# Comparisons of XMPP, Signal, MQTT, Tox, Telegram



## sidetone (May 12, 2018)

XMPP is said to have a lot of overhead, in part because it uses XML. Also, each message must pass through servers that were used for establishing the connection, rather than more directly afterwards.

Telegram markets itself as being very secure, but I've seen past comments that were dubious about this. Aside from that, Signal is a better alternative than Telegram. Signal is secure by default, while Telegram leads the assumption that it is, when it isn't.

MQTT, which is lightweight, is intended for IOT (small device communication). The project Eclipse Paho http://www.eclipse.org/paho/ is a rare example of its use for messaging. MQTT's security is too basic for secure conversation.

Matrix is basically a proprietary derivative of XMPP.

Also discussions about TOX.


----------



## shkhln (May 12, 2018)

sidetone said:


> Is MQTT seen as an alternative for instant messaging, apart from its use in small device communication?



If you consider things like RabbitMQ or JMS  instant messaging, then sure.


----------



## shkhln (May 12, 2018)

sidetone said:


> Telegram markets itself as being very secure, but I've seen past comments that were dubious about this.



There are two separate concerns with Telegram: their protocol and their security claims. The encryption was discussed to death already and is not really worth revisiting here. See https://news.ycombinator.com/item?id=16097793 for summary.

Their claims are highly misleading _regardless of whether their protocol has any security holes_. Telegram is not designed to resist mass surveillance: it does not use e2e encryption by default (afaik, e2e is also not supported in the official desktop client); it stores contacts and message history centrally; and they even have plans to make it into a payment network, which would require them to have accurate information about actual real life user identities.

Now, optional e2e is inherently dangerous since the act of its activation itself might be a sensitive information. You don't necessarily want third parties to know you've considered something interesting enough to properly encrypt. More so, I don't think users should decide what data is actually important: things that typical user would consider sensitive like nude pictures, medical test results, financial documents aren't really that interesting to the government (think about it, with the exception of nude pictures, they already _have_ access to that data). It is the more mundane things that need protection from mass surveillance the most: where have you been at a certain date (location metadata), whom you talked to (metadata again), what are your shared interests (can be determined from regular chatter). Even state-of-the-art Signal doesn't quite solve that problem: it protects chat contents, but not metadata. Telegram does nothing of the sort.


----------



## rigoletto@ (May 12, 2018)

I would like to bring TOX to the list.


----------



## sidetone (May 12, 2018)

lebarondemerde said:


> I would like to bring TOX to the list.


I tried to communicate with Tox, to a user with a Windows computer, they said, they had to give up access to their files and available audio and webcams in order to use it. I discourage and don't expect someone to communicate using a bundled a program that asks for that. Perhaps it was the client, or the put together package for that version of Tox that did that. Whomever put that package together, abused user trust in exchange for convenience.

Most users use Windows, that aren't able to conveniently compile out of the box, in order for a specific application to communicate properly with a BSD machine.


----------



## sidetone (May 12, 2018)

This reminds me. If a client, its application, protocol and server are securely encrypted from end to end, knowing how Google collects data, is the Android OS on the phone able to read data on the end display on the messaging application?

Google has been more responsible with data than Facebook, but they use that for marketing, to eventually figure out what you want to buy, before you do. That, requires user trust, which we know will be for monetary purposes.

Similar for iPhones. IIRC, according to Telegram's website, Apple granted 70% of requests for encrypted data to the Chinese government. (perhaps because they do business there). Apple did try to gain credibility at one time for iPhones being secure, by refusing to hand over keys or backdoors to criminal investigators to access data.

There are trust issues with Telegram. There is, however, the case, that they haven't given up access keys to certain governments, and got banned for it, which seems to be a good thing. shkhln 's points on the vulnerability of Telegram, still come in to play. The current reputation of Telegram seems to be in contrast to its reputation last year, but that doesn't necessarily mean its current reputation is accurate.


----------



## shkhln (May 12, 2018)

sidetone said:


> There is, however, the case, that they haven't given up access keys to certain governments



It really doesn't matter what Telegram says, how pure are their intentions, whether they are affiliated with FSB, etc. _They don't have the ability to protect the data stored on their servers._ If somebody wants access to it badly enough, they will have access.






And you won't know anything about that from the news.


----------



## tingo (May 13, 2018)

FWIW, MQTT has gained popularity with the "Internet Of Things" movement. I use it with Home Assistant to get data from some external sensors, for example. And at our local makerspace, MQTT is pretty much the "bus" for all automation we do, including the door locks / door openers.


----------



## ronaldlees (May 13, 2018)

Not to mention any particular messaging apps by name, but IMO the publicity put out by various governments all over the world to "not use" a particular application is probably meant to build a false sense of security.  Because, as shkhln mentioned, a single person or small group of persons is easy to intimidate. That said, I won't discount that  some messaging app developers might be _very_ brave people who can stand their ground.  For my teabag opinion, the best bet is: "Don't use *any* messaging app, and meet in a dark coffee shop with no cameras or entangled photon generators, and exchange keys on paper."


----------



## ronaldlees (May 13, 2018)

Afterwards, eat the paper.


----------



## Sensucht94 (May 13, 2018)

I've used XMPP extensively throughout years and convinced many people to try it. A secure and simple, rock solid  open standard proto, offering tons of clients, many of which open source. Currently I talk through XMPP with a group of close friends and with my girlfriend.

On computer I always rely on net-im/profanity, while on Android I use Conversations (GPL-3.0; could hope for MIT or BSDv2/3-clause but sadly largest part of open source software released for Android is either GPL-3.0 or Apache-2.0; screw their Linux kernel).

SMS and E-mails for everything else.

I would have tried TOX, but I haven't seen reason for doing this so far outside curiosity


----------



## fernandel (May 13, 2018)

lebarondemerde said:


> I would like to bring TOX to the list.



I am using net-im/qTox for talking with brother who has Windos and it works but it is on computers.


----------



## sidetone (Jun 10, 2018)

https://gizmodo.com/apple-isnt-your-friend-1826611293
About motive, intent and marketing by companies offering apps and services, to separate themselves from eavesdropping competitors, in this case, I'm relating it to instant messaging.

Keeping in mind, that Apple tries to make itself look trustworthy by not offering backdoors to criminal investigators. In turn, Telegram pointing out that Apple has given up access to about %50 of requested records to the Chinese government, which does not share the same ideas of freedom of expression and human rights as other nations.


----------



## sidetone (Jun 15, 2018)

I might try net/linphone, which uses SIP.

XMPP carries too much data in the form of opening and closing tags, which doesn't work well on congested or underdeveloped networks. I read that data is not peer-to-peer after the handshake to the server, which means data can't go directly to computers without making a stop at the server. So, after the handshake connection, the data must make extra inconvenient trips sometimes around the globe.


----------



## sidetone (Jul 28, 2018)

For XMPP on the phone, I use Astrachat. XMPP also works from thunderbird email client.


----------



## sidetone (Mar 12, 2019)

Can We End Data Exploitation in Google and Facebook? | Hacker Noon
					





					hackernoon.com
				




It says end to end encryption is a potential problem for using Whatsapp (owned by Facebook) and Signal by unencrypted data stored on the phone. I suspect Facebook going after data, no matter what they claim to offer.


----------



## Deleted member 48958 (Mar 12, 2019)

sidetone said:


> Telegram markets itself as being very secure, but I've seen past comments that were dubious about this.


Nothing may be "secure", if it needs your mobile phone number to register, IMO.


