While Signal’s home base is the US, they are a non profit org that doesn’t operate in the same way as for-profit corporations. Also, Signal collects basically zero data so there’s no incentive to sell out, and who would want to buy them anyway when they have no data and the server and client are open source.
Matrix is great, but I wouldn’t compare it to Signal. I use both for very different purposes.
Agree with the sentiment against signal. However, Matrix is terrible for anyone who doesn’t want to bother with reading up on several hours of information just to use a text messenger. I will start recommending Matrix the moment someone actually manages to produce a feature complete client with usable UI/UX.
+1 This is why I moved my family over to Signal, despite it being an American company.
Another benefit is that it’s gaining some serious traction with a lot of people now moving to Signal. Makes it easier for family members to move as well.
XMPP allows unencrypted messages and leaks metadata - Signal does neither.
Signal does need (yes, need) a phone number, and most people only have one so that is identifiable info.
Signal is basically a privacy enhanced text/SMS/phone replacement. I can give my phone to someone in person and they can immediately start “texting” me on Signal - this is a feature (as well as a con to some people).
This puts it at mostly the same level as some competitors, including WhatsApp which is often advised against.
People advise against Whatsapp because while it uses Signal to encrypt message contents, they take no effort to minimize the collection of metadata - Signal’s been compelled by court to present all data it has on its users various times and the only info they have is the day/time you signed up for their services and the last day (not time) one of your clients pinged their servers - Source: https://signal.org/bigbrother/
I have yet to find any other free service that collects this little information and works just as well as a normal non-encrypted messenger. Even Signals sticker packs are end-to-end encrypted - Source: https://signal.org/blog/make-privacy-stick/
What metadata does XMPP leak?
AFAIK only when a message was sent, roughly (in large increments) how large the message was, the server of the sender knows from who to which server, the server of the recipient knows from which server to who.
I find it strange that Signal somehow doesn’t know when a message was sent, and from who to who; how would they ever make this possible?
Also, you say you have yet to find any other free service that collects as little data… How about most e-mail providers?
Not Google and Microsoft of course, but most e-mail providers only need a name which can be made up as well.
You hm also host your own email server, then you are in control.
All of this is true for XMPP and Matrix, as well.
Sender’s Full Jabber ID (JID): This is typically in the format user@domain.com/resource. The user@domain.com part identifies the user and their home server, and the /resource identifies the specific client device they are using (e.g., alice@example.com/mobile or alice@example.com/laptop).
Recipient’s Full Jabber ID (JID): Similar to the sender’s, this specifies who the message is intended for, including their user, home server, and often the specific resource.
Sender’s Server: The domain of the sender’s JID reveals which XMPP server the sender is connected to.
Recipient’s Server: The domain of the recipient’s JID reveals which XMPP server the message is being routed to.
Timestamp of Message Transmission: Servers record when a message was sent, which can be used to infer activity patterns.
Approximate Message Size: While the exact content is encrypted, the size of the encrypted stanza can still be observed. This can sometimes give clues about the type of content (e.g., a small text message - versus a larger file transfer).
Message Type (e.g., chat, group chat, presence, IQ): XMPP uses different stanza types for various purposes. Even with E2EE, the type of stanza (e.g., a “message” stanza vs. a “presence” stanza) is visible.
Participation in Group Chats: If a user is part of a Multi-User Chat (MUC), the MUC service and the user’s participation in it are known to the MUC server and potentially other participants’ servers.
Presence Information: XMPP inherently broadcasts presence (online/offline status, “away” messages, etc.) to contacts. This reveals when a user is active.
Contact List (Roster) Information: While not “leaked” during every message, the XMPP server hosts and manages the user’s contact list, meaning the server knows who a user is communicating with.
Device Information (Resource): As mentioned, the /resource part of the JID can reveal the type of client or device being used.
