Add XMPP clients

[jubalh]

The section about messengers is sadly very misleading in my opinion.
Have you ever used ChatSecure?
I suppose you recommend it becuase it runs on multiple mobile operating systems.
Are you aware that it is different on each of these, has different featuers?
Can it do http_upload, carbons? Do you tell people about how OTR can also be a pain if you have multiple devices? It doesn't seem so, which will result in users trying the software, seeing that it doesn't work as expected and saying its no good.

In my opinion the best XMPP client for mobile is Conversations, which is mentioned on the page too.

I think one should just mention XMPP in general and then link to a broader explanation of it. Explaining that behaviour of clients can differ depending on which XEPs they support. And listing a good pre selection for people who do not want to read all those details. Which in my opnion is: Conversations for Android, Gajim and Swift for desktop. I can't speak for iOS since I don't use it.
This would also give the user the right impression: it's not just for mobile but for all kinds of things. Currently in my opinion it looks like its a mobile only thing.

[jubalh]

Just today: http://www.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM?sp=alcms
So much about secure and privacy

[PrivacyDefender]

There's a list which compares different servers and their support for different XEPs (https://gultsch.de/compliance.html). However, privacytools.io suggests using OTR/openPGP, while there is a far more sophisticated encryption (OMEMO) available, which is currently supported by Conversations, Gajim and CryptoCat (ChatSecure for iOS already announced to support it with the next app release).

[privacytoolsIO]

@jubalh So your idea is to add a "XMPP" recommendation and link to several different clients for Desktop, iOS and Android?

As far as I know: Conversations for Android and Chatsecure is still good for iOS?

Please help me out here.

[jubalh]

@privacytoolsIO :)

Maybe these tips are helfpul:
A list with clients and which XEPs they support. https://www.zash.se/xmpp-clients.html
http://xmpp.iodoru.org/details.html mentions which XEPs are important to have a usable chat experience.
I agree usual users shouldnt have to think about such things thats why currently many clients try to make things easier and implement all the important XEPs.
The best client is Conversations I'd say, I even have the feeling that its the leading example and often drags the others along.
Gajim is a good client for the desktop, but it needs some tweaking (going to settings and download plugins for some of the XEPs). Swift-im is another good client which wants to make things easy.
Cannot talk about iOS since I dont have any such devices :/

[ghost]

TODO: Add XMPP clients.

[Atavic]

Are we OMEMO yet?

[NeverDucky]

I could make a PR for this but how should/would it be added? It seems a bit odd to have an entire section dedicated to XMPP when it's really just a sub-section of the Encrypted Instant Messenger section.

[Mikaela]

As far as I know: Conversations for Android and Chatsecure is still good for iOS?

I think that Conversations for Android still applies, but I have gotten image that Chatsecure needs its own module or something like that in the XMPP server and Monal may be better. However I am not an iOS user personally so this information is second (or more) hand.

On PC, Gajim works ~everywhere and another worth mentioning client is Dino however it may be Linux-only.

[Mikaela]

I am not sure if this or https://github.com/privacytoolsIO/privacytools.io/issues/141 is a better place for this, but there are at least two XMPP clients/servers with registration using phone number and contact discovery that way:

• Kontalk which is the older one
• Quicksy which is from the author of Conversations (and actually a build flavour of it and designed as a gateway drug to Conversations/XMPP itself)
  • It also optionally supports mapping existing XMPP ID to phone number with a price of 4.99 € Quicksy.im/enter

[Mikaela]

@infosec-handbook on https://github.com/privacytoolsIO/privacytools.io/issues/779#issuecomment-471687384

When it comes to user experience, no, absolutely not. There are dozens of XEPs needed for a WhatsApp-like client that are only supported by several client implementations. Then, modern encryption (OMEMO, which is still experimental) is only supported by a small number of clients. Finally, you need an XMPP server that must also support several XEPs. There is no simple way for users to find the right client AND server when they decide to switch to XMPP.

Are you familiar with Kontalk or Quicksy I mentioned here? I think they are attempting to be WhatsApp-like experience. I think the XEPs can be found out from https://compliance.conversations.im/, but it could have a simpler UI. On OMEMO and XMPP, I think my recommended list would be:

• Desktops: Gajim.org (or Dino.im)
• Android: Conversations.im
• iOS: Monal (I don't have personal experience though)
• Web: I have heard good things of Conversejs, but cannot remember using it (I am mentioning it as Matrix's main client is https://riot.im/app)

Another drawback of all of these systems (Matrix, XMPP etc) is that contact/account management is done by the server, while messengers like Signal/Briar implement client-side account/contact management.

