I think XMPP.
Depends on what you consider to be important for being “safe”.
Using matrix as is out of the box is relatively secure but you need to be aware that a lot of metadata ends up on the servers of a UK based for-profit & venture capital funded company (New Vector).
Xmpp on the other hand requires a bit more research to find a good server and client, but it can be made to be extremely secure, especially when self-hosting and/or using Tor for connecting to it.
IMHO there is no silver-bullet and every option comes with trade-offs. Depending on you needs other options like Threema, Signal and Telegram with their e2ee & open-source clients but centralized servers can also be worthwhile to look at.
Using matrix as is out of the box is relatively secure but you need to be aware that a lot of metadata ends up on the servers of a UK based for-profit & venture capital funded company (New Vector).
Using 3rd party clients should really be encouraged.
metadata is not encrypted as per matrix protocol, it’s not the client’s fault
Would it even be possible to encrypt some basic metadata? I doubt that.
Mostly no, but the best way to deal with such meta-data is not to store it, or at least delete it as soon as possible. Which is the exact opposite of what Matrix does.
What kind of metadata are we talking about?
This issue has a general overview.
xmpp encrypts everything, metadata included
it’s not easy and makes the protocol really hard to implement but it is possible
Hmm, sadly that isn’t the case, a lot of metadata on XMPP is also exchanged only TLS transport encrypted and is thus available on the server in clear text. The main difference to Matrix is that it generates and exchanges much less metadata and most XMPP servers are configured to delete all the metadata after a relatively short period of time.
🤔 that does seem to be the case, maybe i was thinking of signal (it truly encrypts all metadata)
Getting end-to-end encryption work seamlessly is difficult on XMPP, and you would end up not secure. Matrix does have very good defaults and has e2ee enabled by default. It also has a different passphrase to decrypt history if you need to change the device.
Edit: typo.
I guess you made a typo and mean XMPP. But getting e2ee working on XMPP is also super seamless and easy when using the Android Conversations client or one of it’s forks. On Matrix it is also only super easy and seamless with one client, i.e. the webbased Element.
Corrected the sentence. I last used XMPP with Conversations on mobile and Movim on the web about 3 to 4 years ago. Many of my contact had hard time enabling e2ee. I had to visit them to walk them thru the trust process. Other wise, the would just see scrambled text.
I use Monocles Chat, a fork of blabber.im, which is a fork of Conversations.
OMEMO encryption works by default, and (for me) was a little bit more seamless than setting it up for Element.
Element has a slightly awkward “verification” process, and also the backing up of encryption keys, and verifying other devices, just tends to confuse new users (imo).
Element sees this as levels of trust.
- Not encrypted
- Encrypted but untrusted
- Encrypted and trusted
- Encrypted and trusted but conversation has an untrusted device.
Verification process is for people you interact with outside of Matrix like IRL or phone, etc.
This is no longer the case for Conversations, it works super seamless out of the box.
Sadly Movim only very recently added experimental e2ee and it isn’t fully usable yet. But I am hopeful that it will be in a few months.
only super easy and seamless with one client, i.e. the webbased Element
But the Webbased client’s security model is simply broken. E2EE in the browser is simply not possible.
Getting end-to-end encryption work seamlessly is
difficulteasy on XMPPFixed that for you. :)
As ibsaid previously my statements are based on an old experience. Much has changed today.
default setting is that admins can easily inject their own key without user noticing it.
additional to that: gajim sends files over jingle without encryption in e2ee chats dino does not offer reliable e2ee for group chat. it is difficult to verify keys in conversations because these settings are hidden afaik.
This needs to be qualified a bit… if the convenience feature for enabling e2ee by default and automatically exchanging keys with other devices is enabled (which can be turned off easily in most clients), then yes a new device can be introduced by a server admin in theory, but even then most clients will clearly switch to a encrypted-but-unverified display next to each message (in Gajim for example it will show a only half-filled shield next to each message, I think in Conversations it switched from a green to a yellow sign).
As for file sending, these are (usually still transport encrypted) fall-back modes to the modern e2ee OMEMO encrypted file sending used by most popular clients. Yes it would be probably better to disable them all together and/or put a big warning, but they are not the regular way attachments are shared these days. If you make sure you use a correctly configured XMPP server then you basically never run into this issue.
I think in Conversations it switches from a green to a yellow sign).
