alt Hacker NewsI was on a team that evaluated moving a significant portion of a product that should be used for government/healthcare onto Matrix. There were several drawbacks that made us NOT go this route:
- Olm/Megolm does not offer forward secrecy for group messaging
- Olm/Megolm does ensure end-to-end encryption for message data, but not for metadata.
- Federation makes it challenging to be GDPR compliant
- Synapse is very heavy, other implementations are less production ready
- For better or worse, the matrix foundation is under UK jurisdiction.
I'm sure I forget some of the nuance, but these were some of the major points. However, there are several government entities in Germany, France, Poland, etc, that can live with the limitations and DO self-host Matrix servers.
I won't go into the pair of high-severity vulns in 2025 (and the somewhat difficult mitigation) because that could hit anyone.
Replies
Thanks for the info, what do you think about Delta chat?
Which tool did you guys end up using?
> - Federation makes it challenging to be GDPR compliant
Can you elaborate? AFAIK when everything is encrypted, GDPR compliance is trivial.
> Olm/Megolm does not offer forward secrecy for group messaging
Megolm does provide forward secrecy - just in blocks of messages. If a message key gets stolen, an attacker could decrypt subsequent messages from that sending device until the next session begins: by default this happens either after 100 msgs have been sent, a week has elapsed, or if the room membership changes. Most folks consider this to be adequate perfect secrecy.
In terms of the Matrix Fdn being incorporated in the UK… I guess that means one shouldn’t use the Internet, given IETF is US incorporated? :)