About a decade ago (Oh no, it's never a good sign when you can legitimately start a story like that...) I was introduced to Jabber by a friend. I was complaining that I really wanted to talk to him about a certain topic, but that the topic was sensitive enough that I was paranoid about it being logged forever on some server somewhere.
He pointed out the OTR plugin, and it blew my mind that it was guaranteed that no one could possibly snoop our conversation.
I knew that it was theoretically possible, but I can't overstate how important it is to package the crypto in a user-friendly way. Being able to get the session going in about 30 seconds was a killer feature.
But, more than that, it seemed to have an advantage over present-day Signal: I use Signal now, but I always feel a bit queasy about trusting it implicitly. I do trust it, but it's such a massive ecosystem now that it doesn't feel nearly as "transparent" as the OTR plugin did. The OTR plugin was like, if this is broken, there are many eyeballs that will know pretty quickly. Whereas Signal doesn't quite feel the same way.
I'm not entirely sure why, or if that feeling is just me. There's no reason to feel like an OTR plugin is inherently more secure. And yet, as evidenced by the article, it was rock solid for 18 years.
The technical and product requirements that Signal is solving is drastically different to anything attempted before in the open source community. Signal is only looking to generate a movement to guarantee e2e encryption across all chat and social stacks. They don’t care who ends up owning the social wars, as long as that becomes the new standard. Think of it as an attempt to strike at the heart of the capitalistic forces that have diverted that kind of research away from production. It’s a brilliant strategic play they’re doing so I’m more grateful to figuring out how to do that because it looked like it had repeatedly failed in the past.
I'm in one reading group that uses signal primarily for its communication. We have not been able to figure out what we're going to read next because suggested texts get lost as people make random comments.
I hope that post Facebook messages gets to the level of threaded messages. Sometimes pure chat is enough and sometimes chat is really annoying for accomplishing things.
The alternative to capitalistic forces showing you ads personalized based on your conversation isn't to get the same app with no ads at all - it is either get the same app just with non-personalized ads, or no app at all.
You are right to feel uneasy about Signal, because there is a possibility (I don't know how big) to snoop and is centralized. Checkout Session, forked Signal with decentralized infrastructure.
> I use Signal now, but I always feel a bit queasy about trusting it implicitly. I do trust it, but it's such a massive ecosystem now that it doesn't feel nearly as "transparent" as the OTR plugin did
Conversations on Android works quite well for XMPP on Android. Quicksy by the same author even has phone-based discoverability.
OTR is certainly simpler than Signal. Signal's claim to fame is that it can deal with the case of an offline client and still offer forward secrecy. In Signal's case that means a server based infrastructure to store cryptographic state that the decentralized OTR gets along without. On top of that, Signal's per message forward secrecy (OTR is per session) adds even more complexity.
Yeah. Basically Signal protocol over XMPP. It uses the XMPP server for the stored/delayed cryptographic state which is why you need a server that can do PEP (Personal Eventing Protocol) if you want to do OMEMO.
OMEMO has pretty much replaced OTR in the clients so if you want simple/stateless you are left with one of the two PGP flavours.
It seems like things like Jabber and Signal are going to become more and more prevalent as Facebook and other suppress voices outside the mainstream ... in an entirely ham-hand fashion.
The thing I miss with non-facebook stuff is threaded discussion. Earlier comment just get lost.
So probably your best bet is to look at the list of supported features of all XMPP clients and see which ones support XEP-0085, and then between any clients that support that see if they support threading.
You can quote on signal too but quoting isn't sufficient, it doesn't give you a list of subtopic branching from a single topic. You want a UI something HN or the Facebook feed for coherent discussion imo. Twitter, even, is insufficient - we can see how terrible Twitter is anything like in-depth discussion.
I've used XMPP and OTR for about 15 years. I'm not a cyber criminal. It's efficient and secure. There are lots of open source clients to use as well. That's why I use it.
