
I want this to take off. I'm tired of having to follow trends because people suddenly think there's a new shinyshinytrendy thing around: IRC to ICQ to MSN to Skype to Google Talk to Facebook Messenger to Whatsapp to Signal.

Pidgin is good (I also miss the ancient Trillian, even though it was closed source), but limited to a local device.

There are XMPP Transports as well for these (see https://git.eta.st/eta/whatsxmpp , https://gitlab.com/nicocool84/spectrum2_signald , but sadly https://spectrum.im/ is surprisingly finicky to set up.)

EDIT: for encryption fans, I've been wondering for a long time now: why would you trust ANY 3rd party with your so sensitive data instead of running your own service? Are you not aware of OMEMO for XMPP? (See https://omemo.top/ )




> why would you trust ANY 3rd party with your so sensitive data

Because trust is not a binary value and I don't have the time to do literally everything myself


I'd go further -- absent pressure, there is never any reason to trust anyone. The more pressure one faces, the more one has to trust people.


> for encryption fans, I've been wondering for a long time now: why would you trust ANY 3rd party with your so sensitive data instead of running your own service? Are you not aware of OMEMO for XMPP?

We ran our own XMPP server for over 10 years using the "off the record" plugin for end to end encryption. Development seemed to basically stop on open chat clients a few years ago and everything started getting crufty. (I see Pidgin dev has apparently picked back up again to some extent, as has Adium, to a much lesser extent).

"off the record" mostly worked ok, between Pidgin users, but failed with other clients.

A couple of OMEMO plugins came along but making them work (and keeping them working) was a continual drain - and we're only a small team with only 2 operating systems (Linux and OSX)!

My hunch is that enough people just moved to things like Whatsapp and Slack etc that developers were no longer using chat clients they could hack on. People stopped being able to scratch their itches.

Not to mention lack of any/decent XMPP client support for syncing histories between multiple clients, or handling inline images and things. All that modern stuff people expect.

Things like Mattermost tried to fit in here but we just didn't get along with them.

Eventually Element/Matrix matured enough and while it was far from perfect, it worked and we sadly finally gave up on XMPP.


For the past two years, I've been using Conversations (Android), Dino (Linux), and friends of mine have been using Gajim (Windows), Monal/Siskin (iOS).

All of these work fine with OMEMO (the iOS ones gained better OMEMO and push support in the past few months) and message history retrieval between clients. Gajim doesn't do inline images, but the rest do.

I occasionally use profanity as a console client and that recently had message archive support land in Git.

So, yeah, no idea what you mean by developers giving up - if anything, the ecosystem has greatly improved (minus group OMEMO on iOS).

Oh, and Dino got support for doing encrypted calls to Conversations a few months ago: https://fosstodon.org/@dino/106228549009869402


Maybe not developers in general, but development of Pidgin certainly stalled, which is why I stopped using it. Too many features not implemented in XMPP and no working support for e.g. Skype.


I didn't say developers "gave up", but even as of 2019 it didn't seem like things were moving forward in any meaningful way.

Even just for OMEMO support, we all had to compile a plugin for libpurple/Pidgin, and it didn't even have full UI support so was very difficult to use when things didn't work automatically.

We used Gajim but, iirc, to get OMEMO support we had to compile that too.

But I'm truly glad to hear the ecosystem has improved - I would have much preferred to have stuck with XMPP. But in 2019/2020, Matrix offered all this and more and worked very well. It was impossible to make the case for us to stay on XMPP.


I use Conversations and Dino daily, they're awesome. When I'm stuck on MacOS or iOS I use BeagleIM and ChatSecure, though Monal looks a little more slick...maybe I should try that.

There are a few options yet for XMPP clients, I have some hope for the ecosystem...!


I think Monal can't do encrypted group chat yet.


> minus group OMEMO on iOS

siskin.im has support for OMEMO encrypted group chat


I don’t run my own service for the same reason I don’t build my own car or do the accounting for my company: I don’t have the time to learn how to do it, nor to do it.


No, this is not the same. You want the utmost privacy, yet you still decide to trust someone over it.


I don't want "the utmost privacy". I want something better than raw SMS. I'm not an international secret agent. I encrypt things out of principle more than because I really care if some government force reads them. If a nation-state decides I'm of interest to them for malicious reasons, I'm probably screwed either way.


Then these bridges are fine. Virtually everything is better than raw SMS.