----------



## Sevendogsbsd (Mar 12, 2019)

So, just to throw this out there about Telegram: I have outgoing rules in my pfsense FW at home. I block outbound to a couple of geographic regions known to be hostile in terms of hacking/phishing/malware activity. Telegram was originally written in one of those countries. I found that once I installed it on my phone (android), I had a lot of outbound traffic to that country from my phone. The Telegram servers are (were) not hosted in that country. I asked about this on an android forum and (yes, this is hearsay), a member mentioned that the devs who wrote Telegram were originally from said country.

To me, this is a communication channel left in by the devs, for whatever reason. It might be fine, but it might not. Once I removed Telegram, the traffic stopped.

My .02

So, I'll have to revise this statement because now I am not seeing any of this traffic. Perhaps this was unrelated to Telegram when I first checked and I misread the traffic destination or what, I don't know. I am actually back using telegram on my iPhone and I have not seen anything like this in my firewall anymore.


----------



## sidetone (Mar 13, 2019)

It started as you said. IIRC, the owner moved to another country, maybe Britain.


----------



## longimanus (Mar 13, 2019)

On my phone/Linux laptop I use ring, now renamed jami. It works reasonably well. No signup using any personal details are required. Just pick a user name and go Jami


----------



## Sevendogsbsd (Mar 13, 2019)

sidetone said:


> It started as you said. IIRC, the owner moved to another country, maybe Britain.



I believe there were politics involved and I am not trying to knock the Telegram devs, I just found the traffic the app generated to be disturbing. Then again I am a paranoid security guy so that goes with the territory.


----------



## sidetone (Mar 13, 2019)

It's reasonable until knowing what that traffic is about, which may be difficult or impossible to really know. Excessive traffic doesn't belong.


----------



## unix4you2 (Mar 20, 2019)

Hi there.

I really like XMPP and use it for years for some thousands of users whitouth problems and with a very small machine.

Here is my how-to install an XMPP server under FreeBSD using Openfire with internal and external authentication .









						FreeBSD + OpenFire con autenticación externa
					

FreeBSD + OpenFire y autenticación externa SERVICIOS DE MENSAJERÍA INSTANTÁNEA  Objetivo:  Alcance: Tener una hoja de ruta resumida para la instalación de servidores de mensajería utilizando la autenticación, grupos y otras características desde sistemas externos.  Sistemas operativos F...




					docs.google.com
				




It's in my native language, but all the commands are in blue for people that just want to follow them.

Regards.


----------



## sidetone (Apr 12, 2019)

XMPP seems to be the way to go over Telegram. A setback about XMPP is, XML takes up more bandwidth when internet connection speeds are unreliable or slow.

An inconvenience is, when I have XMPP open on two different hardwares, one can get the message, while the other doesn't, and there's no option to turn it off on a mobile phone. On Telegram, all receiving devices get the message.


----------



## unix4you2 (Apr 18, 2019)

getopt said:


> Does Openfire support OMEMO  (PEP, XEP-0163)?



As I understand OMEMO doesn’t work yet with Openfire by PEP's problems

Regards


----------



## sidetone (Sep 14, 2020)

The Best and Worst Encrypted Messaging Apps
					

There’s never been a better time to start encrypting your texts and phone calls. Hackers are breaking into more personal devices than ever before, and massive government surveillance dragnets are indiscriminately sweeping up people’s digital communications. Encryption can protect you.




					gizmodo.com
				




It says, that for Telegram, encryption isn't the default, while being stored on servers. Also, that its encryption is weak and not built by experts.

It recommends Signal instead.









						Why You Should Stop Using Telegram Right Now
					

Telegram, the supposedly secure messaging app, has over 100 million users. You might even be one of them. If you are, you should probably stop using it right now. Here’s the unfortunate truth about Telegram: it’s not as secure as the company’s marketing campaigns might lead you to believe.




					gizmodo.com
				




This says that they can tell when you're online, therefore who you're talking to. For most purposes, that's not so bad.

There was an update to this one saying that its MTProto encyption was later improved to be recognized as secure.


Signal, like Telegram, requires a phone number. It seems like a replacement upgrade over Telegram.



ILUXA said:


> Nothing may be "secure", if it needs your mobile phone number to register, IMO.


----------



## Mjölnir (Sep 14, 2020)

So the most reasonable _free & open protocol_ alternatives seem to be to use a client that supports XMPP+OMEMO or TOX.  OMEMO supports Perfect Forward Secrecy (PFS), which I find very atractive. EDIT _XMPP_ aka _Jabber_ is the same.  `psearch -c net-im -s XMPP`, `psearch -s jabber` or use ports-mgmt/portfind.


----------



## ekvz (Sep 14, 2020)

mjollnir said:


> So the most reasonable _free & open protocol_ alternatives seem to be to use a client that supports XMPP+OMEMO or TOX.  OMEMO supports Perfect Forward Secrecy (PFS), which I find very atractive.



Agreed. And given i really don't like XMPP that is meaning something.


----------



## sidetone (Sep 14, 2020)

Signal is recommended by many authors and at least two organizations. Looks more trustworthy than Telegram.









						Tories switch to messaging app Signal after WhatsApp leaks
					

Platform has option to make messages automatically disappear after set time period




					www.theguardian.com
				




From this Thread valuable-news-2020-03-02.74304, it mentions that the EU recommends Signal for its staff.









						EU tells staff to ditch WhatsApp and other secure messaging apps and use Signal instead
					

The dictum came in early February when the European Commission sent a message to all staff saying, “Signal has been selected as the recommended application for public instant messaging.”




					www.fastcompany.com
				




When bandwidth isn't an issue, XMPP. When bandwidth is an issue for anyone being communicated with, I still have to consider others' opinions.

Someone, Thread how-is-sip-simple-for-an-xmpp-alternative.76331, said SIP/SIMPLE is really good. IMO only if everyone involved has the know how to secure that. That option is unavailable on most clients.


----------



## sidetone (Sep 15, 2020)

UseCrypt messaging for phones, as an alternative to Signal? This application charges a fee.









						Can We End Data Exploitation in Google and Facebook? | Hacker Noon
					





					hackernoon.com
				












						Usecrypt is the world’s most-advanced data encryption system
					

Usecrypt is the world’s most-advanced data encryption system and the first company offering fully secured and truly private communication.




					www.advisorsmagazine.com
				




Is intended to be secure on phone from other apps and compromised audio/video access.


----------



## a6h (Sep 15, 2020)

Telegram server-side code is closed source, but its client is open source. Signal is open source. I'm not enough knowledgeable to vet any of them. Some people have done it. I have take their word for it. I thinks I should say Signal is probably more secure than Telegram. I've never recommended using Telegram to anyone and I don't trust them.

[EDIT]: 
I hate to say it, but as far as I know the only way of secure communication is TNO (Trust no one!):
Choose a password, share it with you partner, write down your message in a text file, encrypt it with a AES program (use your password), and finally send the encrypted file. The medium doesn't matter; email, messenger, etc.


----------



## olli@ (Sep 15, 2020)

From a practical point of view …

The problem is, if you want to communicate with your friends, you either have to use what they use, or try to convince them to use something else. For me, the latter has turned out to be rather difficult and unsuccessful. In other words, I won’t be able to convince all of them to switch to a certain messaging app. Most of my friends and relatives use either WhatsApp or Telegram, so that’s what I use, too. Personally I prefer Telegram, and in fact I managed to convince a few of them to switch to Telegram – _Not_ because it is more secure, but because it has some nice features, like animated stickers (I think WhatsApp has these now, too, but I’m not sure), higher member limits on channels, and so on.

What I like about Telegram is the open client API that is very easy to use. I’ve written several Telegram bots and client programs in Python, for example a simple IRC-Telegram gateway for my personal use.

