<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>salix.host</title><link>https://salix.host/projects/</link><description>Recent blog posts on salix.host</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 17 Jul 2026 00:00:00 +0200</lastBuildDate><atom:link href="https://salix.host/projects/index.xml" rel="self" type="application/rss+xml"/><item><title>Keeping Bots Out Without Inviting Google In</title><link>https://salix.host/posts/privacy-friendly-captcha/</link><pubDate>Fri, 17 Jul 2026 00:00:00 +0200</pubDate><guid>https://salix.host/posts/privacy-friendly-captcha/</guid><description>&lt;p>If you tried to register on salix.host, you probably noticed the little driving game. You have to survive eighteen seconds of traffic before you get a registration token. It is a bit silly, but there is a reason it exists.&lt;/p>
&lt;p>Running an open Matrix server means I need some way to keep automatic signups out. If registration is completely open, bots will find it sooner or later. They can use the accounts for spam, scams, or things I really do not want hosted on my server. Closing registration would solve that, but then normal people cannot join either, which misses the point of running a public server.&lt;/p>
&lt;p>The normal answer is adding a CAPTCHA. Usually that means placing a box from Google, Cloudflare, or another large company on the page. It works, but it also means every person who wants an account has to talk to that company first. Their browser sends another request, their IP address goes somewhere else, and sometimes they get asked to identify traffic lights for five minutes because some invisible score did not like them.&lt;/p>
&lt;p>That felt a bit wrong for a privacy-focused Matrix server. &amp;ldquo;We care about your privacy, now please report to Google before entering&amp;rdquo; is not a very convincing welcome message.&lt;/p>
&lt;p>So I made my own.&lt;/p>
&lt;h2 id="the-first-version">The first version&lt;/h2>
&lt;p>The registration system was already using proof of work. The server gives your browser a small SHA-256 puzzle, and the browser tries numbers until it finds the correct one. It takes a few seconds on a normal device, but doing it thousands of times becomes expensive for a spammer.&lt;/p>
&lt;p>Proof of work is useful, but by itself it is not enough. A real visitor waits a few seconds once. A bot can solve puzzles all day, especially if the accounts are worth something. It raises the cost, which is good, but it does not really tell humans and scripts apart.&lt;/p>
&lt;p>I wanted a second check that needed some interaction, without collecting personal information. For some reason my answer to this was a five-lane road full of badly driven pixel cars and trucks.&lt;/p>
&lt;p>The idea was inspired by &lt;a href="https://store.steampowered.com/app/4310270/CAPTCHA_Hell/">CAPTCHA Hell&lt;/a>, an upcoming game about someone trying to get through a pile of increasingly ridiculous CAPTCHAs. I saw the driving CAPTCHA in it and thought it was funny. Then I started wondering if something like that could work as a real CAPTCHA too. So credit for the strange idea belongs there. I just made my own version and probably took it much too seriously.&lt;/p>
&lt;p>You control a small car with a slider. Other vehicles come down the road, some change lanes, and you need to avoid them for eighteen seconds. The car has a bit of momentum, so you cannot instantly jump from one side to the other. If you crash, you can try the same road again.&lt;/p>
&lt;p>It is not a scientific test for being human. It is just an annoying enough task that basic signup scripts cannot press a button and receive unlimited accounts.&lt;/p>
&lt;h2 id="the-browser-is-not-trusted">The browser is not trusted&lt;/h2>
&lt;p>The obvious problem with a homemade CAPTCHA is that all browser code is visible. Anyone can open the developer tools, read the JavaScript, and change it. If the page simply sent &lt;code>I won&lt;/code> to the server, a bot would also send &lt;code>I won&lt;/code>, probably much faster than me.&lt;/p>
&lt;p>The server therefore does not trust the result reported by the browser. During the game, the browser records the position of the steering slider on every game tick. That list of steering inputs is what gets submitted at the end.&lt;/p>
&lt;p>The server then runs the same movement physics again. It starts the car in the middle, applies every steering input, and checks the calculated position against the traffic at that moment. If the replay hits a vehicle, the run is rejected. The browser never gets to decide where the car really was.&lt;/p>
&lt;p>There was another issue. If I sent all traffic data as nice structured JSON, a script could read every vehicle position and calculate a perfect route. Instead, the server creates the traffic and renders it into a PNG image. The browser receives the pixels needed to show the road, but not a convenient list saying &amp;ldquo;truck in lane three at tick 120&amp;rdquo;.&lt;/p>
&lt;p>Of course pixels can still be analysed. I am not claiming I invented some unbreakable bot detector here. But analysing an animated pixel road and producing valid steering input is quite a bit more work than calling an API with the right JSON fields. For a small hobby server, that difference matters.&lt;/p>
&lt;h2 id="making-sure-the-game-is-fair">Making sure the game is fair&lt;/h2>
&lt;p>Random traffic sounds fun until the game generates a wall of trucks across every lane.&lt;/p>
&lt;p>Before sending a challenge, the server checks that the road can actually be completed with the same speed limits as the player&amp;rsquo;s car. It works backwards through the game and checks which positions still have an escape route. It also rejects roads where sitting in the centre and doing nothing would pass, because then it would be a rather useless driving test.&lt;/p>
&lt;p>This part took more work than I expected. Generating random cars is easy. Generating random cars that look unpredictable, require steering, and never put a normal player into an impossible trap is less easy.&lt;/p>
&lt;p>Lane-changing cars even blink before moving. That is partly to be fair, and partly because apparently I care about the driving manners of CAPTCHA traffic now.&lt;/p>
&lt;h2 id="several-small-locks-instead-of-one-big-lock">Several small locks instead of one big lock&lt;/h2>
