Also we have to get rid of any messenger that requires your mobile phone number as your unique identifier, even much-lauded #Signal. It locks you inside the conventional, easy-to-track phone infrastructure. Try #Conversations instead, on a WiFi-only device. It uses the decentralized XMPP and works like a charm.
@kensanata @ralph @hinterwaeldler
It’s all about tradeoffs, right? Whether phone number leaking is a big deal largely depends on your threat model. Some people need to keep that number private. Others assume the attacker knows it already.
Network effects matter too. Many are already using Signal. More have heard of it.
“Is Signal ideal?” isn’t the question but rather “Is Signal better for my situation than what I use today?”
@mkb @hinterwaeldler @ralph @kensanata #CopperheadOS has a good list in the usage guide: https://copperhead.co/android/docs/usage_guide#messaging
#Conversations is at the top of the list most recommended, then #Signal, then #WhatsApp and others.
@uranther @kensanata @ralph @hinterwaeldler Cool. Conversations is a new one to me. I’ll check it out.
@mkb @uranther @kensanata @ralph @hinterwaeldler Do it, you won't regret it. If you want to read more about the rationale behind some of the design choices, check out https://gultsch.de/. It's really the best there is at the moment.
@uranther @kensanata @hinterwaeldler @mkb What's a recommended xmpp server for conversations?
@ralph @uranther @kensanata @hinterwaeldler @mkb I recommend dismail.de. Conversations with OMEMO on LineageOS or Replicant and dismail.de are the perfect combination. But the good thing is, you can choose for yourself. Check the feature compliance on https://conversations.im/compliance/ and the availability on https://status.conversations.im/historical/ and make your own choice, that's what's so great about it :)
@resist_berlin @uranther @kensanata @hinterwaeldler @mkb Yeah, about that. It would be much more helpful with a list of xmpp servers that does support those extensions. Instead of everyone having to do that research. But someone will probably write that list soon :)
@ralph @uranther @kensanata @hinterwaeldler @mkb I guess that's the price of federation... Users will have to make *some* choices on their own again. Having *the one* go-to service would ruin the entire idea. But I understand the problem, I will probably make a list of 5-10 recommended services in the future and explicitly say that they're equally good. It's like buying things in real life, not one choice will be ideal but several will be reasonably good. People need to get used to that.
@resist_berlin @uranther @kensanata @hinterwaeldler @mkb Sorry, I should probably clarify. I meant server software in case I want to run it myself. Great with a service list though!
@ralph @uranther @kensanata @hinterwaeldler @mkb Oh, sorry, totally didn't get that. People usually use ejabberd or prosody, both are good choices. And they're easy to set up, but fairly difficult to fine tune if you want to support all current XEPs. Tried it myself, achieved about 90% of what I wanted, eventually gave up. Unless you're really willing, it's a good idea to leave this to the specialised guys. Especially if you want to have full OMEMO support and http upload etc... Not fun.
@resist_berlin @uranther @kensanata @hinterwaeldler @mkb Just means there's room for improvement. It'll happen :)
@resist_berlin @ralph @uranther @kensanata @hinterwaeldler @mkb I had good success with ejabberd. In recent versions it's as easy as uncommenting a few lines in the config file and setting up a few port forwards and DNS entries. The bigger problem was that nobody wanted to change from e.g. Hangouts to XMPP and the transport doesn't support photo attachments properly.
@mbirth @resist_berlin @ralph @uranther @kensanata @hinterwaeldler
I find the human angle to be the bigger hurdle most of the time. Convincing people to change behavior is hard. Either they don’t think it’s important or they are so overwhelmed they give in to security nihilism and don’t think they stand a chance.
@mkb @resist_berlin @ralph @uranther @kensanata @hinterwaeldler Mostly, they're just lazy. "I already have WhatsApp with all my buddies on it, why should I switch? And I don't even need an account with WhatsApp, why should I have to create one with <insert alternative>?"
@mkb @kensanata @hinterwaeldler Definitely. It's always about trade offs.
@mkb @kensanata @ralph @hinterwaeldler Signal has almost no advantages over WhatsApp or Threema. It is just marketed differently, to a different target group. Almost all modern messengers have some form of e2e-encryption, so Signal is not that special there, plus it is centralised, uses a strong selector as your identifier, key management is a nightmare and the main developer is not trustworthy. If you can, move away from Signal. Slowly, but steadily.
@resist_berlin @kensanata @ralph @hinterwaeldler Yeah, I certainly don’t mean to suggest Signal is perfect. Like you said, using phone numbers is a problem for many threat models. All three chat apps are centralized which has disadvantages also.
IIRC, Threema’s protocol is secret so hasn’t been rigorously analyzed by the community. WhatsApp’s privacy policy explicitly gives them permission to share with FB which makes it a nonstarter for me. YMMV.
@resist_berlin @kensanata @ralph @hinterwaeldler TBH I’ve installed Wickr and Threema but don’t know anybody else using them so for all I know the UX is amazing on both.
briar: messenger with meshnet, encryption, forum, blog....
@thomas
xmpp is great, and it's always great to not depend on one system.
If Briar gets out of beta I will simply use both and email.
@paulfree14 @resist_berlin I can see it being useful during concerts / big events, where phone networks die due to heavy load. I can't find my friends because I have no reception and so on... Coordination during mass protests...
But how can mesh networks scale? If I'm in bad luck, my phone is the only mesh-node that connects two parts of the network. Will my phone have to transmit EVERY message (even the ones from other users) between the two network parts?
@resist_berlin @hinterwaeldler
* oh, sry I just shortly visited their webpage again and now I'm not sure if it's really a #meshnet or 'just' #p2p
here's an explanation of mesh networking:
https://en.m.wikipedia.org/wiki/Mesh_networking
@resist_berlin @hinterwaeldler
...though to make mesh networks scale, you'll need to make sure that there are enough nodes.
@resist_berlin Is that available on iOS?
@taoeffect No, but you can try ChatSecure instead. It supports XMPP and OMEMO and works well, it just has stricter key management. I.e. you have to confirm every new fingerprint your contacts might have before writing to them. Apart from that, it's the go-to XMPP+OMEMO solution for iOS :)
@resist_berlin Ah, yes I have it installed but these protocols require you to be online, unrealistic for mobile and in general.
@taoeffect True, sorry I forgot about that aspect on iOS. Conversations handles it really well, but I know that Chatsecure clients appear offline most of the time to other XMPP clients. *If you know* however that someone uses Chatsecure - as do some family members of mine - you get used to it. Afaik you can still write to Chatsecure whenever you want and it will receive the message, right? And if not there should be a workaround? Sorry again, I'm not that familiar with the Apple world :/
@resist_berlin Hmm. I dunno, it seems to just not send if they’re not online
@taoeffect What combination of messengers are you talking about? If you mean Chatsecure <-> Chatsecure, there could be some problems, never tried that. But I know that Conversations <-> Chatsecure works reasonably well :) Would be interesting to learn more about a Chatsecure-only world...
@ralph I totally agree with "we have to get rid of any messenger that requires your mobile phone number as your unique identifier." This has been annoying me for quite a while, now.