I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.
In order of most to least secure
VM > Docker+GVisor > Docker/LXC
Docker+GVisor is good middle ground because it provides the guest container with an application kernel in a memory safe language and reduced syscall attack surface to avoid kernel container escapes. Docker/LXC share the kernel with the host.
The other problem with Matrix for me is that Element call (the protocol) is not present in most public instances and isn’t very straightforward to selfhost. The default is jitsi which is not E2EE. Pretty major IMO because if Matrix is supposed to be a Discord alternative and supposedly E2EE but VC isnt encrypted, pretty yikes.
Also they have claimed for years that they have forward secrecy. Has something actually changed recently?
Where did you read that Signal uses MLS? I could not find any claims of using MLS on Signal’s specs page or their GitHub repo. Also MLS doesn’t mean anything on its own, see Soatok’s blog on MLS.
Soatok is currently in the process of writing a blog post about another vulneribilty they found in Matrix’s encryption, and with Matrix’s history of numerous vulnerabilities, I would stay away from that shit. No matter how “good” the algorithm is in theory, it is all about implementation. Matrix also has very brittle encryption, often times many messages will become unrecoverable, which is terrible UX.
You’d be better off just selfhosting XMPP+OMEMO, with the caveat that it is also flawed and leaks plenty of metadata.
The best alternatives to Signal (but not Discord) are SimpleX and Briar. Both are significantly better than XMPP/Matrix for privacy and security.
It still isnt great. Better than DeltaChat/Matrix but decently worse than Signal’s security.
OMEMO is better than nothing. Much better than OTR or PGP (looking at you DeltaChat), and the biggest problem seems to be the metadata and old versions used in some clients. The encryption (of message contents) at the very least is decent.
OMEMO is better than Matrix’s encryption, which the later doesnt offer proper forward secrecy and breaks all the time leaving messages inaccessible.
You can use the WebCord app for Spacebar.
I dont really understand what you mean in your last sentence.
My reason for saying GVisor is safer is because it is an application kernel which provides traps and emulates most Linux syscalls in the guest with a far smaller set of syscalls to the host kernel, helping to prevent container escapes and privilege escalation. GVisor also fully drops privileges early into start up (before running any significant logic), helping to prevent privilege escalation.
Cgroups is not a really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resources limiting (among other things). You can not use GVisor with LXC.