ask are crystal clear to the Matrix in-crowd but to me they're not. In that sense it feels a bit like recommending Arch Linux to a beginner, the first thing they have to do is choose a partition scheme, a network management stack, a desktop environment etc etc. This just doesn't work for those that aren't already deeply in the know :)