I find it strange that Signal somehow doesn’t know when a message was sent
Signal uses Sealed Sender (wired.com). Imagine if letters you sent didn’t require a “from” field - or it was inside the envelope and impossible for anyone to see it. The post office would only know who its going to and only the recipient can decrypt it (open the letter) to see who sent it. Now, you could say, well they have your IP and can correlate it to the account, but the easy way around this is to either use a VPN or Signal proxy (support.signal.org) if you’re that paranoid.
How about most e-mail providers? Not Google and Microsoft of course, but most e-mail providers only need a name which can be made up as well
Most email providers suffer similar metadata leaks as XMPP because:
Email was created in the 70’s and we’ve learned a lot since then about privacy and security.
XMPP works off a similar concept where you inherently pass data along to another server.
You could host your own email, XMPP, or Matrix server - that’s definitely a win for privacy. But as soon as you interact with someone outside your ecosystem (server), metadata leakage is an issue again. It’s why making end-to-end encrypted email is a hard problem to solve. It’s not that it can’t be secure, its that it has to work with those that aren’t because that’s the expectation.
… host your own email server, then you are in control
Until you interact with others who aren’t using encryption or have it misconfigured.
Chatgpt used to be a non profit. Now it’s almost half Microsoft owned. Sneaky! T&cs can change too (e.g. Firefox selling out google funds them a bit now apparently? ). Don’t give up just find European fully alternatives.
FWIW Matrix and XMPP are also decentralised, much like e-mail is, which is why I recommended it.
I’m immediately skeptic about SimpleX’s premise of having no user IDs; they’ll likely need some unique field for each user, this might as well be a UUID or something like that… So what’s the benefit?
I think the other person here explained the thing about user ids. Matrix and xmpp are good too, they’re just different.
Simplex is more of a messenger, while xmpp/matrix are more of discord alternatives.
Also simplex works with nodes. I can host a simplex server and it will be added to the network. In matrix/xmpp if I host a server it will be a new instance, like in lemmy (if I get it right). Simplex’s approach is like tor’s approach, each server added contributes to the whole network (they arent a separate instance).
If you check their page they have some bery good features, to me it seems like its signal, done (somewhat) right. Signal doesnt even have a proper way to migrate accounts across devices… not to mention the phone number requirement which might scare people who aren’t gonna waste time hearing my explanation as to why it’s not an issue or the fact that until recently signal would notify everyone in your contacts who had a signal account that you made an account, bruh
There’s also this comment here that throws some shade to matrix, havent looked much into that tho.
Signal is American
Opt for a Matrix or XMPP provider in Europe (magicbroccoli.de is a genuinely great XMPP provider)
While Signal’s home base is the US, they are a non profit org that doesn’t operate in the same way as for-profit corporations. Also, Signal collects basically zero data so there’s no incentive to sell out, and who would want to buy them anyway when they have no data and the server and client are open source.
Matrix is great, but I wouldn’t compare it to Signal. I use both for very different purposes.
Agree with the sentiment against signal. However, Matrix is terrible for anyone who doesn’t want to bother with reading up on several hours of information just to use a text messenger. I will start recommending Matrix the moment someone actually manages to produce a feature complete client with usable UI/UX.
yeah been trying out matrix. Setup a server and tried various clients. They are all shit.
+1 This is why I moved my family over to Signal, despite it being an American company.
Another benefit is that it’s gaining some serious traction with a lot of people now moving to Signal. Makes it easier for family members to move as well.
XMPP is more comparable to Signal, yes.
Signal does need (yes, need) a phone number, and most people only have one so that is identifiable info.
This puts it at mostly the same level as some competitors, including WhatsApp which is often advised against.
XMPP allows unencrypted messages and leaks metadata - Signal does neither.
Signal is basically a privacy enhanced text/SMS/phone replacement. I can give my phone to someone in person and they can immediately start “texting” me on Signal - this is a feature (as well as a con to some people).
