Via Lemmy

XMPP: Admin-in-the-middle · InfoSec Handbook – your friendly and open-minded InfoSec community

XMPP isn't privacy-friendly if you don't control the server.

infosec-handbook.eu/articles/x

@lps Very interesting read but doesn't this apply to every messenger that isn't on one's own server and doesn't use end-to-end encryption?

@ericbuijs I would assume the answer to that would be yes:( I think what this article is pointing out, I could be wrong, is that XMPP is not a silver bullet for this reason. I recently took another look at SSB/Manyverse again and after reading more about it realized that it too, relies on Hubs to store your data, so you need to trust them. I, for one, look forward to the day when XMPP can be self-hosted easily on a plug and play Single Board Computer -- I'm looking at you @PINE64

@lps I agree, XMPP is by its users often presented as a silver privacy bullet but can be vulnerable to any server admin with malicious intent.

It all makes me think about the warning of Eben Moglen who called the system which centralizes servers and the servers centralize their logs a recipe for disaster.

I haven't looked into the Manyverse so I didn't realize that the Hubs were servers. Maybe Briar as a full peer-to-peer messenger?

@ericbuijs I have tried another app that works surprisingly well called anonymous messenger, which is truly p2p through Tor and doesn't use a lot of battery. Looks promising:) f-droid.org/en/packages/com.dx

@ericbuijs but currently I'm using my yunohost XMPP which is great, love those guys! Just wish there was an option for anyone to host at home with no technical skills.

@lps. Interesting. I haven't played with the XMPP on my Yunohost (yet). Perhaps it's time I start working with it myself. That was my idea after all to self host stuff that's on someone else's server.

@ericbuijs
If you have yunohost it's likely already working after confirming that a few ports are open....just remember users must be created via the SSO admin panel. One thing that I've personally had issues with is VoIP calls however, that's another beast, it requires coturn to make connections outside the network:(

@ericbuijs
Actually you have nothing to do on your Yunohost server, it's enabled by default. Your XMPP ID is your email address. Just get yourself an XMPP client on your desktop or your phone, and you're good to go!

And it also supports OMEMO encryption.

Dino is a nice client on Linux. There's Gajim of course but I find its UI quite dated. It's being overhauled, it'll be interesting to see when it's ready.

On Android I use the blabber.im client with my own server.
@lps

@ericbuijs @lps
I can't believe I never checked F-droid for xmpp clients. 😳

@normandc
Blabber is great, I like monocles chat as well, a fork of a fork;)
@ericbuijs

@lps
I now remember why I installed blabber from the Google Play Store. I created an account for my mom on my server, and set her up with an XMPP client on her phone so we could exchange our cat pictures. 😸

I did it remotely so I didn't want her to deal with F-droid. I installed blabber first on my phone to check it out. I mostly use Dino on my Pinephone, that is before my Mobian install got borked.
@ericbuijs
