Ok so, here I am again asking another question ๐๐ But hear me out: I read this post here about, if there even is a good privacy messenger that can be trusted. Someone in the comments mentioned Conversations (a XMPP client for Android). This made me look into XMPP and at the moment I am giving Conversations a try. Reading into XMPP, I couldnโt find a problem security or privacy wise. Also it seems like it does not matter what server I use (atm. we are on 07f.de) since it is all e2e with OMEMO. Am I missing something or is it really this good? And if I dont trust anyone, I could host my one instance of ejabberd, right?
its really really save
Edit: sorry I misread it as XMR.
XMPP can be very unsafe. It depends on the client you use. Its best to use a protocol that doesnโt allow unencrypted messages to be sent at all. Like Wire or Signal.
If I understand correctly, you can prohibit non-e2e messages on your server .
Its best to use a protocol that doesnโt allow unencrypted messages
This is an implementation thing and not a protocol thing. What protocol doesnโt allow unencrypted messages? I am sure signalโs protocol would still allow it, itโs just that the implementation doesnโt.
And same for XMPP. Just go with the implementation that doesnโt.
It depends on the client and the security implementations they support. For example IIRC no client support the last version of OMEMO (I think it was about OMEMO, I remember an article about it some time ago). Also are you sure that all the other peopleโs clients are on the same version and youโre not susceptible to a downgrade attack?
Unless you are ready to/want to control the whole environment (i.e. at least the clients and possibly the server), look into simplex.chat
There are some clients that support the latest version of OMEMO, but yes, since the most popular ones do not, you end up using the older version most of the time. That said, the older version is not generally unsafe, it basically is the same as WhatsApp or Signal are using. The newer version is just somewhat better as it includes some lessons learned from earlier attempts.
Having to ask means youโre probably conducting unsafe behaviors anyway
I am asking because I want to understand the โhypeโ about XMPP that and why it is always mentioned when someone is asking for a good privacy friendly messenger :)
The โhypeโ around XMPP is that it is simple and extensible. The server implementations of XMPP are very performant, especially compared to other protocols like Matrix that fit the same niche. I would like to see XMPP succeed, but what people want is a finished, unified product. Matrix, more so Element Matrix, succeeds in the personal messaging space because it provides a unified experience and a finished product. XMPP has been utilized by thousands of different projects, from Xbox game chats, to Zoom and WhatsApp, but each implementation is different and specialized. Conversations works great as a messenger, I recommend it. Easy to selfhost as well.
Off the top of my head you need to ensure everyoneโs using the same OMEMO version; and i donโt think it encrypts metadata.
E2ee is not everything, as most of the privacy sensitive metadata can still be collected. Sure it is nice to have, but even more important is that you can chose a trustworthy server operator or run your own. XMPP allows doing that, but it has some weaknesses with client implementations and so on.
I am a bit biased and would say all in all XMPP is probably the best option right now, but it depends on your specific priorities. It certainly has some rough edges though.
Conversation let you configure that all conversations are omemo secure by default (omemo always). Dinoโs next release will include it as well (omemo always issue)
