XMPP Questions - please help me out!

While I know XMPP is an older and decentralized protocol with many IMs that also have encryption, I’d like to understand more about it.

My primary questions are:

  1. How to ensure E2EE (with minimal metadata exposure), and is OMEMO the gold standard for E2EE on XMPP?
  2. How to choose the best XMPP client that always ensures E2EE?
  3. How to choose the best XMPP service provider?
  4. Are all XMPP clients equally good?
  5. Do all clients or the protocol have voice calls (or even video)?

I hope this explains all the things I’d like to learn and understand.

The reason I want to or rather have to use XMPP is because it is decentralized and it makes it possible to connect with friends, family, and colleagues privately and securely in the Middle East (in restrictive countries) from North America.

Signal with a VPN stopped working a few days ago. Cat and mouse game. I need decentralization or a good guide on how to make your own Signal proxy that’s easy to understand by tech-savvy users at least.

Please help me understand. Thanks a lot!

Commenting on this so it goes up top in the threads so more may see it.

If anyone can answer, any insight will be helpful. Thanks a lot!

For most of these you probably want to look at Client and/or Server by Snikket (https://snikket.org/). As you already noticed, the XMPP field is a bit fractured, and Snikket is imo the best project that brings together the most recent best practices with rich feature support while using plain XMPP compatible with everyone out there.

Some more detail: Yes, OMEMO is the best you can get with regards to encryption. Most clients have support for it (https://omemo.top/), but it’s not without flaws (see “Against XMPP+OMEMO” on Dhole Moments). It’s probably fine for most threat models, but if you need something more bulletproof encryption-wise you’ll probably want to use actual Signal or similar. Metadata exposure… forget about stuff like that with XMPP, there are no meaningful defenses. Most clients have at least an option to use encryption by default, so you probably want to turn that on in the settings.

In general I like to use Snikket or Cheogram as client. Both are forks of Conversations. Most clients (these included) only support an older version of the OMEMO standard (0.3.0) and this hasn’t changed in a long time. If you really care about encryption, well, you wouldn’t be using XMPP in the first place, but newer versions are supported by https://moxxy.org/, https://www.kaidan.im/ and aTalk.org; just make sure your chat partners also use a client supporting the newest version if you care about that.

Self-hosting an XMPP server is actually quite easy; they are very lightweight in comparison to something like Synapse (popular Matrix server). So you don’t need to use a third-party service provider, I think. This could also help a bit with metadata privacy if you and your friends/family all use your server. Setting up a Signal proxy however is even easier. As for trustworthy providers, the first challenge is actually finding a server that has good extension support. Here’s a list: XMPP Providers. Everyone with an A or B ranking should be fine for general usage feature-wise. Whether they can be trusted, I cannot tell you. Some are run by independent non-profits like https://anoxinon.de/, so these would seem good to me personally. Connectability from countries with censored internet however might not be a given. XMPP is generally easy to just block.

Yes, voice calls and video calls can work. However, make sure you use clients and servers with good extension support. In general if you go by my advice and use something like Snikket it should all work out-of-the-box. But XMPP is probably the most finicky overall in the messenger world when it comes to making these kinds of things work. (But also very lightweight and flexible.)

I hope that answered some of your questions. My personal advice to resolve your real issue however would be maybe finding a Signal proxy. Setting that up should be much easier for your friends etc., and as long as the connection itself works you don’t need to worry about any other aspects. They provide a simple solution with Docker Compose here: Signal-TLS-Proxy/README.md at main · signalapp/Signal-TLS-Proxy · GitHub. Basically, if you want/need to run your own, just rent a bog-standard VPS somewhere with something like Debian and a domain name, set up DNS properly, and then run the few commands there to bring everything up. There are probably more verbose guides out there just by searching, but if you ever hosted anything with Docker you probably don’t need anything else.


Thank you so much for the detailed response and answering my questions. Reading more about it today, I figured as much about it but this was good to know since you confirmed most of what I learned anyway.

About the Signal proxy server - I am a tech-savvy person but not technical and have no experience with Docker. And every guide out there goes two steps above my head, so I don’t feel confident even following what they do on video because I have follow-up questions about it and don’t want to make mistakes.

If you are aware of an ELI5 guide on how to do it, please share. Thanks again!

I am not sure what was finicky for you, but I have been using it for 4 years now and everything works for me by default, so I am not sure what exact thing you needed to work. Hopefully you get it solved.

Also regarding the Signal proxy recommendation, I don’t think it’s a replacement for XMPP self-hosted servers. A proxy would essentially just change your routing to connect to Signal servers in case you can’t reach the servers directly.

Personally, when compared to Matrix, I like that XMPP has a lot more public servers available to choose from. Yes, not every server would be maintained as well as some reputable ones.

Which is exactly what the actual issue of OP is. Even though he initially asked about XMPP.

For me it’s not. But the question is about making sure communication via text, audio, video works reliably with friends, family, colleagues from various locations, some of which are located in restrictive countries. Which one is easier to achieve? Make sure that a bunch of people with different age, educational background, language ability have all set up XMPP just right, OR send them a single link to set up your Signal proxy and be done with it. In the end it’s OP’s choice, that’s why I included all the info in my initial post.

Sorry, not aware of any. Edit: A bunch of people run proxies you can use for free; you might find some for example by looking for hashtags like Mastodon on social networks.

Thank you for explaining and more context.

If I use proxies made by other people, is that safe enough? I mean, wouldn’t I be trusting that they have set up everything properly and that they don’t or cannot get any info about who I am using it with and what we are discussing?

If you can clarify once more, I’d appreciate it.

In general yes it should be totally safe. Signal is still E2E-encrypted with Double Ratchet and of course uses transport encryption on top of that. So the proxy provider wouldn’t be able to know which Signal accounts are connecting specifically and won’t be able to see any of the content of your messages / files / video, audio chats.

However, the provider might be able to log some metadata like IP addresses or frequency of usage of users that connect to the proxy. If they log everything they could try to deduce some basic information from that. That is probably fine, and chances are if they are benign they won’t log anything at all, but it depends on your threat model ultimately. (In any case, if metadata privacy is that much of an issue for you, then neither Signal nor XMPP are suitable in my opinion, whether used through a proxy like this or not. In these cases something like https://docs.cwtch.im/ might be a better option.)

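To make concrete what a proxy operator can and cannot see (the setup described earlier and the trust question answered just above), here is an added example, not code from the thread or from the Signal-TLS-Proxy project. It assumes the proxy is a TLS passthrough that routes on the SNI field without terminating TLS, so the operator observes the client IP and the server name in the ClientHello but nothing inside the encrypted session; the ClientHello bytes are constructed inline.

```python
import struct

# Constructed example: build a minimal ClientHello carrying only an SNI
# extension, then parse it the way an SNI-routing passthrough proxy would.
# Everything past the SNI (and all application data) stays encrypted, so
# an operator's logs can at most hold client IP, server name and timing.

def build_client_hello(server_name: str) -> bytes:
    """Return a constructed TLS record holding a ClientHello with one SNI entry."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)      # legacy version + zeroed client random
        + b"\x00"                    # empty session id
        + b"\x00\x02\x13\x01"        # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                # null compression only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 + 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent."""
    # Must be a handshake record (0x16) whose handshake type is ClientHello (0x01).
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                               # past headers, version, random
    pos += 1 + record[pos]                                 # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                 # compression methods
    if pos + 2 > len(record):
        return None                                        # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:
            # server_name list: 2-byte list length, entry type(1), name length(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None
```

Feeding an application-data record (type 0x17) into `parse_sni` yields `None`, which is the point: once the handshake is past, the passthrough proxy has nothing readable to log.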

Thank you for the clarification again.