&lt;p>The driving game is only one layer. While you are driving, the browser solves the proof-of-work puzzle in the background. The challenge is signed by the server, tied to the visitor&amp;rsquo;s IP rate-limit bucket, expires after fifteen minutes, and can only be used once. Finishing in less than eighteen seconds is also rejected, for fairly obvious reasons.&lt;/p>
&lt;p>There are limits on how many challenges and tokens one address can request, plus a global limit in case somebody arrives with a large number of addresses. IPv6 needs a little care here, because one device can have a huge amount of addresses, so I count them by network instead of pretending every address is a different visitor.&lt;/p>
&lt;p>After everything passes, the registration token is valid for ten minutes and can create one account. That is enough time for a person to paste it into Element, but not very useful to someone collecting tokens for later.&lt;/p>
&lt;p>None of these protections is perfect alone. Together they make abuse inconvenient enough without making registration terrible for normal people. At least that is the balance I am trying to find.&lt;/p>
&lt;h2 id="keeping-the-dangerous-secret-somewhere-else">Keeping the dangerous secret somewhere else&lt;/h2>
&lt;p>The public dispenser needs permission to hand out registration tokens, but I did not want the public-facing process to hold the Synapse administrator token. If there is a bug in the dispenser, that secret would give an attacker much more power than they should ever get.&lt;/p>
&lt;p>So token creation is split into a second, very small service. The public process verifies the puzzle, the driving run, and the rate limits. Only after all of that it asks the second service to mint one token through a local Unix socket.&lt;/p>
&lt;p>That second service understands exactly one command: &lt;code>mint&lt;/code>. It has its own global rate limit and returns a short-lived, single-use token. It does not listen on a public network port. The public process can talk to it, but cannot read the administrator token it holds.&lt;/p>
&lt;p>Process separation is not exciting to show in a screenshot, but it might be the part I care most about. A public web service will always have some attack surface. Giving it fewer secrets makes a mistake less disastrous.&lt;/p>
&lt;h2 id="what-it-does-not-solve">What it does not solve&lt;/h2>
&lt;p>I know a driving game has accessibility problems. It needs vision and reasonably precise input, and it might be difficult or impossible for some people. That is the biggest weakness of this design. At the moment, contacting me for an account is the fallback, but that is not as good as having an accessible option built into the page. I still need a better answer for this.&lt;/p>
&lt;p>It also will not stop a determined attacker forever. Someone could build computer vision for it, automate a browser, or simply pay humans to solve challenges. CAPTCHAs are an arms race and a small custom one does not magically escape that.&lt;/p>
&lt;p>What it does stop is cheap, generic automation. There is no standard CAPTCHA-solving service already prepared for this exact strange road. There are no cookies, no fingerprinting, and no third-party script learning who visited the registration page. The temporary IP limits live on my server, where the signup is happening anyway.&lt;/p>
&lt;p>That is good enough for my current threat model. salix.host is a small homeserver, not a bank and not the next giant social network. I do not need to defeat every bot on earth. I need to make mass signup more trouble than this server is worth abusing.&lt;/p>
&lt;p>And if people get a tiny pixel racing game out of it, honestly, that is nicer than clicking nine blurry bicycles.&lt;/p></description></item><item><title>Chat Control Passed in the European Parliament. I Am Against It.</title><link>https://salix.host/posts/chat-control-passed-2026/</link><pubDate>Mon, 13 Jul 2026 00:00:00 +0200</pubDate><guid>https://salix.host/posts/chat-control-passed-2026/</guid><description>&lt;p>You may have seen the headlines this week: Chat Control passed in the European Parliament.&lt;/p>
&lt;p>The full situation is more complicated, because of course EU lawmaking cannot be explained without several different proposals, readings and voting rules. But my own opinion is not complicated: I am against Chat Control 1.0, and I am against Chat Control 2.0.&lt;/p>
&lt;p>I don&amp;rsquo;t want companies scanning private messages without suspicion. I don&amp;rsquo;t want it when the scanning is called &amp;ldquo;voluntary&amp;rdquo;, and I especially don&amp;rsquo;t want it turned into a permanent European system. A private message should be private unless there is a specific reason and proper legal approval to investigate somebody.&lt;/p>
&lt;h2 id="two-versions-of-the-same-bad-idea">Two versions of the same bad idea&lt;/h2>
&lt;p>What people call &lt;strong>Chat Control 1.0&lt;/strong> is a temporary exception to the EU’s ePrivacy rules. It allows messaging and email providers to &amp;ldquo;voluntarily&amp;rdquo; scan private communications for child sexual abuse material, and to report and remove it. It does not force every provider to scan, but it gives companies the legal space to inspect messages which people reasonably believe are private.&lt;/p>
&lt;p>The word &amp;ldquo;voluntarily&amp;rdquo; does a lot of work here. The provider may volunteer to scan. The person sending a photo or having a conversation did not volunteer to be monitored. From the user&amp;rsquo;s side, there is nothing voluntary about it.&lt;/p>
&lt;p>This exception existed since 2021 and expired on 3rd of April 2026. In March, Parliament &lt;a href="https://www.europarl.europa.eu/news/en/press-room/20260325IPR39207/child-sexual-abuse-online-voluntary-detection-measures-will-not-be-extended">rejected an extension&lt;/a>, with 228 voting for the extension, 311 against it and 92 abstaining.&lt;/p>
&lt;p>Then there is &lt;strong>Chat Control 2.0&lt;/strong>, officially the permanent Child Sexual Abuse Regulation. It would create permanent rules for online services, including risk assessments, removal and blocking orders, and a new EU Centre on Child Sexual Abuse. The Council and Parliament are still negotiating the final text. It has not passed yet, and I hope it does not pass in a form which permits general scanning of private communication.&lt;/p>
