35 comments

[ 3.3 ms ] story [ 82.5 ms ] thread
About a decade ago (Oh no, it's never a good sign when you can legitimately start a story like that...) I was introduced to Jabber by a friend. I was complaining that I really wanted to talk to him about a certain topic, but that the topic was sensitive enough that I was paranoid about it being logged forever on some server somewhere.

He pointed out the OTR plugin, and it blew my mind that it was guaranteed that no one could possibly snoop our conversation.

I knew that it was theoretically possible, but I can't overstate how important it is to package the crypto in a user-friendly way. Being able to get the session going in about 30 seconds was a killer feature.

But, more than that, it seemed to have an advantage over present-day Signal: I use Signal now, but I always feel a bit queasy about trusting it implicitly. I do trust it, but it's such a massive ecosystem now that it doesn't feel nearly as "transparent" as the OTR plugin did. The OTR plugin was like, if this is broken, there are many eyeballs that will know pretty quickly. Whereas Signal doesn't quite feel the same way.

I'm not entirely sure why, or if that feeling is just me. There's no reason to feel like an OTR plugin is inherently more secure. And yet, as evidenced by the article, it was rock solid for 18 years.

The technical and product requirements that Signal is solving is drastically different to anything attempted before in the open source community. Signal is only looking to generate a movement to guarantee e2e encryption across all chat and social stacks. They don’t care who ends up owning the social wars, as long as that becomes the new standard. Think of it as an attempt to strike at the heart of the capitalistic forces that have diverted that kind of research away from production. It’s a brilliant strategic play they’re doing so I’m more grateful to figuring out how to do that because it looked like it had repeatedly failed in the past.
I'm in one reading group that uses signal primarily for its communication. We have not been able to figure out what we're going to read next because suggested texts get lost as people make random comments.

I hope that post Facebook messages gets to the level of threaded messages. Sometimes pure chat is enough and sometimes chat is really annoying for accomplishing things.

Maybe have a channel for chat and a separate one for reading suggestions?
The alternative to capitalistic forces showing you ads personalized based on your conversation isn't to get the same app with no ads at all - it is either get the same app just with non-personalized ads, or no app at all.
well... signal doesn't have ads...
(comment deleted)
Why, outright paying for products and services is pretty capitalistic! Works well in many cases.
That's a fine argument and all, but practically speaking, we see that as driven content for free outcompetes.
Disallowing such content then might be the right solution if you view the societal trade offs as not being worth the increased economic activity.
You are right to feel uneasy about Signal, because there is a possibility (I don't know how big) to snoop and is centralized. Checkout Session, forked Signal with decentralized infrastructure.
Session relies the Loki network overlay. Loki is another cryptocurrency.

Any decentralised alternatives without the cryptocurrency linkage.

Yes, the Loki is the incentive to running nodes. Jami is decentralized without incentives. Berty.tech is distributed, also without incentives.
> I use Signal now, but I always feel a bit queasy about trusting it implicitly. I do trust it, but it's such a massive ecosystem now that it doesn't feel nearly as "transparent" as the OTR plugin did

Conversations on Android works quite well for XMPP on Android. Quicksy by the same author even has phone-based discoverability.

Conversations reminds me of Google Talk in a good way. Also blown away by how fast onboarding and message delivery is over XMPP.

Movim is another pretty great XMPP client.

OTR is certainly simpler than Signal. Signal's claim to fame is that it can deal with the case of an offline client and still offer forward secrecy. In Signal's case that means a server based infrastructure to store cryptographic state that the decentralized OTR gets along without. On top of that, Signal's per message forward secrecy (OTR is per session) adds even more complexity.
> deal with the case of an offline client and still offer forward secrecy.

Wasn't that addressed by OMEMO, the OTR "replacement" protocol?

Yeah. Basically Signal protocol over XMPP. It uses the XMPP server for the stored/delayed cryptographic state which is why you need a server that can do PEP (Personal Eventing Protocol) if you want to do OMEMO.

OMEMO has pretty much replaced OTR in the clients so if you want simple/stateless you are left with one of the two PGP flavours.

It seems like things like Jabber and Signal are going to become more and more prevalent as Facebook and other suppress voices outside the mainstream ... in an entirely ham-hand fashion.

The thing I miss with non-facebook stuff is threaded discussion. Earlier comment just get lost.

Is there an XMPP client with threaded discussion?

Seems like there are extensions for threaded discussions.

For example, the following XEP (XMPP Extension) talks about best practices for message threads:

https://xmpp.org/extensions/xep-0201.html

And XEP-0085 about chat state notifications has a section about threads.

https://xmpp.org/extensions/xep-0085.html#bizrules-threads

So probably your best bet is to look at the list of supported features of all XMPP clients and see which ones support XEP-0085, and then between any clients that support that see if they support threading.

Yeah, I saw that and I've looked for clients and features but it's really quite difficult to discover them.
What about Matrix? It has E2EE and you can "quote" a previous message to provide context in a crowded discussion.
From what I've read, Matrix servers are significantly harder to run compared to XMPP.
You can quote on signal too but quoting isn't sufficient, it doesn't give you a list of subtopic branching from a single topic. You want a UI something HN or the Facebook feed for coherent discussion imo. Twitter, even, is insufficient - we can see how terrible Twitter is anything like in-depth discussion.
I've used XMPP and OTR for about 15 years. I'm not a cyber criminal. It's efficient and secure. There are lots of open source clients to use as well. That's why I use it.
I'd actually assume the opposite of your statement (which I read as "One mustn't be a criminal to use Jabber"): I wouldn't trust any technology completely unused by criminal organisations.

Criminal orgs require their communications be secure, ideally without the ability for whomever they're chatting with to compromise the chat without meaning to (see iMessage saving both the key and the messages to iCloud, Whatsapp backing up messages to Google Drive, etc.)

It's very true to say not every criminal organisation uses proper opsec, but my point is not every criminal is smart. I'm simply pointing out that if a communication platform isn't used by any criminals, it's likely not worth using for me.

The exploit.im service mentioned in the article is a big source of XMPP spam if your server has enabled XMPP federation.
Did the author of the article bother to do any research at all?

The "popular" messaging service HipChat has been dead since 2018 when Slack acquired it's codebase and moved it's users to Slack.

WhatsApp no longer runs on Jabber/XMPP. They used to run on modified eJabberd a long time ago but these days they use a combination of Signal and something custom...

The article is from 2017. Should've been put in the thread title, but yeah...
Ah, haven't noticed that... In that case the HipChat bit makes more sense although I still wouldn't call it popular...

WhatsApp switched to Signal Protocol in 2016 however so that point still stands.

I'm not sure I get the "Russian" focus here.

Is it that other cybercriminals use different tools? Or do we somehow hold Russian cybercriminals to higher esteem?

I feel like there's some sort of a FUD campaign going on right now against privacy tools and strong encryption. You need to bring up Russia or terrorists or sex trafficking or the story is not scary enough.
>He pointed out the OTR plugin, and it blew my mind that it was guaranteed that no one could possibly snoop our conversation.

That's wonderful but how do you handle the trust aspect?

I hit a wall on infosec stuff because people are pretty gatekeepy.