As far as security and trustworthiness are concerned … I consider _all_ messaging apps as basically insecure, no matter what. I wouldn’t type my credit card number into any of them, no matter if open source, E2E encryption or whatever. For me, these apps are just for chatting with friends, equivalent to meeting in a restaurant. I wouldn’t say my credit card number loudly there either, or write it onto a table napkin. For really secure communication I would _not_ use a messaging app. And in particular I would not do that on a regular Android or Apple device.


----------



## Mjölnir (Sep 15, 2020)

sidetone said:


> UseCrypt messaging for phones, as an alternative to Signal? But this application charges a fee.


You get what you pay for...  Charging a (moderate) fee or asking for voluntary donations is the only way to achieve that your personal data & metadata is not monetarized, since services have costs, right?  Electricity, hardware, manpower for software development & maintainance, all cost money.  The attitude that (internet) services are free of charge is shere dumbness & naivitee...  If someone wants me to communicate via one of the _data kraken_ services, I just don't do it & explain to that person that I can't take anyone serious who uses such so-called _free_ services.  Often the reply is to ask for alternatives, and we have some, see above.  This may be strict, but it makes me feel good.


----------



## sidetone (Sep 15, 2020)

mjollnir said:


> You get what you pay for...  Charging a (moderate) fee or asking for voluntary donations is the only way to achieve that your personal data & metadata is not monetarized, since services have costs, right?



I was saying it was different in that regard, that it charges a fee, a monthly one. That's fine. It may be more difficult for people who've used the service to return to it, to communicate months later. To maintain use of it, or to convince others to try it, who don't know if they'll use it for other purposes. If that service is really needed, like private email, then its use can be paid for.

I brought up UseCrypt, because it deserved mention as an application.

Really, for a phone, the phone is paid for and the monthly service is paid for. The phone itself and the way apps are accessed should be secure from Facebook like apps. Ironically, most phones use Google's Android. I use my computer for messaging, sometimes a phone. Usually, others mainly use their phones for communicating.

Not everything charges a fee, especially opensource. People contribute to it, and services that use them are often non-profit. Their costs are largely covered. People often donate to what they like. In comparison to Facebook, they're for profit, and it's in their nature to make as much as they can off in a greedy way of imposing on people's data. Not all for profits that don't charge are as infringing as them. If a for profit offers something for free, it's their right to make money off of advertisements, but not in a way that's invasive and annoying as Facebook (which owns Whatsapp). DuckDuckGo is able to do that. "You get what you pay for" is usually ok for having nothing or something with less features, but it's no justification for what Facebook does.

For third world countries, there needs to be full security that's accessible and doesn't have too much overhead or nothing.

What about FreeBSD as something that is free to use? That argument doesn't apply to open-source.


----------



## Mjölnir (Sep 15, 2020)

sidetone said:


> What about FreeBSD as something that is free to use? That argument doesn't apply to open-source.


It does.  Open source projects need an intrastructure (internet services, meetings, travel grants for developers, a few full-time employees, etc.pp.).  Although some costs are covered by companies using the project's "product", ordinary users are free to decide to donate, too.  My signature states you're very likely paying for a Windows license when you purchase a new computer.  You can get that back, and then you can decide what to do with that money.  IMHO it's fair to donate that to the OS projects you're using instead of Windows, and/or support a developer; some have a link or button to donate on their personal website.  They have to pay their bills, too.  As of today, the FreeBSD Foundation reached less than 40% of their annual goal, and Wikipedia keeps bugging me with an invitation to donate although I already did...


----------



## ekvz (Sep 15, 2020)

mjollnir said:


> It does.  Open source projects need an intrastructure (internet services, meetings, travel grants for developers, a few full-time employees, etc.pp.).  Though some costs are covered by companies using the project's "product", ordinary users are free to decide to donate, too.  My signature states you're very likely paying for a Windows license when you purchase a new computer.  You can get that back, and then you can decide what to do with that money.  IMHO it's fair to donate that to the OS projects you're using instead of Windows, and/or support a developer; some have a link or button to donate on their personal website.  They have to pay their bills, too.  As of today, the FreeBSD Foundation reached less than 40% of their annual goal, and Wikipedia keeps bugging me with an invitation to donate although I already did...



I agree. It depends a lot on the scale and type of said projects though. Resources are ridiculously cheap. If development isn't taken into account (like done by some guy as a hobby - we all know it happens) a textbased messanger service is likely able to serve a couple 1000 people on a budget of like maybe 50€/month. At this price point there is always going to be people who will do it just for the fun of it or even because of actual altruistic motives. Large(r) or more intensive projects are a completely different topic of course.

Edit: It's not entirely the same but still: Just look at this forum. Of course a lot of the time it's what i'd call a pleasantly intellectual exchange but another part of it seems suspiciously like unpaid tech support work. Now i am not saying that this isn't fun but in a way each and every person around here is to a certain degree already an unpaid open source "worker".


----------



## ekvz (Sep 15, 2020)

vigole said:


> I know it sounds radical, but developers need to eat too. If Open/Libre model doesn't work them, they have to work for corporations or/and! governments.



It's very true. There is a lot of things i'd absolutely love to do but amount of time it would take to realize them pared with the fact those likely aren't commercially viable (at least i'd hate to corrupt the vision just to squeeze money out of it - i am pretty bad at business things anyways so i doubt trying to do so would work all that great to begin with) directly conflict with the need of putting food on the table. Sometimes it's a bit frustrating but that's life and there is nothing one can do about it so...


----------



## sidetone (Sep 16, 2020)

I wasn't saying, "but" as in a bad thing. I was saying it like, it was different in that way.

If I need features from UseCrypt, I'll pay for it to use them. I mentioned UseCrypt, because it deserved discussion as something neat and exceptional among otherwise free and opensource messenger applications. XMPP and SIP/SIMPLE are the only ones recognized by IETF.

Opensource developers and organizations deserve donations and appreciation. There's no way around that. I need to make a donation to an open-source project.

It's different than Wikipedia. That's a shit project that uses mob mentality to support retardedness, then pretends it's something else. I will donate to projects and charities I like and generally agree with. FreeBSD and related projects are worthy of donations. I don't agree with few things FreeBSD does, which I see as misinformed, but that's not a big enough of an issue to stop people from favoring it.


For users all in developed nations, XMPP is perfect.

If talking to people not in a developed nation, subject to poor infrastructure or blackouts for whatever reason, XMPP takes up critical bandwidth.

As for Telegram or Signal, people should probably drop Telegram for Signal. The fact that Snowden endorses Signal, makes me a bit dubious about it, however.

Even if I think a messenger application is secure, I would get worried if someone who regularly visits a country without free speech says something bad about someone in that government. I would discourage someone from saying that as long as they have to deal with those countries, even on something I think is secure, because they throw people in jail for simply criticizing.

That would be a cause for some who realize this, and not a weight on an opensource community in general. The good thing about opensource is that those who see that, are allowed to adopt it for use.


----------



## hruodr (Sep 18, 2020)

Nice thread! I also wanted to investigate the issue for my server project:









						Lightweight Groupware software
					

Continuation from:  https://forums.freebsd.org/threads/what-do-you-think-about-doing-js-free-sites.76622/page-6#post-475316   I've got most of an Ansible script that sets up a Freebsd server on Digital Ocean to run Postfix, Dovecot, and Roundcube. It includes a Roundcube plugin I wrote to allow...




					forums.freebsd.org
				




Since I want standards, I though about SIP and XMPP.


----------



## hruodr (Sep 18, 2020)

olli@ said:


> The problem is, if you want to communicate with your friends, you either have to use what they use, or try to convince them to use something else.



Well, perhaps all of them use a web browser and now there is WebRTC.


----------



## olli@ (Sep 18, 2020)

hruodr said:


> Well, perhaps all of them use a web browser and now there is WebRTC.


