Guide to using XMPP in 2024

Major Discord

Hi everyone,

I was recently checking some stuff for XMPP for myself and I thought it may be worthwhile to make a thread. The purpose of this thread is to provide useful information for those who are looking for a small-scale secure instant messaging solution and wish to use XMPP for that purpose. The information given below reflects the situation as of the end of 2024.

What is XMPP?
XMPP = Extensible Messaging and Presence Protocol. As the name suggests, it is just a communication protocol, which helps to exchange instant messages (IMs). The analogue would be the general notion of an e-mail. You can register an email address at different providers and still communicate with each other. Same with XMPP. More information is available at: https://providers.xmpp.net/about/ (archive link: https://archive.is/i3IHp).

Why should you care?
XMPP is easy to host (hence, you can also host an XMPP instance yourself). This also means that you can easily make an account ASAP without giving away your phone number/ID/soul and start communicating (more on this below). It also has state-of-the-art encryption, so your communication should be secure (as long as you actually enable the encryption, more on this, again, later). This provides a pretty solid IM-solution for those who don't want to give out their phone numbers or for those who value their privacy.

How to Get Started?
First of all, you need an account on some XMPP provider/instance/server. For now, let us assume that you are not hosting yourself. In this case a good place to start is: https://providers.xmpp.net/ (archive link: https://archive.is/6nxim). I myself just selected one of the category A providers. From my experience they are pretty similar to each other. Usually you do not need any information (even an associated e-mail address) for registering an account. If any instance wants any additional information, feel free to switch. The precise provider doesn't matter as long as they have implemented the required extensions.

What are XMPP Extensions?
XMPP by itself is pretty old and bare-bones. The idea behind it is to be as lightweight as possible and to allow additional functionality via extensions - this includes E2EE, ability to get messages on multiple devices and so on and so forth. This is why it is important that your selected provider has implemented the necessary extensions. The information on the implemented extensions is available sometimes on the website, but also in the server information, which you see when you log into it. The list of all possible extensions can be found in here: https://xmpp.org/extensions/ (archive link: https://archive.is/dQoHB). For me, the most important ones are:

  • XEP-0280: Message Carbons - if you use the same account on phone/PC/multiple devices this makes it so each device gets all the messages, regardless of which device was active at that moment in time.
  • XEP-0313: Message Archive Management/MAM - this gives the feature of having your message history stored on the server. Example - if you connect a new device, in theory, you can get all the previous messages from the server (this doesn't always work, more on this later).
  • XEP-0363: HTTP File Upload - allows you to upload media and all sorts of files using the server.
  • XEP-0384: OMEMO Encryption - for E2EE.

How does the Encryption work in XMPP?
Broadly speaking, XMPP supports PGP and OMEMO encryption methods. People say you shouldn't use PGP anymore, since OMEMO provides a better solution. If you know what PGP is and how to use it, then most likely you know what advantages/disadvantages it has for you. If you don't know what PGP is, you can learn about it, for example, from this article: https://proton.me/blog/what-is-pgp-encryption (archive link: https://archive.is/S1j0k) (or just search for a different one or a video).
Generally speaking, if you don't want to bother with any of this, just use OMEMO encryption. This is the recommendation for XMPP. OMEMO uses the same encryption method (Double Ratchet algorithm) as Signal. It is modern, secure and people like it.

What Clients should I Use?
So far we covered what XMPP is and how to make an account using one of the publicly available providers. Once you have made the account, you need to use a piece of software (an XMPP client) to log in to your account and to use it. There are various clients and in all honesty none of them are very good. A comprehensive list is available on: https://xmpp.org/software/ (archive link: https://archive.is/SnIk1). Here are some personal comments:

Windows - Gajim. I think this is the only one which is still actively maintained. Interface is not as clean or straightforward but gets the job done.
Android - Conversations. Is snappy and seems to work. I did have a few times where it missed the messages and did not get the ones that I got on my desktop client.
iOS - This one is difficult. I don't think there is a good XMPP client for iOS. Monal and Siskin are the ones that people use but both seem to be buggy.
Linux - Gajim and Dino seem to be what most people use. I think some people also use Pidgin, but I don't like it.


Using XMPP
So now we have the account and we can just use XMPP. Just add the other person and start chatting, there is not really much else to explain. However, I want to use this section for some personal comments.
  1. Activating the encryption. When you start chatting, it may be that the encryption is disabled or OMEMO is not enabled. Always double-check this. Usually it is easy to find in the settings or in the chat window. Probably each client has a setting where you can enable OMEMO by default.
  2. OMEMO and messaging history. I was not able to reliably use the Message Archive Management to retrieve message history from the server. I talked with the server admin about this issue - it seems that something goes wrong and it is not clear what. I tried on multiple servers and still no luck. The message history seems to be a general problem for multi-device E2EE messengers. My recommendation here would be: back up the history yourself if it is important to you. Conversations on Android allows export and for Gajim I think you just need to back up the entire Gajim folder, which will contain all the history and shared files.
  3. Getting your account banned. I had the case when my account was randomly banned. After I talked with the server admin, he said it has to do with the way he filtered for spam accounts. The point here is - if you get banned and you have no clue why, just contact the server admin, it could've been a small mistake which can be reversed ASAP.
  4. Why don't my favourite privacy guides mention XMPP? As far as I understood this has to do with the fact that XMPP per se is not secure. It depends on the extensions and due to many providers the XMPP ecosystem is fragmented. I found some discussions here useful: https://discuss.privacyguides.net/t/why-not-xmpp (archive link: https://archive.is/oOWXo).
  5. Self-hosting. I have not hosted an XMPP server myself so I do not wish to comment on it here. However, other people have covered it. Here are some links.
    1. From Luke Smith: https://landchad.net/prosody/ (archive link: https://archive.is/ieulM) and https://landchad.net/ejabberd/ (archive link: https://archive.is/2I2Y0).
    2. Mental Outlaw: https://youtu.be/Ot_EmQ8xdJw (not really an important or very good video imo, so I see no sense in attaching it to this post. Just search for "how to setup an xmpp server" in case this gets taken down).
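
The extension list above can be checked against what a provider actually advertises over service discovery (XEP-0030). The following is an added example, not part of the original post: it parses disco#info replies and reports which of the four extensions are covered. The `example.org` names and the sample replies are constructed; the feature namespaces are the ones defined in the respective XEPs.

```python
import xml.etree.ElementTree as ET

NS = "{http://jabber.org/protocol/disco#info}"
# Feature namespaces defined by the XEPs the post lists.
FEATURES = {
    "XEP-0280 Message Carbons": "urn:xmpp:carbons:2",
    "XEP-0313 Message Archive Management": "urn:xmpp:mam:2",
    "XEP-0363 HTTP File Upload": "urn:xmpp:http:upload:0",
}
# OMEMO (XEP-0384) runs in the clients; from the server it needs PEP
# (XEP-0163), advertised as an identity rather than a feature.
PEP = ("pubsub", "pep")

def parse_disco(xml_text):
    """Return (features, identities) from one disco#info <iq/> reply."""
    iq = ET.fromstring(xml_text)
    query = iq.find(NS + "query")
    if iq.get("type") != "result" or query is None:
        return set(), set()  # error reply: counts as "not advertised"
    feats = {f.get("var") for f in query.findall(NS + "feature")}
    idents = {(i.get("category"), i.get("type"))
              for i in query.findall(NS + "identity")}
    return feats, idents

def check_provider(replies):
    """Merge replies from the server, the account and its components."""
    feats, idents = set(), set()
    for reply in replies:
        f, i = parse_disco(reply)
        feats |= f
        idents |= i
    report = {name: ns in feats for name, ns in FEATURES.items()}
    report["XEP-0384 OMEMO (server-side PEP)"] = PEP in idents
    return report

Q = "<query xmlns='http://jabber.org/protocol/disco#info'>"
# Constructed sample replies (hypothetical example.org provider).
SERVER = (f"<iq xmlns='jabber:client' type='result' from='example.org'>{Q}"
          "<identity category='server' type='im'/>"
          "<feature var='urn:xmpp:carbons:2'/></query></iq>")
ACCOUNT = (f"<iq xmlns='jabber:client' type='result' from='user@example.org'>{Q}"
           "<identity category='pubsub' type='pep'/>"
           "<feature var='urn:xmpp:mam:2'/></query></iq>")
UPLOAD = (f"<iq xmlns='jabber:client' type='error' from='upload.example.org'>{Q}"
          "</query></iq>")

if __name__ == "__main__":
    for name, ok in check_provider([SERVER, ACCOUNT, UPLOAD]).items():
        print(f"{'ok     ' if ok else 'MISSING'}  {name}")
```

In the sample, the upload component answers with an error, so HTTP File Upload is reported as missing while the other three pass.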
 