But Signal is better than Signal over these bridges, and it's easy too. Just because you don't want to run your own service doesn't mean you have to choose a poor option over a pretty good one.


But not everyone I talk to is on Signal. And I don't want to remember which app to open to message a certain person.

What's the difference between Element offering these bridges, people deploying their own bridges or others having 3rd party clients that you can't trust with your E2E encryption?


Nothing makes that better, you're right. I prefer to just remember who uses what and act accordingly, but you choose convenience instead — and both are reasonable choices.


That depends a lot. In a civilized country with low risk of 2G downgrade attacks and sensible telecom laws/law enforcement restrictions, SMS is a lot more secure and private than many other options.

Obviously still a long way off actual secure communication though.


Remember that xkcd: https://xkcd.com/538/

Yeah. That's not exactly a meme, but I am personally facing these same state-sponsored actions; read here: https://thekashmirwalla.com/not-pegasus-kashmiris-are-worrie...


Yeah, infosec has its limits. But if you’re gonna challenge the state, it does help keep things quiet until you are numerous and armed.


I recently had my internet snapped last month and I did not want reddit to know "last 90 days IP access log" so I had a dormant account and I wrote a post locally, called a friend living overseas and made him login to that dormant account and I dictated the text.


I also want utmost security for my money, which is why I put it in a bank rather than holding the cash myself.


And you want utmost security for your body, which is why you go to the doctor instead of self-treating. And also doctors go to other doctors when they are ill.

The sad reality is that things are complex and you probably get suboptimal results trying to do everything yourself, when others spend their lives trying to accomplish the same.

WhatsApp scaled to 1B users with only 50 engineers, but there were 50 people working full time to provide what people think they can provide in their spare time?

Also, as the other end of any communication, it is quite scary to think I am communicating securely with someone, but then find out that their server is compromised because of an out of date library or service.


If you've ever used Docker or deployed an nginx server - then you can very easily deploy a chat server. Pretty much the same thing but over a different protocol.

Server getting compromised - that's largely unimportant with end-to-end encryption through OMEMO. Distros also apply security patches (just keep things up to date).

You do not require 50 engineers to run a chat server for <200 of your friends. In my experience, once you have the software configured and running - it pretty much runs itself.

Here's a guide on how to install everything needed onto a raspberry pi: https://samhobbs.co.uk/2016/09/installing-prosody-instant-me...

As with anything else, it's a fun learning experience and something new to try.


You're right, it isn't the same. Instructions on how to build a car don't change every week. As a hobbyist I wouldn't trust my life on getting in a car if that was a requirement. There's more in my life than that single hobby that I need to do and I only have so much time.


The threat model is vastly different, though.


That is the kind of comment that freaks me out on HACKER news.


Not everybody hacks on everything. Many of us pick and choose our hobbies. I don't sysadmin my phone for the same reason.


Why? Specialization is a thing. Not everyone specializes in security. Which let's be real, being an expert in security is really difficult, especially since it's a constantly moving goal post. Unless you're an expert it's probably not a good idea to roll your own.


Also, to run your own service you must specialize in security AND devops. The two things overlap a bit, but not 100%. And you must hope that every contact you are talking to has the same knowledge.


So much this - you can make a service 100% secure - by shutting it down. But if you want to stay online and be secure at the same time, there's always some resource tradeoff between the two.


If you know a problem is hard and the consequences for doing it wrong are potentially serious, it would be irrational to not consider selecting a well-managed third party solution. Being a hacker doesn't mean being all-knowing and the best hacks are done with the knowledge of human limits (both of the hacker and of the maker of the system being hacked).


Encryption fan here, bridging is one more avenue for failure, is why I won't buy in. Security is about odds, and nothing is 100% safe. I'm pretty sure signal is way better than anything I could come up with, so I choose it.


Maybe it’s not for you but more for those of us forced onto FB’s WhatsApp and their phone book scanning/uploading by social conventions. This presents a way out without giving up the benefits.


Doesn't GrapheneOS allow some type of sandboxing to wall off your true contacts, etc. for exactly this purpose?

https://www.reddit.com/r/privacy/comments/nkyzdw/what_is_the...


Shelter can be used for this purpose if desired.

https://github.com/PeterCxy/Shelter


I believe Insular can do this as well. I prefer Insular since it allows me to open the app directly and more quickly.


Thanks!


You know people that have the FB app installed. And all their messages and SMS running through the FB app. And you can't get all of them to stop this madness.


Maybe. I probably don't relate well because I talk to maybe 10ish people regularly.

