-
@ Andrey Arapov
2025-06-16 23:39:29
Matrix ≠ MITM-proof by default.
Matrix uses E2EE, but device keys are fetched from homeservers. If you don’t manually verify devices, a rogue homeserver can inject a fake device = MITM possible. Same issue exists in XMPP (OMEMO) and even Signal — both rely on centralized servers or key directories to distribute public keys.
That’s why device verification matters: E2EE is only as secure as the key exchange.
SimpleX Chat, by contrast:
- Exchanges keys out-of-band (via invite link),
- Doesn’t use user IDs, DNS, or central directories,
- Has no metadata, no global identity, and no way for a server to impersonate anyone.
There’s no network-wide attack surface — no servers can lie about keys, because they never see them.
E2EE alone isn’t magic. How you get the keys matters.
#SimpleX #Matrix #E2EE #NoMetadata #TrustNoOne #MITM #Decentralization
https://github.com/simplex-chat/simplex-chat/blob/stable/docs/SIMPLEX.md#comparison-with-other-protocols