From 39fb5cf5448b0ddd50be92cfb63de85c8e1c6287 Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 09:15:29 +0200 Subject: [PATCH 01/38] posts: encrypted_XMPP: initial draft --- src/pages/posts/2026/encrypted_XMPP.md | 53 ++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 src/pages/posts/2026/encrypted_XMPP.md diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md new file mode 100644 index 0000000..44577bc --- /dev/null +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -0,0 +1,53 @@ +--- + +layout: post +lang: 'en' +year: '2026' +date: '2026-04-07' +section: 'posts' + +title: 'encrypted_XMPP' +description: 'Secure and private messaging with XMPP and OMEMO encryption.' + +--- + +# End-to-End Encryption in XMPP with OMEMO + +I find it funny that twenty years ago I was already trying +to promote XMPP over ICQ to my classmates. +At that time, the proprietary messenger once again made life harder +for users of alternative clients. +That’s when I realized that I prefer protocols over services. + +I didn’t have much success back then, +but fortunately, XMPP (and I hope I have too) +has continued moving forward over the past two decades. +It has developed slowly, sometimes awkwardly, but still. + +Here I won’t talk about why XMPP is great or how to use it. +You can check + + this guide +(one of many) and I’d rather not write another one. +In this post, I want to focus specifically on end-to-end encryption +and the practical aspects of using it. + +## Draft + +Мне кажется забавным, что двадцать лет назад я уже пытался продвигать своим +одноклассникам XMPP в качестве замены ICQ. +Тогда проприетарный мессенджер начал в очередной раз +вставлять палки в колёса альтернативным +клиентам и я в первый раз ярко осознал, +что "протоколы" мне нравятся гораздо больше чем "сервисы". + +В тот раз я больших успехов достигнуть не получилось, +но, к счастью, все эти два десятилетия XMPP не стоял на месте, +а неторопливо и неуверено развивался. + +Рассказывать, чем XMPP хорош и как им пользоваться я не буду, +об этом можно почитать в этом гайде, я лучше не напишу. +В этом посте я хочу обсудить вопрос конкретно вопрос e2e-шифрования +и практические аспекты его использования. From c0c191c1f587d11cd4819d9401c8cf146b262e5e Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 10:52:41 +0200 Subject: [PATCH 02/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 44 ++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 44577bc..2c9425b 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -34,6 +34,35 @@ You can check In this post, I want to focus specifically on end-to-end encryption and the practical aspects of using it. +## Trade-offs Between Safety and Convenience + +Unfortunately, things that are truly secure are rarely convenient. +They often require some initial efforts and a bit of ongoing attention. + +Telegram, which used to be a benchmark for messenger usability +before its long dive into enshitification, +really draws the line between convenience and security. +Regular chats are easy and flexible, +but "secret" chats come with a full set of limitations: +they’re one-on-one only, +can’t be synced to another device, +aren’t available on desktop at all, +and so on. + +All commercial so-called "secure" messengers, like Signal or WhatsApp, +end up with pretty much the same limitations, +because it's tricky to make end-to-end encrypted chats +work the way users expect. + +Luckily, protocols and cryptography don’t care about +convenience or user expectations. +Many XMPP clients let you do almost anything you’re trying to do. +Sometimes it’s clunky and unintuitive, +sometimes it’s the kind of freedom that lets you shoot yourself in the foot. + +In general, the XMPP experience today +could be described as a "WhatsApp with benefits and frictions". + ## Draft Мне кажется забавным, что двадцать лет назад я уже пытался продвигать своим @@ -51,3 +80,18 @@ and the practical aspects of using it. об этом можно почитать в этом гайде, я лучше не напишу. В этом посте я хочу обсудить вопрос конкретно вопрос e2e-шифрования и практические аспекты его использования. + +--- + +К сожалению, действительно безопасные вещи редко удаётся сделать удобными. +Они часто требуют каких-то усилий на старте +и какого-то периодического внимания к себе. + +Пользователи Телеграма (который до затяжной спирали эншифтикации можно было +смело назвать образцом юзабилити среди мессенджеров) могут, например, +чётко увидеть эту границу между удобством и безопасностью: +секретные и обычные чаты. +Секретные чаты бывают только 1 на 1, их нельзя перенести на другое устройство, +а на десктопе они вообще недоступны. + + From e219ad07dc79e12a4b033bcf535dfa33971e6ad2 Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 12:03:42 +0200 Subject: [PATCH 03/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 2c9425b..30e85f4 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -62,6 +62,8 @@ sometimes it’s the kind of freedom that lets you shoot yourself in the foot. In general, the XMPP experience today could be described as a "WhatsApp with benefits and frictions". +It's kinda funny, considering that WhatsApp’s protocol +is actually based on XMPP, but incompatibly altered and defederated. ## Draft From 89a193971aae528a4069aff5c27210d051c32000 Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 12:21:46 +0200 Subject: [PATCH 04/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 30e85f4..919db23 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -65,6 +65,16 @@ could be described as a "WhatsApp with benefits and frictions". It's kinda funny, considering that WhatsApp’s protocol is actually based on XMPP, but incompatibly altered and defederated. +The comparison above sounds messy, but XMPP actually +gives you a lot of handy features. +Your chats are secured with Signal-grade end-to-end encryption, +and you can use it from as many devices as you want, +all at the same time, +anonymously, +without being tied to any single service. +This post is here to show how to use all of that +intentionally and safely. + ## Draft Мне кажется забавным, что двадцать лет назад я уже пытался продвигать своим From a52760e71c0e4e85a24f2f43965f27a216226643 Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 13:01:44 +0200 Subject: [PATCH 05/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 919db23..f7213c4 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -34,6 +34,29 @@ You can check In this post, I want to focus specifically on end-to-end encryption and the practical aspects of using it. +## Short Glossary + +**End-to-end encryption** is a way to keep your chats truly private. + +Only you and the person you’re messaging can read the messages. +Not even the server owner or your carrier has the keys +needed to decrypt or modify them. + +**XMPP** is a protocol made for instant messaging. + +The cool thing? The X stands for Extensible, +which basically means you can add almost any feature through XEPs: +audio and video calls, +encryption, +file transfer, +sync across devices, +text markup, +and even stories! + +The ugly thing? The X stands for Extensible, +which means it’s pretty hard to find two applications +that support the same subset of XEPs. + ## Trade-offs Between Safety and Convenience Unfortunately, things that are truly secure are rarely convenient. From 1c6a769e6687d5849f1a8df0ef58e5a0e36bdf33 Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 13:28:21 +0200 Subject: [PATCH 06/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index f7213c4..b58e581 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -36,26 +36,19 @@ and the practical aspects of using it. ## Short Glossary -**End-to-end encryption** is a way to keep your chats truly private. - +**End-to-end encryption** is a way to keep your chats truly private.
