XMPP E2EE tracking

[Mikaela]

XMPP is under thread of delisting in https://github.com/privacytoolsIO/privacytools.io/pull/1836 as there is currently only one client known that has OMEMO enabled by default, Conversations.

I wish to relist it as soon as it comforms the criteria and I hope this issue can be used for tracking issues related to that.

From XMPP Compliance Suites 2020 / Future development there are a few interesting specifications linked:

• [ ] XEP-0420: Stanza Content Encryption
  • draft
• [ ] XEP-0384: OMEMO Encryption
  • draft
• [ ] XEP-0396: Jingle Encrypted Transports - OMEMO
  • deferred
• [ ] XEP-0374: OpenPGP for XMPP Instant Messaging
  • deferred

[dngray]

I've subscribed to this issue, because I am curious to see how it develops.

I think we that we can continue with https://github.com/privacytoolsIO/privacytools.io/pull/1836.

[jonaharagon]

We're going to relist "Matrix" as "Riot" in #1836 because we realized we wanted to avoid recommending protocols (which is mostly helpful for administrators) and focus on recommending clients (which is more helpful for end-users, our target).

So we can rethink criteria a bit, and maybe that deserves its own issue, but what it boils down to is:

1. The client needs to be secure and privacy-respecting (which I think Conversations is)
   • I think we should also agree now whether we only want OMEMO (this is my current assumption) or if OTR is acceptable.
2. Users need to be able to communicate across platforms to avoid vendor lock-in.

The second point being where I think "XMPP" is currently failing, because Conversations is Android-only... I'm not against listing XMPP clients per-operating-system if we need to, but I'm not aware of any other decent clients, so what we're waiting for is...

• [x] Android: Conversations
• [ ] iOS
  • Having used ChatSecure and Monal I feel incredibly uncomfortable with recommending either. Unless they have drastically changed in the past 6 months.
• [ ] Linux: Dino?
  • Which may not be a good recommendation due to the lack of tagged releases multiple people have brought up, so I don't know if we want to consider it.
• [ ] macOS
• [ ] Windows

A web-client would also be neat but is perhaps wishful thinking. But I think when decent clients materialize for all of the above platforms we can probably list that set of clients as our general "XMPP" recommendation for RTC.

[Mikaela]

https://conversejs.org/

[nitrohorse]

For iOS clients, I believe Monal has the most active development with Siskin coming in 2nd and now ChatSecure in 3rd.

Having used ChatSecure and Monal I feel incredibly uncomfortable with recommending either. Unless they have drastically changed in the past 6 months.

No, I don't think either has drastically changed in terms of UX or UI.

[woj-tek]

@JonahAragon there is SiskinIM for iOS (https://github.com/tigase/siskin-im/) and BeagleIM for macOS (https://github.com/tigase/beagle-im/)

[mdosch]

As others already mentioned: Siskin is the client I recommend to iOS people. Also if you have objections to Dino you could recommend Gajim for Linux and Windows (I'm not sure about the state on Macs).

[GintokiHub]

I find gajim quite easy to use actually. It might seem a -littele-bit- imposing at first but it's really quite straightforward IMO. What are others opinion on the client for windows?

[mdosch]

Right now Gajim is imo the best client on windows. Maybe Dino will be an option once they provide a windows build. So far there are only community builds for windows.

On 27.10.2020 09:22, GintokiHub wrote:

I find gajim quite easy to use actually. It might seem a -littele-bit- imposing at first but it's really quite straightforward IMO. What are others opinion on the client for windows?

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/privacytools/privacytools.io/issues/1838#issuecomment-717360425

[arendtio]

Just contributing my experience:

• Conversations is superb. Quicksy (Conversations flavor + Account) might be worth mentioning, as it has the lowest entrance barrier.

• iOS clients are a disaster. Currently, I have ChatSecure and Siskin installed, but neither works in a way that I would recommend it. ChatSecure seems to be the best but it has some serious issues (like asking to confirm valid SSL certificates when they get renewed).

• For desktop usage I recommend Gajim. I tried Dino from time to time but always returned to Gajim so far.

All these clients support OMEMO afaik. I don't think that having OMEMO enabled by default should be relevant for listing XMPP clients. On the other hand, I would not recommend clients that only support OTR (used a few years before OMEMO became a thing and still remember those slow transfer speeds).

Haven't tried anything on MacOS yet, but I heard that Monal is a bad but still the best option.

[albjeremias]

why isn't conversations on privacytools.io ?!

[mdosch]

See above, because conversations is android only whereas riot is everywhere.

[Mikaela]

I am not sure Element being on iOS is a good argument and I also wouldn't seek for privacy on Matrix in it's current state and if it was up to me, I would add a lot of warnings or simply delist it again. Then again putting in personal effort to do that would be pointless until the team is released from renaming/redomaining etc.

• https://mikaela.info/blog/english/2021/08/03/matrix-perfect-privacy-not.html

EDIT:

• I self-marked this offtopic instantly after posting.
• I opened https://github.com/privacytools/privacytools.io/issues/2424 for discussing the privacy issues with Matrix.