Add XMPP clients #60
Comments
Just today: http://www.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM?sp=alcms
There's a list which compares different servers and their support for different XEPs (https://gultsch.de/compliance.html). However, privacytools.io suggests using OTR/OpenPGP, while there is a far more sophisticated encryption (OMEMO) available, which is currently supported by Conversations, Gajim and CryptoCat (ChatSecure for iOS already announced to support it with the next app release).
@jubalh So your idea is to add an "XMPP" recommendation and link to several different clients for Desktop, iOS and Android? As far as I know: Conversations for Android and ChatSecure is still good for iOS? Please help me out here.
Maybe these tips are helpful:
TODO: Add XMPP clients.
I could make a PR for this but how should/would it be added? It seems a bit odd to have an entire section dedicated to XMPP when it's really just a sub-section of the Encrypted Instant Messenger section.
I think that Conversations for Android still applies, but I have gotten the impression that ChatSecure needs its own module or something like that in the XMPP server and Monal may be better. However, I am not an iOS user personally, so this information is second (or more) hand. On PC, Gajim works ~everywhere, and another client worth mentioning is Dino; however, it may be Linux-only.
I am not sure if this or https://github.com/privacytoolsIO/privacytools.io/issues/141 is a better place for this, but there are at least two XMPP clients/servers with registration using phone number and contact discovery that way:
@infosec-handbook on https://github.com/privacytoolsIO/privacytools.io/issues/779#issuecomment-471687384
Are you familiar with Kontalk or Quicksy I mentioned here? I think they are attempting to be WhatsApp-like experience. I think the XEPs can be found out from https://compliance.conversations.im/, but it could have a simpler UI. On OMEMO and XMPP, I think my recommended list would be:
Isn't Signal still uploading contacts to server frequently to check that they are using Signal?
I read the link and your reader feedback seems to already say everything.
I wonder if you are trying to do the opposite here, but I think in the end it boils down to all IM systems being horrible and having their flaws.
Kontalk and Quicksy rely on phone numbers, AFAIK. Quicksy is a modified Conversations client built by the developer of Conversations, and uses the same registration process as Signal. However, compared with Signal, Conversations/Quicksy don't enforce encryption, and as I mentioned in #779, XMPP comes with server-side account management that exposes most personal data to the server administrator.
I know this website. However, this isn't an official XMPP website but a list of servers that comply with XEPs used by Conversations. Moreover, this website doesn't rate any privacy aspects like "who runs the server?", "where is the server located?", "is the server software up-to-date?", "is there a privacy policy?", "does this server offer TLS with PFS?" etc.
The last time we used Gajim, it wasn't user-friendly. Dino seems to be better here. I don't know Monal, but people recommended ChatSecure as the best iOS client before. However, development of ChatSecure seems to fall asleep. One big problem of some messengers is that they only partially support OMEMO. For instance, some clients allow OMEMO-encrypted 1-to-1 chat, however, they don't support group (MUC) chats. As for ConverseJS, many people criticize JS-based encryption as being insecure by design, so it doesn't make sense to recommend it. Besides, another point is the state of end-to-end encryption in XMPP:
AFAIK, Conversations is the only messenger that tries to enforce OMEMO in some situations. And, AFAIK, no messenger explains benefits/drawbacks of no encryption/OpenPGP/OTR/OMEMO. New users have to guess what is best for them.
In all cases, Signal works fine. The disadvantage is that you need to manually enter the phone number of your chat partner before you can chat.
Our main point here is that it doesn't make sense to tell people every other month to switch their messenger since someone showed up somewhere and decided that the current recommendation must be changed due to strange reasons.
Exactly. We already tried to summarize this in https://infosec-handbook.eu/blog/discussion-secure/#sm (and this section is only about the technical part of such discussions).
@privacytoolsIO/editorial thoughts?
Judging by https://github.com/privacytoolsIO/privacytools.io/pull/1048#issuecomment-514817075 this has been done.
It's been removed again?
The section about messengers is sadly very misleading in my opinion.
Have you ever used ChatSecure?
I suppose you recommend it because it runs on multiple mobile operating systems.
Are you aware that it is different on each of these, has different features?
Can it do http_upload, carbons? Do you tell people about how OTR can also be a pain if you have multiple devices? It doesn't seem so, which will result in users trying the software, seeing that it doesn't work as expected and saying it's no good.
In my opinion the best XMPP client for mobile is Conversations, which is mentioned on the page too.
I think one should just mention XMPP in general and then link to a broader explanation of it. Explaining that behaviour of clients can differ depending on which XEPs they support. And listing a good preselection for people who do not want to read all those details. Which in my opinion is: Conversations for Android, Gajim and Swift for desktop. I can't speak for iOS since I don't use it.
This would also give the user the right impression: it's not just for mobile but for all kinds of things. Currently in my opinion it looks like it's a mobile-only thing.