There is no button called: verify key or something in conversations. It is a hidden setting. Do you know how to verify a contact without using the qr code? It’s a hidden setting and most users won’t know it. Neither does it give you info that you can verify keys by scanning qr code. How should a user know? Not. So they stick to default settings, and the default setting is, that an admin can inject keys anytime they want, without user noticing.
As for file sending, these are (usually still transport encrypted)
I’ve mentioned Gajim, not any client. Gajim uses jingle without transport encryption.
You can either make e2ee easy to use and enable it by default, or you can try to make people understand what they are doing to protect them from edge cases. Conversations does the former, while not making the latter impossible.
Could more emphasis be put on the latter? Maybe, but then people would complain about it being difficult to use and understand.
That people don’t understand e2ee and assume that it somehow makes your communication magically secure is a social problem and not a technical one. All the above things you mention are not difficult to understand or do in the Conversations GUI, but they require a basic understanding of e2ee, which you can’t teach in a GUI.
In the end IMHO it is better to have many people using e2ee even in a less secure form, as most people don’t really need strong e2ee anyways. But by having many people use e2ee, it can’t be used to single out the few people that really need higher opsec, but those few really need to understand what they are doing and teach their contacts accordingly.
You can either make e2ee easy to use and enable it by default, or you can try to make people understand what they are doing to protect them from edge cases. Conversations does the former, while not making the latter impossible.
…the “edge case” that e2ee should protect from third parties such as an admin to read the messages. A new key could create a pop up window that informs the user. If user doesn’t care, there can be an option for “never show again”. Having a function that says “verify key”, should also be expected from an app that argues to have secure e2ee implementation.
as most people don’t really need strong e2ee anyways.
Most people don’t need any. It’s infosec larping what people do. And then software developers build software for LARPing.
XMPP is more safe, I can’t remember what exactly but I remember the whole XMPP vs Matrix thing, and matrix has this metadata problem, that spreads like a literal virus; instead of exchanging individual messages- entire chats while encrypted is stored in each server you federate. in regards to privacy Matrix isn’t the best. on top of that most people sign up matrix on matrix.org so that’s a huge chunk of metadata.
However, your family and friends are sometimes boomers when it comes to signing up for xmpp. so what I’d do is use both and spoonfeed them every step of the way to use xmpp. I’d like to make an easy guide for xmpp one day.
However, your family and friends are sometimes boomers when it comes to signing up for xmpp. so what I’d do is use both and spoonfeed them every step of the way to use xmpp. I’d like to make an easy guide for xmpp one day.
Right, like my parents, lol. When I created a private XMPP server for family, what I did was create their accounts and tell them, “Download Conversations onto your phone, and here is your login.” That worked for them…
As far as guides go, I have seen so many. I often direct strangers to joinjabber.org, but I do not know how effective it is. I feel like it’s too much for normies even though they try to make it simple. Any service that involves choosing a provider and creating a login is out the window for 99% of people.
I’m not an encryption or security expert or anything, but the thing that you have to be careful about with Matrix is that you are going to find yourself most of the time chatting in rooms which log messages forever. That’s not the case with every room; it depends on the settings, participants, and certain events that might cause the room to stop existing in the future or lose its copies of the messages, but generally what you are looking at is the system the way its designed fights against losing that kind of information. (Matrix federation makes the room copied onto as many servers as it can.) You will just want to be mindful of how you chat on there, for example don’t say things you don’t want someone to look up 10 years from now. It’s kind of a privacy nightmare, but you can just try being careful, for example by staying pseudonymous, and if you mess up somewhere delete those messages.
The difference here with XMPP is that, while servers can log chat rooms, most of the time they are configured not to. History is usually temporary just for convenience (that is, offline messaging) and may go back anywhere from a few days to a few weeks. Chat rooms live on only one server that hosts them, so they are not duplicated onto other servers.
In either case, clients could still be logging and so on, so you should always be mindful of how much you trust both the service and the people you are communicating with. E2EE is available on both platforms, which you should utilize anyhow, but mainly I’m talking about public chat rooms.
Matrix probably by default, because most Matrix clients already support E2E out-of-the-gate (Element, Mirage, FluffyChat for iOS, Syphon for Android, KDE NeoChat, nheko). Though you could also have E2E on XMPP, it’d just require more effort to find the appropriate plugins/settings on your part, than with Matrix.
Though you could also have E2E on XMPP, it’d just require more effort to find the appropriate plugins/settings on your part, than with Matrix.
That may be the case with some older clients, but the client I use has it enabled by default…
Test