&lt;p>The two versions are legally different, but they move in the same direction. Chat Control 1.0 makes private scanning seem normal now. Chat Control 2.0 risks making the system permanent later. I oppose both for the same reason: people who are not suspected of a crime should not have their private communication inspected.&lt;/p>
&lt;h2 id="they-brought-it-back-after-parliament-rejected-it">They brought it back after Parliament rejected it&lt;/h2>
&lt;p>After the March rejection, the extension should have been finished. Instead, on 2nd of July, the Council adopted the Commission&amp;rsquo;s original proposal as its position and sent it back to Parliament for a second reading. The &lt;a href="https://www.consilium.europa.eu/en/press/press-releases/2026/07/02/council-moves-to-reinstate-interim-measure-to-combat-child-sexual-abuse-online/">Council wants the exception restored until 3rd of April 2028&lt;/a>.&lt;/p>
&lt;p>This second reading had different voting rules. Rejecting or amending the Council position required an absolute majority of all MEPs, not only a majority of those who voted. The threshold was 360.&lt;/p>
&lt;p>On 9th of July, 314 MEPs voted to reject the Council position. 276 voted against rejection and 17 abstained. More MEPs voted to reject Chat Control than to keep it, but the rejection still failed because 314 was below the special threshold.&lt;/p>
&lt;p>Maybe this follows the official procedure, but I find it very difficult to call the outcome democratic. Parliament rejected the extension in March. A clear majority of votes cast rejected it again in July. Still, the proposal survived. Bringing it back just before the summer break, under rules which made rejection much harder, looks like finding a procedural way around an answer the Council did not like.&lt;/p>
&lt;p>This is also why people lose trust in the EU. You cannot tell citizens their representatives voted against a proposal, then say it passed anyway, and expect nobody to be angry about it.&lt;/p>
&lt;h2 id="the-encryption-amendment-does-not-make-it-good">The encryption amendment does not make it good&lt;/h2>
&lt;p>Parliament did add one important amendment. The exception should not apply to communications which use, used, or will use end-to-end encryption. If that protection remains in the final text, encrypted Signal conversations and encrypted Matrix rooms should be outside its scope.&lt;/p>
&lt;p>I am glad this amendment exists. I am still against the proposal.&lt;/p>
&lt;p>Unencrypted private messages also deserve privacy. Email does not become public communication because its protection is weaker. And a legal exception encouraging companies to inspect private messages is still wrong even if some encrypted services are excluded.&lt;/p>
&lt;p>The &lt;a href="https://www.europarl.europa.eu/news/en/press-room/20260706IPR46318/">official Parliament announcement&lt;/a> also makes clear that this is not the final step. The amended text now goes to the Council. It has three months to accept all Parliament&amp;rsquo;s amendments. If it refuses, Parliament and the Council enter a conciliation procedure to negotiate a common text.&lt;/p>
&lt;p>So, as of 13th of July 2026:&lt;/p>
&lt;ul>
&lt;li>Parliament failed to reject Chat Control 1.0, even though more MEPs voted for rejection than against it.&lt;/li>
&lt;li>Parliament added an exclusion for end-to-end encrypted communication.&lt;/li>
&lt;li>The Council still has to accept that exclusion for the text to become law in this form.&lt;/li>
&lt;li>Chat Control 2.0, the permanent and more far-reaching proposal, has not passed.&lt;/li>
&lt;/ul>
&lt;p>It would be inaccurate to say that the EU can now scan every encrypted message. Chat Control 1.0 allows providers to scan &amp;ldquo;voluntarily&amp;rdquo; and the Parliament text excludes end-to-end encryption. But correcting exaggerated headlines should not become an excuse to defend the proposal. The real version is already bad enough.&lt;/p>
&lt;h2 id="protecting-children-does-not-require-scanning-everybody">Protecting children does not require scanning everybody&lt;/h2>
&lt;p>Child sexual abuse is real and horrific. Material showing it should be removed, offenders should be investigated, and victims deserve serious support. I don&amp;rsquo;t question any of that.&lt;/p>
&lt;p>What I reject is the idea that opposing mass scanning means opposing child protection. It does not. Police can investigate suspects. Courts can authorise targeted searches. Platforms can act on reports and remove confirmed illegal material. Governments can give investigators and victim-support organisations enough staff and money to do their work properly.&lt;/p>
&lt;p>These are actions aimed at abuse and abusers. Scanning the conversations of people who are not suspected of anything is surveillance first and investigation second.&lt;/p>
&lt;p>Automated detection is not harmless either. Matching a known illegal image is one thing. Trying to detect unknown material or grooming from ordinary conversations is much less certain. False reports can expose innocent people and deeply private messages to companies, reviewers and authorities. &amp;ldquo;An algorithm will check it&amp;rdquo; is not a meaningful privacy protection.&lt;/p>
&lt;p>End-to-end encryption cannot magically stay private while a system checks the content. If software inspects a message on the device before it is encrypted, the encryption may still work during transport, but the conversation was already inspected. Moving the scanner to the phone does not solve the privacy problem. It only moves the place where privacy is broken.&lt;/p>
&lt;h2 id="why-chat-control-20-worries-me-even-more">Why Chat Control 2.0 worries me even more&lt;/h2>
&lt;p>Chat Control 1.0 is described as temporary, although temporary EU measures have a strange habit of returning. Chat Control 2.0 is meant to create the permanent framework. The &lt;a href="https://www.consilium.europa.eu/en/press/press-releases/2025/11/26/child-sexual-abuse-council-reaches-position-on-law-protecting-children-from-online-abuse/">Council&amp;rsquo;s position on the permanent law&lt;/a> includes making the current &amp;ldquo;voluntary&amp;rdquo; scanning exception permanent.&lt;/p>
