If you’ve ever tried to find a private and secure option for instant messaging, you likely noticed that IM comes in three main flavors: centralized, federated, and peer-to-peer (P2P).
The centralized model (Signal), while convenient for users, ought to be avoided whenever possible as you have no control over what software runs on the servers and are making yourself dependent on one entity. When the server goes down, you can’t use the service. This was demonstrated a few years ago when Elon Musk tweeted about Signal and because of the enormous number of new users, it was basically unusable for over a week.
P2P solutions (Briar), ideally over Tor, are probably the most secure but, as there are no servers, both sender and recipient need to be online at the same time for a message to be sent which is less than ideal for everyday use.
Federated options, such as XMPP, seem to be the most reasonable choice for instant messaging as they don’t require all parties to be connected to the Internet simultaneously while remaining resilient to attacks and mass surveillance - if one server goes down, you can simply switch to a different one; there’s no single entity to subpoena. You can also host your own server.
What is XMPP
XMPP (Extensible Messaging and Presence Protocol), formerly known as Jabber, is a communications protocol which utilizes XML. It has many applications but is most commonly used for instant messaging.
It’s federated, meaning it uses a client-server architecture but there’s no one central server; users of different servers can interact with one another - kind of like e-mail.
To get through to someone on the XMPP network, one needs to know their JID (Jabber ID). JIDs are structured the same way e-mail addresses are, comprising of a username, an at sign, and the domain name of the server on which the user’s account resides, for example
username@example.com .
Messages sent over the XMPP network are not encrypted by default - make sure to enable some kind of encryption!
Encryption options
XMPP is extensible and hence there are a number of encryption methods available. Some clients, for example Gajim, require you to install extensions for these while other ones might have them preinstalled.
-
OMEMO - probably the best option for most purposes. It’s based on the Signal Protocol and provides multi-end to multi-end encryption, allowing messages to be synchronized securely across multiple clients. Read more here.
-
OpenPGP - the good old PGP encryption. You can add a public key to your account to make it easy for people to find it. You don’t have to encrypt messages yourself - it happens automatically. When you receive an encrypted message, you’ll be prompted for your private key’s password to decrypt it.
-
OTR - this extension has been made obsolete in favor of OMEMO. Don’t use it.
Choosing software
The choice of client and server software, especially the former, can be quite overwhelming - there are lots of options. Here are some recommendations to make it easier.
Client:
-
Windows - Gajim
-
Android - Conversations
-
iOS - ChatSecure, Monal
Server:
-
Prosody - lightweight; allows you to run an XMPP server on Tor or I2P
-
ejabberd - very feature-rich but heavy on resources
Choosing a server
If you don’t host your own server, you’ll have to choose one of the public ones.
The most popular server is jabber.org but I discourage you from using it. Why? Take a look at the Matrix protocol. In theory it’s federated but because almost everyone uses the matrix.org server, the network is basically centralized. For a federated network to be healthy, users should be spread out among many servers.
Another reason why I’m not recommending Matrix is because the server software is a resource hog so it’s more expensive to self-host.
So, what server should you use? If you have a friend who has an XMPP server, use it. If not, check out this non-exhaustive list of public servers. It’s probably best to choose one which is geographically close to you. You can also use servers on the Tor Network or I2P.
Make sure the server of your choice passes this compliance test! The site also shows a few randomly chosen compliant servers every time you reload the page - this might actually be a better way of choosing a server than the list I linked to.
Creating an account
Most public servers allow registration through a client app. You simply provide the domain name of a server, username, and password; you may also be asked to fill in a captcha. This is called in-band registration. Some servers also allow registration through their website.
Summary
Having read this post, you should now be familiar with the basics of XMPP - what it is, how it roughly works, what encryption methods are available, what software to use, and how to create an account.
Of course, making your family switch to it is a challenge (if you have any success with it, let me know) but there’s no reason not to try getting your tech-savvy friends interested in it. Send them this article - it’s literally a 5 minute read - and hope for the best. Insisting won’t work.
Fun fact: WhatsApp is based on XMPP but their implementation of it is absolutely proprietary and owned by FBIBook so don’t use it. Still, it speaks volumes in terms of how good XMPP is. And it technically makes it the most popular IM protocol in the world.