Everyone else, if they don't migrate to a secure and preferred method, I just use email (with pgp if possible) and call it good.


> forced onto FB’s WhatsApp

Just don't install it. I've never used it. People ask why, I answer that I do not accept the spying in their terms of service. Far more people are sympathetic to that line than you might expect.


If you live in the Netherlands and have young kids in school this really isn't an option. It's how kids' parties are arranged, sports schedules are communicated, parents are kept informed about school. And then it is also often the most convenient way to contact any help desk.

The annoying thing is that WA became the standard for communications when they were not owned by FB and had a privacy focus. This is why I have no qualms about trying to cheat out of their horrible system.


> I'm tired of having to follow trends because people suddenly think there's a new shinyshinytrendy thing around: IRC to ICQ to MSN to Skype to Google Talk to Facebook Messenger to Whatsapp to Signal.

As someone who used Trillian, you should recognize that you're likely to need to follow someone to a new trendy messaging service within a few years, regardless of an aggregator taking off.


> why would you trust ANY 3rd party with your so sensitive data instead of running your own service?

Because end to end encryption means you don't have to trust a third party? The channel goes out of the equation, at least with reference to the content of your messages. Metadata is definitely handled differently by different services but that's a question of threat model.


I wrote a bridge between signald and prosody (without spectrum) so I can use xmpp clients with signal. Async python, only non-standard library dependency is slixmpp. It's working well.


I've seen your project! Congrats, it is very nice. I stopped fiddling with transports because signald doesn't compile/run on freebsd (some of the java libs behind it rely on native libs which have problems compiling), and for now I've put it aside.



Huh. I wasn't aware of this. I tried for quite a long time to compile it myself a while ago and failed, I'll give it another go, thank you!


Eric Migicovsky, Pebble founder who now runs https://www.beeper.com/:

> These bridges are actually just an intermediate step. Since Matrix itself is an amazing chat network, eventually as more people start using bridges on Matrix, they’ll notice that their friends are already on Matrix, eliminating the need for bridges gradually over time.

> I really believe that the world will be a better place when everyone is in the Matrix. Matrix is the non-proliferation treaty of chat.

https://medium.com/@ericmigi/the-universal-communication-bus...


I don't have a PhD in cryptography and am not sure I will do a good enough job in covering even potential mid-level vulnerabilities. I still care about privacy and so use Signal.


The point of encryption in the first place is to allow an untrusted transport. If you trust the transport, you don't need encryption.

Neither OMEMO nor XMPP provides trusted transport.

Perhaps the point you are reaching for is that encryption and transport should be different parties. The message should be encrypted before you hand it to the Western Union agent. After that, the decision between Western Union, Union Pacific, or Pony Express hinges on other concerns.


Trillian was awesome! It's just a shell of its former self now.


Because your own service is not an alternative if you actually need to secure-message others because of the line of work you're in, or the regime you're under. The idea that "just do it yourself" is more secure than a company that can't just be walked into and have their computers taken without it causing a huge problem for everyone from your mom to heads of state is a bit naive.


The advantage of having your servers at home is that when the police show up with a search warrant you know you can't trust that server anymore.

If you use a 3rd party, it can be compromised and you only find out when it is too late.


I'm pretty sure my server at home is less secure since I'm not a professional security expert. I can recognize that I'm dumb and going to make a lot of mistakes.

The disadvantage of having your server at your home is that you don't know if it's compromised from day one. I may never even find out and just fool myself the entire time.


What about when Cisco or "someone" helped the Indian government impose censorship on around 8 million people so that they cannot use a VPN or access only whitelisted websites? https://theprint.in/india/us-firm-helps-jk-build-firewall-to... https://tech.hindustantimes.com/tech/news/this-us-firm-is-re...

There is a news piece by Ars Technica with updates by Cisco, who deny the same, but these curbs were imposed and I personally suffered, so I am not sure if "have their computers taken without it causing a huge problem for everyone from your mom to heads of state is a bit naive"... Even a big company like Cisco must bow down and bend rules to a dictatorial country like India.


Not sure if it's still around, but bitlbee for a long time provided an IRC gateway for almost every chat protocol around at the time (including following Twitter feeds, and Google/Facebook chat via xmpp when they still supported it)


> I'm tired of having to follow trends

Then don't. I have none of those things save for IRC. I get all my work done and live a full life.


I remember when I first installed Trillian around 2000, it was so cool!



