@soatok same here, but with august 18 for me

RE: https://furry.engineer/users/soatok/statuses/112879830539550564

@soatok [it won’t]

@soatok@furry.engineer feel free to ignore this if you're busy or whatever, but i would like to know why isn't XMPP + OMEMO a real Signal alternative?

Can someone explains to me what's a Matrix evangelist?

@soatok@furry.engineer i personally don't understand that reasoning, http isn't encrypted by default either, you certainly can make it very secure with ssl or over tor/i2p

@soatok louder for the people in the back! XMPP evangelists really need a dressing down about this too -.-" (Thanks to my involvement in Kitten/SASL I have had an … unpleasant amount of exposure to XMPP evangelists)

@soatok @mook also it’s less like HTTPS and more like encrypting content sent via HTTP. Metadata still gets out and only some of the contents are protected

@soatok I believe you: you're the cryptography expert after all, I have no reason to not believe your say.

I will take time to read the whole thread once I'm done dealing with another fur about a mh- issue.

@soatok@furry.engineer i did have in mind hidden services, which are still just http, or xmpp or irc whatever protocol is being served, Signal is a specific server/client platform, xmpp+omemo is a protocol/encryption standard, the things that make up signal could be imlemented in an insecure way, many other platforms use signals encryption optionally, idk whatsapp

@mook@possum.city @soatok@furry.engineer i think the problem is that you know beforehand whether you're connecting to a server that has encryption enabled or not, which is the case with HTTPS but not in chat protocols where encryption is toggleable

though with HTTPS there is an unencrypted fallback if the target's certificate is invalid (is no traffic better than unencrypted traffic? i'm inclining to yes)

@tapesinside@floofy.city @soatok@furry.engineer a server can absolutely tell whether another xmpp server has omemo available and disable unencrypted comms, there's also things you can do with xmpp like run it as a hidden service

@soatok@furry.engineer @mook@possum.city can you link/explain some research about WhatsApp? since it's still used in a lot of the world by almost everyone, it'd be interesting to see/read how well have they implemented E2EE

@tapesinside @soatok

Recommends Wire and Whasapp

lol, I’m gonna dip out from this conversation but, just seems like an arbitrary bar i’m sorry, also false equivalence between an open protocol that has a variety of server and client implementations, and a centralized service/app owned by a private organization, an app that only works on smartphones, which are all backdoored, let’s be real ( and the desktop app has a history of known vulns ) So yeah XMPP is not a competitor to Signal, they’re in different ball parks, but you can do encrypted messages voice and video calls just as well if not better, the idea that XMPP is insecure because it’s possible to use it without encryption, i just find that arbitrary. I suppose no one should use nginx or apache because they can serve unencrypted http

@soatok @mook there's a second message in here too: The saving grace for XMPP could be an implementation of MLS over XMPP, if and *only if* done properly because XMPP is extensible and generic enough to make that possible safely.
But right now XMPP lacks several of the requirements to be able to do that and given the culture around the protocol I do not have hopes for this to change anytime soon.

@soatok @mook Yes! and exactly that is what the culture around XMPP will not allow for because of the holy grail of "backwards compatibility" which is why I personally have given up on trying to make XMPP secure after two attempts ;)

@soatok actually i want to know, is Signal's security is good?

@soatok I read your GitHub Gist, then the pawb.social post and it's UNBELIEVABLE.

As always, you managed to attract war once again in a gist. But the most unsettling is indeed the Matrix evangelists on pawb.social!

I couldn't believe how we managed to attract so much of them on pawb.social but also let them flaming each other.

I definitively now know today what's a Matrix evangelist thanks to a single pawb.social post!

@soatok I need a Signal alternative because I don't want to rely on a phone number that I could easily lose in the future. Are there any at all?

@soatok just for context because i haven't been following whats happened. did you _ever_ had a reply from them?

@soatok Olm or Megolm? Also which official library do you mean, there are multiple I could think of which are maintained and under the matrix-org

@soatok @mook given that, would deltachat technically fit the bill? Since it's just "here's someone's public key and now you encrypt and send them smol emails", more or less. I mean, obviously it's not quite as "friendly" as Signal, but... (and being email it's gonna leak loads of metadata)

@soatok The product decisions appear to have improved, or maybe I'm just growing tired. It used to be Users: "We want backups" Signal: "We've heard you. You get GIFs with a privacy proxy." U: "Uhh, backups or migration?" S: "Yes, you'll get sticker packs." U: "..." S: "Stories!"

They now have backups, migration (though not between universes) and non-phone number identities.
Though I think there's still also still this cryptocurrency that depends on SGX for security.

