I’ve learned about, installed, and configured both Synapse (official Python server implementation) and riot-web (browser version of Riot, the official client) recently, to give me and some friends a post-IRC means of modern, secured chat.
There are some wrinkles, but in the main I think the project is making significant progress on making the whole thing work well for both admins of the hosted server and riot-web, and people signing up to and using the network with Riot.
Key management and verification needs the most work in Riot (even the redesigned client), especially for secure channels. That’s the biggest point of friction for me and my friends so far.
I’m very much looking forward to what Matrix can do as a network, and what both rich clients like Riot, combined with esoteric clients that do strange and wonderful things, can enable.
Yes, Riot really needs a way to swap keys using NFC, so you only have to tap phones together when you meet. We actually did get an encrypted chatroom going at the last KVM Forum in Edinburgh, but it was insanely tedious to do all the key verification.
Meanwhile we also have cross-signing on the horizon, as demo'd in the OP: (https://github.com/matrix-org/matrix-doc/pull/1756) so you only have to verify a user once and then transitively trust all their other devices automatically (assuming that user verified them when they logged in).
This was a massive amount of work, but tantalisingly close.
Edit: NFC would be cute, but it's not ideal from an evil maid perspective, and you'd have to tap to confirm that you verified the right user ID anyway. So personally QR codes ftw.
Matrix is an open standard protocol (https://matrix.org/docs/spec) and an open network like the Web, but for realtime comms. Anyone can spin up a server and start participating in the network, and in Matrix the conversations are replicated over all the servers whose users participate in that conversation, so there is no single point of failure or control: the conversations are owned by the users. All the implementations we release as matrix.org are Apache licensed FOSS.
Now, Keybase is cool - particularly how it's effectively a key management system which drives a collaboration tool. We hoped originally they would provide it as a decentralised identity management system that we could hook into Matrix to replace our identity service. But in practice it seems to be centralised, and whilst the client is FOSS (https://github.com/keybase/client) the server isn't. So, it's more an E2EE-capable centralised collaboration tool built on a cool key management system. I believe their E2EE is based on shared keys rather than a cryptographic ratchet (Matrix uses inspired-by-Signal Double Ratchet with extensions), which is a simpler approach, but doesn't give you the option of PFS. I'm also not sure if their crypto has been audited (whereas we have a slightly ageing audit of Matrix's implementation over at https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-en...).
[disclaimer: I'm project lead of Matrix and the author of the OP]
Any plans to focus on Riot as a, let's say, WhatsApp/Signal alternative too, from what it actually seems as of now, which is just being a Slack/IRC alternative?
And with that, any chance of an easier way of having an ID/username? @<user>:matrix.org seems extremely easy and convenient for me but may not be the same for my friends and family, without whom any messaging platform is useless.
PS. Totally rooting for you guys! I wish Signal was federated though.
Riot is already a pretty serviceable Signal / WhatsApp alternative. You can start conversations by username or email in one-on-one rooms that you can encrypt, and they show up as separate entries beside the groupchats in Riot's UI.
> And with that, any chance of an easier way of having an ID/username? @<user>:matrix.org seems extremely easy and convenient for me but may not be the same for my friends and family, without whom any messaging platform is useless.
Matrix emphasizes the use of third-party IDs (3PIDs) via dedicated identity servers. The idea is to link your Matrix ID (@user:server) to other identifiers like your email or phone number. Then you can use those to log in and other users can find you using them too.
I might sound dismissive, but in my view Keybase is entirely focused on being an identity provider; all the other tools they've been developing on the side are nice to play with and will probably be the ones bringing in money to them, but at the core they're not really reinventing the wheel, and wouldn't have any value without the powerful and simple-as-dirt reliable identification platform they provide. I might be completely off but I'm sure their dream would be that any new protocol would care about the exchange of data, and leave authentication and identity checking to them.
AFAIK Keybase is centralized while Matrix is federated, so you can set up and run your own Matrix server without worry of a central point of failure (or surveillance).