No, most of them use a smartphone with a native app; usually WhatsApp or Telegram. Web applications don’t work very well for this. (Telegram’s web client is actually pretty good, but it is meant to be used on a PC, not on a phone.)


----------



## sidetone (Sep 19, 2020)

Telegram messages are a focus in newly uncovered hack campaign from Iran
					

Active since 2014, “Rampant Kitten” uses Windows and Android infostealers.




					arstechnica.com
				




Iran attempting to hack phones to steal SMS and Telegram data. They use a fake .docx file and a fake app. It cautions about enabling macros.


----------



## ekvz (Sep 20, 2020)

sidetone said:


> a fake .docx file



Jeez, how long has this been going on? 10 years, 15 years, ... and people still aren't wise to the fact that opening random word documents is a bad idea. PDF had it's problems/exploits but at least there are some viewers that are pretty trustworthy in regards to not doing stupid things. In any case it's absolutely irresponsible for MS to not have put up a big fat warning about the potencial consequences of opening documents of unclear origin when macros are enabled by now. Given their tendency to track things they likely even know those documents originated from emails and are opened for the first time but still seem to do nothing about it (and why does a word processor even have access to OS functions?). Way to go...


----------



## a6h (Sep 20, 2020)

From Outlook/Thunderbird to Libre/MS Office, if you have macro/script enabled in your client, you shouldn't open any documents [period]

Disable all marco, scripting, addon, OLE, etc in LibreOffice (1) and MSOffice (2)
All scripting in document is bad! WSF, VBA, JXA, ECMAscript (JavaSCripp/TypeScript), AppleScript, Basic, Python, BeanShell, etc.
Disable remote content in emails (3)
Read mails in plain text (4)
Disable inline attachments in email clients (5)
Respect others by sending them text-only email (6)
Who need script/macro in documents (pdf, docx, etc)? docx is a zip package file and could be opened with zip software (*)
Nobody need scrips in email. Same goes for spreadsheet (Excel,...). If you need to script spreadsheet, it's a sign. You are using the wrong program. Maybe you should use SPSS, R or python.

(1) LibreOffice: Tool | Options | LibreOffice | Security => (Options) & (Macros)
(2) MS Office: File | Help | Options | Trust centre | _so forth and so on! (sorry I don't have MS Office)_
(3) Thunderbird | Tools | Options | Privacy & Security | Uncheck "allow remote content in message"
(4) Thunderbird | View | Message Body as | plain text
(5) Thunderbird | View | Uncheck "Display attachment inline"
(6) Thunderbird | Tools | Account settings | choose an account => | Composition & addressing | Uncheck "compose message in HTML format"
(*) https://www.loc.gov/preservation/digital/formats/fdd/fdd000397.shtml


----------



## sidetone (Sep 21, 2020)

Popular Messenger Services – Such As WhatsApp, Signal, and Telegram – Are Extremely Insecure
					

WhatsApp, Signal & Co: Billions of users vulnerable to privacy attacks. Researchers from the Technical University of Darmstadt and the University of Würzburg show that popular mobile messengers expose personal data via discovery services that allow users to find contacts based on phone number



					scitechdaily.com
				




Says contact lists can be uploaded by Signal and Telegram, and this information is insecure.

Its results are from the PDF, All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers.

Signal's contact information is hashed, but there's not a lot of users, so that information can be found.


----------



## getopt (Sep 21, 2020)

sidetone  thanks for pointing to this new paper, as the linked PDF is worth reading in full.

Contact crawling is not limited to these messengers. It's a general problem mainly with mobile devices and interests may exist that such problems persist.


----------



## olli@ (Sep 21, 2020)

By the way, you can refuse access to your contacts for any app. I did that with Telegram on my Android smartphone. It still works fine, the only difference is that I cannot select from my contacts within Telegram, but I have to enter it manually. So it’s a small inconvenience, but I’m fine with that. (I also disabled access to camera and microphone for Telegram because I use it only for textual messaging.)


----------



## getopt (Sep 21, 2020)

Beware of communication partners who work around security (policies) for a convenient usage.

Contact data are sensitive and have to be protected!

Readers of the above mentioned study who understood that even hashes are no meaningful protection won't create any unencrypted files with their contacts.

This is an example of the human factor in sensitive communications and their storage. One never knows what ideas pop up on the other side for a "better user experience". Convenience ever has been opposed to security.


----------



## Mjölnir (Sep 21, 2020)

A little bit OT but:  the FreeBSD Bugathon @saturday was using the google-meet...  Maybe I'll write a rant e-mail about that...  Are there really no _free_ (open source) alternatives?
https://www.heise.de/news/Berliner-...uer-grosse-Videokonferenzdienste-4835808.html (german: _Berlin data security officer states big video conferencing services insecure_)


----------



## a6h (Sep 21, 2020)

Apparently same goes for OfficeHours. Two days ago I was looking for more information on "how to participate in OfficeHours", as it was announced in the newsletter. I think that program is going to use some google tech too. Email Ranting on these subjects are always appropriate. Also it's nice to have similar rant in the Off-topic section of the FreeBSD Forums too.
Latecomer TL;DR: YAY!


----------



## getopt (Sep 21, 2020)

mjollnir said:


> the FreeBSD Bugathon @saturday was using the google-meet...


For ethical reasons I refuse any Google services. Strictly, no joke. Gmail users get a one shot answer from a special email account only for this purpose.

Also Google captchas are a hurdle I refuse to take.

So when it came to google-meet, this had prevented me from participating FreeBSD Bugathon. Period.


----------



## Mjölnir (Sep 21, 2020)

getopt said:


> For ethical reasons I refuse any Google services. Strictly, no joke. Gmail users get a one shot answer from a special email account only for this purpose.


+1


getopt said:


> So when it came to google-meet, this had prevented me from participating FreeBSD Bugathon. Period.


IRC is fine & enough to participate.  The benefit of video was none, except for those who earn from traffic...   I closed it after an hour & was only on IRC.  Besides that, it was fun!  Hope to see you there next time.


----------



## getopt (Sep 29, 2020)

sidetone said:


> For users all in developed nations, XMPP is perfect.
> 
> If talking to people not in a developed nation, subject to poor infrastructure or blackouts for whatever reason, XMPP takes up critical bandwidth.


I saw you using the term "third world" and now talking about "developed nations". For my taste his kind of reference has the sound of a little too much hubris. A lot of poor infrastructure can be found i.e. in the "rust belt" or in "fly over states". Even NY and CA has blackouts.

If you wanted to talk about XMPP bandwith, please explain.


----------



## sidetone (Sep 29, 2020)

getopt said:


> I saw you using the term "third world" and now talking about "developed nations". For my taste his kind of reference has the sound of a little too much hubris. A lot of poor infrastructure can be found i.e. in the "rust belt" or in "fly over states". Even NY and Florida has blackouts.
> 
> If you wanted to talk about XMPP bandwith, please explain.


It's not hubris, and this wasn't about the US where the majority of the time, Internet is reliable and blackouts happen but are rare. A few countries have nationwide Internet blackouts, sometimes intentionally timed. Some countries have low infrastructure as it is. However, this can apply to developed nations (regardless of where in that country) such broadband rather than dedicated DSL-like service, when too many customers are on at once.

XMPP has to hold a lot of data, as it holds the whole conversation as structured by XML, instead of a message at a time. The message data doesn't go directly, as it goes through many points.

When I use XMPP, a server would be in Japan. The Internet connection to the US, Europe or other countries to Japan doesn't have lag. When, the hosting server for the screename was switched to Europe, the connection would be a lot better. It has to do with distance among 3 or 4 points around the world; when these 4 points are all in developed countries, even if the distance is around the world twice, there isn't an issue, as messages will get there within a a few seconds. An XMPP conversation has to go through all of them, and have the whole XML data open, as XML is structured from beginning of the conversation to end.

