Matrix ≠ MITM-proof by default.
Matrix uses E2EE, but device keys are fetched from homeservers. If you don’t manually verify devices, a rogue homeserver can inject a fake device = MITM possible. Same issue exists in XMPP (OMEMO) and even Signal — both rely on centralized servers or key directories to distribute public keys.
That’s why device verification matters: E2EE is only as secure as the key exchange.
SimpleX Chat, by contrast:
- Exchanges keys out-of-band (via invite link),
- Doesn’t use user IDs, DNS, or central directories,
- Has no metadata, no global identity, and no way for a server to impersonate anyone.
There’s no network-wide attack surface — no servers can lie about keys, because they never see them.
E2EE alone isn’t magic. How you get the keys matters.
#SimpleX #Matrix #E2EE #NoMetadata #TrustNoOne #MITM #Decentralization
https://github.com/simplex-chat/simplex-chat/blob/stable/docs/SIMPLEX.md#comparison-with-other-protocols
Andrey
npub1an…l8jd4
2025-06-16 23:39:29
Author Public Key
npub1andyx2xqhwffeg595snk9a8ll43j6dvw5jzpljm5yjm3qync7peqzl8jd4Published at
2025-06-16 23:39:29Event JSON
{
"id": "64fedcb9b1cd878cc3860e2c6d5162639a9e727be5f5c1a7ef0c024408c70d3a",
"pubkey": "ecda4328c0bb929ca285a42762f4fffd632d358ea4841fcb7424b7101278f072",
"created_at": 1750117169,
"kind": 1,
"tags": [
[
"t",
"SimpleX"
],
[
"t",
"simplex"
],
[
"t",
"Matrix"
],
[
"t",
"matrix"
],
[
"t",
"E2EE"
],
[
"t",
"e2ee"
],
[
"t",
"NoMetadata"
],
[
"t",
"nometadata"
],
[
"t",
"TrustNoOne"
],
[
"t",
"trustnoone"
],
[
"t",
"MITM"
],
[
"t",
"mitm"
],
[
"t",
"Decentralization"
],
[
"t",
"decentralization"
],
[
"r",
"https://github.com/simplex-chat/simplex-chat/blob/stable/docs/SIMPLEX.md#comparison-with-other-protocols"
]
],
"content": "Matrix ≠ MITM-proof by default.\n\nMatrix uses E2EE, but device keys are fetched from homeservers. If you don’t manually verify devices, a rogue homeserver can inject a fake device = MITM possible. Same issue exists in XMPP (OMEMO) and even Signal — both rely on centralized servers or key directories to distribute public keys.\n\nThat’s why device verification matters: E2EE is only as secure as the key exchange.\n\nSimpleX Chat, by contrast:\n\n- Exchanges keys out-of-band (via invite link),\n\n- Doesn’t use user IDs, DNS, or central directories,\n\n- Has no metadata, no global identity, and no way for a server to impersonate anyone.\n\n\nThere’s no network-wide attack surface — no servers can lie about keys, because they never see them.\n\nE2EE alone isn’t magic. How you get the keys matters.\n\n\n#SimpleX #Matrix #E2EE #NoMetadata #TrustNoOne #MITM #Decentralization\n\nhttps://github.com/simplex-chat/simplex-chat/blob/stable/docs/SIMPLEX.md#comparison-with-other-protocols",
"sig": "c462c30c8f48a097043d42c93bee330f9c9e09064fdd72cff086a48693bee9905e931596f29a2394e3cccea9dc10445c70bcb3131cab22395ec560799fb35119"
}