this post was submitted on 12 Oct 2025
125 points (97.0% liked)

Over the past few years I have gone through a bunch of different apps and protocols to find the best one for "securely" communicating with my family and friends.

I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.

Monal for iOS and Cheogram/Conversations/Quicksy for Android. The Android app I install depends on if I can get F-Droid on their phone or not.

It's been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.

Jabber (friendly name for XMPP) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.

But the capabilities of XMPP make it better.

Signal Cons (immediate)

  • Centralized
  • Single app
  • Phone numbers

XMPP/Jabber Cons

  • Picking server
  • Apps are sort of less friendly

What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I've heard really wants us to use their server.

If XMPP gets more attention I'm sure we can get people supporting projects and creating better apps.

I keep seeing people recommend Signal instead.

This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.

[–] Wigglesworth@retrolemmy.com 14 points 1 day ago* (last edited 19 hours ago) (1 children)

I use XMPP, and the original idea was for it to be a family chat and a way to securely ask for things on Jellyfin.

No one uses it. (XMPP, not JF)

What's better?

No one cares. They know it's a hassle to ask for media. They know they can only ask me in person if they don't use it. They just won't bother installing a client. Can't be bothered.

Oh well, I can't be asked, then. So we sit in this perpetual state of tug of war. I can't be contacted, it's complained about, the situation is explained again, they complain again, and still never resolve the situation.

Going on three years now.

[–] TurkeyDurkey@piefed.world 2 points 23 hours ago (1 children)

I've been slimming down the services that I don't personally feel the need to use. And Jellyfin is right around the chopping block. Started Jellyfin to replace costly streaming services. Only one person is using Netflix and that's the only reason my parents are paying for it still.

[–] Wigglesworth@retrolemmy.com 1 points 19 hours ago

I'd still use JF if no one else did. It's convenient for streaming. The alternative would be maybe Kodi and Samba and that's three steps back, two forward imo. I use XMPP for notifications a lot, its close integration with the server it's on allows for using it kinda like ntfy.

[–] biotin7@sopuli.xyz 7 points 1 day ago* (last edited 22 hours ago) (1 children)

TBH it's worrying, but at the same time, it's better to have people on something that's somewhat Privacy-respecting.

Baby steps, you know. BTW how many here are familiar with GNU-Jami ?

[–] TurkeyDurkey@piefed.world 1 points 23 hours ago (1 children)
[–] biotin7@sopuli.xyz 4 points 22 hours ago (1 children)

Very similar to Signal, but Libre software & has no phone-number requirement https://jami.net/

[–] TurkeyDurkey@piefed.world 3 points 22 hours ago (1 children)

Oh okay! Didn't recognize the GNU in there. Was there a trademark issue in the past?

[–] biotin7@sopuli.xyz 3 points 21 hours ago

No I don't think so. It's a high-priority GNU project

[–] Mgineer@lemmy.ml 36 points 1 day ago (1 children)

For most people, not this community, it's trying to get people off WhatsApp. So even Signal is better

[–] AmanitaCaesarea@slrpnk.net 10 points 1 day ago (1 children)

Signal for people that partly care about privacy. SimpleX for true privacy enthusiasts

[–] balance8873@lemmy.myserv.one 4 points 1 day ago* (last edited 1 day ago) (1 children)

I love the irony of the name. It's probably the best thing about the app.

One of the things I'm curious about and the website doesn't explain: how are the message queues not identifiers?

[–] AmanitaCaesarea@slrpnk.net 3 points 1 day ago (1 children)

They are local identifiers, not global ones. Each one exists only for a single pair of users so they don't function as stable or traceable identities. "Pairwise anonymous addresses".

https://simplex.chat/#privacy-of-identity-contacts-metadata

[–] balance8873@lemmy.myserv.one 1 points 1 day ago* (last edited 1 day ago) (2 children)

But those are still identifiers linked to you and in a global space because it says multiple servers need to know how to route data.

Nvmd: seemingly if the server hosting your queues shuts down you lose all contact, so your UIDs are shared but only to a specific set of servers you choose with the drawback of fragility. Seems like someone else shutting down a server kills your contact list?

[–] Ferk@lemmy.ml 3 points 1 day ago* (last edited 1 day ago) (1 children)

When it comes to initializing the connection, it's true that those identifiers (or perhaps more accurately, addresses) are susceptible to collisions in a "global space". But they are temporary, ephemeral addresses (they are discarded after use and/or expiration), and the space is astronomical so chances of collision are tiny, and even in the rare event of a collision you still have a step in which you verify a fingerprint code that's independent of the address, related to the individual local device, so you have a second factor authentication of sorts. If you are adding a person and the code does match then you can be pretty sure it's the correct person, since both the shared address and the internal locally-stored key match.

[–] balance8873@lemmy.myserv.one 1 points 20 hours ago (1 children)

If there's a permanent global fingerprint code isn't that, well, the opposite of what the marketing says? Why is that not a unique user identifier?