@henryk
Wait, do they have lost device backups working on iOS now?
@soatok

@henryk @soatok Afaik Signal still requires a phone number to sign up and after the three-day paranoia-fueled anxiety attack I experienced after what Telegram did with my fucking phone number the instant I signed up, that is a cold-hard trauma-affected non-starter for me.

@henryk
Yeah, no, it looks like still no support for the lost device use case yet anywhere unless they haven't updated their docs.
@soatok

@soatok sounds like they pulled a seanky move right there, but honestly, that looks like a long time coming with the rust-matrix-sdk using vodozemac for a while now

@famfo@chaos.social @soatok@furry.engineer Is that the library that's already been replaced in Element with matrix-rust-sdk? I thought they'd been saying for awhile they were deprecating it?
https://github.com/element-hq/element-web/issues/26922

@soatok at least XMPP doesn’t have a shitty leader who’s actively against federation.

I’m personally particularily fond of IRC anyway, not the new-fangled stuff.

@soatok what if I told you e2ee was very low in the list of reasons why people are interested in matrix?

@soatok by "official Olm library" you mean https://gitlab.matrix.org/matrix-org/olm, which just today got this commit https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985, or the rust reimplementation?

@soatok I'm not usually the kind of person to give this kind of advice, but if your perception is that they're "trying to speak over you", you'd probably be well-served by logging off for a little while. It seems like the project has heeded words about their crypto, you don't need to constantly be on the offensive.

@soatok @mook pending regular, comprehensive pentests, could a config switch in Prosody that doesn't allow cleartext in either direction meet those requirements? you'd probably have to completely break client login and federation with older comm servers so nothing attempts to send anything unencrypted

@soatok @mook basically "make a brand new protocol that would be easy for current xmpp software to support"

@soatok Here's another piece of advice for you: criticism without any constructive element is worthless

@soatok Looks like this might be their answer: https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985

@soatok That seems very short given the breadth of changes needed for most clients (add Rust build toolchain, finish C++ bindings, ship it to package managers).
Looks like Nheko hasn't even considered migrating to vodozemac yet.

@soatok how does one gain the ability to just look at code and instantly 0day a platform

@spud i can't speak for @soatok but I'm guessing he would say something about how you get to Carnegie Hall.

@soatok according to Wikipedia, LimeWire is a social network :3c

@soatok so I am *just barely* smart enough to read and vaguely understand all this. But I am curious about two things.

First, if you were trying to find a messenger that doesn't require a phone number, would you use Matrix, or something else; and

Second, just to humor me... did Signal meet your standards before they removed SMS?

@mav @soatok tangent: you no longer have to share phone numbers on signal.

@risottobias @soatok But you must have one to sign up, unless that has changed quite recently.

@soatok so to pwn applications and services one must be a self taught dhole, and skip getting a degree?

@spud @soatok Being a fox works too but no way anything else works. Maybe raccoon.

@walnut @soatok I'm (sadly) acutely aware of the state of MLS as it applies to XMPP and there's two things that are relevant here: Just adding MLS into the existing encryption UX is not going to make XMPP an encrypted messenger, even if all the necessary extensions to the transport are defined. And that latter point will also contribute to adoption being probably at best glacial if the past allows any prediction. I mean, MIX is nine years old at this point and still not supported anywhere.

@Doridian @soatok well damn. Here I thought I could do it as a college educated folf

@soatok @spud I mean there's some fox in you, maybe you got what it takes ;p

@Doridian @soatok thanks I try

@soatok oh shit. element is no longer using libolm since they've switched to vodozemac, but with quick look at alpine, it's still used by: fluffychat, nheko, gomuks, neochat (kde), chatty, mautrix bridges, weechat-matrix, ...

@lnl @soatok matrix really just went "just switch lol"

@soatok yikes.

And then people wounder why I stay on #IRC & #XMPP+#OMEMO & #PGO/MIME-emails and #Zulip for chats?

@soatok Honest question: why XMPP + OMEMO isn't a viable alternative to Signal?
I have no expertise in encryption, so I'd be thankful if you could point me to somewhere where I can inform myself, or ELI5 to me.

@narezina @soatok My best guess is there’s no forward secrecy; the metadata, at least, is visible to every involved server: who sent it and who it was sent to. There’s really no getting around that, because it doesn’t know where to send the message otherwise. Also, that there’s a chance encryption fails, depending on the clients used; Signal won’t work without it.

@soatok Thank you!

So if I understand this correctly, there are multiple things at work here: OMEMO is doing less of a stellar job encrypting mesages (unfortunately, I don't understand the issues in depth), XMPP protocol allows for unencrypted conversations, and Conversations has its bucket of issues.

I wonder if situation is better with Kaidan? Apparently they encrypt conversations by default, and use newer version of OMEMO (found here: https://www.kaidan.im/2023/05/05/kaidan-0.9.0).

@soatok OK, I'll give it another read then. Thanks again.