&lt;p>Once scanning infrastructure exists, there will always be pressure to use it for more. Today the reason is child sexual abuse. Later somebody will propose terrorism, organised crime, copyright infringement, or another serious subject which makes opposing surveillance politically difficult. The technical system does not know that it was promised for only one purpose.&lt;/p>
&lt;p>This is a boundary we should not cross. Private communication should not become a space where everybody is monitored just in case somebody commits a crime.&lt;/p>
&lt;h2 id="what-it-means-for-small-services">What it means for small services&lt;/h2>
&lt;p>I run a Matrix homeserver, so this is not only a theoretical discussion for me. Small independent services don&amp;rsquo;t have entire legal and compliance departments. If European rules create pressure to scan communication, a small provider may have to build surveillance infrastructure, remove features, stop accepting users, or shut down.&lt;/p>
&lt;p>Big companies can pay for scanning systems and lawyers. Smaller privacy-friendly alternatives often cannot. Regulation like this can end up strengthening Meta, Google and Microsoft while making independent services disappear. That would leave people with fewer private choices, not more safety.&lt;/p>
&lt;p>For encrypted Matrix rooms, Parliament&amp;rsquo;s amendment would offer some protection if it survives. But I don&amp;rsquo;t want protection to depend on one amendment surviving every later negotiation. And I don&amp;rsquo;t believe unencrypted rooms should be treated as fair targets for general scanning either.&lt;/p>
&lt;h2 id="i-oppose-both-versions">I oppose both versions&lt;/h2>
&lt;p>Chat Control 1.0 passed an important stage through a process where 314 votes for rejection were not enough. It is not final in its amended form, and the Council may still fight the encryption exclusion. Chat Control 2.0 is still being negotiated and will decide the permanent direction.&lt;/p>
&lt;p>I oppose Chat Control 1.0 because it normalises companies scanning private communication without suspicion. I oppose Chat Control 2.0 because it risks making that principle permanent and building the infrastructure for wider surveillance.&lt;/p>
&lt;p>If you care about this, contact your MEPs and your national government. National governments form the Council, so they have direct influence over what happens next. Ask them to keep end-to-end encryption outside the temporary law and to reject general scanning in the permanent one. &lt;a href="https://www.europarl.europa.eu/meps/en/home">European Parliament has a tool to find your MEPs&lt;/a>.&lt;/p>
&lt;p>You can also follow &lt;a href="https://fightchatcontrol.eu/">Fight Chat Control&lt;/a> to stay up to date. It keeps track of the changing proposals, upcoming decisions and positions of EU countries, and also helps you find the right representatives to contact.&lt;/p>
&lt;p>For a much more detailed explanation, I also recommend &lt;a href="https://www.patrick-breyer.de/en/posts/chat-control/">Patrick Breyer&amp;rsquo;s Chat Control overview&lt;/a>. He has followed this proposal for years and keeps a timeline, comparisons of the different texts, background documents and arguments against both versions in one place.&lt;/p>
&lt;p>Protecting children and protecting private communication are not opposite goals. We can target criminals, support victims and remove illegal material without treating every person in Europe as a possible suspect.&lt;/p>
&lt;p>My private messages are not the government&amp;rsquo;s messages. They are not Meta&amp;rsquo;s messages either. They should not be scanned just in case.&lt;/p></description></item><item><title>Private Messengers Compared</title><link>https://salix.host/posts/private-messengers-compared/</link><pubDate>Wed, 08 Jul 2026 00:00:00 +0200</pubDate><guid>https://salix.host/posts/private-messengers-compared/</guid><description>&lt;p>People ask me sometimes why I bother with Matrix when Signal exists. Fair question. There&amp;rsquo;s a lot of &amp;ldquo;private&amp;rdquo; messengers out there and honestly they are all trying to solve slightly different problems. So here&amp;rsquo;s my take on the ones I actually have opinions about.&lt;/p>
&lt;p>Quick disclaimer: I run a Matrix server, so of course I&amp;rsquo;m biased. I&amp;rsquo;ll try to be fair anyway.&lt;/p>
&lt;h2 id="signal">Signal&lt;/h2>
&lt;p>Signal is the default answer, and for good reason. The encryption is basically the gold standard, the apps are polished, and it&amp;rsquo;s easy enough that you can get your parents on it. If someone asks me &amp;ldquo;what should I use instead of WhatsApp&amp;rdquo; and they don&amp;rsquo;t want a lecture, I say Signal.&lt;/p>
&lt;p>But it has two problems that bother me. First, it wants your phone number. They added usernames a while ago, so you can hide it from other people, but Signal itself still knows who you are. Second, it&amp;rsquo;s one centralized service run by one foundation in one country. If Signal goes down, or gets blocked, or makes a decision you don&amp;rsquo;t like, there is no plan B. You can&amp;rsquo;t take your account somewhere else. That&amp;rsquo;s the exact thing I wrote about in my first post.&lt;/p>
&lt;p>And this is not theoretical anymore. Signal has been fighting laws in the UK for years, and just recently they threatened to pull out of Canada over a proposed law there. They also said they need something like 50 million dollars a year to keep running. I trust them to fight the good fight, but the point stands: when everything depends on one organization, their problems become your problems.&lt;/p>
&lt;h2 id="matrix">Matrix&lt;/h2>
&lt;p>You knew this was coming. Matrix is not an app, it&amp;rsquo;s a network. Nobody owns it, anyone can run a server (hi), and servers talk to each other like email does. End-to-end encryption is on by default in private chats.&lt;/p>
&lt;p>It&amp;rsquo;s also been a good year for Matrix, honestly. Matrix 2.0 and the new Element X client fixed a lot of the old sluggishness, governments in Europe keep adopting it for their internal comms (France and Germany run huge deployments), and when Discord announced their age verification thing in February, a nice wave of people came looking for alternatives and found Matrix. And that makes sense, because for communities, public rooms, spaces, that whole Discord-shaped use case, Matrix is currently simply the best option on this list. Nothing else here even really tries: Signal groups are private only, and you&amp;rsquo;ll see later what I think about big groups on SimpleX.&lt;/p>
