Hacker News new | comments | show | ask | jobs | submit login

Moxie Marlinspike has a blog post about why protocols like XMPP aren't good enough to support modern messaging apps. https://signal.org/blog/the-ecosystem-is-moving/

XMPP is an example of a federated protocol that advertises itself as a “living standard.” Despite its capacity for protocol “extensions,” however, it’s undeniable that XMPP still largely resembles a synchronous protocol with limited support for rich media, which can’t realistically be deployed on mobile devices. If XMPP is so extensible, why haven’t those extensions quickly brought it up to speed with the modern world?

Like any federated protocol, extensions don’t mean much unless everyone applies them, and that’s an almost impossible task in a truly federated landscape. What we have instead is a complicated morass of XEPs that aren’t consistently applied anywhere. The implications of that are severe, because someone’s choice to use an XMPP client or server that doesn’t support video or some other arbitrary feature doesn’t only affect them, it affects everyone who tries to communicate with them. It creates a climate of uncertainty, never knowing whether things will work or not. In the consumer space, fractured client support is often worse than no client support at all, because consistency is incredibly important for creating a compelling user experience.

Tangentially related, I have to take issue with this:

> addressing with user-owned identifiers like phone numbers

Phone numbers are owned by telecoms, not users. Sometimes they're transferable between telecoms, but not always. I, in particular travel internationally often and do not maintain phone service in the same country continuously. I've had to change phone numbers with Signal and Whatsapp a couple times now and have not found it to be a particularly friendly experience.

I got a free Google Voice number and might use that in the future, but I had to tie that to another US-based phone number. What will happen if someone else starts using that number, especially if they also connect a Google Voice account to it?

I don't know that I have a better design in mind, but using a phone number as an identity has some nasty edge cases.

> addressing with user-owned identifiers like phone numbers

Don't take things like that too seriously. That's just the result of the reality distortion field that comes with sitting on top a huge database of phone numbers.

> I don't know that I have a better design in mind

Simple: usernames. Humans are not phone numbers. Phone numbers are the IP addresses of legacy phone networks.

Obligatory plug for Tox.


A lot of countries require require registering the phone number to your name.

Relying on phone numbers as uniqie identifiers especially in "crypto" hipster apps (Signal) is stupid bordering on malicious

The reason people use Signal over WhatsApp is partly because of a perception it is more likely to be good against malicious state-like actors: tyrannical regimes etc.

If said malicious actors pwn the phone of the person you were talking to, suddenly they have a pretty good way of mapping a contact called "My Best Friend" to a human through billing records.

Or even easier, they type the phone number into Google and find that the Syrian dissident they've just arrested has been corresponding with the NYTimes or BBC.

If they know only that they are talking to anonymoushackzor@gmail.com they could, uh, get Google to release their IP address. Google are fairly unlikely to honour a legal demand for disclosure from Libya or North Korea or some other tyrannical/fucked-up hellhole.

I like Signal, but I'm not totally sure about the threat model.

Usernames do not solve the problems described in the link:

* They're not portable. My username here is Zak. It is on reddit as well, but I think that's the only other place. If I don't discover a service within it's first week of operation, I won't get that username, and many won't allow it because it's "too short".

* They don't tap into users' existing contact lists. I've discovered several people I know using Signal because I had their phone numbers stored in my phone's contacts.

But if a new communications protocol is to replace the legacy phone network, which I consider desirable, it probably shouldn't use identifiers tied to the legacy phone network.

Turn message forwarding off and nothing will happen, I've lent my cell # to broke friends afew times to make a Google Voice account, and have a Voice number myself for Craigslist exchanges, lapses between paying my carrier, etc

you seem to miss the point.

1) get US phone

2) register google voice to US phone

3) stop paying for US phone

4) you can't de-register you US phone, unless you register a new one

5a) if you never sign up for a US phone, anybody can get assigned that number and click "forgot password" on your google voice.

5b) you get a new US phone: go to 2.

that is true for every single service that ties you up to a phone number or that has phone number as recovery option.

Pay $20 and you get the number permanently. I've set up my kids' soccer club and my son's Cub Scout Pack with voicemail-only numbers. Callers leave a message and a recording and a transcription is forwarded to the appropriate person via email.

I've also read using Google Voice is highly recommended for things that require a voice or text number since it's very difficult to get hold of someone at Google that can be socially engineered. Much easier to scream at somebody at Verizon, etc.

Where can I get a permanent (US) number anywhere?

The cheapest I've seen slightly below $2/month, but all the super cheap carriers are very volatile businesses and you can't expect to keep them more than a few years.

Seeing as you don't really own phone numbers in the sense you own domain names, any permanence is limited by the life span of your service provider.

Google Voice will let you pay $20 to "buy" a phone number (either a GV number they assign, or another number you port in), which is then yours forever (subject to Google's arcane EULA, I'm sure).

...it's yours forever until it becomes Google's forever ;)

I currently have my google voice number only and not tied to a landline or cell number. When was the last time you tried #4, because it's been like this for me for a year or more.

Extension availability/usage will cluster around the tent-pole implementations.

A really popular mobile Jabber client will suddenly have the extensions it supports become popular with everyone else. Conversations looks nice.

As for why some set of extensions hasn't been brought up to modernity, that answer's simple: nobody cares about xmpp enough. Maybe just some users, but fuck those guys, they don't build anything.

>> A really popular mobile Jabber client will

> Will

Man, xmpp has been out for twenty years now.

Irony here is that WhatsApp, Google and Facebook all had xmpp working (in their own silos) for mobile. WhatsApp still do.

> A really popular mobile Jabber client will suddenly have the extensions it supports become popular with everyone else

Until you have two popular apps that implement two different extensions that accomplish the same thing. Now everyone is stuck implementing two, three, four extensions to display the same content. God forbid there's a new version of an extension that's backwards incompatible.

And yet, this is what you can get today with several IRC clients already: https://twitter.com/irccloud/status/971416931373854721?s=21

IRCCloud is using only standard IRC features to implement their Slack gateway that offers all features of slack - including reactions and threads.

Federated protocols can move extremely quickly, I've seen that myself recently.

And here is the response to that https://gultsch.de/objection.html

If it's not in the baseline spec it isn't going to happen.

It would at least have been nice if the 'extensions' had a required way to be opaquely handled and saved as files so that other tools could use them.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact