this post was submitted on 02 Feb 2025
44 points (90.7% liked)


What ultimately pushed me to leave Matrix was discovering that my homeserver's admin was using my account without my consent.

In an encrypted room even with fully verified members, a compromised or hostile home server can still take over the room by impersonating an admin. That admin (or even a newly minted user) can then send events or listen on the conversations.

…, I've decided to move my conversations over to SimpleX.

For the past few months, the Matrix community has been largely inactive (despite having over 5,000 members), while the Telegram community has remained much more vibrant. This is disappointing given that I have been a strong advocate for using Matrix and have promoted it widely. For some reason, people are not moving to Matrix at the rate I had hoped.

[–] Kissaki@programming.dev 8 points 7 hours ago (1 children)

I thought the same at first, but honestly, there's probably nothing that warrants impersonation. If it's a system announcement or change from the host, it should be labeled as such.

[–] hendrik@palaver.p3x.de 6 points 7 hours ago* (last edited 1 hour ago)

Sure. I haven't looked into the technical details. Impersonation often is a crutch to deal with technical shortcomings. Though in this scenario it changes the whole story, whether the admin does someone a favor or is acting maliciously. And I'm not even sure if this allows breaking encryption. At least in the old days, Element would ask me to verify each new device. And the admin doesn't have access to the encryption keys, since they're stored with the client. So I'm not sure what's happening here and I'm also not sure about the implications. Just seemed kind of fishy to me to omit that kind of information in a longer article. Can the admin do more than change the room version and maybe kick or ban people? Because that would be well within their job.