• Dreeg Ocedam@lemmy.ml
    link
    fedilink
    arrow-up
    5
    arrow-down
    4
    ·
    3 years ago

    Another issue is that you suggest using Matrix or XMPP, which take security much less seriously. XMPP is not encrypted by default, and Matrix has some serious issues regarding its trust model.

    • n0n@kallutatud.info
      link
      fedilink
      arrow-up
      0
      ·
      3 years ago

      That linked article talks about how crypto in browser is easily subverted. You don’t have to use matrix with a browser client and most people I know use standalone clients.

      • Dreeg Ocedam@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 years ago

        You don’t have to use matrix with a browser client

        But the presence of a browser client seriously undermines the security of the whole platform. People don’t know that they should not use the browser client. If it were a third party client it wouldn’t undermine the seriousness of Matrix, but the browser client is an official one, which shows that Matrix takes security much less seriously than Signal.

        • n0n@kallutatud.info
          link
          fedilink
          arrow-up
          0
          ·
          3 years ago

          True, the element.io site offers the browser client first, which I find wrong. On the other hand some of Signal’s choices were justified by “helping adoption” so I guess that falls under the same category.

          Currently I can’t find a way to see which client another user is using in the Element mobile app. Not sure if that is even possible. So I guess for really sensitive matters you have to make sure your collaborators know how to stay safe. And of course if your use-case really required a web-client you could just self-host it.

          • Dreeg Ocedam@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            3 years ago

            So I guess for really sensitive matters you have to make sure your collaborators know how to stay safe

            This is a really bad idea. The software you use should be usable safely without any knowledge of security if you want it to be really effective outside of security conscious people. And even security conscious people make mistakes.

            And of course if your use-case really required a web-client you could just self-host it

            That’s not an option for 99.99% of the population.