Only you and the person you’re messaging can read the messages. Not even the server owner or your carrier has the keys needed to decrypt or modify them. -**XMPP** is a protocol made for instant messaging. +**XMPP** is an extensible protocol for instant messaging. -The cool thing? The X stands for Extensible, -which basically means you can add almost any feature through XEPs: -audio and video calls, -encryption, -file transfer, -sync across devices, -text markup, -and even stories! - -The ugly thing? The X stands for Extensible, -which means it’s pretty hard to find two applications -that support the same subset of XEPs. +**OMEMO** is a widely supported XMPP Extension Protocol (XEP) +for secure multi-client end-to-end encryption. +You can read more about +it on a dedicated page by Daniel Gultsch. ## Trade-offs Between Safety and Convenience From 77bb66fbfa8aa397732e935b5c9244d389939e72 Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 13:56:28 +0200 Subject: [PATCH 07/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index b58e581..02ea5bf 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -42,6 +42,7 @@ Not even the server owner or your carrier has the keys needed to decrypt or modify them. **XMPP** is an extensible protocol for instant messaging. +It's open, decentralized, and mature. **OMEMO** is a widely supported XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. From 47286f9e69c60a9decdb537a5bb13d1668fae65c Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 14:04:40 +0200 Subject: [PATCH 08/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 02ea5bf..a0426b7 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -77,21 +77,19 @@ Many XMPP clients let you do almost anything you’re trying to do. Sometimes it’s clunky and unintuitive, sometimes it’s the kind of freedom that lets you shoot yourself in the foot. +It might sound messy, but XMPP actually +gives you a lot of handy features. +Your chats are secured with Signal-grade end-to-end encryption, +and you can use as many devices as you want, +all at the same time, +without being tied to any single service. +This post is here to show how to use it intentionally and safely. + In general, the XMPP experience today could be described as a "WhatsApp with benefits and frictions". It's kinda funny, considering that WhatsApp’s protocol is actually based on XMPP, but incompatibly altered and defederated. -The comparison above sounds messy, but XMPP actually -gives you a lot of handy features. -Your chats are secured with Signal-grade end-to-end encryption, -and you can use it from as many devices as you want, -all at the same time, -anonymously, -without being tied to any single service. -This post is here to show how to use all of that -intentionally and safely. - ## Draft Мне кажется забавным, что двадцать лет назад я уже пытался продвигать своим From b865797d8ff45164ee7994159f5776431d6547af Mon Sep 17 00:00:00 2001 From: He4eT Date: Mon, 6 Apr 2026 14:10:01 +0200 Subject: [PATCH 09/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 33 -------------------------- 1 file changed, 33 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index a0426b7..94d4f76 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -89,36 +89,3 @@ In general, the XMPP experience today could be described as a "WhatsApp with benefits and frictions". It's kinda funny, considering that WhatsApp’s protocol is actually based on XMPP, but incompatibly altered and defederated. - -## Draft - -Мне кажется забавным, что двадцать лет назад я уже пытался продвигать своим -одноклассникам XMPP в качестве замены ICQ. -Тогда проприетарный мессенджер начал в очередной раз -вставлять палки в колёса альтернативным -клиентам и я в первый раз ярко осознал, -что "протоколы" мне нравятся гораздо больше чем "сервисы". - -В тот раз я больших успехов достигнуть не получилось, -но, к счастью, все эти два десятилетия XMPP не стоял на месте, -а неторопливо и неуверено развивался. - -Рассказывать, чем XMPP хорош и как им пользоваться я не буду, -об этом можно почитать в этом гайде, я лучше не напишу. -В этом посте я хочу обсудить вопрос конкретно вопрос e2e-шифрования -и практические аспекты его использования. - ---- - -К сожалению, действительно безопасные вещи редко удаётся сделать удобными. -Они часто требуют каких-то усилий на старте -и какого-то периодического внимания к себе. - -Пользователи Телеграма (который до затяжной спирали эншифтикации можно было -смело назвать образцом юзабилити среди мессенджеров) могут, например, -чётко увидеть эту границу между удобством и безопасностью: -секретные и обычные чаты. -Секретные чаты бывают только 1 на 1, их нельзя перенести на другое устройство, -а на десктопе они вообще недоступны. - - From 1cc052b3a2e8027f8f77041efa4c58c60a8d103b Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 7 Apr 2026 01:03:45 +0200 Subject: [PATCH 10/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 94d4f76..53671a7 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -22,7 +22,7 @@ That’s when I realized that I prefer protocols over services. I didn’t have much success back then, but fortunately, XMPP (and I hope I have too) has continued moving forward over the past two decades. -It has developed slowly, sometimes awkwardly, but still. +It has developed slowly, sometimes awkwardly, but steadily. Here I won’t talk about why XMPP is great or how to use it. You can check @@ -67,7 +67,7 @@ aren’t available on desktop at all, and so on. All commercial so-called "secure" messengers, like Signal or WhatsApp, -end up with pretty much the same limitations, +end up with pretty similar limitations, because it's tricky to make end-to-end encrypted chats work the way users expect. @@ -76,13 +76,14 @@ convenience or user expectations. Many XMPP clients let you do almost anything you’re trying to do. Sometimes it’s clunky and unintuitive, sometimes it’s the kind of freedom that lets you shoot yourself in the foot. +At the end of the day, you’d better understand what you’re doing. -It might sound messy, but XMPP actually -gives you a lot of handy features. -Your chats are secured with Signal-grade end-to-end encryption, +It might sound messy, but for that price, XMPP actually +gives you a lot of handy features: +your chats are secured with Signal-grade end-to-end encryption, and you can use as many devices as you want, all at the same time, -without being tied to any single service. +without being tied to any proprietary service. This post is here to show how to use it intentionally and safely. In general, the XMPP experience today From 755035f97853025f1322fa202c8ed2b1a944e76a Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 7 Apr 2026 01:05:45 +0200 Subject: [PATCH 11/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 53671a7..ae4eb8c 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -88,5 +88,5 @@ This post is here to show how to use it intentionally and safely. In general, the XMPP experience today could be described as a "WhatsApp with benefits and frictions". -It's kinda funny, considering that WhatsApp’s protocol +It's kinda ironic, considering that WhatsApp’s protocol is actually based on XMPP, but incompatibly altered and defederated. From 59abfb674e27b3cbe663fb5d5baac24187278958 Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 7 Apr 2026 10:58:06 +0200 Subject: [PATCH 12/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 101 ++++++++++++++++++++++++- 1 file changed, 100 insertions(+), 1 