Over the past few years I have gone through a bunch of different apps and protocols to find the best one for “securely” communicating with my family and friends.

I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.

Monal for iOS and Cheogram/Conversations/Quicksy for Android. The Android app I install depends on if I can get F-Droid on their phone or not.

It’s been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.

Jabber (friendly name for XMPP) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.

But the capabilities of XMPP make it better.

Signal Cons (immediate)

  • Centralized
  • Single app
  • Phone numbers

XMPP/Jabber Cons

  • Picking server
  • Apps are sort of less friendly

What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I’ve heard really wants us to use their server.

If XMPP gets more attention I’m sure we can get people supporting projects and creating better apps.

I keep seeing people recommend Signal instead.

This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.

Most people don’t understand what an instance is and do not want to do a 3-step registration if they can do a 2-step registration on Signal. Also, if I understand correctly, the XMPP protocol and client didn’t support stickers, and Signal added that feature and GIFs? Not sure

TurkeyDurkey
creator

Protocol and client are different. I know Cheogram has some kind of sticker thing, but I don’t think it’s as robust as what Signal probably has. I can download Signal stickerpacks to use on Cheogram (the xmpp client), but using them was a tad difficult.

Wigglesworth

I use XMPP, and the original idea was for it to be a family chat and a way to securely ask for things on Jellyfin.

No one uses it. (XMPP, not JF)

What’s better?

No one cares. They know it’s a hassle to ask for media. They know they can only ask me in person if they don’t use it. They just won’t bother installing a client. Can’t be bothered.

Oh well, I can’t be asked, then. So we sit in this perpetual state of tug of war. I can’t be contacted, it’s complained about, the situation is explained again, they complain again, and still never resolve the situation.

Going on three years now.

TurkeyDurkey
creator

I’ve been slimming down the services that I don’t personally feel the need to use. And Jellyfin is right around the chopping block. Started Jellyfin to replace costly streaming services. Only one person is using Netflix and that’s the only reason my parents are paying for it still.

Wigglesworth

I’d still use JF if no one else did. It’s convenient for streaming. The alternative would be maybe Kodi and Samba and that’s three steps back, two forward imo. I use XMPP for notifications a lot; its close integration with the server it’s on allows for using it kinda like ntfy.

Galactose

TBH it’s worrying, but at the same time, it’s better to have people on something that’s somewhat Privacy-respecting.

Baby steps, you know. BTW how many here are familiar with GNU-Jami ?

I tried using Jami with a very technical friend. The android version kinda seemed to work, though a little glitchy. The desktop linux/windows version was complete garbage, completely unusable.

TurkeyDurkey
creator

What’s that? GNU-Jami?

Galactose

Very similar to Signal, but Libre software & has no phone-number requirement https://jami.net/

TurkeyDurkey
creator

Oh okay! Didn’t recognize the GNU in there. Was there a trademark issue in the past?

Galactose

No I don’t think so. It’s a high-priority GNU project

For most people, Not this community, it’s trying to get people off Whatsapp. So even signal is better

Signal for people that partly care about privacy. SimpleX for true privacy enthusiasts

I love the irony of the name. It’s probably the best thing about the app.

One of the things I’m curious about and the website doesn’t explain: how are the message queues not identifiers?

They are local identifiers, not global ones. Each one exists only for a single pair of users so they don’t function as stable or traceable identities. “Pairwise anonymous addresses”.

https://simplex.chat/#privacy-of-identity-contacts-metadata

But those are still identifiers linked to you and in a global space because it says multiple servers need to know how to route data.

Nvmd: seemingly if the server hosting your queues shuts down you lose all contact, so your UIDs are shared but only to a specific set of servers you choose with the drawback of fragility. Seems like someone else shutting down a server kills your contact list?

@Ferk has given a more elaborate answer. As for servers shutting down. Haven’t had it happen yet. With any service you always risk servers shutting down or failing, even centralized ones like signal: so that is a bit of a nirvana fallacy.

I didn’t compare it to signal. I just asked if that was the facts of the situation.

If I were to compare it might be to the topic of this thread which I can self host and thus control.

However, since you opened the door on signal I’d comment that the entire signal org would have to go down for that to happen, not just a few servers. Is simplex managed by a large well funded entity that is unlikely to fail or are the servers more mom & pop setups? What happens if Kurt Cobain wakes up one morning and shuts down his server?

