Secure Instant Messaging 2020 :D

Hi friends :slight_smile:

I was reading something a while ago online but can’t seem to find it again about someone saying XMPP + OMEMO is insecure? That’s sad if that’s true; is it a little not completely safe?

I don’t use Signal or Telegram because they require a phone number… Not entirely trusting those companies. Wire… well, it’s ok for security except if the US government asks for everyone’s data … I’m not even in America so no thank you - I pass on Wire… still good though if you just want to connect your mobile phone to your employer’s wifi and want to chat with a friend without the owner or CTO creeping on you lol.

Tox & Riot seem ok for those CLOSE TO YOU interpersonally, or for the Riot chat rooms, as adding contacts or video calling could reveal your IP.

I like using apps available on all platforms: Linux, Windows, Mac, iOS, Android, etc.

Does anyone know if XMPP + OMEMO are safe? And why not if they aren’t? I’m not sure if phone XMPP clients support XMPP + GPG instead :confused: Is it for the same reason (your IP could be revealed)? Either way it would still be an option if something happened to Tox and Riot one day and I need a replacement… :confused:

The primary issue with XMPP (and many other communication protocols) is that server-side parties can read and modify anything. The server admin can, for example, see all of your contacts, all group memberships, and even your password. We posted an article about this (https://infosec-handbook.eu/blog/xmpp-aitm/); however, some people are convinced that our findings apply to all communication protocols. This isn’t the case.

In this case, OMEMO (if applied correctly) only protects your message content. You still expose your contact lists, groups, device metadata, etc. in cleartext.

On the other hand, OpenPGP (GPG) won’t fix this either and comes with other issues like no support for Perfect Forward Secrecy.


Thanks :smiley:

For now I guess I will just hope Tox or Riot don’t disappear so I can use them for people I trust. I guess for “strangers” I’m still looking and hoping something comes out in the near future :smiley: (an example would be someone you met in a video game - I wouldn’t want some of those people knowing my IP when I turn my VPN off for better performance)

That’s a good detailed paper/article, thanks!

It is not insecure. It uses a proven method, the Double Ratchet Algorithm, which is used in many types of instant messaging programs.

Tox & Riot seem ok for those CLOSE TO YOU interpersonally, or for the Riot chat rooms, as adding contacts or video calling could reveal your IP.

In fact I think that’s quite the opposite. Tox and Riot excel at being used with strangers. You can use them with a VPN or with Tor, unlike Signal which is still bound to a phone number.

Any kind of instant messaging that has VOIP will establish a peer-to-peer connection, including XMPP. This will reveal your IP address unless you’re using Tor or a VPN. For text communications it won’t. The reason for this is most instant messengers try to establish a direct route for VOIP so as to keep latency down and provide a clear picture without choppy sound.

I wouldn’t be too worried about revealing your IP address in these circumstances, as there isn’t a whole lot they can do with it. Unless you’ve opened ports on your modem’s firewall and are also running some service from your internet connection that is vulnerable, you shouldn’t have any issues. (If you were doing this you’d know).

Something to keep in mind about OMEMO though is it won’t secure alternate channels of communication, i.e. VOIP. Additionally not all XMPP clients even support VOIP.

Do not use XMPP with PGP. This lacks forward secrecy, unlike OMEMO. The same rules apply: your VOIP communications won’t be end-to-end encrypted (E2EE).

Also, make sure to see our instant messaging page.

Riot isn’t going anywhere; it is the reference client for the Matrix network. Not too long ago they got $8.5M for further development. There are many governments around the world, i.e. the French government, which are funding it to use as a platform for their communications.

Very soon we’re going to prioritize the federated section; see: instant-messenger: list federated above centralized #1701. We’re waiting for Matrix to turn E2EE on by default for private communications.

Like XMPP it is federated, meaning there are literally thousands of servers which all interconnect to each other. This means if one server went offline you could simply pick up your conversation on another server. There is a list of some unofficial but reliable servers at Hello Matrix.

Matrix (i.e. Riot) is perfectly ideal for this. At least your voice and video communications will also be end-to-end encrypted (E2EE).

I don’t think any service provides E2EE for 1-to-many VOIP communications as the server needs to mix video feeds and send them out to the clients.

Very soon Matrix is going to be the primary messenger we recommend. We’re basically waiting for E2EE to be on by default (which it is in development version).


Thanks :smiley: I love these programs! I didn’t think to use Tor so I just searched online about tunneling through Tor and I’m going to set these up :slight_smile: For Tox it’s right on their wiki and it looks like Pidgin & Gajim support Tor as well :smiley: Probably can with the Riot app too, or just use the web version in Tor Browser. Hurray, or of course run a VPN connection.

Note that using Tor or a VPN will likely introduce considerable latency to your VOIP communications.

If you’re using VOIP I wouldn’t bother trying to hide your IP address as they will be seeing your face and hearing your voice anyway.

If you’re not using VOIP then they won’t be able to get your IP as messages go through the server and peer-to-peer connections are not established (this is in the case of Riot (Matrix), and XMPP).

Tox is always peer-to-peer, and relies on no servers so they will always see your IP. There is not a whole lot they can actually do with that information though.


Hmmm, good point, and good to know about Tox.

I would give Jami a try. If it works well for your use case, you should go for it. At least until Riot or Tox become better.

Give Briar a try; though it doesn’t support VOIP, it is still the best P2P messenger.

Problem is, it’s Android only. Not even a PC client exists.

I wanted to give Signal a try, but the PC version requires additional verification from time to time, and it really annoys me. Though it is much more reliable than Wire when it comes to message delivery and notifications (on Android).


Hey, I would like to ask if the issue with Signal is using a phone #. Can’t you use a virtual phone # to get the text message?

Well. What about servers like the Calyx Institute? On their website they state that they don’t keep records of any conversations or who you talk to because it forces you to use OTR (Off The Record) encryption. On top of that it has a Tor onion site as well. Using this combined with Tails, it’s pretty hard for someone to track you down. (I’m a newbie with these things but based on those 3 things I believe it’s secure enough).

Please check this website out. It’s the Calyx Institute; it’s an XMPP server. https://calyxinstitute.org/projects/digital-services/xmpp

Actually, you can use any other phone number during registration. However, you need to be able to receive an SMS or phone call to get the confirmation code. You do not need to use the phone number of the SIM card in your phone, for example.

As written in the article, it doesn’t matter if you enable OMEMO or OTR since XMPP produces tons of metadata and stores lots of information on the server in cleartext. For instance, even if you always use OMEMO or OTR, server-side parties can still see when you use which device, your group memberships and roles, all of your contacts stored on the server, your contact details, etc. OMEMO or OTR only protect the content of the message.

Some people always say setting up XMPP “is as secure as setting up e-mail.” We would say “XMPP is as insecure as e-mail.” It is basically like using OpenPGP to encrypt your e-mails while everything else is left in cleartext.

A side note here: OTR and OpenPGP have various disadvantages when it comes to security or usability. For this reason, OMEMO was developed. However, OMEMO is still a draft and only adopted by a small number of clients (and some of these clients do not fully support OMEMO).

If you always use OMEMO or OTR + Tor and Tails, then XMPP still produces tons of metadata and server-side parties can still access the information mentioned above. The issue is that XMPP servers store nearly everything in cleartext, and server-side parties can just increase the log level to see everything. In the case of ejabberd, you can even log user passwords in cleartext (it doesn’t matter if hashing is enabled). This is an official feature of ejabberd, not a bug.

Contrary to this, Signal (only one example) implements other measures to avoid most metadata, or server-side data is always encrypted.

The security features they list (StartTLS, RSA key, DNSSEC, DANE/TLSA) don’t protect your messages or any other data on the server, but only data in transit (e.g., when your data is transmitted from your phone to the server).

Clicking on their privacy policy linked in the article leads to:

Not Found
The page you seek is not found at this location.

Clicking the footer link leads to a 2013 privacy policy that doesn’t mention anything specific to XMPP and obviously does not meet the requirements of the GDPR.

Besides, there are many vague statements like:

Your IP address may be logged, but we will delete such logs on a regular basis.

(How do they decide when to log your IP address? “Deleting on a regular basis” can mean that they delete their logs every 10 years.)

Connecting to these servers may reveal your IP address, but as with our Websites logs, we plan to retain this information only for a limited period of time as set forth in this Privacy Policy.

(What does “we plan” mean? Do they delete their logs or is this only planned for 7 years?)

We may use cookies on our Websites for the purposes of tracking your session but we do not include third party cookies.

(Again a “may” …)
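To make the point of the two infosec-handbook replies above concrete (OMEMO or OTR encrypt the message content; everything around it stays readable to every relaying server and its logs), here is an added Python example, not code from this thread or from any XMPP project. It parses a constructed one-to-one OMEMO message stanza in the legacy XEP-0384 format (the namespace eu.siacs.conversations.axolotl is an assumption; newer drafts use a urn:xmpp:omemo namespace) and returns exactly the fields a server-side party can read, next to the same message sent in plain XMPP.

```python
import base64
import xml.etree.ElementTree as ET

# Legacy OMEMO namespace from XEP-0384 (assumption; newer drafts use urn:xmpp:omemo:*).
OMEMO_NS = "eu.siacs.conversations.axolotl"
NS = f"{{{OMEMO_NS}}}"  # ElementTree prefix for namespaced tag lookups


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample stanzas (not captured from a real server): the same chat
# message once with OMEMO and once in plain XMPP.
OMEMO_STANZA = f"""
<message from="alice@example.org/phone" to="bob@example.net" type="chat" id="m1">
  <encrypted xmlns="{OMEMO_NS}">
    <header sid="31337">
      <key rid="4242">{b64(b'wrapped-message-key-for-device-4242')}</key>
      <key rid="4243">{b64(b'wrapped-message-key-for-device-4243')}</key>
      <iv>{b64(b'0123456789ab')}</iv>
    </header>
    <payload>{b64(b'0123456789abcdef0123456789abcdef')}</payload>
  </encrypted>
</message>"""

PLAIN_STANZA = """
<message from="alice@example.org/phone" to="bob@example.net" type="chat" id="m2">
  <body>meet at 9</body>
</message>"""


def server_view(stanza_xml: str) -> dict:
    """Return only what a relaying server (its admin, or its raised log level) can read."""
    root = ET.fromstring(stanza_xml.strip())
    bare, _, resource = root.get("from", "").partition("/")
    enc = root.find(f"{NS}encrypted")
    header = enc.find(f"{NS}header") if enc is not None else None
    return {
        "sender_bare": bare,                      # who is talking
        "sender_resource": resource,              # which of their devices/clients
        "recipient_bare": root.get("to", ""),     # to whom
        "sender_device_id": int(header.get("sid")) if header is not None else None,
        # one <key> per device the message is encrypted to, including the
        # sender's own other devices: the server learns the whole device list
        "target_device_ids": sorted(int(k.get("rid")) for k in header.findall(f"{NS}key"))
        if header is not None else [],
        "plaintext_body": root.findtext("body"),  # None when OMEMO is used
        "ciphertext_bytes": len(base64.b64decode(enc.findtext(f"{NS}payload")))
        if enc is not None else 0,                # only the size of the content leaks
    }
```

The roster (contact list), group memberships and device lists the replies mention are stored server-side in the same cleartext fashion; this example only covers the per-message view.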

At the end of your article you mention that Signal is the best solution. Any other recommendations? As the OP says, sometimes you just wanna talk with people you don’t really know, like someone you met in a game. So I’m not gonna give him my number.
Would you rather recommend Element, just like the PTIO team?

On Element E2EE is turned on by default right? So it kinda should be PTIO’s primary messenger. Other Clients shouldn’t be even recommended unless they were audited.

Besides, can I ask why was Tox delisted? I didn’t find anything about it online. Is it because Jami is better or something like that?

No, we don’t say that Signal is the best solution. We only say that Signal is one solution. “The best solution” for you depends on your use cases and threat models, also see https://infosec-handbook.eu/blog/discussion-secure/#sm

Not from our side since we stay with our principle of only recommending services or products that we own/use and know.


Element (Matrix) also collects a lot of metadata, maybe even more than XMPP. But I would still use it and recommend it to people who care about privacy, as it is the best decentralized/self-hosted option.

Even getting an EMS subscription with an admin account might be better in terms of metadata collection than anything else, and it is still easy to manage, unlike a self-hosted server, VPS, etc.


Any specific reason why you won’t recommend Element or Briar?
And in case Session gets audited, it might be a good choice too. Matrix is the only one of these 3 which keeps metadata.
(I’d be interested in an article where you discuss some popular “private” messenger services (like the ones I mentioned above) and why you wouldn’t recommend them. Just like the one for XMPP, just a little bit shorter because the list could be too long for you.)