deletion(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index ae4eb8c..c3a0aa7 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -51,7 +51,18 @@ it on a dedicated page by Daniel Gultsch. -## Trade-offs Between Safety and Convenience +## Basic Concepts + +Here I'm going to explain some basic ideas behind e2e. + +Вы можете пропустить этот раздел +Если основные концепции и терминология вам знакомы, +то можете смело пропустить этот раздел +и перейти к особенностям их практического применения касательно XMPP. + +Или даже сразу перейти к описанию workflow, которого я придерживаюсь сам. + +### Trade-offs Between Safety and Convenience Unfortunately, things that are truly secure are rarely convenient. They often require some initial efforts and a bit of ongoing attention. @@ -90,3 +101,91 @@ In general, the XMPP experience today could be described as a "WhatsApp with benefits and frictions". It's kinda ironic, considering that WhatsApp’s protocol is actually based on XMPP, but incompatibly altered and defederated. + +### Keys, Fingerprints and Trust + +Как и положено любому ассиметричному шифрованию, +в OMEMO используются приватные и публичные ключи. + +Приватные обычно как-то автоматически управляются XMPP клиентом +и в норме вам никогда не стоит трогать их руками. +Возможно, вам лучше даже и не знать, +как они выглядят. + +Публичные ключи принято называть отпечатками пальцев. +Список фингерпринтов для конкретного аккаунта +не является чем-то секретным или важным. +Клиентские приложения сами анонсируют свои фингерпнинты +и обычно автоматически пополняют список чужих. +Значение имеют только те фингерпринты, которые вы пометили как довереные. + +В идеале, человек должен лично при встрече +или по уже довереному и безопасному каналу связи +сказать вам "Да, фингерпринт XXX принадлежит моему устройству" +и только после этого вы помечаете XXX доверенным. +Обычно в интерфейсе это просто проставление чекбокса или сканирование QR-кода. +Политику доверия и недоверия можно поменять в настройках вашего клиента, +некоторые клиенты для удобства довериют любым новым фингерпринтам по умолчанию, +но я не стал бы рекомендовать использовать такую политику. + +Список доверенных фингерпринтов используется в момент отправки сообщения: +ни один клиент, кроме перечисленных в списке на момент зашифровки, +не сможет его впоследствии расшифровать. +Передать как-то доверие в прошлое невозможно. + +## Реалии OMEMO и XMPP + +### Chat History and Synchronisation + +Вообще, XMPP поддерживает хранение истории переписок на сервере. +За это отвечает `XEP-0313: Message Archive Management`. + +В реальности поддержка этого XEP, +политика хранения истории и особенно сроки хранения сообщений +зависят от конкретного сервера. +Рассчитывать на бессрочное по-умолчанию хранение всех переписок не стоит. + +Чаще всего ответственность за хранение переписок лежит исключительно на вас +и это разумное место для применения local-first подхода. + +С практической точки зрения +проще всего рассматривать серверный архив сообщений +как некоторый кэш, который выручит вас по возвращении +из непродолжительного офлайна +или поможет с синхронизацей текущей переписки между разными устройствами. + +За бесшовное переключение между клиентами отвечает +`XEP-0280: Message Carbons`. +До его внедрения можно было переключиться с телефона на лэптоп +и пялиться в загруженную историю переписки, +состоящей только из входящих сообщений от собеседника. +Отправка своих же сообщений ещё и самому себе -- это довольно неочевидная фича. + +Важно, что при использовании e2e шифрования, +упомянутая выше концепция доверенных отпечатков пальцев +распространяется и на свои клиенты тоже! + +Для бесшовной синхронизации исходящих сообщений +все ваши клиенты должны считать фингерпринты друг друга доверенными, +иначе можно столкнуться с ситуацией, +когда не получается прочитать своё же сообщение. + +Логичное, но неприятное следствие: +Новый клиент, который не был в списке доверенных на момент отправки сообщений, +получив лог из MAM не сможет их расшифровать. +Теоретически, перепаковка сообщений +на старых доверенных клиентах вроде как возможна, +но на практике, никто такое не имплементировал. + +Если вы хотите использовать больше чем одно клиентское приложение, +на одном или нескольких устройствах, +то прежде чем общаться с кем-либо, +нужно авторизоваться во всех своих клиентах +и добавить в каждый из них все фингерпринты всех остальных. +Так вы никогда не столкнётесь с раздражающей ситуацией, +когда не можете прочитать сообщения, которые сами же кому-то отправляли. + +## Mindset +## Before the Start +## Checking the Keys +## In case of fire From d56506351e76e0c78fb86bf955ad97956c1bbd01 Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 7 Apr 2026 13:34:59 +0200 Subject: [PATCH 13/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index c3a0aa7..ac920bf 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -159,11 +159,12 @@ is actually based on XMPP, but incompatibly altered and defederated. До его внедрения можно было переключиться с телефона на лэптоп и пялиться в загруженную историю переписки, состоящей только из входящих сообщений от собеседника. -Отправка своих же сообщений ещё и самому себе -- это довольно неочевидная фича. +Отправка своих же сообщений ещё и самому себе +на уровне протокола -- это довольно неочевидная фича. -Важно, что при использовании e2e шифрования, +Тут важно упомянуть, что при использовании e2e шифрования, упомянутая выше концепция доверенных отпечатков пальцев -распространяется и на свои клиенты тоже! +распространяется и на свои клиенты тоже. Для бесшовной синхронизации исходящих сообщений все ваши клиенты должны считать фингерпринты друг друга доверенными, @@ -172,18 +173,18 @@ is actually based on XMPP, but incompatibly altered and defederated. Логичное, но неприятное следствие: Новый клиент, который не был в списке доверенных на момент отправки сообщений, -получив лог из MAM не сможет их расшифровать. +получит историю из MAM, но не сможет её расшифровать. Теоретически, перепаковка сообщений на старых доверенных клиентах вроде как возможна, -но на практике, никто такое не имплементировал. +но на практике, никто такое пока не имплементировал. -Если вы хотите использовать больше чем одно клиентское приложение, -на одном или нескольких устройствах, -то прежде чем общаться с кем-либо, -нужно авторизоваться во всех своих клиентах -и добавить в каждый из них все фингерпринты всех остальных. -Так вы никогда не столкнётесь с раздражающей ситуацией, -когда не можете прочитать сообщения, которые сами же кому-то отправляли. +Тут же стоит отметить, что такие простые и понятные на первый взгляд фичи +как редактирование и удаление сообщений вообще-то полагаются на +клиентский код и могут не сработать у вашего собеседника так, +как вы этого ожидаете. +Ими можно пользоваться, +это удобно и некоторые клиенты их отлично поддерживают, +но полагаться на них для сокрытия чего-либо не стоит. ## Mindset ## Before the Start From 32a4df554d42f76a340c6622abc054d0673eb0a1 Mon Sep 17 00:00:00 2001 From: He4eT Date: Sun, 12 Apr 2026 11:44:39 +0200 Subject: [PATCH 14/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 66 ++++++++++++++++---------- 1 file changed, 42 insertions(+), 24 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index ac920bf..80a4807 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -38,8 +38,7 @@ and the practical aspects of using it. **End-to-end encryption** is a way to keep your chats truly private.
