Over the past few years I have gone through a bunch of different apps and protocols to find the best one for “securely” communicating with my family and friends.
I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.
Monal for IOS and Cheogram/Conversations/Quicksy for Android. The android app I install depends on if I can get F-Droid on their phone or not.
It’s been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.
Jabber (friendly name for xmpp) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.
But the capabilities of XMPP makes it better.
Signal Cons (immediete)
- Centralized
- Single app
- Phone numbers
XMPP/Jabber Cons
- Picking server
- Apps are sort of less friendly
What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I’ve heard really wants us to use their server.
If XMPP gets more attention I’m sure we can get people supporting projects and creating better apps.
I keep seeing people recommended Signal instead.
This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.
I love the irony of the name. It’s probably the best thing about the app.
One of the things I’m curious about and the website doesn’t explain: how are the message queues not identifiers?
They are local identifiers, not global ones. Each one exists only for a single pair of users so they don’t function as stable or traceable identities. “Pairwise anonymous addresses”.
https://simplex.chat/#privacy-of-identity-contacts-metadata
But those are still identifiers linked to you and in a global space because it says multiple servers need to know how to route data.
Nvmd: seemingly if the server hosting your queues shuts down you lose all contact, so your UIDs are shared but only to a specific set of servers you choose with the drawback of fragility. Seems like someone else shutting down a server kills your contact list?
@Ferk has given a more elaborate answer. As for servers shutting down. Haven’t had it happen yet. With any service you always risk servers shutting down or failing, even centralized ones like signal: so that is a bit of a nirvana fallacy.
I didn’t compare it to signal. I just asked if that was the facts of the situation.
If I were to compare it might be to the topic of this thread which I can self host and thus control.
However, since you opened the door on signal I’d comment that the entire signal org would have to go down for that to happen, not just a few servers. Is simplex managed by a large well funded entity that is unlikely to fail or are the servers more mom & pop setups? What happens if Kurt Cobain wakes up one morning and shuts down his server?
When it comes to initializing the connection, It’s true that those identifiers (or perhaps more accurately, addresses) are susceptible to collisions in a “global space”. But they are temporary, ephemeral addresses (they are discarded after use and/or expiration), and the space is astronomical so chances of collision are tiny, and even in the case of collision you still have a step in which you verify a fingerprint code that’s independent of the address, related to the individual local device… so you have a second factor authentication of sorts, if you are adding a person and the code does match then you can be pretty sure it’s the correct person, since both the shared address and the internal locally-stored key match.
If there’s a permanent global fingerprint code isn’t that, well, the opposite of what the marketing says? Why is that not a unique user identifier?
The fingerprint (or you can also call it “security code”, it’s just a code for verification), is generated from the combination of the locally stored encryption keys from each side of the conversation, it will be different every time. I believe it’s also not technically required by the protocol that the same encryption key should be used for all conversations (although I don’t really know if the client does generate a new one every time or keeps reusing the same, that’s up to the implementation I believe).
Makes sense, thanks for the explanation