Secure Instant Messaging 2020 :D

Hi friends :slight_smile:

I was reading something a while ago online but can't seem to find it again, about someone saying XMPP + OMEMO is insecure? That's sad if that's true. Is it a little not completely safe?

I don't use Signal or Telegram because they require a phone number... Not entirely trusting those companies. Wire... well, it's OK for security, except if the US government asks for everyone's data... I'm not even in America, so no thank you - I pass on Wire... Still good, though, if you just want to connect your mobile phone to your employer's wifi and chat with a friend without the owner or CTO creeping on you lol.

Tox & Riot seem ok for those CLOSE TO YOU interpersonally, or for the Riot chat rooms, as adding contacts or video calling could reveal your IP.

I like using apps available on all platforms; Linux, Windows, Mac, iOS, Android , etc…

Does anyone know if XMPP + OMEMO is safe? And why not, if it isn't? I'm not sure if phone XMPP clients support XMPP + GPG instead :confused: Is it for the same reason (your IP could be revealed)? Either way it would still be an option if something happened to Tox and Riot one day and I needed a replacement... :confused:

The primary issue with XMPP (and many other communication protocols) is that server-side parties can read and modify anything. The server admin can, for example, see all of your contacts, all group memberships, and even your password. We posted an article about this; however, some people are convinced that our findings apply to all communication protocols. This isn't the case.

In this case, OMEMO (if applied correctly) only protects your message content. You still expose your contact lists, groups, device metadata, etc. in cleartext.

On the other hand, OpenPGP (GPG) won’t fix this either and comes with other issues like no support for Perfect Forward Secrecy.
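To make the "only the content is protected" point concrete, here is an added example (not from the thread or from any XMPP project) that parses a constructed OMEMO-encrypted `<message>` stanza the way a relaying server sees it. The stanza is modelled on the XEP-0384 wire format with the legacy `eu.siacs.conversations.axolotl` namespace; the JIDs, device ids, and the base64 key/IV/payload values are made-up filler, not real ciphertext.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed OMEMO message stanza, modelled on the XEP-0384 wire format (the
# namespace is the legacy one most deployed clients use). Key, IV and payload
# values are placeholder base64 filler, not real ciphertext, and the JIDs are
# made up. Nothing here was captured from a real server.
SAMPLE_STANZA = """\
<message xmlns="jabber:client" from="alice@example.org/laptop"
         to="bob@example.net" type="chat" id="m1">
  <encrypted xmlns="eu.siacs.conversations.axolotl">
    <header sid="314159">
      <key rid="27182" prekey="true">QUFBQUFBQUFBQUFBQUFBQQ==</key>
      <key rid="16180">QkJCQkJCQkJCQkJCQkJCQg==</key>
      <iv>Q0NDQ0NDQ0NDQ0ND</iv>
    </header>
    <payload>RERERERERERERERERERERERERERERERERERERERERERERERE</payload>
  </encrypted>
  <body>I sent you an OMEMO encrypted message but your client doesn't seem to support that.</body>
  <store xmlns="urn:xmpp:hints"/>
</message>
"""

CLIENT_NS = "jabber:client"
OMEMO_NS = "eu.siacs.conversations.axolotl"


def server_view(stanza_xml):
    """Everything a relaying server (or anyone reading its logs, or the traffic
    after TLS termination) learns from an OMEMO message with no key material.
    Only the <payload> and the per-device <key> blobs are opaque to it."""
    msg = ET.fromstring(stanza_xml)
    enc = msg.find(f"{{{OMEMO_NS}}}encrypted")
    if enc is None:
        raise ValueError("not an OMEMO-encrypted message")
    header = enc.find(f"{{{OMEMO_NS}}}header")
    keys = header.findall(f"{{{OMEMO_NS}}}key")
    payload = enc.find(f"{{{OMEMO_NS}}}payload")
    body = msg.find(f"{{{CLIENT_NS}}}body")
    return {
        # who talks to whom, including the resource (often a device/client name)
        "from": msg.get("from"),
        "to": msg.get("to"),
        "type": msg.get("type"),                              # chat vs groupchat
        "sender_device_id": header.get("sid"),
        # one <key> per recipient device: the server learns how many devices
        # the recipient runs and which one is being addressed
        "recipient_device_ids": [k.get("rid") for k in keys],
        # a prekey message means a session is being started (first contact
        # or a new device), which is itself a useful signal
        "new_session": any(k.get("prekey") == "true" for k in keys),
        # ciphertext length leaks the approximate message length
        "ciphertext_len": len(base64.b64decode(payload.text)),
        # the fallback <body> is cleartext by design
        "fallback_body": body.text if body is not None else None,
    }


if __name__ == "__main__":
    for key, value in server_view(SAMPLE_STANZA).items():
        print(f"{key:22} {value}")
```

Everything the function returns is available to the server without breaking any cryptography; the contact list (roster), group memberships and presence travel in their own cleartext stanzas on top of this, so the per-message metadata shown here is only part of what the server-side party sees.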

Thanks :smiley:

For now I guess I will just hope Tox or Riot don't disappear so I can use them for people I trust. I guess for "strangers" I'm still looking and hoping something comes out in the near future :smiley: (an example would be someone you met in a video game - I wouldn't want some of those people knowing my IP when I turn my VPN off for better performance)

That's a good, detailed paper/article, thanks!

It is not insecure. It uses a proven method, the Double Ratchet Algorithm, which is used in many types of instant messaging programs.

Tox & Riot seem ok for those CLOSE TO YOU interpersonally, or for the Riot chat rooms, as adding contacts or video calling could reveal your IP.

In fact I think that’s quite the opposite. Tox and Riot excel at being used with strangers. You can use them with a VPN or with Tor, unlike Signal which is still bound to a phone number.

Any kind of instant messaging that has VOIP will establish a peer-to-peer connection, including XMPP. This will reveal your IP address unless you're using Tor or a VPN. For text communications it won't. The reason for this is that most instant messengers try to establish a direct route for VOIP so as to keep latency down and provide a clear picture without choppy sound.

I wouldn’t be too worried about revealing your IP address in these circumstances, as there isn’t a whole lot they can do with it. Unless you’ve opened ports on your modem’s firewall and are also running some service from your internet connection that is vulnerable, you shouldn’t have any issues. (If you were doing this you’d know).

Something to keep in mind about OMEMO, though, is that it won't secure alternate channels of communication, i.e. VOIP. Additionally, not all XMPP clients even support VOIP.

Do not use XMPP with PGP. This lacks forward secrecy, unlike OMEMO. The same rules apply: your VOIP communications won't be end-to-end encrypted (E2EE).

Also, make sure to see our instant messaging page.

Riot isn't going anywhere; it is the reference client for the Matrix network. Not too long ago they got $8.5M for further development. There are many governments around the world, e.g. the French government, which are funding it to use as a platform for their communications.

Very soon we’re going to prioritize the federated section see: instant-messenger: list federated above centralized #1701. We’re waiting for Matrix to turn E2EE on by default for private communications.

Like XMPP it is federated, meaning there are literally thousands of servers which all interconnect to each other. This means if one server went offline you could simply pick up your conversation on another server. There is a list of some unofficial but reliable servers at Hello Matrix.

Matrix (i.e. Riot) is perfectly ideal for this. At least your voice and video communications will also be end-to-end encrypted (E2EE).

I don’t think any service provides E2EE for 1-to-many VOIP communications as the server needs to mix video feeds and send them out to the clients.

Very soon Matrix is going to be the primary messenger we recommend. We’re basically waiting for E2EE to be on by default (which it is in development version).
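The replies above say OpenPGP over XMPP lacks forward secrecy while OMEMO (Double Ratchet) has it. The following is an added example, not code from the thread or from any messenger, that shows the mechanism behind that claim: a minimal KDF chain of the kind the Double Ratchet uses as its symmetric-key ratchet, compared with a single long-term key. The XOR keystream "cipher" and the HMAC-based KDF are stand-ins chosen for readability; real OMEMO uses an AEAD (AES-GCM) and the full Double Ratchet, and the scenario functions, message bytes and compromise point are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Added example: a symmetric-key ratchet (KDF chain) versus one long-term key.
# The "cipher" is a toy XOR keystream used only so the key-management
# difference is visible; it is not how OMEMO encrypts messages.


def kdf(key, label):
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_crypt(message_key, data):
    """Toy stream cipher: XOR with a keystream derived from message_key.
    Symmetric, so the same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += kdf(message_key, b"ks" + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KdfChain:
    """Sending chain: every message gets a fresh key derived from the chain
    key, then the chain key is advanced with a one-way step and the old one
    discarded. From chain key k_n you can compute k_(n+1), k_(n+2), ... but
    not k_(n-1) or any earlier message key; that is forward secrecy."""

    def __init__(self, chain_key, index=0):
        self.chain_key = chain_key
        self.index = index

    def next_message_key(self):
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        self.index += 1
        return message_key


def pgp_style_compromise(messages):
    """One long-term key encrypts everything (the OpenPGP situation). If it is
    stolen later, every past message opens. Returns index -> recovered text."""
    long_term_key = os.urandom(32)
    ciphertexts = [xor_crypt(long_term_key, m) for m in messages]
    stolen = long_term_key  # attacker obtains the key after the fact
    return {i: xor_crypt(stolen, c) for i, c in enumerate(ciphertexts)}


def ratchet_compromise(messages, compromise_after):
    """The sender ratchets once per message. After `compromise_after` messages
    the attacker copies the sender's current chain state. Returns index ->
    recovered text: only messages from that point onward can be recovered,
    because the earlier chain keys no longer exist anywhere."""
    sender = KdfChain(os.urandom(32))
    stolen_state = (sender.chain_key, 0) if compromise_after == 0 else None
    ciphertexts = []
    for m in messages:
        ciphertexts.append(xor_crypt(sender.next_message_key(), m))
        if sender.index == compromise_after:
            stolen_state = (sender.chain_key, sender.index)
    if stolen_state is None:  # compromise happened after the last message
        return {}
    attacker = KdfChain(*stolen_state)  # re-run the chain forward from the theft
    recovered = {}
    while attacker.index < len(ciphertexts):
        i = attacker.index
        recovered[i] = xor_crypt(attacker.next_message_key(), ciphertexts[i])
    return recovered


if __name__ == "__main__":
    # constructed sample conversation
    msgs = [b"meet at 9", b"bring the docs", b"room 4", b"done"]
    print("long-term key stolen:", pgp_style_compromise(msgs))
    print("ratchet state stolen after 2 msgs:", ratchet_compromise(msgs, 2))
```

What the symmetric chain alone does not give you is recovery after the compromise: every key from the stolen state onward is still computable. The Double Ratchet adds a Diffie-Hellman ratchet that mixes fresh randomness into the chain at each round trip, so the attacker is also locked out again shortly after the theft; that second half is omitted here to keep the forward-secrecy property isolated.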

Thanks :smiley: I love these programs! I didn't think to use Tor, so I just searched online about tunneling through Tor and I'm going to set these up :slight_smile: For Tox it's right on their wiki, and it looks like Pidgin & Gajim support Tor as well :smiley: Probably can with the Riot app too, or just use the web version in Tor Browser. Hurray, or of course run a VPN connection

Note that using Tor or a VPN will likely introduce considerable latency to your VOIP communications.

If you’re using VOIP I wouldn’t bother trying to hide your IP address as they will be seeing your face and hearing your voice anyway.

If you’re not using VOIP then they won’t be able to get your IP as messages go through the server and peer-to-peer connections are not established (this is in the case of Riot (Matrix), and XMPP).

Tox is always peer-to-peer, and relies on no servers so they will always see your IP. There is not a whole lot they can actually do with that information though.
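The replies above explain that a VOIP call sets up a peer-to-peer path and that this, not text messaging via the server, is what hands your IP to the other party. Here is an added example (not from the thread or from any client) showing exactly which addresses the remote side learns during call setup: it parses ICE candidates, which is how both XMPP Jingle (as XML attributes) and WebRTC calls in Matrix/Riot (as SDP lines) advertise where a peer can be reached. The SDP is constructed with documentation/private address ranges, and the "relay-only" variant assumes a client that offers no host or server-reflexive candidates and strips the related address; whether a given client does that is client-specific.

```python
# Added example: which of your addresses a call peer learns from your ICE
# candidates. Sample SDP is constructed (RFC 8839 candidate syntax); the
# addresses are from documentation/private ranges and belong to nobody.

SAMPLE_SDP_DIRECT = """\
v=0
m=audio 54321 UDP/TLS/RTP/SAVPF 111
a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host
a=candidate:2 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321
a=candidate:3 1 udp 41885439 198.51.100.7 50000 typ relay raddr 203.0.113.45 rport 61000
"""

# Assumed relay-only offer: only the TURN server's address is advertised and
# the related address is omitted. Not every client behaves this way.
SAMPLE_SDP_RELAY_ONLY = """\
v=0
m=audio 50000 UDP/TLS/RTP/SAVPF 111
a=candidate:3 1 udp 41885439 198.51.100.7 50000 typ relay
"""

PREFIX = "a=candidate:"


def parse_candidates(sdp):
    """Parse a=candidate lines into dicts with type, address, port, raddr.
    Field order: foundation component transport priority address port
    'typ' type [raddr X rport Y] ..."""
    out = []
    for line in sdp.splitlines():
        if not line.startswith(PREFIX):
            continue
        f = line[len(PREFIX):].split()
        if len(f) < 8 or f[6] != "typ":
            raise ValueError(f"malformed candidate line: {line!r}")
        cand = {"type": f[7], "address": f[4], "port": int(f[5]), "raddr": None}
        if "raddr" in f:
            cand["raddr"] = f[f.index("raddr") + 1]
        out.append(cand)
    return out


def addresses_exposed_to_peer(sdp):
    """Addresses the remote party can attribute to you after reading your
    offer, mapped to how they leaked. host = your LAN/OS address; srflx/prflx
    = your public address as a STUN server saw it; relay = the TURN server's
    address, which is not yours, but its raddr (if present) is yours again."""
    exposed = {}
    for c in parse_candidates(sdp):
        if c["type"] in ("host", "srflx", "prflx"):
            exposed.setdefault(c["address"], c["type"])
        if c["raddr"] not in (None, "0.0.0.0"):
            exposed.setdefault(c["raddr"], f"raddr of {c['type']}")
    return exposed


if __name__ == "__main__":
    print("direct call exposes:", addresses_exposed_to_peer(SAMPLE_SDP_DIRECT))
    print("relay-only exposes: ", addresses_exposed_to_peer(SAMPLE_SDP_RELAY_ONLY))
```

In the direct offer the peer learns both the LAN address (from the host candidate and again as the srflx candidate's raddr) and the public NAT address (from the srflx candidate and the relay candidate's raddr). A VPN or Tor changes which public address appears in the srflx line; a relay-only policy removes the direct candidates altogether at the cost of the extra hop and latency mentioned above.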

hmmm good point, and good to know about tox

I would give Jami a try. If it works well for your use case, you should go for it. At least until Riot or Tox become better

Give Briar a try; though it doesn't support VOIP, it is still the best P2P messenger.

Problem is, it's Android only. Not even a PC client exists.

I wanted to give Signal a try, but the PC version requires additional verification from time to time, and it really annoys me. Though it is much more reliable than Wire when it comes to message delivery and notifications (on Android).