Someone will send me a message, and it will arrive 4 or 12 hours later through XMPP. When they change names to a tld closer to their country to theirs, there's a major reduction in lag. Sometimes, a conversation will be dropped, and won't return for days. For certain times of a day, XMPP conversations can be made. It reminds me of when I used broadband service, where the Internet would work after midnight. Broadband is described as faster, which it can be, and in theory is, but when everyone is on at once, I rather have a slower but fast for my uses DSL line which is consistent. Even then, I'm not that concerned about broadband and XMMP. The problem is countries which don't consistently have reliable Internet service.

In those countries, where communicating is essential, XML messaging (XMPP) takes up too much critical bandwidth for their infrastructure.

An example of a country like this is Sudan. XMPP is unacceptable for use there. This is about people being able to communicate as they need to, and be not limited by poor or sabotaged infrastructure.


----------



## getopt (Sep 29, 2020)

sidetone said:


> The problem is countries which don't consistently have reliable Internet service.


Thanks for clarification. The Internet is quite resilient. If that is a problem for some countries they cut it or make unusable in part. That's not a bandwidth problem isn't it?

Here is a reader for using XMPP in constrained networks:






						Operating XMPP over Radio and Satellite Networks
					






					www.isode.com


----------



## sidetone (Sep 29, 2020)

getopt said:


> That's not a bandwidth problem isn't it?


It is, when there's some (perhaps alternate, minimal and basic) internet going on there, or if a minimal bandwidth network can be established. No matter how minimal and basic.

For instance, what if 90% of the Internet was cut intentionally, and there's 10% that can't be cut. Bandwidth matters there.

It's also bandwidth, when it has to do with infrastructure by itself, including if Internet infrastructure is kept under-maintained to restrict communications.


----------



## getopt (Sep 29, 2020)

sidetone said:


> For instance, what if 90% of the Internet was cut intentionally, and there's 10% that can't be cut. Bandwidth matters there.


What is specific to XMPP and wouldn't this hurt other protocols too?


----------



## Mjölnir (Sep 29, 2020)

sidetone said:


> [...]  XMPP has to hold a lot of data, as it holds the whole conversation as structured by XML, instead of a message at a time. The message data doesn't go directly, as it goes through many points.  [...]  In those countries, where communicating is essential, XML messaging (XMPP) takes up too much critical bandwidth for their infrastructure.


And what's a reasonable low-bandwidth alternative for XMPP?  I tried TOX, but in contrast to XMPP+OTR encryption, it causes a constant data stream of several kbit/s.  Mathematically, that makes it harder to break by brute-force attacks, but it's much more data intensive.  IIRC I can enable compression in XMPP?  I guess that helps with low-bandwidth connections, but keeping XML eases to build robust clients, because many libraries to parse XML exist for all reasonable programming languages & toolkits/frameworks.


----------



## sidetone (Sep 29, 2020)

getopt said:


> What is specific to XMPP and wouldn't this hurt other protocols too?


More data can get through with other protocols, because XMPP uses XML, and because each message has to go through all points. That it uses XML itself for unnecessary data for messages causes a lot more data use. Other protocols go through all points for the connection, then the shorter route more direct for each message.

If XMPP takes up 10MB, and another protocol takes up a few KB per 20 messages. With a minimal network, more message of that other protocol get through. Let's say it's next door, and the server is in Europe. Instead of communicating directly to either next door or the closest ISP, that connection goes through Europe and back. XMPP is also like a clog on those infrastructures.

As with anything. More people can exit at a time through a big garage door than a small door. More water will flow through a larger diameter pipe than a smaller one. If someone puts a wooden block in a toilet, it will clog. The more that can get through, the better. If there are 5 open doors, and only 1 door is open, the more that can get through that by needing lower resources to get through that door.


----------



## sidetone (Sep 29, 2020)

mjollnir said:


> And what's a reasonable low-bandwidth alternative for XMPP?


That's what this whole thread is about. There's nothing really ideal, the closest things are Signal, UseCrypt or SIP/SIMPLE not without being an expert on setting it up. XMPP is perfect when all points are through developed countries.

They need an XMPP/SIP hybrid, where the only thing that would be under XML is used for the handshake and an optional (and not required for messaging when it is used) count of the message numbers to synchronize and display if messages were dropped.


----------



## getopt (Sep 29, 2020)

sidetone said:


> because XMPP uses XML





			https://xmpp.org/about/myths/


----------



## sidetone (Sep 29, 2020)

sidetone said:


> and because each message has to go through all points.


.. [for XMPP as opposed to SIP]

For an XMPP connection, each message has to go through all/most points that were used for the handshake, unlike SIP. All messages go between all included servers, which is a extra hop or more around the world. Using a server closer to a country than Japan caused an improvement. Not the short route (bypassing those servers once the handshake was already established) from computer to computer, like SIP.

For a webpage, a server from one place near the Atlantic to Japan or Australia can add 6 seconds to load compared to a visitor to a webpage in the same country or all parties near the Atlantic, to show an example of the lag for a large amount of data, even if the lag for smaller amounts of data is much smaller. There's more data for webpages, but it shows the difference in distance. When a message must pass through Japan, and Europe depending on where each person's XMPP server account is based, in that way. To pass from any combination of developed countries, whether through Japan, Europe, USA, even if it must go from the most indirect routes around the world twice, lag or bandwidth isn't an issue.

Still, XML is a problem. The whole structure of the conversation must be maintained, instead of 1 message at a time. XML consists of required closing tags, and a whole conversation an hour or more long is a sub element of another XML tag. The fact that messages are sub elements of other elements and the XML headers, rather than each message be its own full dataset. Also that each message isn't within it's own self contained XML or other element as well.

For single documents and one way messages (self contained messages), XML based is perfect no matter the network infrastructure. For two way messages, the basis of XML (sub-elements, and headers maintaining a whole conversation) over each message is a logjam on un-reliable networks.

I'm not a fan of JSON and Javascript, for a comparison to be made to that.

XML makes perfect sense for handshakes, logging in/out, terminating conversations, one-way messages/documents and optionally keeping minutes (to indicate messages dropped, or order of messages, and not being required for a conversation to continue, as this doesn't have to be kept up as quickly as the message are exchanged), not for real-time/two way messages. Individual messages within a whole conversation are better off self-contained, than being of a sub-element of other tags and a heading. XML requires structure of that whole conversation (with parts at a time having to be synchronized through 1 or 2 account servers, while maintaining the full XML structure) which is not being made from 1 direction at a time.


----------



## Mjölnir (Sep 29, 2020)

XMPP has the _Jingle_ (STUN/TURN) extension to decouple a P2P connection from the server.


----------



## sidetone (Sep 29, 2020)

getopt said:


> Here is a reader for using XMPP in constrained networks:
> 
> 
> 
> ...



What's described there makes it better.

There's major issues on constrained networks with excess handshakes. The Open-source standards to improve this are at https://www.isode.com/products/swift-open-standards.html. HF radio has an open standard, but it's not listed there: it's very interesting, but not needed for typical use.



mjollnir said:


> XMPP has the _Jingle_ (STUN/TURN) extension to decouple a P2P connection from the server.


Sounds good. How to configure an XMPP client to make use of that.


Still, having to have these as extensions to XMPP and SIMPLE makes it so that applications of it aren't set to readily make use of needed features. They need a hybrid to also consolidate their user bases.


----------



## Mjölnir (Sep 30, 2020)

Matrix may be a another reasonable alternative.  The german Wikipedia says the Bundeswehr (army) is switching from XMPP to Matrix, and the french government decided to switch, too.


