1. 21
  2. 21

    Why (practically) no mention of xmpp/jabber? It’s federated, has E2EE support (OMEMO), many FOSS clients and server implementations, and providers generally don’t require any personal info to sign up. The article only mentions that last bit briefly, but instead spends more time focusing on the various walled garden services out there.

    1. 7

      It’s not trendy and new? Honestly the only reason I can think why these articles always gloss over it.

      From a user point of view, I can see why it struggled. It is old, it wasn’t always great, OMEMO rollout has been slow and steady.

      However, if you are writing an article like this you should know that XMPP in 2019 is really good. Services like Conversations make it a program that I use with real people in the real world every day.

      Nerds like me use their domain as their ID. Other people just use hosted services. Doesn’t matter, it all works.

      Decentralised services are always going to have a branding issue I guess.

      1. 7

        > no mention of xmpp/jabber? It’s federated,

        It is listed under Worth Mentioning of our Federated section. The reason why it is not a main feature is because client quality is such a fragmented ecosystem, and this is due largely to poor quality of documentation. Many of the XEPs still remain in draft or proposed status.

        > However, if you are writing an article like this you should know that XMPP in 2019 is really good. Services like Conversations make it a program that I use with real people in the real world every day.

        The issue is Conversations is the only good client. If there were iOS and Desktop clients as good as that then we would be more likely to make it a main feature.

        1. 3

          > Nerds like me use their domain as their ID. Other people just use hosted services. Doesn’t matter, it all works.

          There is also Quicksy.im by the Conversations author that provides even easier on-boarding for non-nerds but still uses XMPP underneath.

          For me the biggest problems with XMPP are lack of good clients for iOS and desktops. There is Dino.im but still in beta and it’s not clear if there will ever be an iOS client with Conversations feature-parity.

          Edit: It seems some members of privacytools.io actually like XMPP: https://github.com/privacytoolsIO/privacytools.io/pull/1500#issuecomment-559405853

          1. 2

            > It’s not trendy and new? Honestly the only reason I can think why these articles always gloss over it.

            I should mention here that is not the case at all. We look at a number of factors, including client quality, developer documentation quality, types of ‘footguns’ involved, i.e. where a user might expect something to be encrypted and in reality it is not, etc.

            1. 2

              You’re being too kind to XMPP, like PGP it’s another example of focusing on things that are trendy in some FOSS circles and meanwhile losing focus on actually providing value where it really matters to users.

              It’s trendy to assume that federation is an unequivocal good thing and centralized services are bad, when looking deeper into the topic reveals it’s a mess of tradeoffs. Every time this comes up, Moxie’s “The Ecosystem is Moving” post is looking more and more insightful.

              XMPP, like PGP provides a horrible user experience unless you have extensive domain-specific knowledge. In XMPP’s case, federation is partly to blame for that. Another part is that XMPP is very much a “by nerds, for nerds” thing which comes with a very different set of priorities than anything that aims to be used by most people.

              1. 2

                > Every time this comes up, Moxie’s “The Ecosystem is Moving” post is looking more and more insightful.

                For a different perspective on the subject see “An Objection to ‘The ecosystem is moving’”.

                1. 2

                  I personally like this one: “I don’t trust Signal” by Drew DeVault.

            2. 2

              > For me the biggest problems with XMPP are lack of good clients for iOS and desktops.

              For the desktop there is Gajim (gajim.org). It has OMEMO and works very well with Conversations. I have been using this for years and years, although I can only attest to the Linux version.

              1. 3

                Yes, I agree. Gajim is fully featured. It’s not without flaws: outdated UI, OMEMO not built in and enabled by default and apparently no official MacOS version (there is https://beagle.im/ for MacOS though…).

                I guess XMPP’s problem no. 1 is software fragmentation as there is no single company that’s maintaining a full suite of software. It’s always mix-and-match depending on what OS/phone is used by one’s friends.

              2. 2

                Ah, iOS is a big deal. Didn’t realise Conversations didn’t have an app on there.

                1. 2

                  Yeah. Some people report good results with ChatSecure or Monal or Siskin.im but it seems all of them have minor issues here and there.

                  1. 1

                    > For me the biggest problems with XMPP are lack of good clients for iOS and desktops. There is Dino.im but still in beta and it’s not clear if there will ever be an iOS client with Conversations feature-parity.

                    The issue with that is they have no tagged releases, which means maintainers have some ancient random old version or have to keep up to date with every commit. It is unacceptable for something as complex as an instant messenger program to have no tagged release and we believe this is because the developers are not comfortable in the completeness of the product to do so.

                    https://github.com/privacytoolsIO/privacytools.io/pull/1500#discussion_r347156496

              3. 2

                Because it does not solve any privacy, security or resilience problems from the point of view of an individual.

                a) Federation is meaningless from a resilience PoV since XMPP accounts are not transferable; if someone is targeting me they can take down the server I’m using. A user or programmer giving a damn about “network being resilient as whole” is irrational. It should always be about end-user experience.

                b) Until people figure out how to create an Open Incentive-Aligned Cloud Messaging Platform (a replacement for FCM and APNS), battery life will suck. Having multiple TCP sockets, each with its own heartbeat, for each of your apps means short battery life. I want one socket with heartbeat values optimized for the network I’m using ATM.

                If you want to figure out how to build an open replacement for FCM/APNS, I would love to help.

                1. 1

                  Aren’t all of these points especially worse for the services mentioned in the article? They all depend on a single company, none of the accounts or services are transferable.