&lt;p>The honest downsides: the experience depends a lot on which client and server you use, encryption in huge public rooms can still be a bit clunky, and metadata (who talks to who, room names, that kind of stuff) is more visible to servers than on Signal. Also the Matrix Foundation itself is chronically underfunded, they say reaching break-even is the goal for this year. The protocol won&amp;rsquo;t disappear if they struggle, it&amp;rsquo;s open and the code is everywhere, but it&amp;rsquo;s a reminder that open infrastructure runs on too little money.&lt;/p>
&lt;p>And since I&amp;rsquo;m being honest, there&amp;rsquo;s one thing that bothers me as a server admin: how much of Matrix is effectively one company, Element. They employ most of the core developers, they make the flagship clients, and they make Synapse, the server implementation almost everyone runs (including me). In 2023 they relicensed Synapse from Apache to AGPL, with a contributor agreement that lets Element alone sell commercial licenses on top of everyone&amp;rsquo;s contributions. AGPL is a fine license, but the move made it clear who holds the steering wheel. It&amp;rsquo;s an open network on paper, and it really is, I can leave any time with the protocol intact. But in practice the health of the ecosystem depends a lot on one company&amp;rsquo;s business surviving, and I&amp;rsquo;d sleep better if the server side was more diverse.&lt;/p>
&lt;p>Anyway, Matrix still trades some tightness for something I think matters more long term: you&amp;rsquo;re not renting your identity from a single company. Worst case your server dies, you make an account elsewhere and keep going.&lt;/p>
&lt;p>So: Signal is a better product, Matrix is a better network. Pick what you&amp;rsquo;re optimizing for.&lt;/p>
&lt;h2 id="threema">Threema&lt;/h2>
&lt;p>Threema is interesting because it&amp;rsquo;s the &amp;ldquo;pay once, no phone number&amp;rdquo; option. It&amp;rsquo;s Swiss, it&amp;rsquo;s been around forever, and you get a random ID instead of giving your number. The apps are decent and the company had a reasonable track record.&lt;/p>
&lt;p>Had, past tense, because I have to be honest here: the original founders left the company back in 2024, and this January a German private equity firm announced they&amp;rsquo;re acquiring Threema. Maybe nothing changes. But &amp;ldquo;privacy company gets bought by private equity&amp;rdquo; is not a sentence that usually ends well, and it&amp;rsquo;s exactly the risk of trusting one company with your messenger. I&amp;rsquo;d be careful recommending it right now.&lt;/p>
&lt;p>The other catch is that it costs a few euros, which sounds like nothing but is actually a real barrier when you try to move a group chat there. &amp;ldquo;Just install this app&amp;rdquo; already loses half the people, &amp;ldquo;just install this app and pay for it&amp;rdquo; loses the rest. And it&amp;rsquo;s still centralized, same story as Signal, just with a different flag on it.&lt;/p>
&lt;h2 id="session">Session&lt;/h2>
&lt;p>Session took the Signal protocol idea and removed the phone number and the central server. Your messages get routed through a decentralized node network, so in theory nobody can see who is talking to who. No identifier needed at all, you just get a key.&lt;/p>
&lt;p>I want to like Session more than I do. The anonymity story is genuinely strong. But they changed the encryption in ways cryptographers were not happy about (they dropped forward secrecy, which means one leaked key can expose your past messages), and the whole thing is tied to a crypto token ecosystem which always makes me a bit nervous.&lt;/p>
&lt;p>The project also had a rough time lately. It started in Australia, and after Australian police literally showed up at an employee&amp;rsquo;s home, the foundation moved to Switzerland in 2024. Then earlier this year they announced they were 90 days from shutting down completely because the money ran out. Donations saved it at the last minute (a big chunk came from Vitalik Buterin, of all people), but it&amp;rsquo;s running on a skeleton crew now. Funny enough, the day this post goes up was supposed to be the shutdown date. I&amp;rsquo;m glad it survived, but it shows the risk of these smaller centralized-ish projects: your messenger can just&amp;hellip; end. Between the weakened encryption, the token stuff and the funding drama, I honestly can&amp;rsquo;t recommend Session anymore. If you need that level of anonymity, look at SimpleX instead.&lt;/p>
&lt;h2 id="briar">Briar&lt;/h2>
&lt;p>Briar is the extreme one, and I respect it a lot. No servers at all. Messages go peer to peer over Tor, and if the internet is down it can literally sync over Bluetooth or WiFi between phones that are near each other. This is the messenger you want during a protest or an internet blackout.&lt;/p>
&lt;p>The cost of that design is convenience. Both people basically need to be online for messages to go through, there&amp;rsquo;s no real multi-device story, battery usage is rough, and iOS support is still not there (the team says iOS is too locked down for the background stuff P2P needs, which honestly says more about Apple than about Briar). It&amp;rsquo;s developed by a small non-profit on grant money, still getting steady updates in 2026, just slowly. Briar is not trying to replace WhatsApp, it&amp;rsquo;s a tool for situations where everything else fails. Good to have installed, not something you daily drive.&lt;/p>
&lt;p>What I secretly wish existed is something in between Briar and Matrix: a federated protocol with real servers, but where the servers talk to each other over Tor or i2p. You&amp;rsquo;d keep the convenience of servers (offline delivery, multi-device, your phone not running a Tor node all day), but the network layer wouldn&amp;rsquo;t leak who federates with who. And if the entire stack ran over Tor, clients included, a lot of the metadata problems I complained about in the Matrix section would stop being such big issues: the server still sees which accounts talk to each other, but it couldn&amp;rsquo;t tie any of it to an IP address or a real identity anymore, because you&amp;rsquo;d be connecting over Tor and staying anonymous. Same between servers, so federation wouldn&amp;rsquo;t reveal anything either. As a bonus, a network like that would be very hard to block: no fixed IPs or domains to blacklist, just onion services. Remember what happened to WhatsApp in Russia, that kind of country-wide block basically stops working. Matrix over onion services sort of half-works if you force it, but nothing is built for that from the ground up. If someone knows a project like this, message me, seriously.&lt;/p>