----------



## sidetone (Sep 30, 2020)

I found France went with Tchap, which is only for the French government, plus those selected by them. Tchap is based on Element [https://element.io/], formerly RiotChat.









						French government releases in-house IM app to replace WhatsApp and Telegram use
					

French government open-sources in-house-made end-to-end encryption IM app named Tchap.




					www.zdnet.com
				




Element is a client for Matrix, https://matrix.org/. Two of its founders are also founders of the Matrix Foundation.

Matrix uses JSON, which means Javascript.


----------



## sidetone (Sep 30, 2020)

There's the Open Tech Fund (OTF) non-profit project which promotes Internet freedom.









						Supporting Internet Freedom Worldwide
					






					www.opentech.fund
				




They support Signal, and a lot of other open-source software projects.


----------



## Mjölnir (Sep 30, 2020)

off-topic, but with all this open source hype going on, I'm not always shure who's "got the hat on"...  Look at the owners of the repositories (_sourceforge disaster_), and where the server & client-side software used is completely free software...


----------



## sidetone (Sep 30, 2020)

mjollnir said:


> off-topic, but with all this open source hype going on, I'm not always shure who's "got the hat on"...  Look at the owners of the repositories (_sourceforge disaster_), and where the server & client-side software used is completely free software...


Not everything is Sourceforge. For example: FreeBSD, Signal, OTF. Everything is different, and everything should be verified/reviewed and left for discussion.

As for for-profits, Twitter isn't Facebook, and DuckDuckGo isn't Google.


When someone with a Windows computer downloaded a Tox client, it might have been from Sourceforge. I don't remember well. They said it asked for access to their files. I told them, then don't use that. It was likely Sourceforge, based on what I remember from the website's design/presentation from that time.

Maybe Tox switched that to host their own download, Github or something else for each OS. Before, what a person needed for their specific OS wasn't available for download from Tox's website.

I don't know if that was Tox's default behavior, if 3rd party developers for an application did that, or if it had other stuff packaged with it.


----------



## a6h (Oct 3, 2020)

The Inside Story of How Signal Became the Private Messaging App for an Age of Fear and Distrust
					

As protests against systemic racism and police brutality intensified this year, downloads of Signal surged across the country




					time.com


----------



## sidetone (Oct 10, 2020)

What is Signal? How the popular encrypted messaging app keeps your texts private
					

Signal is a messaging app that uses end-to-end encryption to keep your messages private — not even the company that makes the app can see them.




					www.businessinsider.com


----------



## getopt (Oct 19, 2020)

TL;DR-Boys: Don't click on that one!









						Taking Back Our Privacy
					

Moxie Marlinspike, the founder of the end-to-end encrypted messaging service Signal, is “trying to bring normality to the Internet.”




					www.newyorker.com
				




*EDIT: *
Skimmers' capabilities may fade due to text excess length.​​Persons getting discombobulated when reading VIP names should not click on that either.​


----------



## ekvz (Oct 19, 2020)

getopt said:


> TL;DR-Boys: Don't click on that one!
> 
> 
> 
> ...



You are right. I regret even skimming it...



> In the early two-thousands, he taught himself to sail by taking a solo two-month round trip to Mexico on a twenty-seven-foot Catalina with a broken engine. Later, he and three friends bought a fibreglass boat on Craigslist for a thousand dollars, restored it, and sailed through the Florida Keys to Grand Bahama Island.



Like what??? Why would i care?


----------



## MasterOne (Mar 21, 2021)

A touch decision to make. I have just fitted the whole family with new mobile phones (POCO X3 NFC) running a custom ROM (ArrowOS 11) with microG (instead of Google Play Services) and a line of measures to enhance privacy.

Now I have to decide on a secure open source communication app/service that respects privacy and supports messaging, voice and video calls, and possibly has a desktop-app available that's compatible with FreeBSD as well.

Several options are not an option, one app/service has to suffice, and as far as I can see it petty much comes down to Signal versus Conversations (XMPP).

There is way too much information to skim through, but as it seems XMPP is still too geeky for the general public and chances are higher to convince others to move from WhatsApp to Signal than to using a XMPP client where you have to look for a reliable free Jabber/XMPP server.

Any more thoughts on this?


----------



## Mjölnir (Mar 21, 2021)

MasterOne said:


> A touch decision to make.


We all honour you to have taken up a 1/2 year old thread!  Right you are: this topic is still hot!
DEIT tougj tougj tougj


MasterOne said:


> I have just fitted the whole family with new mobile phones (POCO X3 NFC) running a custom ROM (ArrowOS 11) with microG (instead of Google Play Services) and a line of measures to enhance privacy.


Can't comment, have to investigate further.


MasterOne said:


> Several options are not an option, one app/service has to suffice, and as far as I can see it petty much comes


what a wonderful typo 


MasterOne said:


> down to Signal versus Conversations (XMPP).


Exactly.  Or _Matrix_.


MasterOne said:


> There is way too much information to skim through, but as it seems XMPP is still too geeky for the general public and chances are higher to convince others to move from WhatsApp


Wrong spelling: correct to: _WhatsApe_, please.


MasterOne said:


> to Signal than to using a XMPP client where you have to look for a reliable free Jabber/XMPP server.  Any more thoughts on this?


Yes: there are gateways, and some nerds/geeks/responsible persons are running these available for the public.


----------



## Mjölnir (Mar 21, 2021)

FWIW I can read about that _microG_, but when I click the link on _ArrowOS_ I get _"Please disable your adblock and script blockers to view this page"._  I have some non-uncommon adblockers enabled.  Nothing special, same what millions (hopefully) others have, too.


----------



## sidetone (Mar 21, 2021)

I read that MQTT's authenticiation security is too basic to be used for secure conversation.


Matrix is basically a proprietary derivative of XMPP.

For open source messaging, it's between Signal and XMPP, depending on which one you're more comfortable with. Tox was mentioned, but its technical aspects are still a question mark.

It appears that XMPP isn't so bad for constrained networks, and with the right extensions and settings, the overhead isn't so overbearing. XMPP still needs learning about to use, and maintaining compatibility for features on different clients/servers isn't always easy. Privacy can easily be confirmed on XMPP. Thread xmpp-basics-security-constrained-networks.77220

SIP/SIMPLE requires a lot of expertise on both ends to know for certain if the communications are secure/private. Many clients don't have this ability by default. Thread how-is-sip-simple-for-an-xmpp-alternative.76331

SIP/SIMPLE and XMPP are the only open source standards for conversation recognized by IETF. OASIS offers its own open source standards such as: AMQP for secure business messaging, and MQTT. A standard is a different classification than a client or provider. Open source standards are meant for inter-organizational use that can be offered by different providers. For instance, many companies have had their own offerings on top of XMPP, some open source and some proprietary: ZOOM, Whatsapp, Jitsi. Google's and DuckDuckGo's offerings of XMPP are defunct. Signal is a client rather than a standard, as it's only offered by its own organization.

If one is looking to host their own communication server or have something that can be interoperable among different providers, then SIP/SIMPLE, XMPP and possibly AMQP are the only ways to go. If wanting a client provided by a single provider, Signal is opensource and has endorsements. Its technical aspects are also written about a lot in publications.

With this understanding, now opensource standards can be compared to opensource standards: Thread opensource-communication-frameworks-xmpp-sip-amqp-mqtt-cap-iax.79474. We can now better evaluate clients, which are under a different classification than standards, for what they are.


----------



## MasterOne (Mar 21, 2021)

Not so convinced about Signal anymore, will look into XMPP and Nextcloud Talk now.


----------



## Deleted member 30996 (Mar 21, 2021)

The one word I did not see-on-speed-scan in this thread was proxy.

