Here is a blog post by a widely respected cryptographer on why XMPP+OMEMO is not secure: https://soatok.blog/2024/08/04/against-xmppomemo/
This post is 1.5 years old and outdated.
Do you know if there is a more up to date description of xmpp e2ee without having to read the spec. Specifically interested in stuff like how much metadata is leaked.
Misleading title.
I've personally used 4 encrypted communication apps, here are my thoughts:
Signal: huge downside that it required a phone number (not sure if it still does), and the centralized nature of it makes me very wary of it. It worked reliably when I did use it, but I no longer use it.
Matrix with Element: As others mentioned, it leaks meta data. It wasn't very reliable in my experience with encrypted group chats. Messages would constantly not be readable by other users in the chat, requiring frequent re-sending to finally get through. Overall I found it very frustrating to use.
XMPP: Experience can somewhat vary depending on the app used. With the Movim desktop front-end, I can sometimes have issues with encrypted messages not getting unencrypted (possibly just user error on my part), but with mobile apps like Conversations or Monocles, its been pretty much 100% reliable. Doesn't drain my battery either. Would recommend.
Deltachat: I've used this the least, but I really like it. Super easy to connect to friends and join a group chat, its all encrypted by default so no real chance of encountering an unencrypted message, very nice UI, is available on all platforms as one app, and has been 100% reliable with low battery drain. Highly recommend if you don't need to make voice calls (it can do texts, images, and supports voice/video files you can send and play within the app).
Self host your matrix server, use Continuwuity not Synapse, and do not enable federation.
Then why bother with Matrix at all if that's not for the federation? You give yourself the trouble and inefficiencies of an over-engineered protocol you won't even use.
Why not Synapse?
Super heavy, and overkill unless you need to run matrix.org itself.
I know it's not the most popular, but I've genuinely been happy with Matrix for the last few years. Obviously there are problems, but it really has gotten fairly stable. At least...for me...
+1 for matrix
reason for them not appearing is that xmpp is a largely relaxed platform, that is, all implementations are not equally strict. some may implement certain extensions, others may implement other. encryption (omemo) is a common one that most implement, but then client (the user apps like gajim) may or may not implement them correctly, or they may have a fallback (first communication between 2 clients maybe is not encrypted), and other different problems with encryption being flaky (firstly, it is not perfect forward secrecy, it is a bit prone to failure (messages unable to decrypt), etc.), hence it is not recommended much.
For the first communication not encrypted there's an easy solution: force encryption on your side and block unencrypted communications.
Theres snikket as a solution to that
The freenet/futo devs are working something called river (https://freenet.org/). I don't think it's mobile yet and cannot attest to it's call quality. It's fully decentralized though, so it should work even if they abandon the project. Here's a video on the protocol https://youtu.be/3SxNBz1VTE0 Mostly goes over the introductory docs that're on the site.
I've hardly used it so far, but simpleX seems promising from my limited knowledge. I highly suggest checking it out.
No idea. I use the app Conversations (XMPP+Omemo) and it works great. Only downside ist that you have to somewhat trust the server you are on, because of metadata. But thats basically every chat app.
Prosody XMPP + Pidgin/(Monal|Xabber) has always worked for me. It is not hard to setup or manage, has E2E encryption too.
Tox, where is TOX ? Why it's not mentioned in the article ? It's te most private messaging app, no other app can be more secure.
You should check out "keet" or "Jami" for privacy message app.
Jami is nice in theory, but it was very buggy for me when I tried it and Jami calls had no noise cancelling at all. Other than that, it does work.
I cant find the "keet" git repo, I think its proprietary. So thats a no go for privacy.
https://github.com/holepunchto/keet-appling-next
Here is the github link, note that, this is the "shell" of the desktop. There is another repo specifically for android app.
https://keet.io/ is the official website
Developer is holepunch and uses "pear" peer-to-peer protocol.
Yeah, I saw that too, that not the full source code. I found another repository for the android releases: https://github.com/holepunchto/keet-mobile-releases
Again, no source code, just binaries. Rather shady I think...
Yeah Keet (and Pear in general) are doing some open washing, branding their apps as open source while using very restrictive licences, at least that's how I feel about them. It's closer to source available to my eyes.
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Community icon from opensource.org, but we are not affiliated with them.
