Hello. I am looking for an alternative to Telegram and I prefer an application that uses decentralised servers. My question is: why is the xmpp+omemo protocol not recommended on websites when it is open source and decentralised? The privacyguides.org website does not list xmpp+omemo as a recommended messaging service. Nor does this website include it in its comparison of private messaging services.

https://www.privacyguides.org/en/assets/img/cover/real-time-communication.webp

Why do you think xmpp and its messaging clients such as Conversations, Movim, Gajim, etc. do not appear in these guides?

  • ProdigalFrog@slrpnk.netEnglish
    1·
    4 months ago

    I’ve personally used 4 encrypted communication apps, here are my thoughts:

    Signal: huge downside that it required a phone number (not sure if it still does), and the centralized nature of it makes me very wary of it. It worked reliably when I did use it, but I no longer use it.

    Matrix with Element: As others mentioned, it leaks meta data. It wasn’t very reliable in my experience with encrypted group chats. Messages would constantly not be readable by other users in the chat, requiring frequent re-sending to finally get through. Overall I found it very frustrating to use.

    XMPP: Experience can somewhat vary depending on the app used. With the Movim desktop front-end, I can sometimes have issues with encrypted messages not getting unencrypted (possibly just user error on my part), but with mobile apps like Conversations or Monocles, its been pretty much 100% reliable. Doesn’t drain my battery either. Would recommend.

    Deltachat: I’ve used this the least, but I really like it. Super easy to connect to friends and join a group chat, its all encrypted by default so no real chance of encountering an unencrypted message, very nice UI, is available on all platforms as one app, and has been 100% reliable with low battery drain. Highly recommend if you don’t need to make voice calls (it can do texts, images, and supports voice/video files you can send and play within the app).

  • loweffortname@lemmy.blahaj.zoneEnglish
    1·
    4 months ago

    I know it’s not the most popular, but I’ve genuinely been happy with Matrix for the last few years. Obviously there are problems, but it really has gotten fairly stable. At least…for me…

      • Hazematman@lemmy.ca
        0·
        4 months ago

        Do you know if there is a more up to date description of xmpp e2ee without having to read the spec. Specifically interested in stuff like how much metadata is leaked.

    • u_tamtam@programming.dev
      0·
      4 months ago

      This blog post has been debunked as fallacious (posing as evidence what’s unsubstantiated), and in bad faith (some comments, including by the protocol developers, were removed from the blog’s comments section). That aside, if you are left unimpressed by the crypto jargon, all you take away from it is that Soatok really likes Signal and this isn’t Signal. There have been several independent audits on OMEMO, it’s used today by serious institutions and governments, it’s been under more scrutiny than soatok gave it, and there’s nothing knowingly insecure about it.

      • N.E.P.T.R@lemmy.blahaj.zoneEnglish
        0·
        4 months ago

        OMEMO leaks plenty of metadata; most things other than message contents are left unencrypted. Many of the mature XMPP use different OMEMO versions (which can be hard to tell when the client doesn’t clearly state the XEP versions, like Snikket). I spent 40 min scouring Snikkets website and source repo without any clear way to determine what version of OMEMO they bundle. I said OMEMO+XMPP because no matter how secure your protocol is, the actual implementation by your largest userbases determine real-world security.

        And lastly, just because “serious institutions and governments” use it doesn’t make it more secure. Many European governments use Matrix, and that has even worse security, breaks forward secrecy, doesn’t encrypt basically anything other than message content, etc. Many governments have critical systems that run unpatched Win 7 or older. My point is that security is independent of adoption.

    • Victor@lemmy.world
      0·
      4 months ago

      Could you elaborate on why Signal is a bad choice?

      Are SimpleX and Briar also poor choices? Delta Chat?

      And maybe why being funded by western governments is a bad thing as opposed to other governments?

      Thanks 🙇‍♂️

      • theherk@lemmy.world
        0·
        4 months ago

        It isn’t. But I see this same post over and over. Really feels like there is a campaign against signal. Also tor developed by US Naval Research, so I guess it’s bad too.

        • A🔻atar of 🔻engeance@lemmy.mlBEnglish
          0·
          4 months ago

          good to know leaking phone numbers and being the main Discord alternative used by congress and Jeff Bezos on a centralized server isn’t a problem on .world

          TOR nodes are mostly run by the US government and independent cryptocurrency entrepreneurs (Jeffrey Epstein email chain inhabitants)

          if you had half a brain you would use i2p

          • theherk@lemmy.world
            0·
            4 months ago

            Cool strawmen; I didn’t say any of that. Signal protocol is awesome for privacy, not anonymity. Maybe I don’t have half a brain, but I happen to think the double ratchet implementation is an impressive piece of tech. Maybe I’m as dumb as your fever dream, but compromised exits doesn’t make tor any less of an achievement. Though i2p is also superb. I guess my brain is too weak to understand why those statements are mutually exclusive.

            • Arthur Besse@lemmy.mlEnglish
              0·
              4 months ago

              Signal protocol is awesome for privacy, not anonymity

              The “privacy, not anonymity” dichotomy is some weird meme that I’ve seen spreading in privacy discourse in the last few years. Why would you not care about metadata privacy if you care about privacy?

              Signal is not awesome for metadata privacy, and metadata is the most valuable data for governments and corporations alike. Why do you think Facebook enabled e2ee after they bought WhatsApp? They bought it for the metadata, not the message content.

              Signal pretends to mitigate the problem it created by using phone numbers and centralizing everyone’s metadata on AWS, but if you think about it for just a moment (see linked comment) the cryptography they use for that doesn’t actually negate its users’ total reliance on the server being honest and following their stated policies.

              Signal is a treasure-trove of metadata of activists and other privacy-seeking people, and the fact that they invented and advertise their “sealed-sender” nonsense to pretend to blind themselves to it is an indicator that this data is actually being exploited: Signal doth protest too much, so to speak.

              • ToTheGraveMyLove@sh.itjust.works
                0·
                4 months ago

                I Facebook said they enabled E2EE, theres zero evidence and zero way to verify that. Facebook has been caught in lie after lie. They most likely lied about that too.

                • Arthur Besse@lemmy.mlEnglish
                  0·
                  4 months ago

                  Many people have reverse-engineered and analyzed whatsapp; it’s clear that they are actually doing e2ee. It is not certain that they don’t have ways to bypass it for targeted users, and there is currently a lawsuit alleging that they do, but afaik no evidence has been presented yet.

  • cockmushroom@reddthat.com
    0·
    4 months ago

    The freenet/futo devs are working something called river (https://freenet.org/). I don’t think it’s mobile yet and cannot attest to it’s call quality. It’s fully decentralized though, so it should work even if they abandon the project. Here’s a video on the protocol https://youtu.be/3SxNBz1VTE0 Mostly goes over the introductory docs that’re on the site.