Only you and the person you’re messaging can read the messages. -Not even the server owner or your carrier has the keys -needed to decrypt or modify them. +Not even the server owner has the keys needed to decrypt or modify them. **XMPP** is an extensible protocol for instant messaging. It's open, decentralized, and mature. @@ -55,7 +54,6 @@ it on a  Date: Sun, 12 Apr 2026 16:58:40 +0200 Subject: [PATCH 15/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 181 ++++++++++++++++++++++++- 1 file changed, 176 insertions(+), 5 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 80a4807..40e199e 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -50,6 +50,12 @@ it on a dedicated page by Daniel Gultsch. +Хочу также отметить, +что я буду использовать слово Client для обозначения конкретных инстансов +приложений на пользовательских устройствах. В документации, связанной с OMEMO +для этого использвется термин Device, но мне он кажется запутывающим: +в реальности на одном устройстве может быть несколько независимых клиентов. + ## Basic Concepts Here I'm going to explain some basic ideas behind e2e. @@ -144,6 +150,7 @@ OMEMO творит какую-то магию с жонглированием к Передать как-то доверие в прошлое, увы, невозможно. ## Реалии OMEMO и XMPP +## Особенности OMEMO и XMPP ### Chat History @@ -194,7 +201,7 @@ OMEMO творит какую-то магию с жонглированием к но на практике, никто такое пока не имплементировал и важные вещи придётся пересылать вручную. -### Message Editing +### Message Correction Тут же стоит отметить, что такие простые и понятные на первый взгляд фичи как редактирование и удаление сообщений вообще-то полагаются на @@ -204,7 +211,171 @@ OMEMO творит какую-то магию с жонглированием к это удобно и некоторые клиенты их отлично поддерживают, но полагаться на них для сокрытия чего-либо не стоит. -## Mindset -## Before the Start -## Checking the Keys -## In case of fire +### Maintenance + +OMEMO был задуман как решение, которое после настройки не требует какого-то +дополнительного вмешательства. +Можно считать, что этой заявленной цели удалось достичь +и при наличии базового понимания работы протокола и регулярном онлайне +никаких сюрпризов быть не должно. + +Всё обслуживание заключается в регулярных бэкапах и +уведомлении своих контактов о фингерпринтах, +которые стоит добавить в список доверенных или убрать из него. +В нашем локальном хакспейсе мы даже проводим для этого регулярные события =) + +## Step-by-step guide + +Представим, что у меня есть аккаунт jid@some.server и несколько устройств: +телефон, ноутбук и настольный компьютер. +Сначала я опишу воркфлоу общими словами, +а потом дам уточнения про использование конкретных приложений. + +Я предпочитаю следовать такому майндсету: +С одной стороны, +у меня есть мобильное устройство, +которое всегда со мной и практические всегда онлайн: +на нём я храню полную историю переписок и получаю уведомления в реальном +времени. +С другой стороны, у меня есть несколько десктопных приложений: +я открываю их только когда мне нужно обсудить что-нибудь с использованием +клавиатуры или копи-пастинга. +Мне нравится думать о них, как о приложениях-сателлитах. + +### Before the Start + +Первым делом мне нужно сгенерировать на каждом устройстве приватные ключи. +Обычно это происходит автоматически. + +Потом я должен на каждом своём устройстве добавить остальные: +телефон должен считать все мои компьютеры доверенными устройствами, +а компьютеры доверять друг другу и телефону. + +Фингерпринты публичные, +их можно даже разместить у себя на какой-нибудь личной странице. +Вот, например, моя: https://oddsquat.org/about/keys/ + +### Start the Conversation in Person + +Предположим, я встретил Алису и мы решили обменяться контактами. +Я открыл на телефоне специальный QR-код, +затем Алиса считала его своим клиентом. +В этот QR-код уже зашиты фингерпринты всех моих устройств, так что +дополнительных действий не требуется. +Аналогично, я своим мобильным клиентом считываю QR-код с экрана Алисы. + +Теперь мы оба уверены, что в переписке будем участвовать именно мы, +а все наши сообщения будут доступны на всех наших устройствах и только на них. + +### Start the Conversation Online + +Предположим, что мы начали обсуждать что-то с Бобом где-то в сети +(на форуме, в федиверсе, не важно) и решили продолжить обсуждение в мессенджере. + +Боб инициирует переписку, я слепо доверяю первому устройству, +с которого он мне написал и уже потом мы обмениваемся в переписке +фингерпринтами остальных наших устройств, если они есть. +Такая стратегия называется ToFu. + +Опять же Боб может убедиться, что я это я с помощью моей страницы с ключами, +а я могу убедиться, что Боб на форуме -- тот же самый Боб, попросив его +прислать мне фингерпринты прямо в личных сообщениях на том же самом форуме или +отдельно посредством email, например. + +В идеальном случае, +у Боба тоже есть какая-то публичная страница с фингерпринтами. +Тогда мы оба можем независимо убедиться, +что мы именно те, за кого себя выдаём =) + +### New or Lost Devices + +Если я решил начать использовать +какое-то новое устройство или установить куда-нибудь +ещё одно клиентское приложение, +то первым делом я должен добавить его в список доверенных клиентов +на остальных моих существующих устройствах. + +Если я по каким-либо причинам потеряю любое из своих устройств +или зачем-то удалю один из своих приватных ключей, +то первым делом я должен исключить такой клиент из списка доверенных +на остальных моих устройствах. + +После актуализации моих личных списков доверенных устройств +стоит сообщить об изменениях моим собеседникам по довереным каналам. +Я могу просто попросить Алису считать мой новый QR-код при следующей встрече, +а Бобу отправить сообщение о том, +что утраченому устройству доверять больше не стоит, +настоящих сообщений с него уже никогда не придёт. + +## Client Applications + +Этот раздел описывает особенности применения OMEMO для конкретных клиентов, +которыми я пользуюсь сам. + +### Conversations, Monocles and Other Forks + +Conversation - это современное полнофункциональное чат-приложение. +Оно поддерживает всё, что должно поддерживать: +переписки, звонки, отправку фотографий и файлов. +У него есть несколько форков, в которых UX может отличаться, +но core-фичи работают абсолютно одинаково. + +На экране с информацией о конакте (в том числе и о своём аккаунте) +можно увидеть список фингерпринтов, +вручную отметить галочкой доверенные или отозвать доверие. + +Упростить все эти рутинные вещи призвана система с QR-кодами: +прямо на главном можно показать свой код или считать чужой. +Так верификация устройств при личной встрече становится простой и ненапряжной. + +Правило большого пальца - сканируй QR-код при каждом удобном случае. + +### Dino + +Это лёгкий GUI-клиент, построенный на GTK фреймвоке. +Опять же, все вопросы доверия и недоверия +можно легко решить на экране "Детали контакта" с помощью чекбоксов. + +К сожалению, по умолчанию, Dino настроен на автоматическое доверие +новым фингерпринтам, я рекомендую эту функцию отключить. + +### Profanity + +Это могучий TUI-клиент, +где всё-всё-всё реализовано через встроенную систему команд. + +Если вы зачем-то намерены им пользоваться, +то ниже вас ожидает небольшой читшит по использованию OMEMO, +но я настойчиво рекомендую ознакомиться с полной документацией самостоятельно. + +- Генерация ключа и добавление своих устройств: + ```text + /omemo gen + /omemo trust me@some.server some-cool-fingerprint-01 + /omemo trust me@some.server another-cool-fingerprint + /omemo qrcode + ``` + +- Увидеть список своих или чужих fingerprint'ов: + ```text + /omemo fingerprint me@some.server + /omemo fingerprint alice@another.server + ``` + Доверенные будут помечены как `trusted`. + +- Начать зашифрованный диалог: + ```text + /omemo start alice@another.server + ``` + +- Добавить чужой фингерпринт в список доверенных: + ```text + /omemo trust alice@another.server some-cool-fingerprint-02 + /omemo trust alice@another.server some-cool-fingerprint-03 + /omemo trust bob@another.server some-cool-fingerprint-04 + ``` + +- Перестать доверять кокретному клиенту: + ```text + /omemo untrust alice@another.server some-cool-fingerprint-02 + ``` From 73ae7522608e8234dbd009631ee5667315e17297 Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 14 Apr 2026 15:03:34 +0200 Subject: [PATCH 16/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 40e199e..fdaa897 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -15,7 +15,7 @@ description: 'Secure and private messaging with XMPP and OMEMO encryption.' I find it funny that twenty years ago I was already trying to promote XMPP over ICQ to my classmates. -At that time, the proprietary messenger once again made life harder +At the time, the proprietary messenger kept making life harder for users of alternative clients. That’s when I realized that I prefer protocols over services. @@ -50,21 +50,21 @@ it on a dedicated page by Daniel Gultsch. -Хочу также отметить, -что я буду использовать слово Client для обозначения конкретных инстансов -приложений на пользовательских устройствах. В документации, связанной с OMEMO -для этого использвется термин Device, но мне он кажется запутывающим: -в реальности на одном устройстве может быть несколько независимых клиентов. +**Client**, in this post, +means a specific instance of an XMPP application on a user device. +
OMEMO-related documentation uses the term Device, +but I find it potentially confusing: +in practice, a single physical device can run multiple independent clients. ## Basic Concepts -Here I'm going to explain some basic ideas behind e2e. +This section introduces some basic ideas behind end-to-end encryption. -Если основные концепции и терминология вам знакомы, -то можете смело пропустить этот раздел -и перейти к особенностям их практического применения касательно XMPP. - -Или даже сразу перейти к описанию workflow, которого я придерживаюсь сам. +If you're already familiar with the concepts and terminology, +you can skip ahead to how end-to-end encryption affects the XMPP user experience +or jump straight to the step-by-step workflow I personally use. ### Trade-offs Between Safety and Convenience From efaf5a7c7ec6bba72d16dcd3f31ef6f288814174 Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 14 Apr 2026 15:57:41 +0200 Subject: [PATCH 17/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 67 ++++++++++++-------------- 1 file changed, 32 insertions(+), 35 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index fdaa897..3b52397 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -108,46 +108,43 @@ is actually based on XMPP, but incompatibly altered and defederated. ### Keys, Fingerprints and Trust -OMEMO построен вокруг Double Ratchet Algorithm. -Там внутри всё очень интересно, -но нам для практического применения важно только то, -что каждый клиент пользователя хранит в себе какие-то там ключи, -и умеет получать из них какой-то там хэш, -который принято называть fingerprint. +OMEMO is based on the Double Ratchet Algorithm. +While the internal details are quite interesting, +for practical purposes it's enough to know that +each client stores some cryptographic keys +and can derive a hash from them, commonly called a fingerprint. -Ключи обычно как-то автоматически управляются XMPP клиентом -и в норме вам никогда не стоит трогать их руками. -Возможно, вам лучше даже и не знать, как они выглядят. -Единственное, что с ними нужно делать -- -держать в