Over the past few years I have gone through a bunch of different apps and protocols to find the best one for “securely” communicating with my family and friends.

I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.

Monal for IOS and Cheogram/Conversations/Quicksy for Android. The android app I install depends on if I can get F-Droid on their phone or not.

It’s been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.

Jabber (friendly name for xmpp) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.

But the capabilities of XMPP makes it better.

Signal Cons (immediete)

  • Centralized
  • Single app
  • Phone numbers

XMPP/Jabber Cons

  • Picking server
  • Apps are sort of less friendly

What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I’ve heard really wants us to use their server.

If XMPP gets more attention I’m sure we can get people supporting projects and creating better apps.

I keep seeing people recommended Signal instead.

This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.

  • Ferk@lemmy.ml
    3·
    10 hours ago

    When it comes to initializing the connection, It’s true that those identifiers (or perhaps more accurately, addresses) are susceptible to collisions in a “global space”. But they are temporary, ephemeral addresses (they are discarded after use and/or expiration), and the space is astronomical so chances of collision are tiny, and even in the case of collision you still have a step in which you verify a fingerprint code that’s independent of the address, related to the individual local device… so you have a second factor authentication of sorts, if you are adding a person and the code does match then you can be pretty sure it’s the correct person, since both the shared address and the internal locally-stored key match.

    • balance8873@lemmy.myserv.one
      1·
      5 hours ago

      If there’s a permanent global fingerprint code isn’t that, well, the opposite of what the marketing says? Why is that not a unique user identifier?

      • Ferk@lemmy.ml
        2·
        4 hours ago

        The fingerprint (or you can also call it “security code”, it’s just a code for verification), is generated from the combination of the locally stored encryption keys from each side of the conversation, it will be different every time. I believe it’s also not technically required by the protocol that the same encryption key should be used for all conversations (although I don’t really know if the client does generate a new one every time or keeps reusing the same, that’s up to the implementation I believe).