GrapheneLover I'd love to use XMPP, but a reference implementation would make it so much easier! Each time I try, I'm overwhelmed by the different optional specifications, implementations, compatibility, ... How did you choose your server, and what clients are you using?
Better than Signal?
zzz I have no idea at the moment if the devs of OMEMO are going to implement such a thing, I will have to ask them.
No, Signal uses its own protocol and XMPP is compatible with OMEMO, which is a fork of the Signal-created protocol.
Eirikr70 Still matrix is buggy as hell and heavy upon both phone and desktop imo.
Prosody is imo the best robust XMPP server which comes configured pretty well by default, though you can always improve it by adding onion routing and disabling server2server connection and more features. Setting up a server is just a 1-time effort and after setting up everything you're done and can use an app like Conversations like any other IM app.
Hathaway_Noa Did you also try ejabberd?
Hathaway_Noa Still matrix is buggy as hell and heavy upon both phone and desktop imo.
You might be right. But it was hard having my familiars switch from WhatsApp to a Matrix client. I won't try and have them migrate to XMPP ...
Tuba XMPP is way lighter than Matrix. It's been around for decades and has managed to evolve with time to support the new needs as the context since 1999 has changed. In my opinion that signals that it can continue evolving for another couple of decades. It's a very stable standard. It doesn't have a reference implementation nor a "default" server provider, which makes it harder to "kill" or steer in a specific direction for the benefit of a few.
On the other hand, it's more confusing and less friendly to newcomers. Which is, I guess, why Matrix seems to be more popular nowadays.
SimpleX is a great step up from Signal. It has the same double-ratchet encryption but fixes privacy issues around metadata and phone #s. Should absolutely replace WhatsApp for anyone still using that.
supersonic Signal leaves no metadata except date app downloaded (which can be avoided with GitHub APK) and date app last used. Pretty useless stuff. Just phone number if you choose to make it available. Otherwise it is a truncated hash on an encrypted Signal server. For me, I want people to know my number is attached to Signal as I am not high threat model. I want my contacts who start using Signal to know I use Signal. I want to see if a contact has added Signal. The more the merrier.
MoonshineMidnight The proof is in the pudding. If I know law enforcement can't get any info, I'm good with the app. Here is Signal's response to a subpoena. Subpoena and Signal's response on the bottom.
Bumwin3
I agree with this, it is the most annoying aspect of secure texting, the need for which seems so obvious to us.
My family and I were using Signal and Wickr, until Wickr changed. Then we all migrated to Session, and Signal sort of fell out of use.
There are only two of us with pixel phones, and I am the only one on GrapheneOS. The rest are iPeople, and they have had trouble with sending photos and notifications. One has trouble at work, I suspect due to the antics of her IT people, but we have no idea how or why.
I strongly suspect that were I not the patriarch, they may not have all gone along with any of this. I have four friends on Signal, and one who refuses to use secure texting. There is very little communication with him.
For whatever I may be worth, that is my/our history. We are not wizards or geeks, we just don’t want our correspondence sitting on someone’s server, in the clear, ready to be read at the whim of some “authority”.
I’ve seen how almost any statement, no matter how innocuous, can be interpreted differently, or distorted in meaning, to ever be comfortable with my texts being read by anyone who has the power to ruin my life.
MoonshineMidnight
I have heard rumors that members of the US military are “advised and encouraged” to use Signal for correspondence with their families.
Blastoidea
Well said! I don't know who to quote on this one but "don't let perfection be the enemy of progress". If I can convince someone to learn about PGP, great! If I can get them to use Signal, awesome! If I can get them to wrap their head around why something like E2EE is important but they're stuck on using WhatsApp, that's fine too.
My experience in trying to spread awareness on security & privacy has been that there is nothing wrong with incremental improvements and pushing too much complexity on a newcomer is the best way to drive them straight into the arms of blissful ignorance, which is the worst possible outcome.
Blastoidea The Senate and their staff have been ordered by their chief of security to use Signal - and they already have hardened, more secure government cell phones (I always wonder what they do for that and if it is more secure than GOS. Heck, maybe they use GOS).
MoonshineMidnight
Interesting, I hadn’t heard that.
Just remember that a significant number of those folks would cheerfully vote for legislation which forbade you and me from using encrypted communications.
[deleted]
AlanZ Hopefully this will be addressed soon, but you also aren't met by a completely empty contact list. Phone numbers are there for a reason, but good on Threema for making both approaches work, although my contact list is still at zero, just like it was when I first purchased it.
[deleted]
People looking at XMPP might be interested to read XMPP: Admin-in-the-middle by the now-defunct Infosec Handbook and associated HN discussions here and here. It mostly applies to using third-party servers, not hosting your own.