&lt;h2 id="whatsapp">WhatsApp&lt;/h2>
&lt;p>Okay, the elephant. WhatsApp actually uses the Signal protocol for encryption, so the message content itself is protected. Credit where it&amp;rsquo;s due, that&amp;rsquo;s billions of people with end-to-end encryption who never asked for it.&lt;/p>
&lt;p>The problem is everything around the messages. WhatsApp belongs to Meta, and Meta&amp;rsquo;s whole business is knowing things about you. They can&amp;rsquo;t read your texts, but they know who you talk to, when, how often, from where, and they connect all of it to the biggest advertising profile on earth. Encryption of content is not the same as privacy. WhatsApp is proof of that.&lt;/p>
&lt;p>And it&amp;rsquo;s getting worse, not better. This year WhatsApp got ads, and Meta AI is now baked into the app. Anything you say to the AI is processed on Meta&amp;rsquo;s servers, outside the end-to-end encryption, and their new policy says those AI conversations feed into ad targeting, with no opt-out. So the encrypted messenger now ships with a built-in unencrypted channel straight to the ad machine. They also finally added usernames so you can hide your phone number from strangers, which is nice I guess. Oh, and Russia blocked WhatsApp entirely this year, which is a good reminder that centralized apps can vanish from a whole country overnight.&lt;/p>
&lt;p>If your family is on it and won&amp;rsquo;t move, fine, at least the messages between humans are still encrypted. Just don&amp;rsquo;t talk to the AI, and don&amp;rsquo;t call it a private messenger.&lt;/p>
&lt;h2 id="simplex">SimpleX&lt;/h2>
&lt;p>SimpleX is the newest project on this list, and its core idea is genuinely different: there are no user identifiers at all. Not a phone number, not a username, not even a random key that ties your chats together. Every conversation runs through its own pair of one-way message queues on relay servers, and the two directions of a chat don&amp;rsquo;t even have to use the same server. From the network&amp;rsquo;s point of view, &amp;ldquo;your account&amp;rdquo; simply doesn&amp;rsquo;t exist, so there&amp;rsquo;s nothing to correlate. On paper it&amp;rsquo;s the most private design of all of these.&lt;/p>
&lt;p>The relays are worth explaining because it&amp;rsquo;s a nice middle ground: SimpleX runs default servers, but they&amp;rsquo;re basically dumb mailboxes that hold encrypted queues, and you can switch to other people&amp;rsquo;s relays or self-host your own without losing anything, since your identity was never on a server to begin with. That also means contact discovery works differently: you connect by sharing a link or QR code out of band, there&amp;rsquo;s no &amp;ldquo;find friends by number&amp;rdquo; and never will be, which is a feature or a dealbreaker depending on who you ask.&lt;/p>
&lt;p>It&amp;rsquo;s also picking up momentum: Trail of Bits reviewed the cryptographic design, another security assessment is planned for this summer, and the funding situation looks healthier than most (Jack Dorsey invested, and Vitalik Buterin donated to them too, apparently he&amp;rsquo;s just going around funding private messengers now). A Russian court fined them for refusing to hand over user data, and their transparency report says they had nothing to hand over anyway, which is kind of the best advertisement a private messenger can get.&lt;/p>
&lt;p>The downsides are the flip side of the design. It&amp;rsquo;s young, and the UX shows it. No identifiers means moving to a new phone or adding a device is more fiddly than elsewhere. And larger groups or communities are honestly where it falls apart: a &amp;ldquo;group&amp;rdquo; is really just a pile of pairwise connections, every message gets fanned out to every member separately, so anything beyond a small friend group gets slow and unreliable. If you want Matrix-style public rooms and communities, SimpleX is simply the wrong tool.&lt;/p>
&lt;p>One more thing that bugs me about the design. By default, when you talk to someone, the traffic to their queue gets proxied through your own relay servers. That&amp;rsquo;s meant to hide your IP from unknown servers, which is fair, but it means your relay is in the loop for both directions: it knows when you send a message and when you check for or receive one. That&amp;rsquo;s exactly the kind of timing metadata this whole design is supposed to avoid, just concentrated at your own relay instead. I&amp;rsquo;d much rather they shipped an in-app Tor proxy (or something like it) so you talk to every queue directly and anonymously, instead of routing your activity pattern through one server that gets to watch it all. You can run the app over Tor yourself, but defaults are what actually matter.&lt;/p>
&lt;p>And the funding is venture money, which I&amp;rsquo;d keep half an eye on; investors eventually want something back. Still, of everything on this list it&amp;rsquo;s the project I&amp;rsquo;m most curious about, and it&amp;rsquo;s the one I now point people to when they ask for real anonymity, at least for one-on-one chats.&lt;/p>
&lt;h2 id="the-short-version">The short version&lt;/h2>
&lt;p>If you skipped everything above, here&amp;rsquo;s the table. Scores are out of 5, and yes it&amp;rsquo;s my personal judgement, not science:&lt;/p>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>&lt;/th>
 &lt;th>Encryption&lt;/th>
 &lt;th>Anonymity&lt;/th>
 &lt;th>Metadata&lt;/th>
 &lt;th>No lock-in&lt;/th>
 &lt;th>Communities&lt;/th>
 &lt;th>Ease of use&lt;/th>
 &lt;th>Future&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>&lt;strong>Signal&lt;/strong>&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>2/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>1/5&lt;/td>
 &lt;td>3/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;strong>Matrix&lt;/strong>&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>3/5&lt;/td>
 &lt;td>2/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;strong>Threema&lt;/strong>&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>1/5&lt;/td>