That is what should be between your Instant Messenger and the text readodout of your Message and the text should be associated with the Proxy IP#, not yours.If you're not doing it that way now you are behind the curve of those that do.

They will be using a list of machines with open ports ( 21, 25 80, 110),fr om around the world. Who they belong to of less importance than the Country you want to be from. Use the standard greeting for that country when you enter the room for theatrics and style. (Hej, hola howdy, hi, hallo, etc.)

Nobody is going to pay attention to another automated scan and the first proxy off your machine is the only one that will see  your IP, and if they were smart they wouldn't be used as a proxy.  Or they are very cagey and hoping you will use a password while using a proxy they set up to sniff for passwords.

I no longer use IM and consider it a Security risk, so I am unfamiliar with every app you listed and how things are done today. But that's the way Agents of Chaos did it back in the day and pretty sure is still done today by those still at large. Using maybe net/proxychains and something like security/proxycheck.

That slightly naive 15 year old girl in the room might be me waiting on a pedophile to play bait and switch on.


----------



## sidetone (Apr 23, 2021)

In epic hack, Signal developer turns the tables on forensics firm Cellebrite
					

Widely used forensic software can be exploited to infect investigators' computers.




					arstechnica.com


----------



## MasterOne (Apr 23, 2021)

I have put the idea of using Signal or XMPP to rest and settled with Nextcloud Talk and Delta Chat (+ Jitsi Meet) for now. 
I have just installed and configured that setup on each family member's phone and my test have worked out considerably well so far.

Now all that's missing is the FreeBSD port of the Delta Chat Desktop-App.


----------



## teo (Apr 26, 2021)

Parler or  Town are not secure?


----------



## sidetone (Nov 5, 2021)

So, Signal is now using closed sourced components. Omemo is a technology from Signal that was adopted by XMPP.

Telegram agreed to give Russia access to its information in 2020. Telegram was already under question in this thread.

Some on this forum have mentioned Delta, which uses email for an account. Email uses indirect federation, when direct federation would be better to reduce spoofing.








						Like Whatsapp, Signal just “jumped the shark” and stops caring so much about privacy
					

Signal changes their policy about being completely open with users and decides to start adding closed-source components to their centralized servers.




					pocketnow.com
				











						10 Ways Delta Chat is Better than WhatsApp, Signal, and Telegram
					

With everyone deleting WhatsApp and switching to Telegram or Signal, maybe there's something better that you haven't heard of yet. Here are 10 ways Delta Chat is better than the others.




					pocketnow.com
				





			https://conversations.im/omemo/audit.pdf


----------



## hardworkingnewbie (Nov 5, 2021)

Well what Signal is doing is in-house development of an anti spam solution which will remain closed source. That is all.

If this is enough to destroy your trust in it, you could still give Swiss made Threema a try.


----------



## sidetone (Nov 5, 2021)

Signal and Telegram had centralized servers, so this made it easier for the companies to change their model.

XMPP and Matrix are both open-source standards and decentralized networks. XMPP is recognized as a standard by IETF: Thread opensource-communication-frameworks-xmpp-sip-amqp-mqtt-cap-iax.79474/. The major issue with XMPP is that Omemo doesn't seem compatible across different clients. SIP/SIMPLE is an open standard for VOIP and text that goes with VOIP.









						Stop being naive when it comes to things like WhatsApp, Telegram, Signal, etc.
					

Facebook is breaking promises about WhatsApp, as expected. Learn how to tell if your next messaging app is going to last or will eventually become horrible just like the others.




					pocketnow.com


----------



## Jose (Nov 5, 2021)

sidetone said:


> Some on this forum have mentioned Delta, which uses email for an account. Email uses indirect federation, when direct federation would be better to reduce spoofing.


What's the difference between indirect and direct federation?




sidetone said:


> Signal and Telegram had centralized servers, so this made it easier for the companies to change their model.


Skype was peer-to-peer, and Microsoft still found a way.


----------



## sidetone (Nov 5, 2021)

Thread xmpp-basics-security-constrained-networks.77220.

Direct federation uses the fewest routes from clients. Each client has a server or uses the same server. These servers connect to each other directly, unless they are both the same server used by both clients. The server manages its own clients. The only potential for spoofing here, is if unicode is used for very similar lettering.

There can be an additional point called the Client Manager (usually on the same location as the XMPP server, that has a client point, where the data goes to the end user's web browser), as a layer for HTTPS. BOSH (Bidirectional-streams Over Synchronized HTTP) was an older method for a Client Manager for using XMPP over a webbrowser. Websocket is the current way for a CM to broweser over HTML5. XEP's (XMPP extensions) have made Websockets better for intermittent connections.

Indirect federation has plenty of connection routes to multiple servers between email ends. There's a lot of potential for spoofing and unsecure entrances between these points.

There was something mentioned about Skype that I recently read. It explained why its use has declined.


----------



## Jose (Nov 5, 2021)

sidetone said:


> Indirect federation has plenty of connection routes to multiple servers between email ends. There's a lot of potential for spoofing and unsecure entrances between these points.


Which also makes the protocol more resilient and harder to block.


----------



## sidetone (Nov 5, 2021)

Alternate routing availability through indirect federation? It's still less secure, unless all of the points are determined and known to be secured from the start. Signal and Telegram were blocked in some countries, which was mentioned in the article about Delta, though these are centralized rather than any kind of Federated network.

With XMPP (or direct federation), the best way is to use a server that's geographically closer to the client being used on that end. Server to server connections are usually stable, reliable and fast despite distance.

Maybe a better method would be to have 1 alternate or duplicate server for each server for XMPP, which can accept the same client.


On another note, instead of certificate authority (CA) for security handshakes, XMPP needs an opensource standard for secure server negotiations, perhaps on multiple XMPP servers that replaces the CA for that purpose. Perhaps an XMPP extention thats purpose is to replace CA, which is used by trusted sister XMPP servers to verify connections.


----------



## Jose (Nov 6, 2021)

sidetone said:


> Alternate routing availability through indirect federation? It's still less secure, unless all of the points are determined and known to be secured from the start. Signal and Telegram were blocked in some countries, which was mentioned in the article about Delta, though these are centralized rather than any kind of Federated network.


I'm not sure I agree with your direct-indirect federation taxonomy, and you really shouldn't accept mail from a domain that doesn't use an SPF record anyway. The ability to have multiple intermediate hops as needed adds resiliency and scalability to the protocol.



sidetone said:


> On another note, instead of certificate authority (CA) for security handshakes, XMPP needs an opensource standard for secure server negotiations, perhaps on the same machines or location that hosts an XMPP server that replaces the CA for that purpose. Perhaps an XMPP extention thats purpose is to replace CA, which is used by trusted sister XMPP servers to verify connections.


Well, the Gnupg web of trust didn't work out so well. The CA situation has improved dramatically with the rise of Let's Encrypt. Maybe just a better curated and smaller set of roots will do. In any case, I think the Openssl monoculture is a far bigger problem.


----------



## sidetone (Nov 6, 2021)

XMPP servers are offered free CA's (https://xmpp.org/2009/09/ca-updates/). They were still working on other alternatives (https://blog.prosody.im/mandatory-encryption-on-xmpp-starts-today/), like DNSSEC, Monkeysphere (http://web.monkeysphere.info/) and using manual fingerprints.

I worried about spoofing from emails, and didn't know if an email's domain were spoofed. I know for https, the domain name can't be spoofed as long as the tld and domain name read the same. So, one way to tell is to check if the email address in the inbox has an SPF record?

PGP Web of Trust looks like a good experiment where a lot was learned from signature abuse through overload. I was thinking that only confirmed XMPP servers could be trusted, than other types of servers/applications.

