
Matrix – An open network for secure, decentralized communication - dunefox
https://matrix.org/
======
Arathorn
Beyond the general idea of Matrix itself, a nice snapshot of all the stuff
currently happening in the Matrix ecosystem right now is the This Week In
Matrix blog series, which goes out every Friday. This week’s one is at:
[https://matrix.org/blog/2020/08/21/this-week-in-matrix-2020-08-21](https://matrix.org/blog/2020/08/21/this-week-in-matrix-2020-08-21)

Some of the stuff I’m personally most excited about right now is Hydrogen
([https://github.com/vector-im/hydrogen-web](https://github.com/vector-im/hydrogen-web)):
a super lightweight web client which heavily leans on
indexeddb for storage and so minimises RAM. My primary account has 3000 rooms
and about 450K visible users - on element-web this uses 1.1GB of RAM, but on
hydrogen it uses 14MB :) We’re also looking at glueing E2EE into Hydrogen via
the crypto layer of matrix-rust-sdk, which could be a massive win in terms of
reusing and auditing a robust safe implementation for the Hard problem of
encryption, rather than implementing it from scratch every time in every new
client.

Dendrite (go server impl) progress is also very promising - we’ve been
focusing on it (at last!) since the beginning of the year, and going to enter
beta in the next few weeks. A typical small/medium live server is currently
using 57MB of RAM (rather than synapse’s ~500MB). We haven’t started
optimising yet :)

Synapse has also finally come of age - the whole codebase has almost been
switched to twisted/asyncio rather than twisted deferreds, which both speeds
things up a bit but also gives us way better visibility on profiling for
future perf work. Almost all bits now scale horizontally (apart from the
master dispatcher process). Synapse isn’t going away - we see Synapse and
Dendrite coexisting much as Apache and nginx coexist today.

Conduit is also super exciting as an entirely community developed Rust
homeserver, which currently runs ~10x faster than either Synapse or Dendrite
(but doesn’t federate yet, or scale horizontally). It’s really fun to see an
indie FOSS server implementation properly take off :)

Finally, P2P Matrix is coming together well - compiling Dendrite to WASM and
running it clientside, using Yggdrasil currently as an overlay network to
tunnel through to other P2P nodes.

In short: the Matrix ecosystem is in a fairly healthy place right now - the
next gen of clients and servers should be incredible :)

~~~
Legogris
Thanks for the insight, and had completely missed the blog!

On dendrite: What's your impression of friction needed to migrate an existing
synapse home server to dendrite? Would bridges like the mautrix family be API
compatible or would they have to add additional support for dendrite? And how
far away would you say you feel it is until dendrite is stable and ready for
individuals as personal production server?

Not looking for dates, just a feeling for how worth it is to invest getting
deeper into synapse if one intends to migrate to dendrite eventually.

~~~
Arathorn
The best way to migrate from synapse to dendrite will probably be by
decentralised accounts. We have plans (driven by p2p) to let your account
exist on multiple servers at the same time. The sort of way to do this would
be to have @alice:example.com sign something on @alice:elsewhere.com to prove
that she’s the same person. She then participates in all the same rooms from
both accounts, which are presented as a single logical identity to everyone
else.

So example.com could be synapse and elsewhere.com could be dendrite, and she
would automagically replicate her account over between the two. If she turned
off example.com, she’d have migrated over.

This is scifi right now, but it’s getting closer, as P2P isn’t very usable if
you can’t sync your account across multiple devices/nodes.

Alternatively someone could write a script to migrate synapse’s db into
dendrite’s schema (or dendrite’s kafka logs), but it’d be pretty fragile given
how rapidly both synapse and dendrite evolve.

tl;dr: jump in with Synapse today - the water’s great (even if others have
been scalded in the past). Migration to Dendrite or Conduit or whatever in
future should be transparent, one way or another.

~~~
ndarilek
Will it be possible to temporarily turn off example.com, let its absence
propagate across the network a bit, then turn it back on under a new server?
Synapse has been good to me, but I know Rust more than Python, and Conduit's
use of Sled is one less moving part for me to maintain for my single-user
server. Looking forward to migrating to a lighter server I can potentially
hack on, and would rather not change the underlying DNS infrastructure much.

~~~
Arathorn
No, the idea is that to migrate you would have to run both servers side by
side and then kill the old one. We haven’t yet figured out how you’d point the
old matrix id to refer to the new server (as I assume your concern is keeping
the same mxid as before), but presumably there will be a way to do so.

------
siraben
Matrix is great for bridging[0] between different chat applications.
Personally I use it a lot to bridge to IRC, which is a great alternative to
the older method of setting up a server for use with an IRC bouncer. Since
there's various Matrix clients for mobile (I use Element), you can chat on IRC
from anywhere. If this gets more people into IRC I'm all for it because it's
one of my favorite places on the internet for discussing and learning things.

