Hello. I am looking for an alternative to Telegram and I prefer an application that uses decentralised servers. My question is: why is the xmpp+omemo protocol not recommended on websites when it is open source and decentralised? The privacyguides.org website does not list xmpp+omemo as a recommended messaging service. Nor does this website include it in its comparison of private messaging services.
https://www.privacyguides.org/en/assets/img/cover/real-time-communication.webp
Why do you think xmpp and its messaging clients such as Conversations, Movim, Gajim, etc. do not appear in these guides?
Could you even cite an example of such leaked metadata? I’d like to also remind you that metadata leaking to your own server (which you can chose, which you can self-host) isn’t as big a deal in XMPP as it is with other services. Which is also why I can’t take Soatok’s opinion about and obsession for Signal seriously: when all accounts are hosted by a single actor, you have a much bigger metadata problem, and all obfuscation attempts (sealed senders being one) are ultimately defeated by simple timing and packet correlation attacks.
You were probably looking at a rebrand/spin of https://xmpp.org/software/conversations/ . All major XMPP clients and servers declare their compat via DOAP: https://xmpp.org/extensions/xep-0453.html
Correct, but in this case OMEMO is secure and is used in contexts where security actually matters. There have been multiple audits of it over the years:
https://conversations.im/omemo/audit.pdf
https://raw.githubusercontent.com/hardenedvault/vault-docs/master/report/lurch-audit.pdf
https://www.scribd.com/document/568512285/chiffrement-messagerie-instantanee-fmaury-anssi
https://download.igniterealtime.org/smack/docs/smack-omemo-audit-1.0.pdf