he4et/oddsquat
1
0
Fork 0
mirror of https://github.com/He4eT/oddsquat.git synced 2026-05-04 20:37:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

posts: encrypted_XMPP: update draft

Browse source
This commit is contained in:
He4eT 2026-04-16 00:49:06 +02:00 committed by Alexey
commit 3b86481104
1 changed files with 33 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

66
src/pages/posts/2026/encrypted_XMPP.md
View file

@ -22,25 +22,25 @@ using alternative clients, which was quite annoying.
After yet another round of this pointless battle After yet another round of this pointless battle
I realized clearly that I prefer protocols over services. I realized clearly that I prefer protocols over services.
I didnt have much success back then, I didn't have much success back then,
but fortunately, XMPP (and I hope I have too) but fortunately, XMPP (and I hope I have too)
has continued moving forward over the past two decades. has continued moving forward over the past two decades.
It has developed slowly, sometimes awkwardly, but steadily. It has developed slowly, sometimes awkwardly, but steadily.
Here, I wont talk about why XMPP is great or how it works. Here, I won't talk about why XMPP is great or how it works.
You can check You can check
<a <a
href='https://contrapunctus.codeberg.page/the-quick-and-easy-guide-to-xmpp.html' href='https://contrapunctus.codeberg.page/the-quick-and-easy-guide-to-xmpp.html'
target='_blank'> target='_blank'>
this guide</a> this guide</a>
(one of many) and Id rather not write another one. (one of many) and I'd rather not write another one.
In this post, I want to focus specifically on end-to-end encryption In this post, I want to focus specifically on end-to-end encryption
and the practical aspects of using it. and the practical aspects of using it.
## Short Glossary ## Short Glossary
**End-to-end encryption** is a way to keep your chats truly private.<br> **End-to-end encryption** is a way to keep your chats truly private.<br>
Only you and the person youre messaging can read the messages. Only you and the person you're messaging can read the messages.
Not even the server owner has the keys needed to decrypt or modify them. Not even the server owner has the keys needed to decrypt or modify them.
**XMPP** is an extensible protocol for instant messaging. **XMPP** is an extensible protocol for instant messaging.
@ -82,9 +82,9 @@ before its long dive into enshitification,
really draws the line between convenience and security. really draws the line between convenience and security.
Regular chats are easy and flexible, Regular chats are easy and flexible,
but "secret" chats come with a full set of limitations: but "secret" chats come with a full set of limitations:
theyre one-on-one only, they're one-on-one only,
cant be synced to another device, can't be synced to another device,
arent available on desktop at all, aren't available on desktop at all,
and so on. and so on.
All commercial so-called "secure" messengers, like Signal or WhatsApp, All commercial so-called "secure" messengers, like Signal or WhatsApp,
@ -92,12 +92,12 @@ end up with pretty similar limitations,
because it's tricky to make end-to-end encrypted chats because it's tricky to make end-to-end encrypted chats
work the way users expect. work the way users expect.
Luckily, protocols and cryptography dont care about Luckily, protocols and cryptography don't care about
convenience or user expectations. convenience or user expectations.
Many XMPP clients let you do almost anything youre trying to do. Many XMPP clients let you do almost anything you're trying to do.
Sometimes its clunky and unintuitive, Sometimes it's clunky and unintuitive,
sometimes its the kind of freedom that lets you shoot yourself in the foot. sometimes it's the kind of freedom that lets you shoot yourself in the foot.
At the end of the day, youd better understand what youre doing. At the end of the day, you'd better understand what you're doing.
It might sound messy, but for that price, XMPP actually It might sound messy, but for that price, XMPP actually
gives you a lot of handy features: gives you a lot of handy features:
@ -108,7 +108,7 @@ without being tied to any proprietary service.
In general, the XMPP experience today In general, the XMPP experience today
could be described as a "WhatsApp with benefits and frictions". could be described as a "WhatsApp with benefits and frictions".
It's kinda ironic, considering that WhatsApps protocol It's kinda ironic, considering that WhatsApp's protocol
is actually based on XMPP, but incompatibly altered and defederated. is actually based on XMPP, but incompatibly altered and defederated.
### Keys, Fingerprints and Trust ### Keys, Fingerprints and Trust
@ -123,10 +123,10 @@ and can derive a hash from them, commonly called a fingerprint.
Keys are usually managed automatically by the XMPP client, Keys are usually managed automatically by the XMPP client,
and in normal use you should never need to handle them manually. and in normal use you should never need to handle them manually.
In fact, you probably dont even need to know what they look like. In fact, you probably don't even need to know what they look like.
A fingerprint lets you identify a specific client of your contact A fingerprint lets you identify a specific client of your contact
and verify that it hasnt been spoofed. and verify that it hasn't been spoofed.
Fingerprints for an account are not secret: Fingerprints for an account are not secret:
clients publish their own fingerprints to the XMPP server clients publish their own fingerprints to the XMPP server
and automatically receive the fingerprints of others. and automatically receive the fingerprints of others.
@ -194,14 +194,14 @@ some data to a new device.
### Message Correction ### Message Correction
Its worth keeping in mind that It's worth keeping in mind that
features that seem simple and straightforward at first glance, features that seem simple and straightforward at first glance,
such as message editing and deletion, such as message editing and deletion,
actually rely on client-side implementation actually rely on client-side implementation
and may not behave for your recipient the way you expect. and may not behave for your recipient the way you expect.
