ADIL 🦂 丰 ₿ ⚡
npub1vm6…srrc
2025-02-08 06:59:14

XMPP IM criticisms:

You can follow any advice on the client XMPP setup, but the main issue with the protocol is not your endpoint. The issue is the XMPP protocol and related infrastructure.

There are two things you want to do:

1. content of the message (privacy setup),
2. identity (anonymity setup)

Don't mistake those two things!!

1. Privacy
is ensured on XMPP with the OTR or OMEMO encryption. The issue is that the key exchange between the communicating parties is not foolproof. You both *MUST* check the fingerprints through a separate secure channel. This is largely not practiced. If you don't check it right, the underlying infrastructure of XMPP allows the adversary to MITM you and read your messages.

2. Anonymity
is ensured with Tor here. Tor tries to conceal your IP only and nothing more. But Tor, as a low latency network, cannot protect you from revealing your behavioral patterns, your social graph, your login and logout times, the number of messages sent and received at any time, the sender and receiver of the messages, their precise volume and so on *to the XMPP server* and any adversary that can monitor that server.

My advice is: don't use XMPP if at all possible, and use something more resistant like SimpleX, Briar, CWTCH... and similar solutions that mitigate those leaks and diminish or even make impossible those related attacks from active as well as passive adversaries.
Author Public Key
npub1vm68u0w0uhyjsx6rd062u3pufzfa8sd30njsxg3lsppa80aalvhs8gsrrc
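
The fingerprint check the post calls mandatory, as an added example that is not part of the original post: it compares the fingerprint a client shows for a contact against the one the contact reads out over a separate channel, and rejects partial comparisons. It assumes the fingerprint is the hex encoding of a 32-byte identity key; the function names and sample keys are hypothetical and constructed for illustration.

```python
import os

FINGERPRINT_HEX_LEN = 64  # assumption: 32-byte identity key shown as 64 hex characters


def fingerprint(identity_key: bytes) -> str:
    """Render a public identity key as grouped hex, the way chat clients display it."""
    hexed = identity_key.hex()
    return " ".join(hexed[i:i + 8] for i in range(0, len(hexed), 8))


def normalize(shown: str) -> str:
    """Drop separators and case so display differences between clients do not matter."""
    return "".join(ch for ch in shown.lower() if ch not in " :-\n\t")


def verify(from_client: str, out_of_band: str) -> bool:
    """Return True only if the two complete fingerprints are identical."""
    a, b = normalize(from_client), normalize(out_of_band)
    # Comparing only the first or last few groups is not verification: reject it.
    if len(a) != FINGERPRINT_HEX_LEN or len(b) != FINGERPRINT_HEX_LEN:
        return False
    if any(c not in "0123456789abcdef" for c in a + b):
        return False
    return a == b


# Constructed sample keys: random bytes standing in for real identity keys.
bob_key = os.urandom(32)          # the key Bob's device actually holds
substituted_key = os.urandom(32)  # a different key delivered through the server path


def demo() -> dict:
    # Bob reads his fingerprint over a separate channel, in another display format.
    read_aloud = fingerprint(bob_key).upper().replace(" ", ":")
    return {
        "honest": verify(fingerprint(bob_key), read_aloud),
        "mitm": verify(fingerprint(substituted_key), read_aloud),
        "truncated": verify(fingerprint(bob_key)[:17], read_aloud[:17]),
    }


if __name__ == "__main__":
    print(demo())
```
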