Ugh. I’ve always liked Matrix (and was not bothered too much by the metadata leaks because my home server was not federated anyways), but after noticing some issues and finally reading up on the actual protocol spec a couple of weeks ago… oof. Yeah. No.
Set up XMPP for now. Works really well and the protocol seems so much saner. Unfortunately, it too has some annoyances that are unacceptable to me in the long term. I’m this close to saying “fuck it” and wasting the next couple of years of my life on a new protocol that no one is gonna use. (Cue the XKCD here.)
I’m this close to saying “fuck it” and wasting the next couple of years of my life on a new protocol that no one is gonna use.
This article does a good job exploring the landscape of text chats, and ultimately finds that XMPP is still our best bet, it just needs some spit and polish.
Ha, thanks, I’d already read that. And I do, mostly, agree; the OMEMO implementation is not great both from the security perspective discussed in the post, as well as the UX (not being able to decrypt old messages on new devices at all).
That being said, I primarily want a selfhosted, federated messenger which also takes privacy and security seriously, and at least for the former, XMPP is really refreshingly good.
Yeah no shit you already read it they post it every single time. I don’t think any of them have actually read it, the problems he is complaining about were solved ages ago or by two clicks, once. The guy actually argues for people to use Telegram because they have disabilities and software is hard. An absolute masterclass.
I want to point out that the author of that linked blog, Soatok, actually removed a response in the comments from an OMEMO developer which clarified some things, which personally I think was rather odd/bad faith of them to do. When asked about it, this was their response:
“I’ll make an edit later about the protocol version thing, but I’m not interested in having questions answered. My entire horse in this race is for evangelists to f** off and leave me alone. That’s it. That’s all I want.”
According to the OMEMO developer in his response (you can it read here), there’s nothing really wrong with OMEMO 0.3.0, as the dev considers it a stable standard that clients can safely implement, with newer versions basically being public beta releases toward a stable ‘OMEMO 2’ standard that can eventually replace 0.3.0.
I didn’t know about this response, thank you for pointing it out. However, this response fails to address the main criticism of the XMPP+ONEMO:
To understand why this is true, you only need check whether OMEMO is on by default (it isn’t), or whether OMEMO can be turned off even if your client supports it (it can).
Both of these conditions fail the requirements I outlined under the End-to-End Encryption header in that other blog post.
And that’s all that I should have needed to say on the matter.
Yes, posting wrong opinions would be against the theme of the post, and in fact my account as a whole. That’s pretty standard for programmers who wear bunny suits. If we keep going here one of them is going to show up and post that Soatok person’s blog.
I’m here to educate people, not nitpick people and try to pass off my low standards for “secure software” and US government-dependent NGOs as an interest in sustainable OPSEC.
addendum (to ensure someone gets hopping mad):
They’re still far more encrypted than literally every other alternative.
You people have zero awareness of the limitations of your own knowledge.
Ugh. I’ve always liked Matrix (and was not bothered too much by the metadata leaks because my home server was not federated anyways), but after noticing some issues and finally reading up on the actual protocol spec a couple of weeks ago… oof. Yeah. No.
Set up XMPP for now. Works really well and the protocol seems so much saner. Unfortunately, it too has some annoyances that are unacceptable to me in the long term. I’m this close to saying “fuck it” and wasting the next couple of years of my life on a new protocol that no one is gonna use. (Cue the XKCD here.)
This article does a good job exploring the landscape of text chats, and ultimately finds that XMPP is still our best bet, it just needs some spit and polish.
Funny, I’ve also already read that 😄 Good blog and article.
Unfortunately, it is not.
Ha, thanks, I’d already read that. And I do, mostly, agree; the OMEMO implementation is not great both from the security perspective discussed in the post, as well as the UX (not being able to decrypt old messages on new devices at all).
That being said, I primarily want a selfhosted, federated messenger which also takes privacy and security seriously, and at least for the former, XMPP is really refreshingly good.
Yeah no shit you already read it they post it every single time. I don’t think any of them have actually read it, the problems he is complaining about were solved ages ago or by two clicks, once. The guy actually argues for people to use Telegram because they have disabilities and software is hard. An absolute masterclass.
I want to point out that the author of that linked blog, Soatok, actually removed a response in the comments from an OMEMO developer which clarified some things, which personally I think was rather odd/bad faith of them to do. When asked about it, this was their response:
According to the OMEMO developer in his response (you can it read here), there’s nothing really wrong with OMEMO 0.3.0, as the dev considers it a stable standard that clients can safely implement, with newer versions basically being public beta releases toward a stable ‘OMEMO 2’ standard that can eventually replace 0.3.0.
Also @smiletolerantly@awful.systems.
I didn’t know about this response, thank you for pointing it out. However, this response fails to address the main criticism of the XMPP+ONEMO:
HAHAHAHAHAHAHAHA https://lemmy.ml/comment/24436351
I FUCKING KNEW IT YOU PEOPLE ONLY KNOW THAT ONE BLOG
What blog?
Meanwhile Discord in it’s entirety is unencrypted
I can’t believe that worked. Well, it’s a good thing we have more than three options
To be fair, Discord has e2e encrypted voice calls using their “Dave” protocol.
https://discord.com/blog/meet-dave-e2ee-for-audio-video
well well well, this is news to me… but c’mon it’s like an abuser decided to be nice for once xD (not enough)
Dude, don’t start
You should also link Ariadne’s post saying she rather use signal, but that would be against the tone of your post, right?
https://social.treehouse.systems/@ariadne/116043045098562878
Yes, posting wrong opinions would be against the theme of the post, and in fact my account as a whole. That’s pretty standard for programmers who wear bunny suits. If we keep going here one of them is going to show up and post that Soatok person’s blog.
Got it, you’re just here to bait people.
I’m here to educate people, not nitpick people and try to pass off my low standards for “secure software” and US government-dependent NGOs as an interest in sustainable OPSEC.