секрете и бэкапить при необходимости. +Keys are usually managed automatically by the XMPP client, +and in normal use you should never need to handle them manually. +In fact, you probably don’t even need to know what they look like. +The only thing you need to do is keep them secret +and back them up if necessary. -Фингерпринт позволяет отличать конкретный -клиент собеседника и быть уверенным, что его не подмененили. -Список фингерпринтов для конкретного аккаунта -не является чем-то секретным: -клиентские приложения сами анонсируют свои фингерпнинты на сервере -и автоматически пополняют список чужих. -Значение имеют только те, -которые вы пометили как фингерпринты довереных клиентов. +A fingerprint lets you identify a specific client of your contact +and verify that it hasn’t been spoofed. +Fingerprints for an account are not secret: +clients publish their own fingerprints to the XMPP server +and automatically receive the fingerprints of others. +Only fingerprints you explicitly mark as trusted are relevant. -В идеале, человек должен лично при встрече -или по уже довереному и безопасному каналу связи -сказать вам "Да, фингерпринт XXX принадлежит моему устройству" -и только после этого вы помечаете XXX доверенным. -Обычно в интерфейсе это просто проставление чекбокса или сканирование QR-кода. +In an ideal scenario, the contact should confirm in person +or through an already trusted and secure communication channel +that the fingerprint belongs to their device, +and only then you mark it as trusted. +In most XMPP clients this is simply done by ticking a checkbox +or by scanning a QR code. -Некоторые клиенты для удобства пользователя -довериют любым новым фингерпринтам контактов по-умолчанию, -но я не стал бы рекомендовать использовать такую политику, -это легкомысленно и небезопасно. -Политики доверия или недоверия -можно посмотреть или поменять в настройках вашего клиента. +If your client automatically trusts all new fingerprints by default, +I strongly recommend disabling this behavior in the settings. -Список доверенных фингерпринтов используется в момент отправки сообщения: -OMEMO творит какую-то магию с жонглированием ключами и -ни один клиент, кроме перечисленных в списке на момент зашифровки, -не сможет его впоследствии расшифровать. -Передать как-то доверие в прошлое, увы, невозможно. +The list of trusted fingerprints is used at the moment a message is sent. +Behind the scenes, OMEMO performs a certain amount of key management, +and only the clients that are present in the trusted list +at the time of encryption will be able to decrypt the message later. + +It's important to understand that trust cannot be applied retroactively: +it's not possible to "extend" trust to new clients +after a message has already been encrypted and sent. ## Реалии OMEMO и XMPP ## Особенности OMEMO и XMPP From 07a44e6aadaaf1583f87a49db5ad8033ca27ccd5 Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 14 Apr 2026 16:14:57 +0200 Subject: [PATCH 18/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 33 +++++++++++--------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 3b52397..4ba96d1 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -134,9 +134,6 @@ and only then you mark it as trusted. In most XMPP clients this is simply done by ticking a checkbox or by scanning a QR code. -If your client automatically trusts all new fingerprints by default, -I strongly recommend disabling this behavior in the settings. - The list of trusted fingerprints is used at the moment a message is sent. Behind the scenes, OMEMO performs a certain amount of key management, and only the clients that are present in the trusted list @@ -146,28 +143,26 @@ It's important to understand that trust cannot be applied retroactively: it's not possible to "extend" trust to new clients after a message has already been encrypted and sent. -## Реалии OMEMO и XMPP -## Особенности OMEMO и XMPP +## Practical Aspects of OMEMO and XMPP ### Chat History -Вообще, XMPP поддерживает хранение истории переписок на сервере. -За это отвечает **XEP-0313: Message Archive Management**. +In theory, XMPP supports server-side message history storage via +**XEP-0313: Message Archive Management**. -В реальности поддержка этого XEP, -политика хранения истории и особенно сроки хранения сообщений -зависят от конкретного сервера. -Рассчитывать по-умолчанию на бессрочное хранение всех переписок не стоит. +In practice, support for this XEP, +as well as retention policies and message lifetime, +depends on the specific server. +You should never assume that all conversations are stored +indefinitely by default. -В конечном счёте, -ответственность за хранение переписок лежит исключительно на вас -и это разумное место для применения local-first подхода. +At the end of the day, keeping your chat history is your responsibility, +and this is a good place to apply a local-first approach. -С практической точки зрения -проще всего рассматривать серверный архив сообщений -как некоторый кэш, который выручит вас по возвращении -из непродолжительного офлайна -или поможет с синхронизацей текущей переписки между разными устройствами. +From a practical standpoint, +the server-side archive is better considered a cache: +it can help you handle recent messages after a short period offline +or synchronize conversations across multiple devices. ### Synchronisation From 6065693999719fb418c2fb2aa448158584c620db Mon Sep 17 00:00:00 2001 From: He4eT Date: Tue, 14 Apr 2026 18:37:45 +0200 Subject: [PATCH 19/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 83 ++++++++++++-------------- 1 file changed, 39 insertions(+), 44 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 4ba96d1..3c9c7ba 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -155,70 +155,65 @@ as well as retention policies and message lifetime, depends on the specific server. You should never assume that all conversations are stored indefinitely by default. +From a practical standpoint, +the server-side MAM archive is better considered a cache: +it can help you handle recent messages after a short period offline +or synchronize conversations across multiple devices. At the end of the day, keeping your chat history is your responsibility, and this is a good place to apply a local-first approach. -From a practical standpoint, -the server-side archive is better considered a cache: -it can help you handle recent messages after a short period offline -or synchronize conversations across multiple devices. ### Synchronisation -За бесшовное переключение между клиентами отвечает +Seamless switching between clients is handled by **XEP-0280: Message Carbons**. -До его внедрения можно было переключиться с телефона на лэптоп -и пялиться в загруженную историю переписки, -состоящей только из входящих сообщений от собеседника. -Отправка своих же сообщений ещё и самому себе -на уровне протокола -- это довольно неочевидная фича. +Before its introduction, only incoming messages were synced between devices, +while your own outgoing messages were not. +Protocol-level mirroring of your own messages +is a rather non-obvious feature :D -Тут важно упомянуть, что при использовании e2e шифрования, -упомянутая выше концепция доверенных отпечатков пальцев -распространяется и на свои клиенты тоже. +It's important to note that with end-to-end encryption, +the concept of trusted fingerprints also applies to your own clients. +For seamless synchronisation of outgoing messages, +all your clients must trust each other's fingerprints. +A new client, +or an old one that was not trusted at the time messages were sent, +will receive the full history from MAM but will not be able to decrypt it. +
Yes, even your own messages. -Для бесшовной синхронизации исходящих сообщений -все ваши клиенты должны считать фингерпринты друг друга доверенными, -иначе можно столкнуться с ситуацией, -когда не получается прочитать своё же сообщение. - -Логичное, но неприятное следствие: -Новый клиент или старый, -который не был в списке доверенных на момент отправки сообщений, -получит историю из MAM, но не сможет её расшифровать. -Да, даже ваши сообщения. -Теоретически, перепаковка сообщений -на старых доверенных клиентах вроде как возможна, -но на практике, никто такое пока не имплементировал -и важные вещи придётся пересылать вручную. +In theory, re-encrypting messages on already trusted clients +could solve this issue, but no XMPP client implements it yet. +So in practice you may need to manually resend +important messages to a new device. ### Message Correction -Тут же стоит отметить, что такие простые и понятные на первый взгляд фичи -как редактирование и удаление сообщений вообще-то полагаются на -клиентский код и могут не сработать у вашего собеседника так, -как вы этого ожидаете. -Ими можно пользоваться, -это удобно и некоторые клиенты их отлично поддерживают, -но полагаться на них для сокрытия чего-либо не стоит. +It’s worth keeping in mind that +features that seem simple and straightforward at first glance, +such as message editing and deletion, +actually rely on client-side implementation +and may not behave for your recipient the way you expect. + +They’re fine to use and are well supported in some clients, +but you shouldn’t rely on them to hide anything. ### Maintenance -OMEMO был задуман как решение, которое после настройки не требует какого-то -дополнительного вмешательства. -Можно считать, что этой заявленной цели удалось достичь -и при наличии базового понимания работы протокола и регулярном онлайне -никаких сюрпризов быть не должно. +OMEMO was designed as a set-it-and-forget-it solution, +and it mostly succeeds in that goal. +If you have a basic understanding of how the protocol works +and check in online from time to time, +there shouldn’t be any surprises. -Всё обслуживание заключается в регулярных бэкапах и -уведомлении своих контактов о фингерпринтах, -которые стоит добавить в список доверенных или убрать из него. -В нашем локальном хакспейсе мы даже проводим для этого регулярные события =) +All maintenance comes down to making regular backups +and notifying your contacts +when fingerprints are added or no longer valid +so they can keep their trust list up to date. ## Step-by-step guide -Представим, что у меня есть аккаунт jid@some.server и несколько устройств: +Представим, что у меня есть аккаунт me@some.server и несколько устройств: телефон, ноутбук и настольный компьютер. Сначала я опишу воркфлоу общими словами, а потом дам уточнения про использование конкретных приложений. From f167c069151475f182cf765d4c9d0a3187b0a442 Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 15 Apr 2026 17:14:54 +0200 Subject: [PATCH 20/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 49 +++++++++++++------------- 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 3c9c7ba..0da380d 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -185,7 +185,7 @@ will receive the full history from MAM but will not be able to decrypt it. In theory, re-encrypting messages on already trusted clients could solve this issue, but no XMPP client implements it yet. So in practice you may need to manually resend -important messages to a new device. +some data to a new device. ### Message Correction @@ -211,36 +211,37 @@ and notifying your contacts when fingerprints are added or no longer valid so they can keep their trust list up to date. -## Step-by-step guide +## Step-by-step Guide -Представим, что у меня есть аккаунт