privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal
Add XMPP clients #60

Closed jubalh closed 5 years ago

jubalh commented 8 years ago

The section about messengers is sadly very misleading in my opinion. Have you ever used ChatSecure? I suppose you recommend it because it runs on multiple mobile operating systems. Are you aware that it is different on each of these, has different features? Can it do http_upload, carbons? Do you tell people about how OTR can also be a pain if you have multiple devices? It doesn't seem so, which will result in users trying the software, seeing that it doesn't work as expected and saying it's no good.

In my opinion the best XMPP client for mobile is Conversations, which is mentioned on the page too.

I think one should just mention XMPP in general and then link to a broader explanation of it. Explaining that behaviour of clients can differ depending on which XEPs they support. And listing a good preselection for people who do not want to read all those details. Which in my opinion is: Conversations for Android, Gajim and Swift for desktop. I can't speak for iOS since I don't use it. This would also give the user the right impression: it's not just for mobile but for all kinds of things. Currently in my opinion it looks like it's a mobile-only thing.

jubalh commented 8 years ago

Just today: http://www.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM?sp=alcms So much about secure and privacy

PrivacyDefender commented 8 years ago

There's a list which compares different servers and their support for different XEPs (https://gultsch.de/compliance.html). However, privacytools.io suggests using OTR/openPGP, while there is a far more sophisticated encryption (OMEMO) available, which is currently supported by Conversations, Gajim and CryptoCat (ChatSecure for iOS already announced to support it with the next app release).

privacytoolsIO commented 7 years ago

@jubalh So your idea is to add a "XMPP" recommendation and link to several different clients for Desktop, iOS and Android?

As far as I know: Conversations for Android and Chatsecure is still good for iOS?

Please help me out here.

jubalh commented 7 years ago

@privacytoolsIO :)

Maybe these tips are helpful:

A list with clients and which XEPs they support. https://www.zash.se/xmpp-clients.html

http://xmpp.iodoru.org/details.html mentions which XEPs are important to have a usable chat experience. I agree usual users shouldn't have to think about such things, that's why currently many clients try to make things easier and implement all the important XEPs.

The best client is Conversations I'd say, I even have the feeling that it's the leading example and often drags the others along. Gajim is a good client for the desktop, but it needs some tweaking (going to settings and downloading plugins for some of the XEPs). Swift-im is another good client which wants to make things easy. Cannot talk about iOS since I don't have any such devices :/

ghost commented 7 years ago

TODO: Add XMPP clients.

Atavic commented 6 years ago

Are we OMEMO yet?

NeverDucky commented 6 years ago

I could make a PR for this but how should/would it be added? It seems a bit odd to have an entire section dedicated to XMPP when it's really just a sub-section of the Encrypted Instant Messenger section.

Mikaela commented 5 years ago

> As far as I know: Conversations for Android and Chatsecure is still good for iOS?

I think that Conversations for Android still applies, but I have gotten the impression that Chatsecure needs its own module or something like that in the XMPP server and Monal may be better. However, I am not an iOS user personally, so this information is second (or more) hand.

On PC, Gajim works ~everywhere, and another client worth mentioning is Dino; however, it may be Linux-only.

Mikaela commented 5 years ago

I am not sure if this or https://github.com/privacytoolsIO/privacytools.io/issues/141 is a better place for this, but there are at least two XMPP clients/servers with registration using phone number and contact discovery that way:

Mikaela commented 5 years ago

@infosec-handbook on https://github.com/privacytoolsIO/privacytools.io/issues/779#issuecomment-471687384

> When it comes to user experience, no, absolutely not. There are dozens of XEPs needed for a WhatsApp-like client that are only supported by several client implementations. Then, modern encryption (OMEMO, which is still experimental) is only supported by a small number of clients. Finally, you need an XMPP server that must also support several XEPs. There is no simple way for users to find the right client AND server when they decide to switch to XMPP.

Are you familiar with Kontalk or Quicksy I mentioned here? I think they are attempting to be a WhatsApp-like experience. I think the XEPs can be found out from https://compliance.conversations.im/, but it could have a simpler UI. On OMEMO and XMPP, I think my recommended list would be:

> Another drawback of all of these systems (Matrix, XMPP etc) is that contact/account management is done by the server, while messengers like Signal/Briar implement client-side account/contact management.

Isn't Signal still uploading contacts to server frequently to check that they are using Signal?

> Server-side management implies that the server knows much more about registered accounts like group memberships, contact lists, devices, reading status, and even passwords (as mentioned in https://infosec-handbook.eu/blog/xmpp-aitm/). In my opinion, this isn't privacy-friendly at all.

I read the link and your reader feedback seems to already say everything.

> However, don’t try to force us to tell our readers your ideological beliefs.

I wonder if you are trying to do the opposite here, but I think in the end it boils down to all IM systems being horrible and having their flaws.

ghost commented 5 years ago

@Mikaela

> Are you familiar with Kontalk or Quicksy I mentioned here?

Kontalk and Quicksy rely on phone numbers, AFAIK. Quicksy is a modified Conversations client built by the developer of Conversations, and uses the same registration process as Signal. However, compared with Signal, Conversations/Quicksy don't enforce encryption, and as I mentioned in #779, XMPP comes with server-side account management that exposes most personal data to the server administrator.

> I think the XEPs can be found out from https://compliance.conversations.im/

I know this website. However, this isn't an official XMPP website but a list of servers that comply with XEPs used by Conversations. Moreover, this website doesn't rate any privacy aspects like "who runs the server?", "where is the server located?", "is the server software up-to-date?", "is there a privacy policy?", "does this server offer TLS with PFS?" etc.

> On OMEMO and XMPP, I think my recommended list would be …

The last time we used Gajim, it wasn't user-friendly. Dino seems to be better here.

I don't know Monal, but people recommended ChatSecure as the best iOS client before. However, development of ChatSecure seems to fall asleep. One big problem of some messengers is that they only partially support OMEMO. For instance, some clients allow OMEMO-encrypted 1-to-1 chat, however, they don't support group (MUC) chats.

As for ConverseJS, many people criticize JS-based encryption as being insecure by design, so it doesn't make sense to recommend it.

Besides, another point is the state of end-to-end encryption in XMPP:

AFAIK, Conversations is the only messenger that tries to enforce OMEMO in some situations. And, AFAIK, no messenger explains benefits/drawbacks of no encryption/OpenPGP/OTR/OMEMO. New users have to guess what is best for them.

> Isn't Signal still uploading contacts to server frequently to check that they are using Signal?

  1. This feature can be turned off OR
  2. you don't allow Signal to access your contacts OR
  3. you use Android without any contacts in your phone book

In all cases, Signal works fine. The disadvantage is that you need to manually enter the phone number of your chat partner before you can chat.

> I wonder if you are trying to do the opposite here

Our main point here is that it doesn't make sense to tell people every other month to switch their messenger since someone showed up somewhere and decided that the current recommendation must be changed due to strange reasons.

> in the end it boils down to all IM systems being horrible and having their flaws

Exactly. We already tried to summarize this in https://infosec-handbook.eu/blog/discussion-secure/#sm (and this section is only about the technical part of such discussions).

Mikaela commented 5 years ago

> I could make a PR for this but how should/would it be added? It seems a bit odd to have an entire section dedicated to XMPP when it's really just a sub-section of the Encrypted Instant Messenger section.

@privacytoolsIO/editorial thoughts?

Mikaela commented 5 years ago

Judging by https://github.com/privacytoolsIO/privacytools.io/pull/1048#issuecomment-514817075 this has been done.

sethidden commented 3 years ago

It's been removed again?