85
Giving Up on Element & Matrix.org
(xn--gckvb8fzb.com)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 19 Jul 2025
85 points (95.7% liked)
Technology
74251 readers
774 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
What's the protection in the clients assuming compromised infrastructure, like e.g. in https://notes.valdikss.org.ru/jabber.ru-mitm/ ?
I'm afraid that's quite outside my field of expertise. I can only report how my experience on XMPP has been as a user, though perhaps @poVoq@slrpnk.net, who hosts it, may be able to weigh in on that. Edit: ah, I see you already have 😄
Though from my untrained eye, it seems that Jabber.ru was compromised due to not enabling a particular feature on their server
And it seems that hosting it externally on paid hosting service (hetzner and linode) left them particularly vulnerable to this attack, and tgat it could've been mitigated by self hosting the XMPP locally, as well as activating that feature.
https://www.devever.net/~hl/xmpp-incident
This article discusses some mitigations.
You an also use a platform like simplex or the tor routing ones, but they aren't going to offer the features of XMPP. It's better to just not worry about it. This kind of attack is so difficult to defend against that it should be out of the threat model of the vast majority of users.
Significant improvements to certificate pinning and validation have been added to all major XMPP clients as a result of this incident, but it should also be clear that hosting a server on infrastructure under control by an antagonist government (see also Signal) is a very bad idea and hard to mitigate against.
Signal doesn't suffer anything worse than DoS if a hostile party controls the central service. That's its point and role. It's based on the assumption that such hostile parties as governments don't like DoS'ing central services, they prefer to be invisible.
For other points and roles other solutions exist. One can't make an application covering them all, that never happens.
Briar again (I've finally read on it and installed it, and I love how it works and also the authors' plans on the future possibilities based on the same protocols, but not for IM, say, there's an article discussing possibility of RPC over those, which, for example, can give us something like the Web ; I mean, those plans are ambitious and if I want them to succeed so much, I should look for ways to defeat my executive dysfunction and distractions and learn Java). Except it would be cool if it allowed to toss data over untrusted parties, say, now if two Briar users in the same group are not in each other's range, but there's a third Briar user not in that group between them, their group won't synchronize (provided they don't have Internet connectivity). If one could allow allocating some space for such piggybacked data, or create some mesh routing functionality, then it would become a bit cooler.
You are very naive if you think that is all the US government can do in regards to Signal, but suit yourself 🤷
OK, so what else in your opinion can it do?
A lot, but please educate yourself, this topic has been extensively discussed here and in other places.
Thanks for the advice.
This is noise, not an argument.
I dunno what's the purpose of this comment. I asked for specific things, not for noise.
Whenever anybody on the internet tells you to educate yourself, but refuses to provide the information they allude to, they're lying. They know they're lying.
Signal has issues, like SVR.. which are worth discussing on their own without this weird vague eliteism
Yes, I know that.
Especially the "this has been discussed before" thing, I dunno about other countries and cultures, but in Russia this is the most common obnoxious shit people without arguments and thinking they have authority use.
Yeah it's like appealing to authority and social pressure all in one. We already discussed it. Bah.
Anything that's been proven/confirmed?
End to end encryption between clients (also for groups) seems to partly address the issue of a bad server. As for self-hosting, any rented or cloud sevices are very vulnerable to an evil maid. So either in-house hosting or locked cages with tamper-proof hardware remain an option.
Signal is under control by the government? 🤔
Their server infrastructure is (run by Pentagon and NSA best buddies AWS).
And that means the government controls it?
The infrastructure is under control of an antagonistic government, yes. Hetzner is also technically a private company, but they obviously willingly complied with requests from the German government.
And what are the implications of that control? It doesn't mean they can access anything on it. Especially not data that doesn't exist.
They have live access to all of the metadata and can easily correlate that with phone numbers that Signal stores and shares on request of governments. Just because Signal claims they don't store anything doesn't mean that the ones that 100% run all the servers Signal uses don't access and store anything. You are being extremely naive if you believe Signals BS marketing.
I'd love to see the evidence you have for this.
I don't believe in marketing. I believe in open source code, security audits, and the entirety of the privacy and security community.
Look, if you run the server you have access to metadata of clients connecting to it. That is networking 101. And that Signal shares phone numbers and connection timestamps is well established by court documents.
The security audits are of the code and encryption algorithm, not the infrastructure.
So you don't have any evidence.
They do not share phone numbers. Phone numbers are the identifier, meaning if anyone wants the timestamps, they need to have it already.
The only timestamps shared are when they signed up and when they last connected. This is well established by court documents that Signal themselves share publicly.
I don't need evidence for water being wet 🤷
I can observe that water is wet. I cannot observe that the NSA is collecting mountains of metadata from Signal servers.
You can observe that your Signal client connects to IPs that belong to AWS, which is the same thing.
LOL no it's not.