me@some.server и несколько устройств: -телефон, ноутбук и настольный компьютер. -Сначала я опишу воркфлоу общими словами, -а потом дам уточнения про использование конкретных приложений. +Let’s say I have a XMPP account, me@some.server, +and a few devices: a phone, a laptop, and a desktop computer. +First I’ll describe my mindset at a high level, +then I’ll add some notes about specific clients. -Я предпочитаю следовать такому майндсету: -С одной стороны, -у меня есть мобильное устройство, -которое всегда со мной и практические всегда онлайн: -на нём я храню полную историю переписок и получаю уведомления в реальном -времени. -С другой стороны, у меня есть несколько десктопных приложений: -я открываю их только когда мне нужно обсудить что-нибудь с использованием -клавиатуры или копи-пастинга. -Мне нравится думать о них, как о приложениях-сателлитах. +### Client Roles + +On the one hand, I have my phone. +It’s almost always with me and almost always online. +That’s where I keep the full chat history and get real-time notifications. + +On the other hand, I have a couple of desktop applications. +I only open them when I need to discuss something using my keyboard +or move some text between devices. +I like to think of them as ad-hoc or satellite clients. ### Before the Start -Первым делом мне нужно сгенерировать на каждом устройстве приватные ключи. -Обычно это происходит автоматически. +First, enable OMEMO encryption on every client if it isn't enabled by default. +The client will usually generate the keys and fingerprint automatically. -Потом я должен на каждом своём устройстве добавить остальные: -телефон должен считать все мои компьютеры доверенными устройствами, -а компьютеры доверять друг другу и телефону. +The next step is to add all clients to the trust list on each device: +my phone should trust all my computers, +and my computers should trust each other as well as my phone. -Фингерпринты публичные, -их можно даже разместить у себя на какой-нибудь личной странице. -Вот, например, моя: https://oddsquat.org/about/keys/ +Fingerprints do not have to be secret, so they can be published on +your website or even on social media profiles. +Here is my page with the fingerprints: +https://oddsquat.org/about/keys/ ### Start the Conversation in Person From e08a52b636cfec5b56ce908487494cfd58b789ec Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 15 Apr 2026 17:33:27 +0200 Subject: [PATCH 21/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 45 +++++++++++++------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 0da380d..af868a6 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -245,35 +245,36 @@ https://oddsquat.org/about/keys/ ### Start the Conversation in Person -Предположим, я встретил Алису и мы решили обменяться контактами. -Я открыл на телефоне специальный QR-код, -затем Алиса считала его своим клиентом. -В этот QR-код уже зашиты фингерпринты всех моих устройств, так что -дополнительных действий не требуется. -Аналогично, я своим мобильным клиентом считываю QR-код с экрана Алисы. +Let’s say I meet Alice, +we start talking, and decide to continue the conversation online. -Теперь мы оба уверены, что в переписке будем участвовать именно мы, -а все наши сообщения будут доступны на всех наших устройствах и только на них. +I open a special QR code on my phone, and Alice scans it with her client. +This QR code already contains the fingerprints of all my devices, +so no extra steps are needed. + +Then I do the same and scan the QR code from Alice’s screen +with my mobile client. + +Now we are both sure that it’s really us in the conversation, +and that all messages will be available on all our devices and only on them. ### Start the Conversation Online -Предположим, что мы начали обсуждать что-то с Бобом где-то в сети -(на форуме, в федиверсе, не важно) и решили продолжить обсуждение в мессенджере. +Let’s say Bob and I start discussing something +on a forum or in the Fediverse, +and then decide to move to XMPP. -Боб инициирует переписку, я слепо доверяю первому устройству, -с которого он мне написал и уже потом мы обмениваемся в переписке -фингерпринтами остальных наших устройств, если они есть. -Такая стратегия называется ToFu. +Bob starts the chat. I trust the first device he messages me from, +and then we exchange fingerprints for our other devices, if we have any. +This approach is called TOFU (Trust On First Use). -Опять же Боб может убедиться, что я это я с помощью моей страницы с ключами, -а я могу убедиться, что Боб на форуме -- тот же самый Боб, попросив его -прислать мне фингерпринты прямо в личных сообщениях на том же самом форуме или -отдельно посредством email, например. +Bob can confirm it’s really me using my page with fingerprints. +I can confirm it’s really him by asking him to send his fingerprints +in a private message on the same forum or via email. -В идеальном случае, -у Боба тоже есть какая-то публичная страница с фингерпринтами. -Тогда мы оба можем независимо убедиться, -что мы именно те, за кого себя выдаём =) +Ideally, Bob also has a public page with his fingerprints. +That way, we can both independently verify +that we are who we say we are. ### New or Lost Devices From 202d46ec7db5c341cce8d11ca7b1addbd7fc4be4 Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 15 Apr 2026 17:49:02 +0200 Subject: [PATCH 22/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 28 ++++++++++++-------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index af868a6..7ca4376 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -278,23 +278,21 @@ that we are who we say we are. ### New or Lost Devices -Если я решил начать использовать -какое-то новое устройство или установить куда-нибудь -ещё одно клиентское приложение, -то первым делом я должен добавить его в список доверенных клиентов -на остальных моих существующих устройствах. +If I start using a new device or install another client application, +the first thing I do is add it to the list of trusted clients +on my existing devices. -Если я по каким-либо причинам потеряю любое из своих устройств -или зачем-то удалю один из своих приватных ключей, -то первым делом я должен исключить такой клиент из списка доверенных -на остальных моих устройствах. +If I lose one of my devices or delete any private keys, +the first thing I do is remove the corresponding client +from the trusted list on my other devices. -После актуализации моих личных списков доверенных устройств -стоит сообщить об изменениях моим собеседникам по довереным каналам. -Я могу просто попросить Алису считать мой новый QR-код при следующей встрече, -а Бобу отправить сообщение о том, -что утраченому устройству доверять больше не стоит, -настоящих сообщений с него уже никогда не придёт. +Once I’ve updated my personal list of trusted devices, +I should inform my contacts through trusted channels. + +I can simply ask Alice to scan my new QR code the next time we meet, +and send Bob a message introducing my new client or letting him know +that the lost device is no longer trusted +and that no real messages will ever come from it again. ## Client Applications From 9a5bf505776203a1a1909a2e3cce6b0692c422b4 Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 15 Apr 2026 18:12:28 +0200 Subject: [PATCH 23/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 35 +++++++++++++------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 7ca4376..a369f16 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -286,8 +286,8 @@ If I lose one of my devices or delete any private keys, the first thing I do is remove the corresponding client from the trusted list on my other devices. -Once I’ve updated my personal list of trusted devices, -I should inform my contacts through trusted channels. +Once I’ve updated all my personal lists, +I should inform my contacts about changes via trusted channels. I can simply ask Alice to scan my new QR code the next time we meet, and send Bob a message introducing my new client or letting him know @@ -296,26 +296,27 @@ and that no real messages will ever come from it again. ## Client Applications -Этот раздел описывает особенности применения OMEMO для конкретных клиентов, -которыми я пользуюсь сам. +This section describes how OMEMO is used in specific client applications +that I personally use. -### Conversations, Monocles and Other Forks +### Conversations and Forks -Conversation - это современное полнофункциональное чат-приложение. -Оно поддерживает всё, что должно поддерживать: -переписки, звонки, отправку фотографий и файлов. -У него есть несколько форков, в которых UX может отличаться, -но core-фичи работают абсолютно одинаково. +Conversations is a modern, fully featured chat application for Android. +It supports everything a messaging app should support: +chats, voice calls, and sharing photos and files. -На экране с информацией о конакте (в том числе и о своём аккаунте) -можно увидеть список фингерпринтов, -вручную отметить галочкой доверенные или отозвать доверие. +There are several forks of it where the UI or UX may differ, +but the core features work exactly the same. +I personally use Monocles Chat. -Упростить все эти рутинные вещи призвана система с QR-кодами: -прямо на главном можно показать свой код или считать чужой. -Так верификация устройств при личной встрече становится простой и ненапряжной. +On the contact details screen (including your own account), +you can see a list of published fingerprints +and manually mark them as trusted or revoke trust. -Правило большого пальца - сканируй QR-код при каждом удобном случае. +To simplify all these routine operations, a QR-code-based system is used: +You can show your own QR code or scan other people’s codes +directly from the main screen. +This makes device verification during in-person meetings simple and effortless. ### Dino From d51908a57d8334896c6d4c92c285a4af350f93c5 Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 15 Apr 2026 18:43:22 +0200 Subject: [PATCH 24/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index a369f16..dab94d2 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -309,7 +309,7 @@ There are several forks of it where the UI or UX may differ, but the core features work exactly the same. I personally use Monocles Chat. -On the contact details screen (including your own account), +On the Contact Details screen (including your own account), you can see a list of published fingerprints and manually mark them as trusted or revoke trust. @@ -320,12 +320,19 @@ This makes device verification during in-person meetings simple and effortless. ### Dino -Это лёгкий GUI-клиент, построенный на GTK фреймвоке. -Опять же, все вопросы доверия и недоверия -можно легко решить на экране "Детали контакта" с помощью чекбоксов. +Dino is a lightweight GTK-based GUI client. -К сожалению, по умолчанию, Dino настроен на автоматическое доверие -новым фингерпринтам, я рекомендую эту функцию отключить. +It can be considered a fully functional one, +although some non-essential features are still not supported or implemented. +For example, +it is not possible to clear local chat history using built-in methods :D + +Trust and untrust decisions can be easily managed +in the Encryption tab of the Conversation Details window. + +It is important to note that, by default, Dino is configured +to automatically trust new fingerprints. +I recommend disabling this feature. ### Profanity From 7a9c22f951009754f902107309f457f99daba5cc Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 