Ok so, here I am again asking another question 🙈🙊 But hear me out: I read this post here about whether there even is a good privacy messenger that can be trusted. Someone in the comments mentioned Conversations (an XMPP client for Android). This made me look into XMPP, and at the moment I am giving Conversations a try. Reading into XMPP, I couldn’t find a problem security- or privacy-wise. Also, it seems like it does not matter what server I use (atm. we are on 07f.de) since it is all e2e with OMEMO. Am I missing something or is it really this good? And if I don’t trust anyone, I could host my own instance of ejabberd, right?

  • rcbrk@lemmy.ml
    1 hour ago

    You have to trust the servers with your metadata, and that the servers have their inter-server communication locked down, but at least you can choose/operate servers.

    Some clients are a bit flaky with their e2e encryption defaults or from a UI perspective it is easy to send an unencrypted message (in a new chat for example) before noticing that was how it was set.

    There are a few XEPs the server needs which enable things like OMEMO, efficient mobile data/battery use, offline and multiple device deliverability, file transfers, etc. Audio/video calling has various requirements, as I think XMPP only facilitates the setup of the call.

  • poVoq@slrpnk.net
    4 hours ago

    E2EE is not everything, as most of the privacy-sensitive metadata can still be collected. Sure, it is nice to have, but even more important is that you can choose a trustworthy server operator or run your own. XMPP allows doing that, but it has some weaknesses with client implementations and so on.

    I am a bit biased and would say all in all XMPP is probably the best option right now, but it depends on your specific priorities. It certainly has some rough edges though.

  • delirious_owl@discuss.online
    5 hours ago

    It’s really, really safe.

    Edit: sorry I misread it as XMR.

    XMPP can be very unsafe. It depends on the client you use. It’s best to use a protocol that doesn’t allow unencrypted messages to be sent at all. Like Wire or Signal.

  • Im_old@lemmy.world
    4 hours ago

    It depends on the client and the security implementations they support. For example, IIRC no client supports the last version of OMEMO (I think it was about OMEMO, I remember an article about it some time ago). Also, are you sure that all the other people’s clients are on the same version and you’re not susceptible to a downgrade attack?

    Unless you are ready to/want to control the whole environment (i.e. at least the clients and possibly the server), look into simplex.chat

    • poVoq@slrpnk.net
      4 hours ago

      There are some clients that support the latest version of OMEMO, but yes, since the most popular ones do not, you end up using the older version most of the time. That said, the older version is not generally unsafe; it is basically the same as what WhatsApp or Signal are using. The newer version is just somewhat better, as it includes some lessons learned from earlier attempts.
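
Added example, not part of the thread: a small Python audit for the two concerns raised above, a message leaving unencrypted and a conversation falling back from the newer OMEMO version to the older one. The stanzas are constructed samples with payloads elided, and `classify` and `audit` are hypothetical helper names; the example assumes you can export outgoing `<message/>` stanzas from a client's XML console.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_OMEMO_LEGACY = "eu.siacs.conversations.axolotl"  # older OMEMO, most widely deployed
NS_OMEMO_2 = "urn:xmpp:omemo:2"                     # newer OMEMO
RANK = {"plaintext": 0, "omemo-legacy": 1, "omemo-2": 2}

def classify(stanza_xml):
    """Return (recipient bare JID, protection level) for one <message/> stanza."""
    msg = ET.fromstring(stanza_xml)  # local, self-produced logs only
    peer = msg.get("to", "").split("/")[0]
    # Check encrypted payloads first: OMEMO messages often carry a
    # human-readable fallback <body/> that must not count as plaintext.
    if msg.find(f"{{{NS_OMEMO_2}}}encrypted") is not None:
        return peer, "omemo-2"
    if msg.find(f"{{{NS_OMEMO_LEGACY}}}encrypted") is not None:
        return peer, "omemo-legacy"
    body = msg.find(f"{{{NS_CLIENT}}}body")
    if body is not None and (body.text or "").strip():
        return peer, "plaintext"
    return peer, None  # chat states, receipts and similar carry no content

def audit(stanzas):
    """Flag plaintext messages and drops below the best level seen per peer."""
    best, findings = {}, []
    for i, xml in enumerate(stanzas):
        peer, level = classify(xml)
        if level is None:
            continue
        prev = best.get(peer)
        if level == "plaintext":
            findings.append((i, peer, "unencrypted"))
        elif prev and RANK[level] < RANK[prev]:
            findings.append((i, peer, f"downgrade {prev} -> {level}"))
        if prev is None or RANK[level] > RANK[prev]:
            best[peer] = level
    return findings

SAMPLE = [  # constructed stanzas, not captured traffic
    "<message xmlns='jabber:client' to='alice@example.org'><body>hi</body></message>",
    "<message xmlns='jabber:client' to='bob@example.org/phone'><encrypted xmlns='urn:xmpp:omemo:2'/></message>",
    "<message xmlns='jabber:client' to='bob@example.org'><encrypted xmlns='eu.siacs.conversations.axolotl'/>"
    "<body>I sent you an OMEMO encrypted message</body></message>",
    "<message xmlns='jabber:client' to='bob@example.org'><active xmlns='http://jabber.org/protocol/chatstates'/></message>",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A legacy-OMEMO finding is not by itself a sign of compromise, since a peer may simply use a client without the newer version; it marks conversations worth checking by comparing device fingerprints.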