People advise against Whatsapp because while it uses Signal to encrypt message contents, they take no effort to minimize the collection of metadata - Signal’s been compelled by court to present all data it has on its users various times and the only info they have is the day/time you signed up for their services and the last day (not time) one of your clients pinged their servers - Source: https://signal.org/bigbrother/
I have yet to find any other free service that collects this little information and works just as well as a normal non-encrypted messenger. Even Signals sticker packs are end-to-end encrypted - Source: https://signal.org/blog/make-privacy-stick/
What metadata does XMPP leak? AFAIK only when a message was sent, roughly (in large increments) how large the message was, the server of the sender knows from who to which server, the server of the recipient knows from which server to who.
I find it strange that Signal somehow doesn’t know when a message was sent, and from who to who; how would they ever make this possible?
Also, you say you have yet to find any other free service that collects as little data… How about most e-mail providers? Not Google and Microsoft of course, but most e-mail providers only need a name which can be made up as well. You hm also host your own email server, then you are in control. All of this is true for XMPP and Matrix, as well.
user@domain.com/resource. Theuser@domain.compart identifies the user and their home server, and the/resourceidentifies the specific client device they are using (e.g.,alice@example.com/mobileoralice@example.com/laptop)./resourcepart of the JID can reveal the type of client or device being used.Signal uses Sealed Sender (wired.com). Imagine if letters you sent didn’t require a “from” field - or it was inside the envelope and impossible for anyone to see it. The post office would only know who its going to and only the recipient can decrypt it (open the letter) to see who sent it. Now, you could say, well they have your IP and can correlate it to the account, but the easy way around this is to either use a VPN or Signal proxy (support.signal.org) if you’re that paranoid.
Read more about it here: Technology preview: Sealed sender for Signal (signal.org)
Most email providers suffer similar metadata leaks as XMPP because:
You could host your own email, XMPP, or Matrix server - that’s definitely a win for privacy. But as soon as you interact with someone outside your ecosystem (server), metadata leakage is an issue again. It’s why making end-to-end encrypted email is a hard problem to solve. It’s not that it can’t be secure, its that it has to work with those that aren’t because that’s the expectation.
Until you interact with others who aren’t using encryption or have it misconfigured.
Chatgpt used to be a non profit. Now it’s almost half Microsoft owned. Sneaky! T&cs can change too (e.g. Firefox selling out google funds them a bit now apparently? ). Don’t give up just find European fully alternatives.
Signal will operate until Elon Musk decides that everyone has to use X to communicate.
Also simplex is a good alternative, it’s decentralized:)
This? https://https/://simplex.chat/
FWIW Matrix and XMPP are also decentralised, much like e-mail is, which is why I recommended it. I’m immediately skeptic about SimpleX’s premise of having no user IDs; they’ll likely need some unique field for each user, this might as well be a UUID or something like that… So what’s the benefit?
Since it’s related, here’s a good comparison:
https://eylenburg.github.io/im_comparison.htm
I think the other person here explained the thing about user ids. Matrix and xmpp are good too, they’re just different.
Simplex is more of a messenger, while xmpp/matrix are more of discord alternatives.
Also simplex works with nodes. I can host a simplex server and it will be added to the network. In matrix/xmpp if I host a server it will be a new instance, like in lemmy (if I get it right). Simplex’s approach is like tor’s approach, each server added contributes to the whole network (they arent a separate instance).
If you check their page they have some bery good features, to me it seems like its signal, done (somewhat) right. Signal doesnt even have a proper way to migrate accounts across devices… not to mention the phone number requirement which might scare people who aren’t gonna waste time hearing my explanation as to why it’s not an issue or the fact that until recently signal would notify everyone in your contacts who had a signal account that you made an account, bruh
There’s also this comment here that throws some shade to matrix, havent looked much into that tho.
Oh that is a great explanation, thanks a bunch!
Each convo gets its own UUID, and the convos can be spread across different servers/companies too.
That said the notifications don’t work consistently for me on iOS, so that’s a dealbreaker. Hopefully they fix that soon.