15 Apr 2026 18:53:57 +0200 Subject: [PATCH 25/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index dab94d2..1950f92 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -336,14 +336,14 @@ I recommend disabling this feature. ### Profanity -Это могучий TUI-клиент, -где всё-всё-всё реализовано через встроенную систему команд. +Profanity is a powerful TUI client +where everything is controlled through a built-in command system. -Если вы зачем-то намерены им пользоваться, -то ниже вас ожидает небольшой читшит по использованию OMEMO, -но я настойчиво рекомендую ознакомиться с полной документацией самостоятельно. +If you somehow intend to use it, +below you will find a small cheat sheet for using OMEMO. +However, I strongly recommend reading the full documentation. -- Генерация ключа и добавление своих устройств: +- Generate a key and add your other clients: ```text /omemo gen /omemo trust me@some.server some-cool-fingerprint-01 @@ -351,26 +351,26 @@ I recommend disabling this feature. /omemo qrcode ``` -- Увидеть список своих или чужих fingerprint'ов: +- View the list of your own or someone else’s fingerprints: ```text /omemo fingerprint me@some.server /omemo fingerprint alice@another.server ``` - Доверенные будут помечены как `trusted`. + Trusted ones will be marked as `trusted`. -- Начать зашифрованный диалог: +- Start an encrypted conversation: ```text /omemo start alice@another.server ``` -- Добавить чужой фингерпринт в список доверенных: +- Add fingerprints to the trusted list: ```text /omemo trust alice@another.server some-cool-fingerprint-02 /omemo trust alice@another.server some-cool-fingerprint-03 /omemo trust bob@another.server some-cool-fingerprint-04 ``` -- Перестать доверять кокретному клиенту: +- Revoke trust for a specific client: ```text /omemo untrust alice@another.server some-cool-fingerprint-02 ``` From 96b59ff9be9a9e0812ac8820296e5aebd4b4ee32 Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 15 Apr 2026 19:44:40 +0200 Subject: [PATCH 26/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 1950f92..12b8e71 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -117,8 +117,6 @@ and can derive a hash from them, commonly called a fingerprint. Keys are usually managed automatically by the XMPP client, and in normal use you should never need to handle them manually. In fact, you probably don’t even need to know what they look like. -The only thing you need to do is keep them secret -and back them up if necessary. A fingerprint lets you identify a specific client of your contact and verify that it hasn’t been spoofed. From eb0e83a8d639c4fd92bc5d02179b51e8619219fd Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 00:45:44 +0200 Subject: [PATCH 27/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 80 +++++++++++++++++--------- 1 file changed, 52 insertions(+), 28 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 12b8e71..8b07a9a 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -14,17 +14,20 @@ description: 'Secure and private messaging with XMPP and OMEMO encryption.' # End-to-End Encryption in XMPP with OMEMO I find it funny that twenty years ago I was already trying -to promote XMPP over ICQ to my classmates. -At the time, the proprietary messenger kept making life harder -for users of alternative clients. -That’s when I realized that I prefer protocols over services. +to get people to switch to XMPP. + +For a long time, ICQ was extremely popular around me, +but the proprietary messenger kept breaking things for people +using alternative clients, which was quite annoying. +After yet another round of this pointless battle +I realized clearly that I prefer protocols over services. I didn’t have much success back then, but fortunately, XMPP (and I hope I have too) has continued moving forward over the past two decades. It has developed slowly, sometimes awkwardly, but steadily. -Here I won’t talk about why XMPP is great or how to use it. +Here, I won’t talk about why XMPP is great or how it works. You can check widely supported +XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. You can read more about it on a how end-to-end encryption affects the XMPP user experience + href='#practical-aspects-of-omemo-and-xmpp'>how end-to-end encryption affects the XMPP user experience or jump straight to the step-by-step workflow I personally use. + href='#step-by-step-guide'>step-by-step workflow I personally use. ### Trade-offs Between Safety and Convenience @@ -99,7 +105,6 @@ your chats are secured with Signal-grade end-to-end encryption, and you can use as many devices as you want, all at the same time, without being tied to any proprietary service. -This post is here to show how to use it intentionally and safely. In general, the XMPP experience today could be described as a "WhatsApp with benefits and frictions". @@ -108,7 +113,9 @@ is actually based on XMPP, but incompatibly altered and defederated. ### Keys, Fingerprints and Trust -OMEMO is based on the Double Ratchet Algorithm. +OMEMO is based on the + + Double Ratchet Algorithm. While the internal details are quite interesting, for practical purposes it's enough to know that each client stores some cryptographic keys @@ -209,9 +216,9 @@ and notifying your contacts when fingerprints are added or no longer valid so they can keep their trust list up to date. -## Step-by-step Guide +## Step-by-Step Guide -Let’s say I have a XMPP account, me@some.server, +Let’s say I have a XMPP account, `me@some.server`, and a few devices: a phone, a laptop, and a desktop computer. First I’ll describe my mindset at a high level, then I’ll add some notes about specific clients. @@ -224,13 +231,12 @@ That’s where I keep the full chat history and get real-time notifications. On the other hand, I have a couple of desktop applications. I only open them when I need to discuss something using my keyboard -or move some text between devices. -I like to think of them as ad-hoc or satellite clients. +or share some text between devices. +I like to think of them as satellite clients. ### Before the Start First, enable OMEMO encryption on every client if it isn't enabled by default. -The client will usually generate the keys and fingerprint automatically. The next step is to add all clients to the trust list on each device: my phone should trust all my computers, @@ -238,29 +244,32 @@ and my computers should trust each other as well as my phone. Fingerprints do not have to be secret, so they can be published on your website or even on social media profiles. -Here is my page with the fingerprints: -https://oddsquat.org/about/keys/ +Here is my page with the fingerprints, for example: +
+ https://oddsquat.org/about/keys/ + ### Start the Conversation in Person Let’s say I meet Alice, -we start talking, and decide to continue the conversation online. +we start talking, and then decide to continue the conversation online. I open a special QR code on my phone, and Alice scans it with her client. This QR code already contains the fingerprints of all my devices, -so no extra steps are needed. +so no extra steps are needed on her phone. +After that, I do the same and scan her QR code as well. -Then I do the same and scan the QR code from Alice’s screen -with my mobile client. +Later at home, I manually mark her devices as trusted on my computers +using the trusted list on my phone, and she does the same. -Now we are both sure that it’s really us in the conversation, +Now we are both sure that it is really us in the conversation, and that all messages will be available on all our devices and only on them. ### Start the Conversation Online Let’s say Bob and I start discussing something on a forum or in the Fediverse, -and then decide to move to XMPP. +and then decide to continue the discussion on XMPP. Bob starts the chat. I trust the first device he messages me from, and then we exchange fingerprints for our other devices, if we have any. @@ -301,7 +310,7 @@ that I personally use. Conversations is a modern, fully featured chat application for Android. It supports everything a messaging app should support: -chats, voice calls, and sharing photos and files. +chats, voice calls, video calls, and sharing files of any kind. There are several forks of it where the UI or UX may differ, but the core features work exactly the same. @@ -312,7 +321,7 @@ you can see a list of published fingerprints and manually mark them as trusted or revoke trust. To simplify all these routine operations, a QR-code-based system is used: -You can show your own QR code or scan other people’s codes +you can show your own QR code or scan other people’s codes directly from the main screen. This makes device verification during in-person meetings simple and effortless. @@ -321,7 +330,7 @@ This makes device verification during in-person meetings simple and effortless. Dino is a lightweight GTK-based GUI client. It can be considered a fully functional one, -although some non-essential features are still not supported or implemented. +although some non-essential features are still not implemented. For example, it is not possible to clear local chat history using built-in methods :D @@ -338,7 +347,7 @@ Profanity is a powerful TUI client where everything is controlled through a built-in command system. If you somehow intend to use it, -below you will find a small cheat sheet for using OMEMO. +you can find a small cheat sheet for the `/omemo` command below. However, I strongly recommend reading the full documentation. - Generate a key and add your other clients: @@ -372,3 +381,18 @@ However, I strongly recommend reading the full documentation. ```text /omemo untrust alice@another.server some-cool-fingerprint-02 ``` + +## Late Disclaimer + +This post was originally intended as a collection of answers to questions +I had when I first started using XMPP with OMEMO. + +It isn’t meant to be exhaustive or formal, +but rather to clarify the practical side of things +and reduce that initial feeling of being lost +when you keep running into +"The message was not encrypted for this device" +over and over again. + +From now on, I hope you won’t encounter errors like this +or any other issues with end-to-end encryption in XMPP. From 3b864811040ad0a4174a825d32bda2942306e7e6 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 00:49:06 +0200 Subject: [PATCH 28/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 66 +++++++++++++------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 8b07a9a..51e5b41 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -22,25 +22,25 @@ using alternative clients, which was quite annoying. After yet another round of this pointless battle I realized clearly that I prefer protocols over services. -I didn’t have much success back then, +I didn't have much success back then, but fortunately, XMPP (and I hope I have too) has continued moving forward over the past two decades. It has developed slowly, sometimes awkwardly, but steadily. -Here, I won’t talk about why XMPP is great or how it works. +Here, I won't talk about why XMPP is great or how it works. You can check this guide -(one of many) and I’d rather not write another one. +(one of many) and I'd rather not write another one. In this post, I want to focus specifically on end-to-end encryption and the practical aspects of using it. ## Short Glossary **End-to-end encryption** is a way to keep your chats truly private.