Isn't Signal still uploading contacts to server frequently to check that they are using Signal?

Server-side management implies that the server knows much more about registered accounts like group memberships, contact lists, devices, reading status, and even passwords (as mentioned in https://infosec-handbook.eu/blog/xmpp-aitm/). In my opinion, this isn't privacy-friendly at all.

I read the link and your reader feedback seems to already say everything.

However, don’t try to force us to tell our readers your ideological beliefs.

I wonder if you are trying to do the opposite here, but I think in the end it boils down to all IM systems being horrible and having their flaws.

[ghost]

@Mikaela

Are you familiar with Kontalk or Quicksy I mentioned here?

Kontalk and Quicksy rely on phone numbers, AFAIK. Quicksy is a modified Conversations client built by the developer of Conversations, and uses the same registration process as Signal. However, compared with Signal, Conversations/Quicksy don't enforce encryption, and as I mentioned in #779, XMPP comes with server-side account management that exposes most personal data to the server administrator.

I think the XEPs can be found out from https://compliance.conversations.im/

I know this website. However, this isn't an official XMPP website but a list of servers that comply with XEPs used by Conversations. Moreover, this website doesn't rate any privacy aspects like "who runs the server?", "where is the server located?", "is the server software up-to-date?", "is there a privacy policy?", "does this server offer TLS with PFS?" etc.

On OMEMO and XMPP, I think my recommended list would be …

The last time we used Gajim, it wasn't user-friendly. Dino seems to be better here.

I don't know Monal, but people recommended ChatSecure as the best iOS client before. However, development of ChatSecure seems to fall asleep. One big problem of some messengers is that they only partially support OMEMO. For instance, some clients allow OMEMO-encrypted 1-to-1 chat, however, they don't support group (MUC) chats.

As for ConverseJS, many people criticize JS-based encryption as being insecure by design, so it doesn't make sense to recommend it.

Besides, another point is the state of end-to-end encryption in XMPP:

• many clients support OpenPGP while OpenPGP doesn't support PFS, and produces a huge overhead
• OTR (+ PFS) is also widely supported, however, some clients like Gajim and Conversations dropped support for it, and the developer of Conversations left some statements on GitHub that look like it was never securely implemented. Then, there is the new OTRv4 which seems to be good but isn't widely supported. The "old" OTR standard comes without multi-device support and both parties need to be only if they want to chat, though.
• OMEMO is still experimental and subject to change. Only some clients support it, and some of these clients with OMEMO support only partially support it (as mentioned above).

AFAIK, Conversations is the only messenger that tries to enforce OMEMO in some situations. And, AFAIK, no messenger explains benefits/drawbacks of no encryption/OpenPGP/OTR/OMEMO. New users have to guess what is best for them.

Isn't Signal still uploading contacts to server frequently to check that they are using Signal?

1. This feature can be turned off OR
2. you don't allow Signal to access your contacts OR
3. you use Android without any contacts in your phone book

In all cases, Signal works fine. The disadvantage is that you need to manually enter the phone number of your chat partner before you can chat.

I wonder if you are trying to do the opposite here

Our main point here is that it doesn't make sense to tell people every other month to switch their messenger since someone showed up somewhere and decided that the current recommendation must be changed due to strange reasons.

in the end it boils down to all IM systems being horrible and having their flaws

Exactly. We already tried to summarize this in https://infosec-handbook.eu/blog/discussion-secure/#sm (and this section is only about the technical part of such discussions).

[Mikaela]

I could make a PR for this but how should/would it be added? It seems a bit odd to have an entire section dedicated to XMPP when it's really just a sub-section of the Encrypted Instant Messenger section.

• NeverDucky in https://github.com/privacytoolsIO/privacytools.io/issues/60#issuecomment-377622021

@privacytoolsIO/editorial thoughts?

[Mikaela]

Judging by https://github.com/privacytoolsIO/privacytools.io/pull/1048#issuecomment-514817075 this has been done.

[sethidden]

It's been removed again?