Best apps for private messaging (www.privacyguides.org)

submitted 1 day ago by Maragato@lemmy.world to c/opensource@lemmy.ml

70 comments fedilink hide all child comments

Hello. I am looking for an alternative to Telegram and I prefer an application that uses decentralised servers. My question is: why is the xmpp+omemo protocol not recommended on websites when it is open source and decentralised? The privacyguides.org website does not list xmpp+omemo as a recommended messaging service. Nor does this website include it in its comparison of private messaging services.

https://www.privacyguides.org/en/assets/img/cover/real-time-communication.webp

Why do you think xmpp and its messaging clients such as Conversations, Movim, Gajim, etc. do not appear in these guides?

top 50 comments

sorted by: hot top new old

[-] ProdigalFrog@slrpnk.net 1 points 46 minutes ago* (last edited 44 minutes ago)

I've personally used 4 encrypted communication apps, here are my thoughts:

Signal: huge downside that it required a phone number (not sure if it still does), and the centralized nature of it makes me very wary of it. It worked reliably when I did use it, but I no longer use it.

Matrix with Element: As others mentioned, it leaks meta data. It wasn't very reliable in my experience with encrypted group chats. Messages would constantly not be readable by other users in the chat, requiring frequent re-sending to finally get through. Overall I found it very frustrating to use.

XMPP: Experience can somewhat vary depending on the app used. With the Movim desktop front-end, I can sometimes have issues with encrypted messages not getting unencrypted (possibly just user error on my part), but with mobile apps like Conversations or Monocles, its been pretty much 100% reliable. Doesn't drain my battery either. Would recommend.

Deltachat: I've used this the least, but I really like it. Super easy to connect to friends and join a group chat, its all encrypted by default so no real chance of encountering an unencrypted message, very nice UI, is available on all platforms as one app, and has been 100% reliable with low battery drain. Highly recommend if you don't need to make voice calls (it only supports voice files you can send).

[-] loweffortname@lemmy.blahaj.zone 3 points 2 hours ago

I know it's not the most popular, but I've genuinely been happy with Matrix for the last few years. Obviously there are problems, but it really has gotten fairly stable. At least...for me...

[-] UnfinishedProjects@lemmy.zip 5 points 12 hours ago

I've hardly used it so far, but simpleX seems promising from my limited knowledge. I highly suggest checking it out.

[-] Neptr@lemmy.blahaj.zone 17 points 21 hours ago

Here is a blog post by a widely respected cryptographer on why XMPP+OMEMO is not secure: https://soatok.blog/2024/08/04/against-xmppomemo/

[-] artyom@piefed.social 1 points 12 hours ago

This post is 1.5 years old and outdated.

[-] Hazematman@lemmy.ca 1 points 6 hours ago

Do you know if there is a more up to date description of xmpp e2ee without having to read the spec. Specifically interested in stuff like how much metadata is leaked.

[-] Neptr@lemmy.blahaj.zone 1 points 9 hours ago

What has changed?

[-] artyom@piefed.social 1 points 9 hours ago

They updated OMEMO

[-] Neptr@lemmy.blahaj.zone 5 points 9 hours ago

Did that fix any of the underlining issues with OMEMO use across XMPP clients, such as odd/opaque choices by the OMEMO maintainer, or the fragmentation of OMEMO versions used by clients (most being very out-of-date)?

Let me be clear: I am NOT anti-XMPP (or even OMEMO). I would love to see it succeed because I much prefer it over Matrix and other alternatives. My problem isn't with the technology, just the implementation.

[-] u_tamtam@programming.dev 0 points 9 hours ago

This blog post has been debunked as fallacious (posing as evidence what's unsubstantiated), and in bad faith (some comments, including by the protocol developers, were removed from the blog's comments section). That aside, if you are left unimpressed by the crypto jargon, all you take away from it is that Soatok really likes Signal and this isn't Signal. There have been several independent audits on OMEMO, it's used today by serious institutions and governments, it's been under more scrutiny than soatok gave it, and there's nothing knowingly insecure about it.

[-] Neptr@lemmy.blahaj.zone 3 points 7 hours ago

OMEMO leaks plenty of metadata; most things other than message contents are left unencrypted. Many of the mature XMPP use different OMEMO versions (which can be hard to tell when the client doesn't clearly state the XEP versions, like Snikket). I spent 40 min scouring Snikkets website and source repo without any clear way to determine what version of OMEMO they bundle. I said OMEMO+XMPP because no matter how secure your protocol is, the actual implementation by your largest userbases determine real-world security.

And lastly, just because "serious institutions and governments" use it doesn't make it more secure. Many European governments use Matrix, and that has even worse security, breaks forward secrecy, doesn't encrypt basically anything other than message content, etc. Many governments have critical systems that run unpatched Win 7 or older. My point is that security is independent of adoption.

[-] Caravaggio@feddit.nl 13 points 21 hours ago

Misleading title.

[-] cockmushroom@reddthat.com 5 points 20 hours ago

The freenet/futo devs are working something called river (https://freenet.org/). I don't think it's mobile yet and cannot attest to it's call quality. It's fully decentralized though, so it should work even if they abandon the project. Here's a video on the protocol https://youtu.be/3SxNBz1VTE0 Mostly goes over the introductory docs that're on the site.

load more comments