 &lt;td>3/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>3/5&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;strong>Session&lt;/strong>&lt;/td>
 &lt;td>2/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>3/5&lt;/td>
 &lt;td>3/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>2/5&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;strong>Briar&lt;/strong>&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>1/5&lt;/td>
 &lt;td>2/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;strong>WhatsApp&lt;/strong>&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>1/5&lt;/td>
 &lt;td>1/5&lt;/td>
 &lt;td>1/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;strong>SimpleX&lt;/strong>&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>5/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>4/5&lt;/td>
 &lt;td>1/5&lt;/td>
 &lt;td>2/5&lt;/td>
 &lt;td>3/5&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;p>Some of these need a footnote: Signal&amp;rsquo;s anonymity is a 2 because of the phone number, Session&amp;rsquo;s encryption a 2 for the missing forward secrecy, WhatsApp&amp;rsquo;s encryption only covers the message content, and WhatsApp&amp;rsquo;s 5/5 future is not a compliment. The reasons for everything else are up in the text.&lt;/p>
&lt;h2 id="so-what-should-you-use">So what should you use?&lt;/h2>
&lt;p>Boring answer: it depends on your threat model.&lt;/p>
&lt;ul>
&lt;li>You want easy and solid: &lt;strong>Signal&lt;/strong>&lt;/li>
&lt;li>You want to own your identity and be part of an open network: &lt;strong>Matrix&lt;/strong> (I know a nice server)&lt;/li>
&lt;li>You want communities and public rooms, the Discord-shaped stuff: also &lt;strong>Matrix&lt;/strong>, nothing else comes close&lt;/li>
&lt;li>You don&amp;rsquo;t want to give any phone number and don&amp;rsquo;t mind paying: &lt;strong>Threema&lt;/strong>, but watch how the acquisition plays out&lt;/li>
&lt;li>You need real anonymity: &lt;strong>SimpleX&lt;/strong> (not Session, sorry)&lt;/li>
&lt;li>The internet is on fire: &lt;strong>Briar&lt;/strong>&lt;/li>
&lt;li>Your family refuses to move: WhatsApp, I guess. I&amp;rsquo;m not mad, just disappointed.&lt;/li>
&lt;/ul>
&lt;p>The real point is that all of these are better than the default of doing everything through one giant ad company. Pick one, drag some friends over, and the network effect problem gets a little bit smaller for everyone.&lt;/p>
&lt;p>As always, if you want to try Matrix, you know where to find me.&lt;/p></description></item><item><title>Chat Control Is Still Not Dead (Unfortunately)</title><link>https://salix.host/posts/chat-control-is-still-not-dead-july-2026/</link><pubDate>Tue, 07 Jul 2026 00:00:00 +0000</pubDate><guid>https://salix.host/posts/chat-control-is-still-not-dead-july-2026/</guid><description>&lt;p>Okay, different topic today. If you&amp;rsquo;re in the EU and you care about privacy even a little bit, you&amp;rsquo;ve probably heard of Chat Control at some point. It&amp;rsquo;s the EU proposal to make messaging apps scan private messages for child abuse material. Sounds reasonable when you say it like that, which is exactly the problem, because what it actually means is scanning &lt;em>everyone&amp;rsquo;s&lt;/em> messages, all the time, without any suspicion. And you can&amp;rsquo;t do that with end-to-end encrypted messages without breaking the encryption. There is no magic version of this where your chats stay private but also get scanned. Every cryptographer who looked at it said the same thing.&lt;/p>
&lt;p>This law has been &amp;ldquo;almost passing&amp;rdquo; for years now, and I noticed most people I talk to have completely lost track of where it stands. Honestly I lose track sometimes too. So here&amp;rsquo;s the current state, as of when I&amp;rsquo;m writing this.&lt;/p>
&lt;h2 id="the-good-news">The good news&lt;/h2>
&lt;p>There was actually a real win this spring. On March 26 the European Parliament voted against extending &amp;ldquo;Chat Control 1.0&amp;rdquo;, the temporary rule that let providers like Meta scan everyone&amp;rsquo;s messages &amp;ldquo;voluntarily&amp;rdquo;. The vote was 307 to 306.&lt;/p>
&lt;p>One vote. Let that sink in for a moment.&lt;/p>
&lt;p>Anyway, that temporary regulation then expired on April 3. So right now, for the first time in years, there is no legal basis for mass scanning of private messages in the EU at all. That happened because a lot of normal people made noise about it. It worked.&lt;/p>
&lt;h2 id="the-bad-news">The bad news&lt;/h2>
&lt;p>Here&amp;rsquo;s the thing, and this is the part that&amp;rsquo;s actually urgent right now: they&amp;rsquo;re trying to bring Chat Control 1.0 back. The Parliament voted to let it die, it expired, and now EU ambassadors have pushed to just extend it anyway, and MEPs are being asked to vote on reversing the decision they made in March. Read that again. The Parliament said no, by however thin a margin, and the answer to that is apparently &amp;ldquo;vote again until you say yes&amp;rdquo;. That&amp;rsquo;s the vote to watch right now, and it&amp;rsquo;s why the pressure matters again &lt;em>right now&lt;/em> and not at some vague point in the future.&lt;/p>
&lt;p>And in the background, the permanent version, Chat Control 2.0 (officially the CSA Regulation), is still being negotiated between the Parliament, the Council and the Commission. That fight is the same one as always. The Parliament&amp;rsquo;s position is actually fine: only scan specific suspects, and only with a court order. Normal police work, basically. The Council wants scanning of everyone without suspicion. Their newest trick is calling it &amp;ldquo;own-initiative&amp;rdquo; scanning by the providers, so on paper nobody is &lt;em>forced&lt;/em> to scan, wink wink. Even the Council&amp;rsquo;s own legal service looked at that in June and said no, this is still generalised scanning of private communication. Which is the thing the EU courts keep saying is not compatible with fundamental rights.&lt;/p>
&lt;p>There was supposed to be a final negotiation round on 2.0 on June 29, and it fell apart, exactly over this suspicionless scanning question. So no deal yet there either. Talks continue under the Irish presidency now, and Ireland is unfortunately one of the countries pushing &lt;em>for&lt;/em> scanning.&lt;/p>
