Open ghostlands opened 8 years ago
These are very good points, and we are still sorting out how to approach this.
Zom currently doesn't require Tor but it will use it opportunistically if Orbot is installed and running, and the XMPP server you are trying to connect to offers a dot onion address. Perhaps we should just always use it in this case? We are also thinking of adding a preference, a "require Tor" or "use this proxy always" option with manual proxy settings, to allow slightly more advanced users to choose that if needed. Of course, you can use Orbot's VPN feature to force Zom through Tor.
Having Tor and Pluggable Transport technology built into Zom, and used automatically, transparently if needed, is definitely something we are considering.
Otherwise, related to metadata more broadly, Zom does not require a phone number, email, or real name to register, thus limiting the amount of useful metadata the server has. We also support and promote XMPP services that support the minimized logging configuration setup here: https://otr.im/chat.html
The XMPP protocol itself has issues, that systems like Ricochet support, and we have considered adding in support for the Ricochet protocol itself into Zom, as another option for connecting. Stay tuned for that.
Concise edit:
Thanks for engaging with this issue.
+1 for adding an advanced setting for Orbot
I'd really like a Tor implementation coming with the app and activated as default.
> We are also thinking of adding a preference, a "require Tor" or "use this proxy always" option with manual proxy settings,

It is required. I am really confused, because I cannot understand: does it use Tor or not? ( https://github.com/zom/Zom-Android/issues/162 )
Due to the simplified nature of Zom, it isn't apparent anywhere easily discoverable whether it is anonymized as well as encrypted. Even having read several release and update announcements, I can't discern whether Zom has any functioning relationship with Tor or anonymity, or what the consistency of that relationship is if it does exist.
I tried uninstalling Orbot to see if Zom gave me any warnings or advice about installing Orbot, but it didn't, which implies that Zom doesn't require any mixing network or proxies to connect.
Hoping for personal clarification obviously, but this may also be something to look more closely at in terms of advertisement/PR, at least when writing release announcements to the community.
Basically I might like to recommend this to less technically aware/interested contacts, but not unless anonymization is factored in by default. Do I have to ask them to install Orbot as well? Does Zom come with Tor inside, like Ricochet? Does Tor get used if there's an Orbot but not if there isn't?
I think Zom solves some interesting and important problems with adoption; Surespot, also based on XMPP (modified), basically did similar things in that most users don't give any f**ks about choosing a server, they simply look to the app to be the agent/connection, and assess "is this app good?".
But I wonder if the 2nd app (Orbot) is the weak link in the simplification process. Because anonymization/mixing shouldn't be a luxury layer.