Privacy

42553 readers

492 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

125

Why Signal over Jabber/XMPP? (piefed.world)

submitted 3 days ago by TurkeyDurkey@piefed.world to c/privacy@lemmy.ml

122 comments fedilink hide all child comments

Over the past few years I have gone through a bunch of different apps and protocols to find the best one for "securely" communicating with my family and friends.

I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.

Monal for IOS and Cheogram/Conversations/Quicksy for Android. The android app I install depends on if I can get F-Droid on their phone or not.

It's been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.

Jabber (friendly name for xmpp) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.

But the capabilities of XMPP makes it better.

Signal Cons (immediete)

Centralized
Single app
Phone numbers

XMPP/Jabber Cons

Picking server
Apps are sort of less friendly

What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I've heard really wants us to use their server.

If XMPP gets more attention I'm sure we can get people supporting projects and creating better apps.

I keep seeing people recommended Signal instead.

This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.

you are viewing a single comment's thread
view the rest of the comments

[–] balance8873@lemmy.myserv.one 1 points 1 day ago* (last edited 1 day ago) (2 children)

But those are still identifiers linked to you and in a global space because it says multiple servers need to know how to route data.

Nvmd: seemingly if the server hosting your queues shuts down you lose all contact, so your UIDs are shared but only to a specific set of servers you choose with the drawback of fragility. Seems like someone else shutting down a server kills your contact list?

[–] Ferk@lemmy.ml 3 points 1 day ago* (last edited 1 day ago) (1 children)

When it comes to initializing the connection, It's true that those identifiers (or perhaps more accurately, addresses) are susceptible to collisions in a "global space". But they are temporary, ephemeral addresses (they are discarded after use and/or expiration), and the space is astronomical so chances of collision are tiny, and even in the rare event of a collision you still have a step in which you verify a fingerprint code that's independent of the address, related to the individual local device.. so you have a second factor authentication of sorts, if you are adding a person and the code does match then you can be pretty sure it's the correct person, since both the shared address and the internal locally-stored key match.

[–] balance8873@lemmy.myserv.one 1 points 1 day ago (1 children)

If there's a permanent global fingerprint code isn't that, well, the opposite of what the marketing says? Why is that not a unique user identifier?

[–] Ferk@lemmy.ml 2 points 1 day ago* (last edited 1 day ago) (1 children)

The fingerprint (or you can also call it "security code", it's just a code for verification), is generated from the combination of the locally stored encryption keys from each side of the conversation, it will be different every time. I believe it's also not technically required by the protocol that the same encryption key should be used for all conversations (although I don't really know if the client does generate a new one every time or keeps reusing the same, that's up to the implementation I believe).

[–] balance8873@lemmy.myserv.one 1 points 1 day ago

Makes sense, thanks for the explanation

[–] AmanitaCaesarea@slrpnk.net 2 points 1 day ago (1 children)

@Ferk has given a more elaborate answer. As for servers shutting down. Haven't had it happen yet. With any service you always risk servers shutting down or failing, even centralized ones like signal: so that is a bit of a nirvana fallacy.

[–] balance8873@lemmy.myserv.one 2 points 1 day ago* (last edited 1 day ago)

I didn't compare it to signal. I just asked if that was the facts of the situation.

If I were to compare it might be to the topic of this thread which I can self host and thus control.

However, since you opened the door on signal I'd comment that the entire signal org would have to go down for that to happen, not just a few servers. Is simplex managed by a large well funded entity that is unlikely to fail or are the servers more mom & pop setups? What happens if Kurt Cobain wakes up one morning and shuts down his server?