I'd actually assume the opposite of your statement (which I read as "One mustn't be a criminal to use Jabber"): I wouldn't trust any technology completely unused by criminal organisations.
Criminal orgs require their communications be secure, ideally without the ability for whomever they're chatting with to compromise the chat without meaning to (see iMessage saving both the key and the messages to iCloud, Whatsapp backing up messages to Google Drive, etc.)
It's very true to say not every criminal organisation uses proper opsec, but my point is not every criminal is smart. I'm simply pointing out that if a communication platform isn't used by any criminals, it's likely not worth using for me.
Did the author of the article bother to do any research at all?
The "popular" messaging service HipChat has been dead since 2018 when Slack acquired it's codebase and moved it's users to Slack.
WhatsApp no longer runs on Jabber/XMPP. They used to run on modified eJabberd a long time ago but these days they use a combination of Signal and something custom...
I feel like there's some sort of a FUD campaign going on right now against privacy tools and strong encryption. You need to bring up Russia or terrorists or sex trafficking or the story is not scary enough.
35 comments
[ 3.3 ms ] story [ 82.5 ms ] threadHe pointed out the OTR plugin, and it blew my mind that it was guaranteed that no one could possibly snoop our conversation.
I knew that it was theoretically possible, but I can't overstate how important it is to package the crypto in a user-friendly way. Being able to get the session going in about 30 seconds was a killer feature.
But, more than that, it seemed to have an advantage over present-day Signal: I use Signal now, but I always feel a bit queasy about trusting it implicitly. I do trust it, but it's such a massive ecosystem now that it doesn't feel nearly as "transparent" as the OTR plugin did. The OTR plugin was like, if this is broken, there are many eyeballs that will know pretty quickly. Whereas Signal doesn't quite feel the same way.
I'm not entirely sure why, or if that feeling is just me. There's no reason to feel like an OTR plugin is inherently more secure. And yet, as evidenced by the article, it was rock solid for 18 years.
I hope that post Facebook messages gets to the level of threaded messages. Sometimes pure chat is enough and sometimes chat is really annoying for accomplishing things.
Any decentralised alternatives without the cryptocurrency linkage.
Conversations on Android works quite well for XMPP on Android. Quicksy by the same author even has phone-based discoverability.
Movim is another pretty great XMPP client.
https://github.com/otrv4/otrv4
Wasn't that addressed by OMEMO, the OTR "replacement" protocol?
OMEMO has pretty much replaced OTR in the clients so if you want simple/stateless you are left with one of the two PGP flavours.
The thing I miss with non-facebook stuff is threaded discussion. Earlier comment just get lost.
Is there an XMPP client with threaded discussion?
For example, the following XEP (XMPP Extension) talks about best practices for message threads:
https://xmpp.org/extensions/xep-0201.html
And XEP-0085 about chat state notifications has a section about threads.
https://xmpp.org/extensions/xep-0085.html#bizrules-threads
So probably your best bet is to look at the list of supported features of all XMPP clients and see which ones support XEP-0085, and then between any clients that support that see if they support threading.
Criminal orgs require their communications be secure, ideally without the ability for whomever they're chatting with to compromise the chat without meaning to (see iMessage saving both the key and the messages to iCloud, Whatsapp backing up messages to Google Drive, etc.)
It's very true to say not every criminal organisation uses proper opsec, but my point is not every criminal is smart. I'm simply pointing out that if a communication platform isn't used by any criminals, it's likely not worth using for me.
The "popular" messaging service HipChat has been dead since 2018 when Slack acquired it's codebase and moved it's users to Slack.
WhatsApp no longer runs on Jabber/XMPP. They used to run on modified eJabberd a long time ago but these days they use a combination of Signal and something custom...
WhatsApp switched to Signal Protocol in 2016 however so that point still stands.
Is it that other cybercriminals use different tools? Or do we somehow hold Russian cybercriminals to higher esteem?
That's wonderful but how do you handle the trust aspect?
I hit a wall on infosec stuff because people are pretty gatekeepy.