@Aaron @jerry @cwcopa thing is, the issue is not just about future e-mail that is going to be written and sent. It's about all past encrypted e-mails. And that's why it's so problematic, and that's why I can see how EFF's recommendation made a lot of sense.

It was about protecting past communication.

Plus, everyone should really have 2 secure channels. Just in case. Use Signal.

0
0
@rysiek Let's not use Signal though. They require a phone number, actively discourage alternative clients and it is plainly centralised.
0
0
rysiek ✅
Follow

@xrevan86 please give me a better solution for journalists from across the world, without a way of physically meeting, and with a need for good crypto, a mobile and desktop client, and a way to share files securely.

A lot are still using Telegram or Viber. We tried pushing Tox but it was nigh-unusable to regular people. Briar is interesting, but still barely out the gate. Wire is tempting, but we barely moved people to Signal from Telegram, Viber, WhatsApp.

· Web · 0 · 0

@xrevan86 we had to make a decision 3 years ago and Wire was not ready yet. Signal was the only viable option. And it took 3 years to move most of people in our network to Signal. Not doing this again, Signal provides great security, and while I personally hate the fact that it's centralized (or even server based at all), I have to live with that.

0
1
@rysiek Wire is more acceptable as it doesn't require a phone number, yes.
I personally think !xmpp does meet those requirements.
0
0

@xrevan86 I used to run 2 XMPP servers. Tried setting up audio communication, and MUC, and send files, and it was always a major pain in the arse, and barely worked if worked at all.

XMPP is not a solution in any way, shape, or form, until they fix the "random XEPs implemented by random clients/servers" bullshit.

As to Wire, if I had to make this decision today, Wire would probably be it. But I am not going to move hundreds of people to Wire right now; Signal is good enough.

1
5

@xrevan86 XMPPs security (i.e. OTR) is an add-on, just like PGP/GPG for e-mail. There is friction, there is additional attack surface, and it fails every now and then. End to end encryption cannot be an afterthought.

3
1
@rysiek @xrevan86
What about OMEMO?
Even though it is unfortunately does not fix XEP problem
0
0

@Skoll3 @xrevan86 let me know when most main XMPP clients (Pidgin, Gajim, Adium, Coccinella, Miranda IM, Psi, anything else?) and main servers (if implementation is needed there; prosody, ejabberd, others?) implement it.

0
1
@rysiek Nice to see dead-ish clients in the list. I guess there mere existence turns the answer to a literal never :-/.
0
0

@Skoll3 @xrevan86 and what does it tell you about a piece of software or a secure communication tool if even the privacy-minded techies are not inclined to use it?..

0
1
@rysiek If the alternatives to it that privacy-minded techies do use are Signal and Telegram (yes, there are those too), then I don't know. It only inclines me to be even more stubborn.
0
0
@rysiek Especially because some other people try to get me from XMPP to these "better" networks (privacy-aware techie people). "Just register with your phone number on a central server, install an Electron client and you're all set."
It simply doesn't cut it for me, so !xmpp stays as the only good solution.
1
1

@xrevan86 I am not trying to convince you to drop XMPP.

I am explaining why XMPP is not a solution in my case.

There is an important difference between the two.

0
0

@rysiek @xrevan86 the difference is very important, yet it's hard to tell whether someone is trying to convince your or not even in real life.

0
0
@rysiek @xrevan86 Setting up the XEPs is an annoyance and I think Conversations is the only viable XMPP client. But so long as everything is set up on the server side it just works.

Anything non-federated isn't going to scale. That includes Signal, and Signal has a lot of other problems besides. I can't run Signal without trusting Moxie's server.
3
2

@bob @xrevan86 well it works on *your* server. What about other servers?

We need a clear standard, implemented by and testable against the majority of servers and clients.

Otherwise it's a clusterfsck.

0
2
@rysiek @xrevan86 This is what #freedombone is about, but also ejabberd and prosody need to ship with a default set of xeps which pass all the Conversations tests. If that happened life would be easier.
1
1

@bob @xrevan86 if that happened, XMPP would perhaps become a contender again.

Right now it simply is not.

And I say this as a person who was promoting XMPP back when it was called Jabber.

0
2
@bob ejabberd pretty much does. And Prosody… not so much.
Is Prosody the evil in this equation :-)?
0
0
@rysiek The XEPs that are expected from a modern XMPP client are pretty clear, so if you see a client that doesn't work it out then either it has slow development, dead or doesn't care.
It's like with email: there are lots of dead clients, and people don't expect them to comply with modern standards, they either move on or grow a beard %).
Otherwise I can only think of one solution to the "problem", the one Signal chose – forbid alternatives.
0
0
@rysiek So you think vendor lock-in is not a bad thing?
0
0

@xrevan86 on the contrary, do a little google search for my name and let's talk after you do. Such keywords as "technomonopolies" might be useful, too.

But I have to secure communications of non-techies, today, and in a way that works. XMPP is nowhere near being able to do this.

I am looking at Briar though, with a lot of hope.

0
1
@rysiek That's what I expect of one from fediverse by default :-).
Yet my pseudo-arguement that Signal will do for you because it hates diversity worked oddly well.
0
0

@rysiek @xrevan86
I think you misunderstood Xrevan's point:

Can we have an open standard with multiple client implementations without it becoming unusable for a group of non-tech journalists supported by a single infosec expert?

0
0

@Wolf480pl @xrevan86 yes.

Surprisingly, e-mail is exactly that.

Signal could be that, if it opened the server and enabled federation.

Wire could be that if more people pick it up, but I have to choose my battles and that's not the hill I am willing to die on.

Briar hopefully, one day, in an ideal world.

0
0
@xrevan86 @rysiek servers support of that are more of as problem
plus
>conversations does not have OTR
>pidgin and xabber does not have OMEMO (yet)
0
0
@skoll3 Pidgin has support for OMEMO the same way as OTR: via a third-party plugin called lurch. Pidgin is barely an XMPP client so don't expect more.
And Xabber apparently doesn't implement OMEMO in fears of FSB %).
1
0
@bob Conversations is the flagship !xmpp client, no doubt.
But I wouldn't call the only viable one, Gajim and Psi on desktop are doing a good job.
There's also ChatSecure on iOS but I don't know how good it is, it is actively developed though.
0
0
Mastodon

Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!