@Ferk@lemmy.ml

When it comes to initializing the connection, It’s true that those identifiers (or perhaps more accurately, addresses) are susceptible to collisions in a “global space”. But they are temporary, ephemeral addresses (they are discarded after use and/or expiration), and the space is astronomical so chances of collision are tiny, and even in the rare event of a collision you still have a step in which you verify a fingerprint code that’s independent of the address, related to the individual local device… so you have a second factor authentication of sorts, if you are adding a person and the code does match then you can be pretty sure it’s the correct person, since both the shared address and the internal locally-stored key match.

If there’s a permanent global fingerprint code isn’t that, well, the opposite of what the marketing says? Why is that not a unique user identifier?

@Ferk@lemmy.ml

The fingerprint (or you can also call it “security code”, it’s just a code for verification), is generated from the combination of the locally stored encryption keys from each side of the conversation, it will be different every time. I believe it’s also not technically required by the protocol that the same encryption key should be used for all conversations (although I don’t really know if the client does generate a new one every time or keeps reusing the same, that’s up to the implementation I believe).

Signal may not be the best in a technical sense, but it is good enough and it has the network effect. I’ve been pleasantly surprised when in the span of a few months I met two different people actually in real life, who happened to already be using Signal.

Signal is also just as usable as the big tech alternatives, which makes it not a very hard sell to friends and family. For quite a few years now I have managed to convince everyone I communicate with to do so over Signal. There is no chance I would be as successful with something else.


I use SimpleX

Do you use simplex or do you have an account with simplex?

I use it daily

That’s honestly shocking. Where do you find other people who actually use it?

Based privacy enthusiast 🗿

Don’t forget that OMEMO on XMPP has no backward decryption - all messages are lost with every new client. Massive dealbreaker for me, as I value message history between those I love.

I’ve gone for Matrix. Signal doesn’t interest me until they get rid of the requirement for phone numbers.

Others have noted that XMPP servers hold user contacts (and maybe other parts) wholly unencrypted, and if the server isn’t yours, that’s a trust risk.

I recently switched some of my contacts from Signal to Matrix and I really prefer the user experience. The room-based model and the video chat features are great.

which client are you using? the element client on android and desktop/web seems to be pretty glitchy.

Do you not use backups?

As in, backup messages to import into new clients? Is that possible?

Yes!

Son of a… Thank you! Time to reassess my server aha

The whole XMPP ecosystem is really confusing, I just strongly disagree that matrix is a step forward. On the subject of its backups, I had multiple mysterious failures with matrix before switching to XMPP. I use a password manager so the likelihood of user error is low

Joe Bidet

Many people will tell you you have to sacrifice your principles because interface, because “normies” (which is an elitist way of telling you that non-elitist people are idiots…), etc. I say: stick to your dreams!

It’s not elitist, it’s realist. They don’t want to install Signal just as much as I don’t want to install Facebook messenger.

Yes you can nag people but it will more often than not have the same effect as when people try to convince me to install Facebook messenger.

Joe Bidet

speaking of “normies” is elitist, because the term is usually used by people privileged/experienced with knowledge about technology to describe people who don’t have this privilege/experience. It is implying that there would be a class of (sub-)humans who are not capable of taking the same path as the person who employs this term. I stand by the term “elitist”. In a world of diverse people, life-paths and needs, in my own experience everybody is capable of understanding the political reasons to use a piece of software over another one (because one company sucks, because their model of centralization is detrimental to freedom, because they got shady funding, because they pretend to be something else but bar free software authors to modify their software, because they’re from the USA, etc.). Everyone has their own way of understanding these things. Everyone has some arguments that will resonate better than others. Pretty much the same way you probably decided to not install Facebook messenger. Well the good news is: everybody is capable of understanding these things. It may take time and effort, it may make elitist people realize it is not as easy as they first thought it would be, and require to fail and try again. It requires efforts and a humble approach as to listen to these people and take them where they are and walk a bit along the way with them.

My personal experience is that most people are capable of understanding such things. It may take time, but everyone is capable.

I also saw tons of elitist tech-enthusiasts and other tech-savvies “bros” not even addressing who they call “normies” out of pure laziness, to avoid to speak outside of their own comfort zone and question their own status, and to avoid sharing their elitist knowledge.

-> “‘normies’ won’t do that” = “i am too lazy to engage meaningfully with people who do not know the same things as i know.”

That’s a major part of the problem. Elitist feedback loop…

Normies isn’t an elitist term it is a counter culture term for people outside the norm to refer to the general opinion. It is the not like us statement or the fact that there is experience that one would not understand fully unless they are in a subset group.

https://en.wikipedia.org/wiki/Normie_(slang)

was first used in its original meaning of “ordinary, normal” in English in the 1950s.[6] According to Merriam-Webster, the term “normie” appeared in the late 1980s in the United States. It was used ironically by people with disabilities in reference to the rest of the population.[2] In the late 1990s, the term was used in Alcoholics Anonymous literature to refer to individuals who were not addicted to any substances.[7]

Since the early 2000s it has been spreading on the Internet.[2][4] In the Russian-language sphere, popularization was promoted by the use of the imageboard Dvach, whose users consider themselves representatives of informal culture, which is expressed in controversial publications, non-standard political views, black humor, involvement in various subcultures.[8]

@pathief@lemmy.world

First of all, normie is not an insult or a derogatory term. The term “normies” is often used in many niche communities to refer to someone outside the community. It has nothing to do with being smart, privileged or experienced. It means more like “the average user” or “the typical person”. Example: a person in the boardgaming community may refer to you as a normie, not because you’re dumb but because you don’t play hobby boardgames (check out Brass: Birmingham, what a game).

The problem isn’t about comprehending the problem, most people understand that Facebook is selling their data. They just don’t care. They would rather have their data sold than to have the trouble to move to yet another communication app. WhatsApp is working just fine, Facebook is sparking joy. They don’t care.

“Normies won’t do X” is a perfectly acceptable way to express that the hurdles are too high for the average user. The average user wants a sleek UI, a user friendly experience and most of all they want to be in the place everyone is already at. The average Joe doesn’t want to be the first guy on Simple X, they actually really want the hassle free platform everyone is already at.

Also, the next great communication app is constantly changing. It used to be IRC, ICQ, MSN Messenger, Facebook Messenger, WhatsApp, Instagram, Telegram, Signal, Matrix, Simple X, Session. I’m sorry to say that the average person is not willing to migrate that often. Facebook works, their friends are already there, they stick to it. This isn’t elitism, it’s just stating what I see.

I find this resistance weird. (From the “normies”, not the Signal users)

Most of them have phones filled with all sorts of crap that they download willy nilly, yet they only seem to put the walls up for Signal.

@pathief@lemmy.world

They can say the same about me, right? I have so many communication apps on my phone, why do I draw the line on Facebook Messenger?

Most likely you’re the only person they know on Signal and it makes more sense to them that you move to Facebook rather than moving their entire friend-sphere into Signal.

@glitching@lemmy.ml

to answer your question - if you wanna eventually talk to normies. like cute boy/girl you meet at a bar or a business contact from a random meet. even Signal has dogshit penetration compared to the big players, so XMPP/Matrix/Briar/etc aren’t even a blip on the dradis.

also, you sorta sidestepped the UX. if you’re coming off the hyper-polished world of Telegram and iMessage, all those things have dogshit UX. yes, you’ll eventually find your way around them but you have to be motivated to endure them ugly and slow and unreliable apps (comparatively speaking); you got that shit covered, your contacts do not.

the situation is kinda like with The Linux Desktop - it’s competing with gargantuan corpos with unlimited resources, and to add to that the minuscule dev teams aren’t working together, they’re competing, pulling in different direction (Gnome, Plasma, Cinnamon, etc.) with duplicated efforts and tons of abandoned paths. can you imagine where we’d be if all that dev effort went towards one goal?

same thing with the messenger space, it’s doubtful any of them will become mainstream, but they have their uses.

Wrong, XMPP is the only option that actually lets you talk to baddies on their phone number without them downloading a new app just for you. Aside from some kind of tortured solution such as AirMessage/BlueBubbles involving buying a literal Macbook.


Cheogram offers a phone gateway. They don’t even know they are using XMPP.

TurkeyDurkey
creator

We still probably show up as green bubbles though. Might have given the baddies the ick.

