The main problem with this article is that all the points apply equally to other services, but the article frames it such that it implies the problems are unique to XMPP.

Half the article is dedicated to obsessing that the server can see your IP address. This is true of every internet service, and is how the internet works. Tools to solve this (e.g. Tor, VPNs) are well known and established solutions if you need to hide your IP from websites and services you use.

Common alternatives to XMPP that people may recommend include Signal and Matrix, but both certainly see your IP address just as easily.

XMPP uses passwords for authentication, rather than phone numbers. Since the server needs to use the password to verify you are you, there should be no surprise that it is sent to the server when you create your account or change your password. Just like any website or service that utilizes passwords for authentication.

Pretty much everything else listed is solved by verified end-to-end encryption, which is the primary solution to these problems regardless of any platform or protocol you use. Again, not a problem with XMPP specifically.

Instead of focusing on helping educate people sensibly about these things, the article seems to be a lot of biased scaremongering.

Full disclosure: I'm actively involved in various XMPP projects, including the XMPP Standards Foundation, Prosody and Snikket. Obviously I have a very keen interest in protocol design, secure online communication and the various available platforms/tools.
The article is a weird mix, partially very relevant information [0], partially just saying "using XMPP without E2E encryption is… not E2E encrypted" which is a weird thing to get worked up about. Maybe I'm missing something here?

[0]: And honestly, something I have not thought about. I host my own XMPP server (Prosody) with only 2 accounts, mine and my wife's, so it doesn't affect me. But obviously you can't expect everyone to just host their own server.
I was not really expecting XMPP to do anything else by default, to be honest. If you want end-to-end encryption, the hard thing is to do the initial key exchange in a way that the server can't just MITM. It is extremely rare that somebody compares the "security numbers" of services like Signal to be sure there is no interposer. One solution might be to do key exchange by a completely separate third party.

Or, instead of running your own server, you could just move the server completely into the client (and maybe have an external server only to buffer encrypted messages while you are offline). I wonder, is it possible to send P2P data from one cell phone to another nowadays? It used to be impossible to have any incoming open port, but I think in some circumstances you can use CGNAT hole punching, connect to other users on your carrier directly, or even use IPv6?
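The comment above describes why comparing "security numbers" matters: a server that relays key bundles can substitute its own keys, and the only thing that exposes it is an out-of-band comparison of a value derived from both identity keys. The following is an added example, not code from any commenter or from Signal or XMPP; the `safety_number` derivation, the `Client` class and both relay functions are hypothetical, and the keys are constructed from fixed strings so the run is reproducible (no real key agreement is performed).

```python
import hashlib
from dataclasses import dataclass

# Constructed identity keys: hashes of fixed strings standing in for the
# long-term public keys each client would publish through the server.
ALICE_KEY = hashlib.sha256(b"constructed-alice-identity-key").digest()
BOB_KEY = hashlib.sha256(b"constructed-bob-identity-key").digest()
# Keys an interposing server would hand out instead of the genuine ones.
FAKE_BOB_KEY = hashlib.sha256(b"constructed-interposer-key-shown-to-alice").digest()
FAKE_ALICE_KEY = hashlib.sha256(b"constructed-interposer-key-shown-to-bob").digest()


def safety_number(my_key: bytes, peer_key: bytes, digits: int = 60) -> str:
    """Hypothetical 'security number': a hash over both identity keys.
    Sorting the keys first makes the value symmetric, so both users compute
    the same string when each holds the other's genuine key. That symmetry is
    what lets them compare it by voice or in person without any server."""
    digest = hashlib.sha256(b"".join(sorted((my_key, peer_key)))).digest()
    decimal = str(int.from_bytes(digest, "big")).zfill(digits)[-digits:]
    return " ".join(decimal[i:i + 5] for i in range(0, digits, 5))


@dataclass
class Client:
    name: str
    identity_key: bytes
    peer_key: bytes = b""  # whatever key the server delivered for the contact

    def shown_number(self) -> str:
        return safety_number(self.identity_key, self.peer_key)


def relay_keys_honestly(alice: Client, bob: Client) -> None:
    """A server that forwards key bundles unmodified."""
    alice.peer_key = bob.identity_key
    bob.peer_key = alice.identity_key


def relay_keys_with_interposer(alice: Client, bob: Client) -> None:
    """A server that substitutes its own keys in each direction. Each client
    sees a perfectly valid-looking key; nothing in the protocol flags it."""
    alice.peer_key = FAKE_BOB_KEY
    bob.peer_key = FAKE_ALICE_KEY


def numbers_match(alice: Client, bob: Client) -> bool:
    """The out-of-band check: the two users read their numbers to each other.
    A mismatch is the detection signal for an interposed key exchange."""
    return alice.shown_number() == bob.shown_number()


def run_scenarios() -> dict:
    """Run both relays and report whether the comparison would pass."""
    results = {}
    for label, relay in (("honest", relay_keys_honestly),
                         ("interposer", relay_keys_with_interposer)):
        alice = Client("alice", ALICE_KEY)
        bob = Client("bob", BOB_KEY)
        relay(alice, bob)
        results[label] = numbers_match(alice, bob)
    return results


if __name__ == "__main__":
    for label, ok in run_scenarios().items():
        print(f"{label:10s} security numbers match: {ok}")
```

The point of the example is the asymmetry the comment describes: the substitution itself is invisible inside the protocol, and only a comparison performed over a channel the server does not control (or a trusted third party doing the exchange, as the comment suggests) turns it into a visible mismatch.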
These points are good to know, but as others pointed out they apply to email, Matrix, ActivityPub and other federated protocols. I believe we have published a rather comprehensive security/privacy FAQ here: https://joinjabber.org/faqs/security/

Let me know if you find some information missing in there!

PS: I don't understand why the infosec-handbook.eu article appears posted on November 1, 2021. It was published in August 2018, see also: https://web.archive.org/web/20201208132104/https://infosec-handbook.eu/tags/xmpp/
Is there a better alternative that meets the following constraints:

* standards based: i.e. it has demonstrated commitment to openness and universality
* multi stakeholder: i.e. it has momentum
* can self host: i.e. power can reside with communities
* has clients that support encrypted video chat: i.e. I can use it today.

XMPP does that.
This article triggers one of my current pet peeves. It treats privacy and anonymity as more or less the same thing. Anonymity is a sort of privacy related to identity, but it is not required that you are anonymous to have privacy. Everyone can know that I am sending encrypted messages to other people but those messages are still private. Anonymity should be discussed as a special case.

Having said that, XMPP can be quite anonymous in practice. There are public XMPP servers running on hidden services. XMPP servers do not insist that you give them any personal information at all. In particular they normally do not require a phone number.
I wonder why they chose to investigate a plain text connection to the XMPP server instead of SSL or TLS? As far as I recall there's a "starttls" command on the standard 5222 port, after that things get encrypted and all their tcpdump tricks fail. Almost none of the XMPP clients use a plain text connection nowadays.
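The comment above points at the STARTTLS step on port 5222. Whether a plaintext capture can ever see anything useful depends on what the server advertises in its initial `<stream:features>`: RFC 6120 has a server that mandates TLS include `<required/>` inside `<starttls/>` and withhold SASL mechanisms until TLS is up. The following is an added example, not code from any commenter or from an XMPP project; it parses constructed feature stanzas (modelled on the RFC 6120 examples) with the standard library and classifies them the way an operator auditing their own server's configuration would. The function names and the `verdict` labels are hypothetical.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample stanzas: what a server might send right after the
# client opens the stream on port 5222, before any encryption.
FEATURES_TLS_REQUIRED = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
</stream:features>"""

FEATURES_TLS_OPTIONAL = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_NO_TLS = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""


def check_stream_features(features_xml: str) -> dict:
    """Classify a <stream:features> stanza received over the plaintext stream.

    Elements are matched by namespace, which is how XMPP defines them; the
    <required/> child inherits the xmpp-tls default namespace of <starttls>.
    """
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    mechanisms = root.find(f"{{{SASL_NS}}}mechanisms")
    offered = starttls is not None
    required = offered and starttls.find(f"{{{TLS_NS}}}required") is not None
    sasl = [m.text for m in mechanisms] if mechanisms is not None else []
    return {
        "starttls_offered": offered,
        "starttls_required": required,
        # Any SASL mechanism listed before TLS is mandatory means a client
        # could authenticate in the clear; PLAIN would expose the password.
        "auth_offered_before_tls": bool(sasl) and not required,
        "plain_password_in_clear": "PLAIN" in sasl and not required,
    }


def verdict(result: dict) -> str:
    """Reduce the classification to a one-word audit outcome."""
    if result["plain_password_in_clear"] or not result["starttls_offered"]:
        return "fail"
    if not result["starttls_required"]:
        return "warn"
    return "ok"


if __name__ == "__main__":
    for label, stanza in (("required", FEATURES_TLS_REQUIRED),
                          ("optional", FEATURES_TLS_OPTIONAL),
                          ("none", FEATURES_NO_TLS)):
        print(f"{label:9s} -> {verdict(check_stream_features(stanza))}")
```

The classifier has nothing to say about the client side: even with `<required/>` advertised, a client that ignores stream features could still try to authenticate first, which is why the comment's observation that almost no current client does so matters as much as the server setting.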