this post was submitted on 09 Feb 2026
103 points (94.8% liked)

Open Source

44288 readers
664 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 6 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
103
Best apps for private messaging (www.privacyguides.org)
submitted 1 day ago by Maragato@lemmy.world to c/opensource@lemmy.ml
83 comments fedilink hide all child comments
 

Hello. I am looking for an alternative to Telegram and I prefer an application that uses decentralised servers. My question is: why is the xmpp+omemo protocol not recommended on websites when it is open source and decentralised? The privacyguides.org website does not list xmpp+omemo as a recommended messaging service. Nor does this website include it in its comparison of private messaging services.

https://www.privacyguides.org/en/assets/img/cover/real-time-communication.webp

Why do you think xmpp and its messaging clients such as Conversations, Movim, Gajim, etc. do not appear in these guides?

you are viewing a single comment's thread
view the rest of the comments
[–] Neptr@lemmy.blahaj.zone 19 points 1 day ago (2 children)

Here is a blog post by a widely respected cryptographer on why XMPP+OMEMO is not secure: https://soatok.blog/2024/08/04/against-xmppomemo/

[–] artyom@piefed.social 3 points 1 day ago (2 children)

This post is 1.5 years old and outdated.

[–] Hazematman@lemmy.ca 2 points 1 day ago

Do you know if there is a more up to date description of xmpp e2ee without having to read the spec. Specifically interested in stuff like how much metadata is leaked.

[–] Neptr@lemmy.blahaj.zone 2 points 1 day ago (1 children)

What has changed?

[–] artyom@piefed.social 2 points 1 day ago (1 children)

They updated OMEMO

[–] Neptr@lemmy.blahaj.zone 5 points 1 day ago

Did that fix any of the underlining issues with OMEMO use across XMPP clients, such as odd/opaque choices by the OMEMO maintainer, or the fragmentation of OMEMO versions used by clients (most being very out-of-date)?

Let me be clear: I am NOT anti-XMPP (or even OMEMO). I would love to see it succeed because I much prefer it over Matrix and other alternatives. My problem isn't with the technology, just the implementation.

[–] u_tamtam@programming.dev 0 points 1 day ago (1 children)

This blog post has been debunked as fallacious (posing as evidence what's unsubstantiated), and in bad faith (some comments, including by the protocol developers, were removed from the blog's comments section). That aside, if you are left unimpressed by the crypto jargon, all you take away from it is that Soatok really likes Signal and this isn't Signal. There have been several independent audits on OMEMO, it's used today by serious institutions and governments, it's been under more scrutiny than soatok gave it, and there's nothing knowingly insecure about it.

[–] Neptr@lemmy.blahaj.zone 10 points 1 day ago (1 children)

OMEMO leaks plenty of metadata; most things other than message contents are left unencrypted. Many of the mature XMPP use different OMEMO versions (which can be hard to tell when the client doesn't clearly state the XEP versions, like Snikket). I spent 40 min scouring Snikkets website and source repo without any clear way to determine what version of OMEMO they bundle. I said OMEMO+XMPP because no matter how secure your protocol is, the actual implementation by your largest userbases determine real-world security.

And lastly, just because "serious institutions and governments" use it doesn't make it more secure. Many European governments use Matrix, and that has even worse security, breaks forward secrecy, doesn't encrypt basically anything other than message content, etc. Many governments have critical systems that run unpatched Win 7 or older. My point is that security is independent of adoption.

[–] u_tamtam@programming.dev 1 points 3 hours ago

OMEMO leaks plenty of metadata

Could you even cite an example of such leaked metadata? I'd like to also remind you that metadata leaking to your own server (which you can chose, which you can self-host) isn't as big a deal in XMPP as it is with other services. Which is also why I can't take Soatok's opinion about and obsession for Signal seriously: when all accounts are hosted by a single actor, you have a much bigger metadata problem, and all obfuscation attempts (sealed senders being one) are ultimately defeated by simple timing and packet correlation attacks.

I spent 40 min scouring Snikkets website and source repo without any clear way to determine what version of OMEMO they bundle.

You were probably looking at a rebrand/spin of https://xmpp.org/software/conversations/ . All major XMPP clients and servers declare their compat via DOAP: https://xmpp.org/extensions/xep-0453.html

My point is that security is independent of adoption.

Correct, but in this case OMEMO is secure and is used in contexts where security actually matters. There have been multiple audits of it over the years: