Follow

@Aaron@boringpeople.org @jerry @cwcopa thing is, the issue is not just about future e-mail that is going to be written and sent. It's about all past encrypted e-mails. And that's why it's so problematic, and that's why I can see how EFF's recommendation made a lot of sense.

It was about protecting past communication.

Plus, everyone should really have 2 secure channels. Just in case. Use Signal.

@rysiek Let's not use Signal though. They require a phone number, actively discourage alternative clients and it is plainly centralised.

@xrevan86 please give me a better solution for journalists from across the world, without a way of physically meeting, and with a need for good crypto, a mobile and desktop client, and a way to share files securely.

A lot are still using Telegram or Viber. We tried pushing Tox but it was nigh-unusable to regular people. Briar is interesting, but still barely out the gate. Wire is tempting, but we barely moved people to Signal from Telegram, Viber, WhatsApp.

@xrevan86 we had to make a decision 3 years ago and Wire was not ready yet. Signal was the only viable option. And it took 3 years to move most of people in our network to Signal. Not doing this again, Signal provides great security, and while I personally hate the fact that it's centralized (or even server based at all), I have to live with that.

@rysiek Wire is more acceptable as it doesn't require a phone number, yes.
I personally think !xmpp does meet those requirements.

@xrevan86 I used to run 2 XMPP servers. Tried setting up audio communication, and MUC, and send files, and it was always a major pain in the arse, and barely worked if worked at all.

XMPP is not a solution in any way, shape, or form, until they fix the "random XEPs implemented by random clients/servers" bullshit.

As to Wire, if I had to make this decision today, Wire would probably be it. But I am not going to move hundreds of people to Wire right now; Signal is good enough.

@xrevan86 XMPPs security (i.e. OTR) is an add-on, just like PGP/GPG for e-mail. There is friction, there is additional attack surface, and it fails every now and then. End to end encryption cannot be an afterthought.

@rysiek @xrevan86
What about OMEMO?
Even though it is unfortunately does not fix XEP problem

@Skoll3 @xrevan86 let me know when most main XMPP clients (Pidgin, Gajim, Adium, Coccinella, Miranda IM, Psi, anything else?) and main servers (if implementation is needed there; prosody, ejabberd, others?) implement it.

@rysiek Nice to see dead-ish clients in the list. I guess there mere existence turns the answer to a literal never :-/.

@Skoll3 @xrevan86 and what does it tell you about a piece of software or a secure communication tool if even the privacy-minded techies are not inclined to use it?..

@rysiek If the alternatives to it that privacy-minded techies do use are Signal and Telegram (yes, there are those too), then I don't know. It only inclines me to be even more stubborn.
@rysiek Especially because some other people try to get me from XMPP to these "better" networks (privacy-aware techie people). "Just register with your phone number on a central server, install an Electron client and you're all set."
It simply doesn't cut it for me, so !xmpp stays as the only good solution.

@xrevan86 I am not trying to convince you to drop XMPP.

I am explaining why XMPP is not a solution in my case.

There is an important difference between the two.

@rysiek @xrevan86 the difference is very important, yet it's hard to tell whether someone is trying to convince your or not even in real life.

@rysiek @xrevan86 Setting up the XEPs is an annoyance and I think Conversations is the only viable XMPP client. But so long as everything is set up on the server side it just works.

Anything non-federated isn't going to scale. That includes Signal, and Signal has a lot of other problems besides. I can't run Signal without trusting Moxie's server.

@bob @xrevan86 well it works on *your* server. What about other servers?

We need a clear standard, implemented by and testable against the majority of servers and clients.

Otherwise it's a clusterfsck.

@rysiek @xrevan86 This is what #freedombone is about, but also ejabberd and prosody need to ship with a default set of xeps which pass all the Conversations tests. If that happened life would be easier.

@bob @xrevan86 if that happened, XMPP would perhaps become a contender again.

Right now it simply is not.

And I say this as a person who was promoting XMPP back when it was called Jabber.

@bob ejabberd pretty much does. And Prosody… not so much.
Is Prosody the evil in this equation :-)?
@rysiek The XEPs that are expected from a modern XMPP client are pretty clear, so if you see a client that doesn't work it out then either it has slow development, dead or doesn't care.
It's like with email: there are lots of dead clients, and people don't expect them to comply with modern standards, they either move on or grow a beard %).
Otherwise I can only think of one solution to the "problem", the one Signal chose – forbid alternatives.

@xrevan86 on the contrary, do a little google search for my name and let's talk after you do. Such keywords as "technomonopolies" might be useful, too.

But I have to secure communications of non-techies, today, and in a way that works. XMPP is nowhere near being able to do this.

I am looking at Briar though, with a lot of hope.

@rysiek That's what I expect of one from fediverse by default :-).
Yet my pseudo-arguement that Signal will do for you because it hates diversity worked oddly well.

@rysiek @xrevan86
I think you misunderstood Xrevan's point:

Can we have an open standard with multiple client implementations without it becoming unusable for a group of non-tech journalists supported by a single infosec expert?

@Wolf480pl @xrevan86 yes.

Surprisingly, e-mail is exactly that.

Signal could be that, if it opened the server and enabled federation.

Wire could be that if more people pick it up, but I have to choose my battles and that's not the hill I am willing to die on.

Briar hopefully, one day, in an ideal world.

@xrevan86 @rysiek servers support of that are more of as problem
plus
>conversations does not have OTR
>pidgin and xabber does not have OMEMO (yet)
@skoll3 Pidgin has support for OMEMO the same way as OTR: via a third-party plugin called lurch. Pidgin is barely an XMPP client so don't expect more.
And Xabber apparently doesn't implement OMEMO in fears of FSB %).
@bob Conversations is the flagship !xmpp client, no doubt.
But I wouldn't call the only viable one, Gajim and Psi on desktop are doing a good job.
There's also ChatSecure on iOS but I don't know how good it is, it is actively developed though.
Sign in to participate in the conversation
Mastodon

Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!