Not a real thing, you just have high bodyfat and poor eye contact skills. Hope this helps

TurkeyDurkey
creator

Just an unrelenting FOSS agenda and weird aversion towards social media 😭

If you avoid technical stuff a lot of people are pretty understanding of not having socials. Instagram is HITLER NOW! Everyone jokes abt it. Way I do it is I just post hiking photos on Insta and other stuff. In order to avoid booting it up yourself, it can be automated with IFTTT (proprietary but so are the datamining services you use it to reach so who cares??). Problem is being responsive to notifs but I just check half of them every other day so people don’t think you died and hit like


Oh, since you mentioned Telegram, I ought to mention that it’s totally possible to puppeteer your account on there so it looks just like you are using the real app. If a lady asked me to use TG or Signal I would unironically assume she knows drug dealers 😭


Yeah if you want to use Signal and TG, Molly and AyuGram are a bit better than stock FYI

Matterbridge works with some of those, but I doubt anyone wants to talk to a relay bot. Just directly get people’s real phone numbers and run the Insta from your home PC in browser. All of those apps are cancer and even in a separate profile on Graphene or some shit, I would feel like a dirty bastard.

Speaking of wacky hole in the wall messengers!

https://reticulum.network/

It’s technically a network stack but there’s a few apps to use it. And MAAAN is it decentralized

CoconutCream

First of all, thank you for your recommendation. I was on the fence between Siskin IM and Monal, so I went with Monal to replace AstraChat.

I’ve used Signal before and it was fine but I prefer not to give a phone number to open an account; there are other services that don’t require it.

Speaking of services, I use Simple X, Session, Matrix and Delta Chat (occasionally). Most of my eccentric mix of family, friends and colleagues are happy to try something new or switch as long as it doesn’t require a phone number to sign up. They’re slowly leaving Signal, WhatsApp, Telegram and limiting access to their iMessage.

In my experience, Session syncs very well between my devices which makes it my favorite. I chose FluffyChat over Element because of the App Privacy in iOS.

TurkeyDurkey
creator

I think this post is a noteworthy response. Against Silos+Signal

Noteworthy perhaps, but one is based on analysis of facts and the other is based on principle. I think they’re both valuable points of view, but they’re not actually debating the same points IMO even if they think they are.

I Cast Fist

I’ll be honest, most of the crypto/security jargon flies straight over my head, but Tim Henkes’ reply at the end, for fucks’ sake man. I don’t suppose xmpp has an alternative encryption to use instead of omemo?

TurkeyDurkey
creator

Pretty much any encryption you can send over text. My favorite clients support PGP instead. But it’s up to the clients to implement encryption and not really the protocol I guess.

TurkeyDurkey
creator

Signal is a much better recommendation when leaving Telegram. And the OMEMO implementation concerns are something I need to consider. That unprofessional response from one of the devs is not a good look at all.

Though as a comment pointed out, control of servers is like the one main checkbox that I really need filled.

On the point about clients not being OMEMO by default or enforced. This isn’t the biggest issue for me. I’m not doing crimes, but I still wouldn’t want my saucy messages to be read by server admins or third parties. Whenever I message somebody, I confirm that they are the proper recipient and are using OMEMO. And the clients I found myself comfortable with all support PGP key use instead. (That would be Cheogram & Gajim if anyone was interested.)

This was a great read though, at least to me. It gave me some thoughts to consider.

I’m gonna look into what kind of threats these improper dependency versions and such might pose. Hopefully by now most of these issues have been resolved.

The biggest thing is getting people into the loop of “secure apps” before they really need it.

If I could get a single person to use Signal instead of Whatsapp… or even the nerds I know to use matrix instead of Discord…

TurkeyDurkey
creator

There are two kinds of nerds. Ones that are actually curious to try new things, and ones that conform and sully the name. It’s like tech bros vs real IT professionals.

I think the slightly more charitable division is “nerds who want to work on the tool” vs “nerds who want to use the tool to work on something else”

Some people want their discord chat to work with little effort or errors because what they’re actually interested in is some video editor, or something. And if the chat is broken, it prevents them from getting to what they really want.

I personally use XMPP, so this isn’t just to clear my own name, or anything.

I Cast Fist

XMPP also supports federation, or server-to-server communication, but it’s whitelist based from my cursory read

TurkeyDurkey
creator

Such a benefit indeed. Like email, you can use any server and app. Except it has more instant messaging features.


I Cast Fist

It does suck if you do a lot of filesharing, since files only stay in the servers for 2 days

TurkeyDurkey
creator

We should definitely not make it a habit to store files for long on volunteer servers. :(
