IM/RTC: Perfect Forward Secrecy Requirement

We’re currently considering a change to our instant messenger criteria which would require all messengers to support Perfect Forward Secrecy.

This would disqualify Session of course, which notoriously removed support for PFS in a crypto change despite initially supporting it while their product was based on Signal’s crypto. Generally speaking, the team is okay with this change.

This would also disqualify Matrix. While Megolm theoretically supports PFS, it is not mandatory and in fact is not used in practice at all, because the option to do so is not exposed in Element, and would break functionality like key backups:

by default, our use of megolm doesn’t provide perfect forward secrecy. this is by design, so that if you log in on a new device, you can still rescue your encryption keys from other devices and read your history, which is the expected UX. in other words, devices don’t delete megolm keys after they’ve been used to decrypt history (which is why you can back them up and share them with your other devices in order to ensure that all your devices can read your history). […] We’ve always intended to provide PFS semantics as an option for those who need that level of paranoia (at the expense of drastically increasing the number of unable-to-decrypt errors, as keyshare and keybackup mechanisms would no longer be available to mitigate them); […]

The way I see it here, we have essentially two choices, because I think the team is in agreement that PFS is important:

  1. We can require PFS, and remove Session and Matrix.
  2. We can put PFS in our best-case criteria, and clearly delineate between Signal, SimpleX, and Briar, and Matrix and Session, and say that Matrix/Session are only useful for certain use-cases with some limitations, similarly to how we distinguish between providers which use OpenPGP and those that don’t on our email recommendations page: Email Services - Privacy Guides

It is worth noting that like Matrix, Session does fulfill some specific use-cases for people, such as having desktop clients which SimpleX lacks, and so keeping it listed while noting its downsides much more prominently is probably a reasonable move here.

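The property described in the quoted Matrix explanation above, as an added example that is not part of the original post and not Matrix's code: a simplified one-way hash ratchet (not Megolm's actual construction) with a demo-only XOR cipher, comparing a device that retains used keys with one that deletes them. `Device`, `retain_keys`, `run_demo` and the messages are hypothetical, constructed names and values.

```python
import hashlib
import hmac

def advance(chain_key: bytes) -> bytes:
    """One-way step: the next chain key cannot be turned back into this one."""
    return hmac.new(chain_key, b"ratchet", hashlib.sha256).digest()

def message_key(chain_key: bytes) -> bytes:
    return hmac.new(chain_key, b"message", hashlib.sha256).digest()

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Demo-only cipher: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Device:
    """Hypothetical receiver; retain_keys models key backup / key sharing."""
    def __init__(self, session_key: bytes, retain_keys: bool):
        self.chain_key, self.index = session_key, 0
        self.retain_keys, self.stored = retain_keys, {}

    def decrypt_next(self, ciphertext: bytes) -> bytes:
        plaintext = toy_cipher(message_key(self.chain_key), ciphertext)
        if self.retain_keys:
            self.stored[self.index] = self.chain_key  # kept for later history access
        self.chain_key = advance(self.chain_key)      # only the newer key remains
        self.index += 1
        return plaintext

def readable_after_compromise(device: Device, recorded: list) -> dict:
    """Past messages decryptable from the device state as it exists now."""
    return {i: toy_cipher(message_key(device.stored[i]), ct)
            for i, ct in enumerate(recorded) if i in device.stored}

def run_demo(retain_keys: bool) -> dict:
    session_key = hashlib.sha256(b"constructed demo session key").digest()
    messages = [b"constructed message 0", b"constructed message 1"]
    sender_key, recorded = session_key, []
    for m in messages:                       # sender ratchets once per message
        recorded.append(toy_cipher(message_key(sender_key), m))
        sender_key = advance(sender_key)
    device = Device(session_key, retain_keys)
    assert [device.decrypt_next(ct) for ct in recorded] == messages
    return readable_after_compromise(device, recorded)

if __name__ == "__main__":
    print("keys retained:", run_demo(True))
    print("keys deleted: ", run_demo(False))
```

With retained keys the whole recorded history is readable from the device's state; with deletion the same state yields nothing from the past, and a newly added device could not read that history either.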

As @matchboxbananasynergy also argued on GitHub, Matrix serves (or should serve) a different purpose. It’s more a platform for large rather public rooms IMO, much like IRC (people still use this).

If this means that Matrix is removed as IM I think that that is a right decision. It doesn’t nearly offer the same standard. I am fine with using Matrix but not for the same things that I would be discussing on Signal. We always have to think what are we protecting from whom.

Matrix I personally do not use for sensitive data and I would discourage you from doing so.

While it is true that SimpleX doesn’t currently have a desktop app as far as I’m aware, Briar now has a Windows and Linux desktop app, with macOS supposedly coming eventually.

Something being cross-platform is paramount to its usability, as IM is only useful when both participants are able to use it, but I think that it is more important to support projects that put significant effort into doing encryption properly.

Session’s jarring decision to remove PFS makes it a non-starter for me. I’ve used it in the past, and along with the aforementioned deficiency, it was also consistently buggy on both Android and desktop (Linux) and I eventually had to give it up.

Matrix has its own issues. Along with no PFS and E2EE flaws that still feel weirdly unaddressed and swept under the rug (this could have changed, but that was the impression I got previously), it is also clunky as hell, especially in E2EE rooms. It’s so often bad that it has become a meme at this point.

I actively use Matrix, but like @ph00lt0 said, I wouldn’t trust it for sensitive discussions, and I wouldn’t recommend it to someone at all who wasn’t already using it due to all of the reliability issues that plague it.

I would be completely fine with seeing Matrix go from the recommendations, personally.


I seem to remember one of the FOSDEM presentations touching on that particular point as a motivating reason for doing MLS.

I suppose my proposed solution would be to state PFS is a best-case criteria, and restructure the page as follows:

  • Encrypted Messengers
    • Signal
    • SimpleX
    • Briar
  • Additional Options
    • Element
    • Session

With a warning on the second category along the lines of:

These messengers do not utilize Forward Secrecy, and while they fulfill certain use-cases that our previous recommendations may not, we do not recommend their use for long-term or sensitive communications. Any key compromise among message recipients would compromise the confidentiality of all past communications.

I realize this almost brings back “worth mentioning” projects in a sense, but this is actually a change I’ve been meaning to make for a while, because it provides additional nuance to our recommendations that the current flat hierarchy of recommendations lacks. The truth of the matter is that none of these projects are the best at everything, and presenting them in a way that makes them seem interchangeable seems harmful.

At the end of the day there is no viable replacement for Matrix for the purposes we commonly use Matrix for, which it sounds like everyone agrees with, since everyone in this thread so far actively uses it, so removing Matrix from the site entirely does not make sense to me.


The way most people use Matrix is for public rooms with no encryption whatsoever. I use Matrix because it is where the groups I want to be a part of are, not because I enjoy the Matrix user experience or think it brings significant benefits, especially when it comes to privacy.

To me, it makes a lot of sense for the real time communication page to focus on private methods of doing so. Signal allows for groups, and while they’re not as versatile as Matrix rooms, as mentioned, Matrix has a lot of issues and bugs that can completely brick rooms when they exceed a certain size, which has been seen in practice and has not been fixed at this point, to my knowledge.

You can argue that there is no use in privacy when we’re talking about a group as anybody could be leaking messages outside of that group, but at least it provides assurances in cases where all participants of the group keep what’s being said in there confidential.

I see no use case for Session when it comes to group chats, and while I see the usefulness in using Matrix for public, unencrypted discussion, it may not necessarily make sense in the real time communication page.

Matrix has to provide a level of privacy over its alternatives, which in this case aren’t really Signal and Briar, but are Discord and Slack. Which it absolutely does, so I don’t really follow the argument that it doesn’t merit a mention at all.

And if it does, then I don’t see how we can fairly remove Session, which supports unlimited-size public groups and pretty much all the other features one would expect from a messenger. I think the anti-Session camp just needs to come up with a better reason to remove them, because personally not liking it isn’t the best argument when plenty of people use Session every day just fine.

I do not think anyone has said Matrix deserves no place at all. But I do not see it as an IM in the way we use Signal. Matrix serves a good solution for a short message format much like email. It is actually distributed and easy to run for larger communities.

As for Session: Session does not support community-like features like Matrix does. Therefore it cannot really be compared to Matrix. I feel Session is more a simple IM. Session, however, advertises itself as being the best IM for privacy, which I simply cannot agree with. Also, I have never heard a good argument from them to use a modified protocol without PFS. Their CTO said to me a couple of times they believe they do not need it because their service is distributed. This is really neglecting mass surveillance of ISPs and the fact that the companies behind Session control this network.

PFS is a very essential measure against cryptographic attacks and can prevent a lot of harm as it drastically slows down the capabilities of any adversary.

To summarize, PFS should be the standard for an IM, simply because this is good practice. You shouldn’t be using either Matrix or Session for your private conversations. Matrix serves a community, Session doesn’t really. Therefore I can only conclude that there is really no good reason to be using Session.

  • How does Session not support a community?
  • How is Matrix not Real-Time Communication?

I believe your concerns are addressed in my proposal TBQH, so I don’t know what changes to make here.

  • Session does not have moderation like Matrix
  • Matrix isn’t as secure; I am not saying it doesn’t have these features, I just would never use it for this.

session-pysogs/ at 2c8e4f1535bbd2cc676fa46914c691d2332cb41f · oxen-io/session-pysogs · GitHub indicates Session has community moderation.

I am fine with your proposal btw, I just don’t see the purpose of Session.

I would, however, still think of a different caption; Session does have encryption. So we might want to have something like:

  • Perfect Secure messengers (idk?)
  • Messengers for community conversations. (idk?)

This would also allow us to state requirements for what we believe is a good secured messenger. If you think there is a purpose for Session in less sensitive conversations, go for it, but I see no reason to list projects that are not used much in this way. Just like we could list every offline note-taking app on Android, but I prefer to have just one good one.

I don’t like Session either*, all I’m saying is that there are no compelling reasons that come to my mind to remove Session if Matrix is kept. The goal is to have consistency, if we can’t define criteria that lets us include Matrix and exclude Session then we should not be excluding Session, that’s all I’m saying. If we can create criteria that does this though then I’m all ears.

* also my feelings about Session are not really relevant, because many many people do like Session.

I think I see the issue here. I would not necessarily remove Matrix from Privacy Guides, but I would perhaps put it in its own page.

I’m unsure whether we are all on the same page on whether Matrix should be used for private and encrypted communication or not, but if not, perhaps there should be a page on messengers like SimpleX, Signal and Briar which are IM solutions which provide modern encryption, and another page for as you said Discord and Slack alternatives, in which Matrix, despite its issues, fits.

Does that make more sense?

By that token, Matrix makes for a pretty good forum for community discussion. In that context, does it have advantages over Session? I believe it does. Do options like SimpleX and Signal have advantages over Session in the context of private conversations? I believe they do.

Therefore, it feels like Session is in this weird middle-ground that makes it subpar at multiple things at once.

I get your struggle in this tho, and I know someone will not be happy with this discussion already. But why list things if they serve no one in a way that helps them? Matrix is the thing people use for communities (I wish there was something better), but honestly nobody uses Session for this stuff, or am I missing out?

Okay so I just checked. I can see 3 public communities in Session:

  • Lokinet Updates
  • Oxen Updates
  • Session Updates

I think it proves my point.

So this was also brought up in our chat, but my question is if we create a new page for community discussions, what would be the reasoning for excluding Session from that page?

Because theoretically Session does support community features, including self-hosted group servers specifically for this purpose, i.e. GitHub - oxen-io/session-pysogs: Python implementation of the Session open group server

My understanding is that some people do.

I am also not sure, but my perspective is that we are all on the same page that Matrix serves a purpose in this space and should be included somewhere on the site regardless, so I don’t think our opinion on this particular issue actually impacts our overall discussion here.

I mean, if people do, fine, let’s put it in that place, nothing against that.
For the category we should clearly state that there are different, more secure options for IM.

I do wonder tho, any public community known? In the app I see none other than their own.

I don’t believe there is a central room directory, community operators would share their QR codes within their own communities, which would make enumerating the number of public rooms out there difficult.

We can look further whether Session provides the same flexibility as Matrix for communities (I doubt that but I am open to finding out). If that is the case, perhaps Session and Matrix can be on the same page.

I don’t know what the real-time communication page should be renamed to, but it should operate under the assumption that this page is for people looking to communicate with privacy and proper encryption with all of its bells and whistles.

The new page that can include Matrix/Element and/or Session etc. would be for platforms that we recommend for non-sensitive communication.