this post was submitted on 21 Jun 2025
1032 points (97.2% liked)
Technology
71754 readers
3714 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Could you explain a bit? I see main issue with Signal (though I'm not an expert, and they're not strictly related to security): it's centralized (and the server isn't even open-source).
The question is also a lot about your threat model right?
The encryption being crap really does not depend on the threat model. Sure, in some threat models you may not need e2ee at all but in that case, what's wrong with WhatsApp?
The issue with XMPP is that security really was an afterthought. Not only is e2ee an optional extension, but there are actually 2 incompatible extensions, each with multiple versions. Then you have some clients not implementing either, some clients implementing the older, less secure one. Some implement the newer one but older version of the spec with known issues. And of course, the few clients that implement it well become incompatible with other clients that don't if you enable e2ee, so it is disabled by default.
That is all before you start looking into security audits or metadata harvesting.
Your reasoning would hold up if 80% of xmpp wasn't running on Conversations or forks of it, that all support OMEMO and OpenPGP.
Your criticisms are too broad with few serious negatives. What makes extensions powerful is that they can easily change the rules without breaking the underlying system. If your client sucks, get another?
You have choices, but if your problem is metadata, whoooo boy.
https://news.ycombinator.com/item?id=32780665
https://github.com/matrix-org/synapse/issues/9133
https://www.reddit.com/r/PrivacyGuides/comments/q7qsty/is_matrix_still_a_metadata_disaster/
So much cope you didn't even notice no one mentioned matrix. We are comparing XMPP with Signal.
Also, you really think saying only 20% of your chats are insecure is somehow making it better?
That's their problem. If their messages aren't encrypted, it isn't like you won't be aware of it. Request that they use a modern client and get with the times. None of this is an actual problem without easy solutions.
Then let us know when they are solved. Until then, I have a lot more hope in matrix than XMPP. They at least seems to be making progress in the right direction, although they are not there yet either.
Signal remains the best option for now.