There's a comprehensive tutorial[1] on how to connect to Freenode via Matrix.
Gitter ⇔ Matrix bridge is pretty good too, since Gitter is pretty horrendous
on web and especially mobile.

[0] [https://matrix.org/bridges/](https://matrix.org/bridges/)

[1] [https://github.com/matrix-org/matrix-appservice-irc/wiki/Guide:-How-to-use-Matrix-to-participate-in-IRC-rooms](https://github.com/matrix-org/matrix-appservice-irc/wiki/Guide:-How-to-use-Matrix-to-participate-in-IRC-rooms)

~~~
Vinnl
As someone who's in a Gitter room with a couple of people using the Matrix
bridge: it works, but I wouldn't call it great. Messages by Matrix users look
like messages by the same user ("Matrixbot" or something like that), which
simply prefixes its messages by `<username>`. @mentioning people no longer
autocompletes, and you often see Matrix users trying to do it as well but
inadvertently using someone's display name rather than their actual handle,
thus not resulting in a notification. And when a Matrix user tries to edit
their message, the edited message just gets sent again in addition to the non-
edited one which is still there.

~~~
Arathorn
we’re working with the gitter folks to do a much better job of bridging in the
nearish future :)

~~~
Vinnl
Good to hear :)

------
em-bee
previous and related discussions:

Matrix 1.0 and the Matrix.org Foundation
[https://news.ycombinator.com/item?id=20157809](https://news.ycombinator.com/item?id=20157809)

Matrix 1.0 – Are We Ready Yet?
[https://news.ycombinator.com/item?id=19416678](https://news.ycombinator.com/item?id=19416678)

Synchronous Messaging at Mozilla: The Decision
[https://news.ycombinator.com/item?id=21835749](https://news.ycombinator.com/item?id=21835749)

Automattic invests in Matrix
[https://news.ycombinator.com/item?id=23256050](https://news.ycombinator.com/item?id=23256050)

Cross-signing and end-to-end encryption by default
[https://news.ycombinator.com/item?id=23107564](https://news.ycombinator.com/item?id=23107564)

Running your own secure communication service with Matrix and Jitsi
[https://news.ycombinator.com/item?id=22802645](https://news.ycombinator.com/item?id=22802645)

We’ve decided to rename Riot
[https://news.ycombinator.com/item?id=23611863](https://news.ycombinator.com/item?id=23611863)

------
Funes-
In my own estimation, if anyone ever wants to engage with instant
messaging[0], and wants it to be in an actually secure manner, the best option
would be Briar[1]. It's anonymous (uses tor), P2P (meaning no data is
accessible to third parties--unlike Matrix, which is federated), encrypted,
and quite censorship resistant.

[0] I don't think it's an efficient, non-distracting or just desirable means
of communication.

[1] [https://briar.app](https://briar.app).

~~~
Youden
> meaning no data is accessible to third parties--unlike Matrix, which is
> federated

I acknowledge that this isn't an option for everyone but for the HN crowd,
it's fairly easy to run your own homeserver. You just need to install Synapse
[0] (which has a convenient Docker image [1]) and give your server a domain
name.

If you do this, your metadata will only be accessible to yourself and the
homeservers of your contacts (who could share your server or run their own).

Message contents are usually e2e encrypted, so the homeserver you use is
irrelevant.

[0]: [https://github.com/matrix-org/synapse](https://github.com/matrix-org/synapse)

[1]: [https://hub.docker.com/r/matrixdotorg/synapse/](https://hub.docker.com/r/matrixdotorg/synapse/)

~~~
phre4k
It's not about running the homeserver but not leaving metadata behind. At
least this is how I understood it.

------
Havoc
Keen to use this for notifications and web hooks etc. Slack seems great but
would rather not buy into yet another proprietary ecosystem if I can help it

------
MR4D
I think for Matrix to truly make a dent in the world, it will need libraries in
popular languages.

I should be able to spin up a client or server in python, JavaScript, rust, c,
etc with minimal effort.

~~~
ptman
There are client libraries for lots of languages, and a simple client is easy
with just a HTTP library:

[https://matrix.org/sdks/](https://matrix.org/sdks/)
[https://github.com/ara4n/random/blob/master/bashtrix.sh](https://github.com/ara4n/random/blob/master/bashtrix.sh)

~~~
MR4D
Sorry if I wasn’t clear - there also needs to be server libraries.

I can spin up a web server in python, Ruby, JavaScript, etc in a couple lines
of code. With matrix I need to install java and then do a whole bunch of
config.

My belief is that as long as that hurdle remains, it won’t hit widespread
adoption, even if the technology is great.

Personally, I really like it, and have used Riot for a couple years now. I’d
love to use it for our company, but it’s not yet there for ease of use on the
server side.

I think it will get there, it’s just not there now.

------
thepra
I've been running Synapse from home for more than a year, so far nothing is
too painful about maintenance, except at every update it's asking to review the
changes of the homeserver.yaml config file from the terminal, I would have
liked a more automatic approach, like when a setting is different from the new
one, just leave it as it is and update the rest.