                  Battery life doesn’t ‘suck’. My Nexus 5X regularly sees 24hr+ with moderate XMPP usage through Conversations (and no Google Play services installed).

                2. 1

                  I’ve been using XMPP with OMEMO E2EE for about a year now, after a FOSS enthusiast convinced me to use it. I’m using Gajim (https://gajim.org/) pretty much daily now and am quite happy with the feel and performance of the chat. It even has code highlighting blocks and other goodies and addons, and it stores the history in a sqlite database. Apparently it’s also possible to use multiple clients on the same account and the messages go to all your clients once they’re hooked up, but I’ve never tried it myself.

                  1. 3

                    Yeah I use it on my phone and desktop, much like one might use whatsapp and whatsapp web. Only your phone doesn’t have to be on for it to work.

                    1. 3

                      > Apparently it’s also possible to use multiple clients on the same account and the messages go to all your clients once they’re hooked up, but I’ve never tried it myself.

                      Yep, I believe that’s XEP-0280 ‘message carbons’. Many servers/clients support it.

                      1. 2

                        > XMPP with OMEMO E2EE

                        The other issue we have with XMPP is that E2EE is not consistent. For example file transfer and VOIP.

                        https://github.com/privacytoolsIO/privacytools.io/pull/1500#discussion_r351079569

                        It’s not abundantly clear to the user whether their file transfer was sent with E2EE or not. As for VOIP over Jingle, there’s no E2EE to be found there. We believe all channels should be E2EE and not “some features only”.

                        1. 2

                          > I’ve been using XMPP with OMEMO E2EE for about a year now, after a FOSS enthusiast convinced me to use it. I’m using Gajim (https://gajim.org/) pretty much daily now and am quite happy with the feel and performance of the chat.

                          That is the client we suggested for desktop under our Federated section.

                          We would like to see documentation for MacOS. Pages like https://gajim.org/download/ just simply say things like:

                          > MacOS
                          >
                          > MacOS instructions to follow.

                          1. 1

                            > Apparently it’s also possible to use multiple clients on the same account and the messages go to all your clients once they’re hooked up, but I’ve never tried it myself.

                            Yes, and it works very well. I am using Conversations on my mobile and Gajim on the desktop. Both support OMEMO.

                            See omemo.top for the OMEMO implementation status across a large number of XMPP clients.

                        2. 8

                          I fell back to an old approach:

                          Step 1. What are my friends, coworkers, or target audience using?

                          Step 2. Install that.

                          Step 3. Send them a message.

                          Step 4: Depending on audience, try to interest them in private messaging.

                          1. 3

                            Same. Which means I basically have half a dozen messenger apps.

                            1. 2

                              I like your style. A lot of people say ‘oh my friends would never switch’. Often people never even bother asking. In my experience people are more receptive to new things than they are given credit for.

                              1. 2

                                And, private conversations are a good selling point. Most people want that, but don’t change the defaults. If you switch them to a private-by-default alternative, they sometimes become cheerleaders in their own circles.

                            2. 3

                              I wrote the content in https://github.com/privacytoolsIO/privacytools.io/pull/1500 which became this blog article and was the changes on our website https://www.privacytools.io/software/real-time-communication/

                              1. 4

                                Thanks for the links (and your contribution), interesting stuff. I had a discussion about the recommendations on that site just the other day within my friend group. Most people thought it was confusing that services/software/protocols are kind of interleaved in there. It looks like that’s mostly cleared up now (e.g. instead of promoting Riot, it’s now Matrix).

                                That said, the blog post mentions Telegram is without encryption by default. While it doesn’t do E2EE, stating it doesn’t do encryption at all is not completely true either. As shady as MTProto is, it does provide encryption. This might just be a simplification catering to non-crypto-savvy users though, but it stood out to me.

                                I’m really rooting for Matrix, I hope that the client ecosystem becomes more mature so we don’t all have to rely on Riot as much, and that enough people start using it as a “main” IM thing.

                                1. 3

                                  Yes it’s been quite a work in progress and has certainly taken me and the team (and our contributors in particular djoate) quite some time.

                                  We will be doing the same to the email section in the coming months. We plan to launch that with a criteria mentioned here. I have contacted all the providers listed, and we will be keeping the ones which meet the new requirements to stay listed. We want to see more providers implement these RFCs or place priority on it as that will be good for everyone.

                                  The deadline given to providers for that is March 2020 to coincide with the deprecation of TLS 1.0 and 1.1 in major browsers.

                                  > That said, the blog post mentions Telegram is without encryption by default. While it doesn’t do E2EE, stating it doesn’t do encryption at all is not completely true either. As shady as MTProto is, it does provide encryption. This might just be a simplification catering to non-crypto-savvy users though, but it stood out to me.

                                  One of the things we place importance on is security auditing, as we like to see things are verified. My understanding is that Telegram’s MTProto 2.0 has not been formally audited. I don’t agree with releasing a product first and auditing later. This may make sense from a business point of view, but if people put trust in a product and it then fails them, that could have terrible consequences.

                                  They provide “cracking competitions” which are a bit of a marketing red flag and really don’t add too much value by themselves.

                                  Our site is placing more importance on auditing and formal verification by external parties. We’re doing this because we live in a world where we are swamped with marketing spiel that you can’t really trust.

                                  > I’m really rooting for Matrix, I hope that the client ecosystem becomes more mature so we don’t all have to rely on Riot as much, and that enough people start using it as a “main” IM thing.

                                  I think this is very well a possibility. The spec is in great shape, unlike some other federated instant messaging platforms.