Problems with centralized servers become apparent after reading about them. Direct federation would be better than that, and perhaps Indirect federation is a way. If not, some type of indirect/direct hybrid.

This can be narrowed down to XMPP, Matrix and Delta. IETF accepted standards are a big deal for XMPP, though Matrix claims it learned from other messenger products. Depending on opinion, Signal could still be viable, except for those where a centralized server is blocked.

Here's a good comparison between XMPP and Matrix: https://lukesmith.xyz/articles/matrix-vs-xmpp.


----------



## Jose (Nov 6, 2021)

Sender Policy Framework records are DNS records that identify the mail exchangers that are allowed to forward mail from a given domain. You should reject and probably blacklist any MXs that don't match the SPF record. Unfortunately, not everyone publishes SPF records.



sidetone said:


> Here's a good comparison between XMPP and Matrix: https://lukesmith.xyz/articles/matrix-vs-xmpp.


Good lord!


> Matrix is a metadata disaster.​
> It gets worse. Because Matrix doesn't really just exchange individual messages, but because it syncs entire chats to all involved servers, this means that while all messages might be end-to-end encrypted, the conversation metadata is known to all servers, including what accounts are involved, when messages are sent and other account information made public (for example, users can add their emails and phone numbers to their accounts).        See more here.
> 
> 
> That means that all Matrix servers, _especially_ Matrix.org, has a huge repository of metadata.        Although chats are thankfully encrypted, encrypted chat logs are synced between all relevant servers, spreading metadata far and wide,        and nearly always back to Matrix.org.


----------



## hardworkingnewbie (Nov 6, 2021)

Jose said:


> Sender Policy Framework records are DNS records that identify the mail exchangers that are allowed to forward mail from a given domain. You should reject and probably blacklist any MXs that don't match the SPF record. Unfortunately, not everyone publishes SPF records.


Reason why is quite simple: because take John Doe user as roadwarrior abroad, just sending some mail using a different MX host with that SPF protected company domain name. Mail gets lost. 

This should not happen, but in reality it happens all the time.


----------



## Jose (Nov 6, 2021)

hardworkingnewbie said:


> Reason why is quite simple: because take John Doe user as roadwarrior abroad, just sending some mail using a different MX host with that SPF protected company domain name. Mail gets lost.
> 
> This should not happen, but in reality it happens all the time.


Open relays are a thing of the past. They either get shut down or blocked in minutes nowadays. That road warrior must have an account that requires authentication on some private mail exchanger. That MX should either be listed in the organization's SPF record or should only forward to an MX that is.


----------



## hardworkingnewbie (Nov 6, 2021)

Yes, open relays are a past. But it's entirely possible to put in any sending address into Gmail that you want to use, for example. And some people are just exactly doing that. Also mailing lists are another problem which SPF alone probably breaks, which is why SRS came into existance. 

SPF is just one technic which can be used to restrain some abuse of your domain, and keep its reputation high amongst MTAs evaluations SPF records. That's all about it.


----------



## sidetone (May 4, 2022)

Signal is a drop-in replacement for SMS (except for communicating to those who don't have Signal). Contacts' phone numbers are needed, so it's only for communicating with those you would give your number to. Although, Signal also allows you to use messaging from other devices which aren't your phone as well. It has ways to prevent or reduce spoofing from other devices. For those without Signal, it seems like texting defaults to SMS.

Line is similar that it needs a phone number to sign up. With this one, a user ID can be used as well as telephone numbers to communicate.

Telegram also needs a telephone number to use the service. IDs or phone numbers can be used for communicating with others. Contacts can be added from a global search of their ID. Telegram is widely used, and while it claims to be highly secure, it lacks security.

Edit: SMS is standard with phones and is used anyway. Signal is an upgrade from that to those who also have the service. That's why its use is limited to those you would share your number with. These 3 applications require phone numbers; two of them can be used without exchanging numbers. Its to give an idea for what kind to use for which purpose.

Late edit: It seems that only 1 piece of hardware is allowed to use Signal at a time.


----------



## bsduck (May 4, 2022)

Threema and Session are similar to Signal but don't ask for a phone number.

I don't use Threema nor Signal because they require a phone to be the primary device of any account (you need your phone even to login on desktop) and I don't usually connect my phone to the internet so I want the desktop client to be self-sufficient.

Session looks more interesting to me, but the desktop client isn't ported to FreeBSD yet and isn't available as a web application either. I could probably use it through Linux emulation or in a Linux VM but I like to keep things simple and since I don't have either of them in use for other software I don't really want to set it up just for a messenger.

For my limited instant messenging needs I currently use:

Wire. Despite zero mention of it on its website mostly geared towards business clients, it's actually available as a free personal messenger, you can create an account on https://app.wire.com (or from the phone app). It offers audio and video calls too.

Tox. I like the idea of peer-to-peer messenging as opposed to a system relying on centralised servers, but that isn't a proper replacement for mainstream messengers or SMS since a message won't be sent until both the emitter and the receiver are online.


----------



## Jose (May 4, 2022)

hardworkingnewbie said:


> Yes, open relays are a past. But it's entirely possible to put in any sending address into Gmail that you want to use, for example. And some people are just exactly doing that.


Yes, you can put any email you like in the from: header. That is not a way around SPF. SPF check will fail with forged from: headers.


hardworkingnewbie said:


> Also mailing lists are another problem which SPF alone probably breaks


How?


hardworkingnewbie said:


> SPF is just one technic which can be used to restrain some abuse of your domain, and keep its reputation high amongst MTAs evaluations SPF records. That's all about it.


No, you can also use it to reject messages with a forged from: sender. There's no legitimate reason to do that.


----------



## hardworkingnewbie (May 4, 2022)

Never heared about SRS? That's what was introduced to overcome those problems.






						Sender Rewriting Scheme - Wikipedia
					






					en.wikipedia.org


----------



## Jose (May 5, 2022)

hardworkingnewbie said:


> Never heared about SRS?


No, I'd never heard of of that, and reading that Wikipedia page, I'm not surprised. It lists two authorities for this scheme. The first one is a draft standard that expired in 2003 and doesn't mention mailing lists at all. The second one is another draft standard, this time from 2004 (no expiration date) that explicitly says:


> SRS must be implemented by all mail servers which forward mail from a domain which does not designate
> the sender of that mail in its SPF record. This includes:
> • Many servers which support .forward files.
> • Third party mail forwarders.
> ...


Emphasis mine.

Let's look at actual headers sent by and actual mailing list to me today, in 2022:

```
Received: from mx2.freebsd.org (mx2.freebsd.org [96.47.72.81])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by myserver (Postfix) with ESMTPS id 4D5EC21D9A6
    for <me>; Wed,  4 May 2022 20:46:15 +0000 (UTC)
    (envelope-from freebsd-ports+bounces-1867-myemailaddress@FreeBSD.org)
Sender: owner-freebsd-ports@freebsd.org
```
The sender and the envelope-from are both from the freebsd.org domain. Let's check its SPF record.

```
$ drill freebsd.org txt | grep spf                                                  
freebsd.org.    3600    IN    TXT    "v=spf1 redirect=_spf.freebsd.org"
$ drill _spf.freebsd.org txt | grep spf                                             
;; _spf.freebsd.org.    IN    TXT
_spf.freebsd.org.    242    IN    TXT    "v=spf1 ip4:96.47.72.81 ip6:2610:1c1:1:606c::19:2 ~all"
```
As you can see, the sending host's IP address is listed in the domain's SPF record. The SPF check passes.



hardworkingnewbie said:


> That's what was introduced to overcome those problems.


What problems?


----------



## hardworkingnewbie (May 5, 2022)

SPF: SRS


----------