~~~
ptman
Running debian? You can place override configs in /etc/matrix-synapse/conf.d/
and let /etc/matrix-synapse/homeserver.yaml stay updated by the package

------
daniel-s
Besides JSON, what's the main differentiator between Matrix and XMPP?

~~~
dependenttypes
Matrix has a single implementation that supports E2EE and it uses electron.
XMPP has multiple of them that do not.

~~~
Arathorn
This is completely untrue and disingenuous; there are loads of Matrix
implementations that support E2EE, and only one that happens to use Electron.

As of a few months ago, the list is: Element Web (via matrix-js-sdk), Element
iOS (via matrix-ios-sdk), Element Android (via matrix-android-sdk2), the old
Riot Android app (via matrix-android-sdk), weechat-matrix (via matrix-nio),
weechat-matrix-rs (via matrix-rust-sdk), Mirage (via matrix-nio), Nheko (via
mtx-client), gomuks (via mautrix), Seaglass (via matrix-ios-sdk), OCRCC
Chatbox (via matrix-js-sdk), FluffyChat Flutter, Daydream via matrix-rust-sdk,
etc.

There’s also pantalaimon (built on matrix-nio, and in future matrix-rust-sdk),
which lets _any_ Matrix client talk e2ee.

Hydrogen (github.com/vector-im/element-web) is also about to sprout e2ee via
matrix-rust-sdk.

~~~
maqp
So Pantalaimon is something that needs to be added and configured, how easy is
it to fuck up this configuration and accidentally send a non-E2EE message? Is
it a program you can forget to launch? Is it something that can crash and make
the user vulnerable?

How many of the apps you listed in second paragraph spawn E2EE chat by
default?

How many of the apps warn about E2EE not being enabled when joining a room?

How many of the apps warn when E2EE is broken by e.g. IRC-bridge-bots?

~~~
Arathorn
Pan won’t let you send plaintext msgs in E2EE rooms. If you don’t launch it,
your client can’t connect. It doesn’t have any known downgrade vulns. You
can’t downgrade an E2E room to a non-encrypted one.

I haven’t checked to see which of those apps spawns E2EE chat by default.
Element does, and I’d assume the other client devs are following suit; there’s
no reason not to. Likewise, I haven’t surveyed to see what UI they use to warn
for unencrypted rooms.

We’re currently working on an MSC to better advertise what bots/bridges exist
in a room so you can track whether any is likely to be leaking your
conversation to an unencrypted system. This is inevitably going to be on a
best effort basis though.

~~~
dependenttypes
> Element does

But does not warn regarding unverified sessions and will gladly send messages
to them by default.

------
junon
Please, stop using HTTP and JSON as a transport. I can't take any project
seriously that thinks this is a good combination.

Everything at Uber was HTTP and JSON and all it did was slow things down and
cause more bug surface area.

~~~
Arathorn
We use HTTP+JSON as the baseline default transport because it’s so ubiquitous
and well understood. Anyone who’s ever touched a browser or curl knows how to
use it.

However, Matrix isn’t tied to any single transport - you are encouraged to use
more efficient or exotic ones, eg
[https://matrix.org/blog/2019/03/12/breaking-the-100-bps-barrier-with-matrix-meshsim-coap-proxy/](https://matrix.org/blog/2019/03/12/breaking-the-100-bps-barrier-with-matrix-meshsim-coap-proxy/)

~~~
jeltz
Is there anyone currently working on alternate transports?

~~~
Arathorn
yeah, the whole P2P Matrix project is using different transports. One is
CBOR+CoAP+Yggdrasil, another is JSON+QUIC+Yggdrasil. The plan is to pull these
back into mainstream matrix when proven, especially as a push replacement.

------
corobo
Decentralised, adj: hard to use

~~~
Youden
Step 1: Open [https://app.element.io/](https://app.element.io/)

Step 2: Create account

Step 3: Enter username, password and email address

Step 4: Click confirmation email

Step 5: Log in

Step 6: Share your username with others

What aspect of this is hard to use?

There's also another pair of decentralized systems you might be familiar with:
email and the world-wide web. Do you think these are hard to use?