&lt;p>This is the pattern with Chat Control. It gets rejected, it comes back with a new name. It gets blocked, it comes back under the next presidency. It expires, they try to extend it after the fact. The people pushing it only need to win once. We have to win every single time. That asymmetry is what worries me the most, more than any specific version of the text.&lt;/p>
&lt;h2 id="why-i-care">Why I care&lt;/h2>
&lt;p>Well, I run a Matrix server. If a scanning obligation like this passes, what am I supposed to do exactly? Break encryption for my users, or shut down? The big companies can hire compliance people and build scanning infrastructure. Signal at least has the weight to say &amp;ldquo;we&amp;rsquo;ll leave the market&amp;rdquo; and make headlines with it. A small homeserver like mine just quietly dies, or I&amp;rsquo;d be forced to move my server elsewhere with better privacy regulations.&lt;/p>
&lt;p>And even if you don&amp;rsquo;t run anything: once the infrastructure to scan everything exists, &amp;ldquo;it&amp;rsquo;s only for CSAM&amp;rdquo; is just a promise. Promises like that have a history. First it&amp;rsquo;s this, then it&amp;rsquo;s terrorism, then it&amp;rsquo;s copyright, then it&amp;rsquo;s whatever the government of the day doesn&amp;rsquo;t like. Surveillance powers never shrink on their own.&lt;/p>
&lt;h2 id="what-you-can-actually-do">What you can actually do&lt;/h2>
&lt;p>The March vote was 307 to 306. Margins like that don&amp;rsquo;t happen without ordinary people bothering their representatives, so this is not one of those &amp;ldquo;nothing you do matters&amp;rdquo; situations. Concretely:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Contact your MEPs.&lt;/strong> The easiest way is &lt;a href="https://fightchatcontrol.eu">fightchatcontrol.eu&lt;/a>, they have a tool that finds your representatives and helps you contact them, plus they track the current status of everything. Takes five minutes. A short personal message is better than a copy-paste one, but a copy-paste one is a lot better than nothing.&lt;/li>
&lt;li>&lt;strong>If your government is on the pro-scanning side&lt;/strong> (Denmark, Ireland, Spain, France, Italy and a bunch of others), write to them too. The worst versions of this keep coming from the Council, and the Council is just national governments, and those care about national voters.&lt;/li>
&lt;li>&lt;strong>Follow the people who actually track this stuff.&lt;/strong> &lt;a href="https://www.patrick-breyer.de/en/posts/chat-control/">Patrick Breyer&lt;/a> has documented every twist of this saga for years, and &lt;a href="https://edri.org">EDRi&lt;/a> does a lot of the real policy work.&lt;/li>
&lt;li>&lt;strong>Use encrypted messengers, and get others on them.&lt;/strong> Not because it fixes the law, but because the more normal encryption is, the harder it gets politically to ban it. I&amp;rsquo;m working on a whole post comparing the options, should be up tomorrow, conveniently.&lt;/li>
&lt;/ul>
&lt;p>I know &amp;ldquo;write to your politician&amp;rdquo; sounds like the most useless advice in the world. But this specific fight has been won multiple times now by exactly that. One vote in March. That was people making noise.&lt;/p>
&lt;p>They will try again, they always do. So stay loud.&lt;/p>
&lt;p>And as always, if you want to talk about this, you know where to find me.&lt;/p></description></item><item><title>Why I'm Starting salix.host</title><link>https://salix.host/posts/why-im-starting-salix-host/</link><pubDate>Fri, 10 Apr 2026 00:00:00 +0000</pubDate><guid>https://salix.host/posts/why-im-starting-salix-host/</guid><description>&lt;p>So, first post. I figured I should explain what this whole thing is and why I bothered setting it up.&lt;/p>
&lt;p>salix.host is a Matrix homeserver. If you don&amp;rsquo;t know Matrix, the short version: it&amp;rsquo;s a chat network that nobody owns, kind of like email but for messaging. You pick a server, make an account there, and you can talk to anyone on any other server. No single company in the middle deciding the rules or reading your messages.&lt;/p>
&lt;h2 id="why-though">Why though?&lt;/h2>
&lt;p>Honestly, I got tired. Tired of every messaging app being owned by some company that treats your conversations as a product. You don&amp;rsquo;t really own your account on those platforms, you just borrow it until they decide otherwise. One policy change, one ban with no explanation, and years of contacts and history are gone.&lt;/p>
&lt;p>The usual answer is &amp;ldquo;just run your own server&amp;rdquo;. And sure, that works, I do it myself. But let&amp;rsquo;s be real, most people are not going to rent a VPS and maintain a Synapse install just to chat with their friends. That&amp;rsquo;s a pretty big ask.&lt;/p>
&lt;p>That&amp;rsquo;s the gap salix.host tries to fill. A simple, generic gateway into the Matrix network. You get an account here, and you&amp;rsquo;re in. No need to run anything yourself, no need to understand what federation means under the hood. It just works, and your privacy comes with it.&lt;/p>
&lt;h2 id="what-this-server-is-and-isnt">What this server is (and isn&amp;rsquo;t)&lt;/h2>
&lt;ul>
&lt;li>It&amp;rsquo;s small, and I like it that way. I&amp;rsquo;m not trying to build the next big platform.&lt;/li>
&lt;li>It&amp;rsquo;s run by one person (me) who actually cares about keeping it up and keeping it clean.&lt;/li>
&lt;li>It&amp;rsquo;s not a business. There&amp;rsquo;s no growth target, no ads, no selling data. There is no data to sell anyway, most of what goes through here is end-to-end encrypted.&lt;/li>
&lt;/ul>
&lt;p>I won&amp;rsquo;t pretend it&amp;rsquo;s perfect. A one-person server means when something breaks at 3am, it stays broken until I wake up. But I think there&amp;rsquo;s value in small servers run by real people, instead of everyone piling onto the same two or three giant ones. Federation only works if the network is actually spread out.&lt;/p>
&lt;h2 id="whats-next">What&amp;rsquo;s next&lt;/h2>
&lt;p>I want to write more here. Not just server announcements, but posts about self-hosting, privacy, and honestly some social stuff too, because I don&amp;rsquo;t think you can talk about privacy without talking about why it matters for people.&lt;/p>
&lt;p>If you want an account, or you just want to say hi, come find me on Matrix. That&amp;rsquo;s kind of the whole point.&lt;/p></description></item></channel></rss>