[–] Ferk@lemmy.ml 2 points 19 hours ago* (last edited 19 hours ago) (1 children)

The fingerprint (or you can also call it "security code", it's just a code for verification), is generated from the combination of the locally stored encryption keys from each side of the conversation, it will be different every time. I believe it's also not technically required by the protocol that the same encryption key should be used for all conversations (although I don't really know if the client does generate a new one every time or keeps reusing the same, that's up to the implementation I believe).

[–] balance8873@lemmy.myserv.one 1 points 18 hours ago

Makes sense, thanks for the explanation

[–] AmanitaCaesarea@slrpnk.net 2 points 23 hours ago (1 children)

@Ferk has given a more elaborate answer. As for servers shutting down, I haven't had it happen yet. With any service you always risk servers shutting down or failing, even centralized ones like Signal, so that is a bit of a nirvana fallacy.

[–] balance8873@lemmy.myserv.one 2 points 20 hours ago* (last edited 18 hours ago)

I didn't compare it to signal. I just asked if that was the facts of the situation.

If I were to compare it might be to the topic of this thread which I can self host and thus control.

However, since you opened the door on signal I'd comment that the entire signal org would have to go down for that to happen, not just a few servers. Is simplex managed by a large well funded entity that is unlikely to fail or are the servers more mom & pop setups? What happens if Kurt Cobain wakes up one morning and shuts down his server?

[–] undefinedTruth@lemmy.zip 17 points 1 day ago* (last edited 1 day ago) (1 children)

Signal may not be the best in a technical sense, but it is good enough and it has the network effect. I've been pleasantly surprised when in the span of a few months I met two different people actually in real life, who happened to already be using Signal.

Signal is also just as usable as the big tech alternatives, which makes it not a very hard sell to friends and family. For quite a few years now I have managed to convince everyone I communicate with to do so over Signal. There is no chance I would be as successful with something else.

[–] umbrella@lemmy.ml 7 points 1 day ago* (last edited 1 day ago)

yes baby steps. more important to get rid of zucc and his big brother eyes on everyone than to be 100% perfectly private from the get go.

[–] SteleTrovilo@beehaw.org 111 points 2 days ago* (last edited 2 days ago) (1 children)

Signal is the best intersection of genuine security and ease-of-use that I've ever seen. No choosing a server, no making an account. Just install the app, get a confirmation SMS, and now you can communicate with future-proof encryption and authentication right away.

For more technical people, who aren't going to be intimidated by things like making accounts and secure passwords and choosing servers, Signal is not the best. But when I need to communicate securely with non-technical people, it's a wonderful quick go-to solution.

[–] shortwavesurfer@lemmy.zip 8 points 2 days ago (5 children)

With some spit and polish, I think that SimpleX could actually be very similar in that regard.

[–] Lyra_Lycan@lemmy.blahaj.zone 18 points 2 days ago* (last edited 2 days ago) (6 children)

Don't forget that OMEMO on XMPP has no backward decryption - all messages are lost with every new client. Massive dealbreaker for me, as I value message history between those I love.

I've gone for Matrix. Signal doesn't interest me until they get rid of the requirement for phone numbers.

Others have noted that XMPP servers hold user contacts (and maybe other parts) wholly unencrypted, and if the server isn't yours, that's a trust risk.

[–] jerkface@lemmy.ca 1 points 22 hours ago

I recently switched some of my contacts from Signal to Matrix and I really prefer the user experience. The room-based model and the video chat features are great.

[–] glitching@lemmy.ml 19 points 2 days ago* (last edited 2 days ago) (22 children)

to answer your question - if you wanna eventually talk to normies. like cute boy/girl you meet at a bar or a business contact from a random meet. even Signal has dogshit penetration compared to the big players, so XMPP/Matrix/Briar/etc aren't even a blip on the dradis.

also, you sorta sidestepped the UX. if you're coming off the hyper-polished world of Telegram and iMessage, all those things have dogshit UX. yes, you'll eventually find your way around them but you have to be motivated to endure them ugly and slow and unreliable apps (comparatively speaking); you got that shit covered, your contacts do not.

the situation is kinda like with The Linux Desktop - it's competing with gargantuan corpos with unlimited resources, and to add to that the minuscule dev teams aren't working together, they're competing, pulling in different directions (Gnome, Plasma, Cinnamon, etc.) with duplicated efforts and tons of abandoned paths. can you imagine where we'd be if all that dev effort went towards one goal?

same thing with the messenger space, it's doubtful any of them will become mainstream, but they have their uses.

[–] shortwavesurfer@lemmy.zip 9 points 2 days ago (2 children)
[–] balance8873@lemmy.myserv.one 3 points 1 day ago (3 children)

Do you use simplex or do you have an account with simplex?

[–] Lazycog@sopuli.xyz 39 points 2 days ago (5 children)

I'm not going to push anyone who uses a secure decentralized FOSS chat already to signal, but someone who uses telegram/viber/whatsapp is easier to get gradually on signal, which is super low effort compared to the ones you mentioned.

I've tried. I'm happy that I got friends and family to move from SMS and WhatsApp to Signal. Some I got to move to e.g. matrix but that's only a few.

Just my two cents since you asked. I agree with you but I don't want perfect to be the enemy of good.