~~~
Multicomp
The steps you list above are not particularly difficult, but if everyone
followed them, the decentralization features might as well be redundant
because we would all be on one central set of servers.

~~~
kethinov
There are other public servers. Matrix is basically like email. Pick whatever
server you like and talk to whoever you want on any other server.

------
chromedev
Do they even have production-ready server software yet? Synapse is not great,
and they say Dendrite isn't ready for production.

~~~
67868018
Recent benchmark showed Dendrite (go) is slower than Synapse (Python) but I'd
guess it's from all the context switching with the multi process design of
Dendrite

~~~
siinamon
This has kept me from coming back to Matrix. Running your own homeserver can
be pretty atrocious.

~~~
fossuser
Their hosting is $10/month and totally worth it.

As a bonus, it helps to support the devs too.

~~~
rglullis
They already got investments from large governments and Automattic. I don't
believe they are in dire need of financial support.

I totally agree that more people should look into managed hosting, though.

~~~
Arathorn
The economics of this are curious actually. Element has had investments from
Automattic, VCs and Status.im (no governments, ftr). However, the only reason
people invest is in the expectation that Element can be a sustainable healthy
business - which it does so by providing Matrix SaaS hosting, and
support/consulting for big on premise deployments.

In other words, it’s critical that folks use the managed hosting in order to
be sustainable, otherwise we’re just burning fossil fuel, as it were.

~~~
rglullis
I misspoke. I wanted to say that the money from the governments is part of
the revenue as "support/consulting for big on-premise deployments". Sorry
about that.

In any case, I would be surprised that Element relies on getting a significant
part of their revenue from the SaaS. Isn't p2p-matrix going to cannibalize
that market? I could swear that the strategy for you would be to chase the
enterprise/government market and let p2p-matrix as an alternative for network
effects and/or those who don't want to pay and prefer to manage things
themselves.

~~~
Arathorn
np - just wanted to clear up the confusion if folks might think Element might
be part-owned by nation states, which it isn’t.

So we expect revenue from SaaS, where plain TCO says it’s cheaper to get us to
host your data than pay in-house people to sysadmin it for you. It’s still
your DNS and your keys, and we provide db snapshots if you want, so it really
is just outsourced hosting. There is definitely a market for this, as well as
separately providing support for massive on premise deployments.

P2P then drives both by network effects. It effectively becomes the default
free-for-all platform - but anyone who actually wants a serious home for their
data (e.g. any business) will want to find a server, whether that’s selfhost
or SaaS.

~~~
rglullis
Ok, cool. Follow-up questions: I honestly believed that your SaaS offering was
just a middle-market play and that you expected to be filled by a cottage
industry of sorts. Don't you have any concerns about other businesses
undercutting you? In a way what I am doing with communick competes already
with your hosting (or I can dream about it) and I won't have the overhead of
funding development. What if AWS/GCS/Azure decides to offer Matrix as well?

~~~
Arathorn
We don’t expect to be the only SaaS players - but we still think it’s a good
market. The more hosting solutions the better - we believe there’s enough
customers for everyone to go around :) We’ve started maintaining a list in
matrix.org - and if the big boys started offering Matrix hosting too; it
sounds like a good problem to have! (Plus the sort of people interested in
Matrix are probably not that interested in buying it from GAFAM ;)

------
ThA0x2
Every time I hear Matrix.org being mentioned, I giggle:
[https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident](https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident)

Describing their practices as sophomoric may be giving them too much credit.

~~~
chromedev
I believe they tried blaming this on the creator of the C++ port of their
server software without any proof and it sort of left a bad impression with
me.

~~~
Funes-
I think everyone should be free to post whatever they want; nonetheless,
providing some kind of source to incriminating claims would be great--if only
to make verifying them easier to other users.

In any case, this kind of post is a reminder to stay alert and think
critically; otherwise, we would believe many instances of misinformation
without giving them a second thought. And we cannot expect others to downvote
comments to oblivion or moderate them: it's something we ourselves have to be
responsible for.

~~~
chromedev
[https://news.ycombinator.com/item?id=19418111](https://news.ycombinator.com/item?id=19418111)

~~~
Arathorn
That post was nothing to do with the security incident in question here (which
happened April 11th 2019; that post is from March). The details in that post
are sadly true (as others confirm on that thread).

However, we have no reason to believe there was a link to the April incident.

~~~
chromedev
You called him malicious/dangerous and said he is involved in an ongoing
campaign of exploiting security vulnerabilities in Matrix.

~~~
detaro
Which is not what you claimed.

~~~
chromedev
That's how I perceived it.

~~~
phre4k
Maybe you want to look into your perception of the world in contrast to facts.
Some bias in there apparently.

~~~
chromedev
Based on what was said by Arathorn, it would be easy for anyone to perceive it
that way

~~~
detaro
It would be easy to perceive Arathorn to be talking about some future event
instead of the protocol issues he mentions earlier in the same comment?

