Matrix is an open-source project that publishes the Matrix open standard for secure, decentralized, real-time communication. In this blog post, I will compare the Matrix protocol with some of the most commonly used centralized instant messengers, namely Whats App, Signal, and Telegram. For a comparison of all instant messaging protocols in a spreadsheet format refer to this Wikipedia article.
Security
Matrix features end-to-end encryption by default. It uses asymmetric encryption, which means that each user has a private key and an associated public key, also known as key pair. The private key is only known to the user and used for decrypting messages. As the name suggests, the public key of each user is available publicly. It can only be used to encrypt messages meant for the owner of the respective set of keys. Once the message is encrypted, it can only be decrypted with the associated private key.
The messenger that comes closest to Matrix in regard of security is Signal. In fact, Matrix uses the Double Ratchet algorithm, used in the Signal Protocol and invented by Signal. Several security audits confirm that the Signal Protocol is cryptographically sound and secure. The Olm library is an independent implementation of said algorithm, created by Matrix, while Megolm is an extension of that library, intended for large group communications. Another advantage of Megolm is that it allows the receiver to decrypt the messages multiple times. The ciphertext can be stored on an untrusted server, while the user can decrypt the message with as many clients as needed. While Matrix allows the user to have an unlimited amount of devices connected to the network, Signal can only have one main device, which must be a mobile device. It then allows to link up to five desktop and tablet devices with that main device. A further limitation is that linked devices only sync new messages from the main device, starting from the time when the link was created. Further, the syncing breaks the end-to-end encryption. The main device will in fact re-encrypt the message before syncing them to the linked devices. In contrast, when logging into a new Matrix device, it requests permission from another device to transmit the private key of the user. Alternatively one can manually import a backup of the private key. This allows each client to directly request the encrypted message from the server.
Now to Whats App by Facebook, the most popular mobile messaging app in the US, and likely in the whole so-called western hemisphere. Whats App directly implements the Signal Protocol. Like Signal, it only allows for one main device to be connected. Other devices are connected through the Whats App Web interface. The amount of those devices is not limited, though only one can be active at the same time. This device syncs the messages from the main device, but unlike Signal the whole message history is viewable. The same limitations as Signal regarding end-to-end encryption also apply to Whats App Web. The major security flaw with Whats App is that your private key is stored on Facebook’s servers. This basically allows Facebook to read all your messages. Although Facebook still claims that they do not read their users’ messages, it is publicly known that they do. Either when their algorithm detects a suspicious message or a user manually report a message, all recent messages of this chat will become visible to a moderator. I would not rule out that Facebook is constantly processing messages for marketing purposes, i.e. creating an advertisement profile of a user, which they can link to their other services.
Lastly, there is Telegram. Although commonly used by people, who try to evade monitoring by their government or other institutions, it is in fact the least secure competitor. The protocol used by Telegram is called MTProto, which is based on symmetric encryption. In the past several security flaws have been found in the protocol, thus it can not be described as cryptographically sound. By default, direct messages are not end-to-end encrypted. Only when manually selected, a new device-bound end-to-end encrypted chat will be started. This means when a user starts an encrypted chat on his phone, it won’t be visible on the desktop client. Further, there is no possibility at all to have end-to-end encrypted group chats. So, by default text messages in Telegram are only protected by encryption in transmission and not end-to-end encrypted. At least their voice and video calls are end-to-end encrypted by default.
Concluding, in single device scenarios Signal and Matrix provide the same level of security. Although Whats App uses the Signal Protocol, the private key of the user is stored at Facebook’s servers, giving them the ability to decrypt and read any message. Simply put, it is secure against third parties but not against Facebook. Telegram is the least secure competitor, as it doesn’t provide end-to-end encrypted group chats and their protocol is simply inferior in general. In multiple device scenarios, Matrix is superior, as every device directly accesses the ciphertext from the server, instead of syncing from the main device and therefore breaking end-to-end encryption, like Whats App and Signal do.
Data-Privacy and Data-Sovereignty
What makes Matrix special is the decentralization aspect. The Matrix network is not controlled by a single institution. Instead, it consists of many homeservers, joined together in a federation. This gives users the freedom to register with their preferred homeserver or even host their own homeserver.
Think of the Matrix network as of E-Mail and its SMTP protocol. It doesn’t matter with which server you are registered, you should be able to use any E-Mail user on the internet. In fact, Matrix user IDs look rather similar to E-Mail addresses. For instance, my E-Mail address is “gerrit@gogel.me” and my Matrix ID is “@gerrit:gogel.me”. Resolving of endpoints also works similar to SMTP, where the sending server will look up the MX record of the receiving domain via DNS, in order to find the IP address of the associated SMTP server. In the Matrix protocol, the sending homeserver will look up the SRV record named “_matrix” of the receiving domain to find the IP address of the receiving homeserver.
In contrast, Signal, Whats App and Telegram are all centralized messaging networks. One institution has full control over the network and hosts all servers. While using a service with end-to-end encryption, this might not matter in regard to data privacy, but it does in regard to the stability of the network, as the recent outage of all Facebook services has shown again.
Concluding, Matrix is superior in regard of data privacy compared to all other competitors, simply out of the nature of its decentralized network structure.
Expandability, Integratability and Open-Source
Starting with Whats App, their system is mostly closed. Users can only connect to the network using the official app. Their server and client software are closed-source, although they heavily rely on open-source software. Third-party tools, like chatbots, can only be implemented through their chargeable Business API.
All of the Signal software, both client and server-side, is open-source. Although it is theoretically possible to connect third-party clients and integrations to their network, they are actively against it.
Telegram only offers their client as open-source, while their server-side is closed-source and proprietary. Compared to Signal, they support and appreciate the development of third-party clients and integrations, such as chatbots.
Regarding Matrix, everything is open-source. They support and appreciate any development around their messaging protocol. It is even possible to implement server software according to their specification. Although, to my knowledge, nobody except the organization themself has implemented one so far. The first homeserver software they have developed is called Synapse, which is written in Python. They are currently developing a second-generation server, called Dendrite, written in Go. It is intended to have greater efficiency, reliability, and scalability over Synapse. The discover section of their website offers an overview of all software created around the Matrix protocol, including a variety of clients, bots, SDKs, and bridges. The latter aims to bridge the Matrix network with other communication channels, such as Telegram, Discord, and Slack. The most popular Matrix client is Element, available on Web, Android, iOS, macOS, Windows & Linux. It is the most common way to enter the Matrix.
Conclusion
In all considered departments Matrix is superior to its competitors. Obviously, this post mostly covers technical aspects and does not cover topics such as client usability. For example, it would be reasonable to argue that Element is more complex to set up and use than Whats App. Especially less technically affine users first have to get their head around the decentralized concept and registration process, where you not only provide your phone number but actually register with a username and password. On the other hand, the openness of Matrix allows for full flexibility when designing and implementing clients, which will eventually solve this problem. In fact, most of the other available clients market themself as less complex.
In my opinion, Matrix will eventually deprecate all other messaging services, the same as SMTP has superseded X.400 as standard for E-Mail. Although it is still fairly unknown, it has gained in popularity rapidly within the last years, especially in the public sector. French and German authorities already deployed matrix in various departments and will continue to do so. For instance, the Bundeswehr is already using Matrix for communication on the highest confidentially level for about a year.
This was a very informative blog article! I also think Matrix is the future
That’s the way, spread the word about Matrix! Definitely need to get going and spin up my Synapse instance ASAP!! Great read and explanations, sir!