Hello. I am looking for an alternative to Telegram and I prefer an application that uses decentralised servers. My question is: why is the xmpp+omemo protocol not recommended on websites when it is open source and decentralised? The privacyguides.org website does not list xmpp+omemo as a recommended messaging service. Nor does this website include it in its comparison of private messaging services.
https://www.privacyguides.org/en/assets/img/cover/real-time-communication.webp
Why do you think xmpp and its messaging clients such as Conversations, Movim, Gajim, etc. do not appear in these guides?
OMEMO leaks plenty of metadata; most things other than message contents are left unencrypted. Many of the mature XMPP use different OMEMO versions (which can be hard to tell when the client doesn’t clearly state the XEP versions, like Snikket). I spent 40 min scouring Snikkets website and source repo without any clear way to determine what version of OMEMO they bundle. I said OMEMO+XMPP because no matter how secure your protocol is, the actual implementation by your largest userbases determine real-world security.
And lastly, just because “serious institutions and governments” use it doesn’t make it more secure. Many European governments use Matrix, and that has even worse security, breaks forward secrecy, doesn’t encrypt basically anything other than message content, etc. Many governments have critical systems that run unpatched Win 7 or older. My point is that security is independent of adoption.
Could you even cite an example of such leaked metadata? I’d like to also remind you that metadata leaking to your own server (which you can chose, which you can self-host) isn’t as big a deal in XMPP as it is with other services. Which is also why I can’t take Soatok’s opinion about and obsession for Signal seriously: when all accounts are hosted by a single actor, you have a much bigger metadata problem, and all obfuscation attempts (sealed senders being one) are ultimately defeated by simple timing and packet correlation attacks.
You were probably looking at a rebrand/spin of https://xmpp.org/software/conversations/ . All major XMPP clients and servers declare their compat via DOAP: https://xmpp.org/extensions/xep-0453.html
Correct, but in this case OMEMO is secure and is used in contexts where security actually matters. There have been multiple audits of it over the years:
https://conversations.im/omemo/audit.pdf
https://raw.githubusercontent.com/hardenedvault/vault-docs/master/report/lurch-audit.pdf
https://www.scribd.com/document/568512285/chiffrement-messagerie-instantanee-fmaury-anssi
https://download.igniterealtime.org/smack/docs/smack-omemo-audit-1.0.pdf