Theyre fine to use and are well supported in some clients, They're fine to use and are well supported in some clients,
but you shouldnt rely on them to hide anything. but you shouldn't rely on them to hide anything.
### Maintenance ### Maintenance
@ -209,7 +209,7 @@ OMEMO was designed as a set-it-and-forget-it solution,
and it mostly succeeds in that goal. and it mostly succeeds in that goal.
If you have a basic understanding of how the protocol works If you have a basic understanding of how the protocol works
and check in online from time to time, and check in online from time to time,
there shouldnt be any surprises. there shouldn't be any surprises.
All maintenance comes down to making regular backups All maintenance comes down to making regular backups
and notifying your contacts and notifying your contacts
@ -218,16 +218,16 @@ so they can keep their trust list up to date.
## Step-by-Step Guide ## Step-by-Step Guide
Lets say I have a XMPP account, `me@some.server`, Let's say I have a XMPP account, `me@some.server`,
and a few devices: a phone, a laptop, and a desktop computer. and a few devices: a phone, a laptop, and a desktop computer.
First Ill describe my mindset at a high level, First I'll describe my mindset at a high level,
then Ill add some notes about specific clients. then I'll add some notes about specific clients.
### Client Roles ### Client Roles
On the one hand, I have my phone. On the one hand, I have my phone.
Its almost always with me and almost always online. It's almost always with me and almost always online.
Thats where I keep the full chat history and get real-time notifications. That's where I keep the full chat history and get real-time notifications.
On the other hand, I have a couple of desktop applications. On the other hand, I have a couple of desktop applications.
I only open them when I need to discuss something using my keyboard I only open them when I need to discuss something using my keyboard
@ -251,7 +251,7 @@ Here is my page with the fingerprints, for example:
### Start the Conversation in Person ### Start the Conversation in Person
Lets say I meet Alice, Let's say I meet Alice,
we start talking, and then decide to continue the conversation online. we start talking, and then decide to continue the conversation online.
I open a special QR code on my phone, and Alice scans it with her client. I open a special QR code on my phone, and Alice scans it with her client.
@ -267,7 +267,7 @@ and that all messages will be available on all our devices and only on them.
### Start the Conversation Online ### Start the Conversation Online
Lets say Bob and I start discussing something Let's say Bob and I start discussing something
on a forum or in the Fediverse, on a forum or in the Fediverse,
and then decide to continue the discussion on XMPP. and then decide to continue the discussion on XMPP.
@ -275,8 +275,8 @@ Bob starts the chat. I trust the first device he messages me from,
and then we exchange fingerprints for our other devices, if we have any. and then we exchange fingerprints for our other devices, if we have any.
This approach is called TOFU (Trust On First Use). This approach is called TOFU (Trust On First Use).
Bob can confirm its really me using my page with fingerprints. Bob can confirm it's really me using my page with fingerprints.
I can confirm its really him by asking him to send his fingerprints I can confirm it's really him by asking him to send his fingerprints
in a private message on the same forum or via email. in a private message on the same forum or via email.
Ideally, Bob also has a public page with his fingerprints. Ideally, Bob also has a public page with his fingerprints.
@ -293,7 +293,7 @@ If I lose one of my devices or delete any private keys,
the first thing I do is remove the corresponding client the first thing I do is remove the corresponding client
from the trusted list on my other devices. from the trusted list on my other devices.
Once Ive updated all my personal lists, Once I've updated all my personal lists,
I should inform my contacts about changes via trusted channels. I should inform my contacts about changes via trusted channels.
I can simply ask Alice to scan my new QR code the next time we meet, I can simply ask Alice to scan my new QR code the next time we meet,
@ -321,7 +321,7 @@ you can see a list of published fingerprints
and manually mark them as trusted or revoke trust. and manually mark them as trusted or revoke trust.
To simplify all these routine operations, a QR-code-based system is used: To simplify all these routine operations, a QR-code-based system is used:
you can show your own QR code or scan other peoples codes you can show your own QR code or scan other people's codes
directly from the main screen. directly from the main screen.
This makes device verification during in-person meetings simple and effortless. This makes device verification during in-person meetings simple and effortless.
@ -358,7 +358,7 @@ However, I strongly recommend reading the full documentation.
/omemo qrcode /omemo qrcode
``` ```
- View the list of your own or someone elses fingerprints: - View the list of your own or someone else's fingerprints:
```text ```text
/omemo fingerprint me@some.server /omemo fingerprint me@some.server
/omemo fingerprint alice@another.server /omemo fingerprint alice@another.server
@ -387,12 +387,12 @@ However, I strongly recommend reading the full documentation.
This post was originally intended as a collection of answers to questions This post was originally intended as a collection of answers to questions
I had when I first started using XMPP with OMEMO. I had when I first started using XMPP with OMEMO.
It isnt meant to be exhaustive or formal, It isn't meant to be exhaustive or formal,
but rather to clarify the practical side of things but rather to clarify the practical side of things
and reduce that initial feeling of being lost and reduce that initial feeling of being lost
when you keep running into when you keep running into
"The message was not encrypted for this device" "The message was not encrypted for this device"
over and over again. over and over again.
From now on, I hope you wont encounter errors like this From now on, I hope you won't encounter errors like this
or any other issues with end-to-end encryption in XMPP. or any other issues with end-to-end encryption in XMPP.