-Only you and the person you’re messaging can read the messages. +Only you and the person you're messaging can read the messages. Not even the server owner has the keys needed to decrypt or modify them. **XMPP** is an extensible protocol for instant messaging. @@ -82,9 +82,9 @@ before its long dive into enshitification, really draws the line between convenience and security. Regular chats are easy and flexible, but "secret" chats come with a full set of limitations: -they’re one-on-one only, -can’t be synced to another device, -aren’t available on desktop at all, +they're one-on-one only, +can't be synced to another device, +aren't available on desktop at all, and so on. All commercial so-called "secure" messengers, like Signal or WhatsApp, @@ -92,12 +92,12 @@ end up with pretty similar limitations, because it's tricky to make end-to-end encrypted chats work the way users expect. -Luckily, protocols and cryptography don’t care about +Luckily, protocols and cryptography don't care about convenience or user expectations. -Many XMPP clients let you do almost anything you’re trying to do. -Sometimes it’s clunky and unintuitive, -sometimes it’s the kind of freedom that lets you shoot yourself in the foot. -At the end of the day, you’d better understand what you’re doing. +Many XMPP clients let you do almost anything you're trying to do. +Sometimes it's clunky and unintuitive, +sometimes it's the kind of freedom that lets you shoot yourself in the foot. +At the end of the day, you'd better understand what you're doing. It might sound messy, but for that price, XMPP actually gives you a lot of handy features: @@ -108,7 +108,7 @@ without being tied to any proprietary service. In general, the XMPP experience today could be described as a "WhatsApp with benefits and frictions". -It's kinda ironic, considering that WhatsApp’s protocol +It's kinda ironic, considering that WhatsApp's protocol is actually based on XMPP, but incompatibly altered and defederated. ### Keys, Fingerprints and Trust @@ -123,10 +123,10 @@ and can derive a hash from them, commonly called a fingerprint. Keys are usually managed automatically by the XMPP client, and in normal use you should never need to handle them manually. -In fact, you probably don’t even need to know what they look like. +In fact, you probably don't even need to know what they look like. A fingerprint lets you identify a specific client of your contact -and verify that it hasn’t been spoofed. +and verify that it hasn't been spoofed. Fingerprints for an account are not secret: clients publish their own fingerprints to the XMPP server and automatically receive the fingerprints of others. @@ -194,14 +194,14 @@ some data to a new device. ### Message Correction -It’s worth keeping in mind that +It's worth keeping in mind that features that seem simple and straightforward at first glance, such as message editing and deletion, actually rely on client-side implementation and may not behave for your recipient the way you expect. -They’re fine to use and are well supported in some clients, -but you shouldn’t rely on them to hide anything. +They're fine to use and are well supported in some clients, +but you shouldn't rely on them to hide anything. ### Maintenance @@ -209,7 +209,7 @@ OMEMO was designed as a set-it-and-forget-it solution, and it mostly succeeds in that goal. If you have a basic understanding of how the protocol works and check in online from time to time, -there shouldn’t be any surprises. +there shouldn't be any surprises. All maintenance comes down to making regular backups and notifying your contacts @@ -218,16 +218,16 @@ so they can keep their trust list up to date. ## Step-by-Step Guide -Let’s say I have a XMPP account, `me@some.server`, +Let's say I have a XMPP account, `me@some.server`, and a few devices: a phone, a laptop, and a desktop computer. -First I’ll describe my mindset at a high level, -then I’ll add some notes about specific clients. +First I'll describe my mindset at a high level, +then I'll add some notes about specific clients. ### Client Roles On the one hand, I have my phone. -It’s almost always with me and almost always online. -That’s where I keep the full chat history and get real-time notifications. +It's almost always with me and almost always online. +That's where I keep the full chat history and get real-time notifications. On the other hand, I have a couple of desktop applications. I only open them when I need to discuss something using my keyboard @@ -251,7 +251,7 @@ Here is my page with the fingerprints, for example: ### Start the Conversation in Person -Let’s say I meet Alice, +Let's say I meet Alice, we start talking, and then decide to continue the conversation online. I open a special QR code on my phone, and Alice scans it with her client. @@ -267,7 +267,7 @@ and that all messages will be available on all our devices and only on them. ### Start the Conversation Online -Let’s say Bob and I start discussing something +Let's say Bob and I start discussing something on a forum or in the Fediverse, and then decide to continue the discussion on XMPP. @@ -275,8 +275,8 @@ Bob starts the chat. I trust the first device he messages me from, and then we exchange fingerprints for our other devices, if we have any. This approach is called TOFU (Trust On First Use). -Bob can confirm it’s really me using my page with fingerprints. -I can confirm it’s really him by asking him to send his fingerprints +Bob can confirm it's really me using my page with fingerprints. +I can confirm it's really him by asking him to send his fingerprints in a private message on the same forum or via email. Ideally, Bob also has a public page with his fingerprints. @@ -293,7 +293,7 @@ If I lose one of my devices or delete any private keys, the first thing I do is remove the corresponding client from the trusted list on my other devices. -Once I’ve updated all my personal lists, +Once I've updated all my personal lists, I should inform my contacts about changes via trusted channels. I can simply ask Alice to scan my new QR code the next time we meet, @@ -321,7 +321,7 @@ you can see a list of published fingerprints and manually mark them as trusted or revoke trust. To simplify all these routine operations, a QR-code-based system is used: -you can show your own QR code or scan other people’s codes +you can show your own QR code or scan other people's codes directly from the main screen. This makes device verification during in-person meetings simple and effortless. @@ -358,7 +358,7 @@ However, I strongly recommend reading the full documentation. /omemo qrcode ``` -- View the list of your own or someone else’s fingerprints: +- View the list of your own or someone else's fingerprints: ```text /omemo fingerprint me@some.server /omemo fingerprint alice@another.server @@ -387,12 +387,12 @@ However, I strongly recommend reading the full documentation. This post was originally intended as a collection of answers to questions I had when I first started using XMPP with OMEMO. -It isn’t meant to be exhaustive or formal, +It isn't meant to be exhaustive or formal, but rather to clarify the practical side of things and reduce that initial feeling of being lost when you keep running into "The message was not encrypted for this device" over and over again. -From now on, I hope you won’t encounter errors like this +From now on, I hope you won't encounter errors like this or any other issues with end-to-end encryption in XMPP. From 3263be22c9bf3ae988719a985e9b3ea72e384764 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 00:55:58 +0200 Subject: [PATCH 29/38] typograf: add common/punctuation/apostrophe --- tools/typograf.js | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/typograf.js b/tools/typograf.js index 2319865..2b7ed50 100644 --- a/tools/typograf.js +++ b/tools/typograf.js @@ -25,6 +25,7 @@ const tp = new Typograf({ const enabledRules = [ 'common/nbsp/*', + 'common/punctuation/apostrophe', 'common/punctuation/quote', 'en-US/dash/main', 'ru/dash/main', From e53110547d46e03251715c95ceecfce4c12c3897 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 01:18:42 +0200 Subject: [PATCH 30/38] posts: encrypted_XMPP: linting --- src/pages/posts/2026/encrypted_XMPP.md | 477 ++++++++++++++----------- 1 file changed, 262 insertions(+), 215 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 51e5b41..909e317 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -11,346 +11,392 @@ description: 'Secure and private messaging with XMPP and OMEMO encryption.' --- -# End-to-End Encryption in XMPP with OMEMO +# End-to-End Encryption in XMPP with OMEMO -I find it funny that twenty years ago I was already trying -to get people to switch to XMPP. +I find it funny that twenty years ago I was already trying +to get people to switch to XMPP. -For a long time, ICQ was extremely popular around me, +For a long time, ICQ was extremely popular around me, but the proprietary messenger kept breaking things for people using alternative clients, which was quite annoying. -After yet another round of this pointless battle -I realized clearly that I prefer protocols over services. +After yet another round of this pointless battle +I realized clearly that I prefer protocols over services. -I didn't have much success back then, -but fortunately, XMPP (and I hope I have too) +I didn’t have much success back then, +but fortunately, XMPP (and I hope I have too) has continued moving forward over the past two decades. -It has developed slowly, sometimes awkwardly, but steadily. +It has developed slowly, sometimes awkwardly, but steadily. -Here, I won't talk about why XMPP is great or how it works. +Here, I won’t talk about why XMPP is great or how it works. You can check this guide -(one of many) and I'd rather not write another one. -In this post, I want to focus specifically on end-to-end encryption -and the practical aspects of using it. +(one of many) and I’d rather not write another one. +In this post, +I want to focus specifically on end-to-end encryption +and the practical aspects of using it. ## Short Glossary -**End-to-end encryption** is a way to keep your chats truly private.
-Only you and the person you're messaging can read the messages. -Not even the server owner has the keys needed to decrypt or modify them. +**End-to-end encryption** is a way +to keep your chats truly private.
+Only you and the person you’re messaging can read the messages. +Not even the server owner has the keys +needed to decrypt or modify them. -**XMPP** is an extensible protocol for instant messaging. -It's open, decentralized, and mature. +**XMPP** is an extensible protocol for instant messaging. +It’s open, decentralized, and mature. -**OMEMO** is a widely supported XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. You can read more about -it on a dedicated page by Daniel Gultsch. + target='_blank'>dedicated page by Daniel Gultsch. -**Client**, in this post, -means a specific instance of an XMPP application on a user device. +**Client**, in this post, +means a specific instance +of an XMPP application on a user device.
OMEMO-related documentation uses the term Device, -but I find it potentially confusing: -in practice, a single physical device can run multiple independent clients. +but I find it potentially confusing: +in practice, a single physical device +can run multiple independent clients. ## Basic Concepts -This section introduces some basics of end-to-end encryption. +This section introduces some basics of end-to-end encryption. -If you're already familiar with the concepts and terminology, +If you’re already familiar with the concepts and terminology, you can skip ahead to how end-to-end encryption affects the XMPP user experience -or jump straight to the step-by-step workflow I personally use. + href='#practical-aspects-of-omemo-and-xmpp'>how end-to-end encryption + affects the XMPP user experience, +or jump straight to the step-by-step workflow I personally use. ### Trade-offs Between Safety and Convenience Unfortunately, things that are truly secure are rarely convenient. -They often require some initial efforts and a bit of ongoing attention. +They often require some initial efforts +and a bit of ongoing attention. -Telegram, which used to be a benchmark for messenger usability +Telegram, which used to be a benchmark for messenger usability before its long dive into enshitification, really draws the line between convenience and security. Regular chats are easy and flexible, -but "secret" chats come with a full set of limitations: -they're one-on-one only, -can't be synced to another device, -aren't available on desktop at all, -and so on. +but “secret” chats come with a full set of limitations: +they’re one-on-one only, +can’t be synced to another device, +aren’t available on desktop at all, +and so on. -All commercial so-called "secure" messengers, like Signal or WhatsApp, -end up with pretty similar limitations, -because it's tricky to make end-to-end encrypted chats +All commercial so-called “secure” messengers, like Signal or WhatsApp, +end up with pretty similar limitations, +because it’s tricky to make end-to-end encrypted chats work the way users expect. -Luckily, protocols and cryptography don't care about -convenience or user expectations. -Many XMPP clients let you do almost anything you're trying to do. -Sometimes it's clunky and unintuitive, -sometimes it's the kind of freedom that lets you shoot yourself in the foot. -At the end of the day, you'd better understand what you're doing. +Luckily, protocols and cryptography don’t care about +convenience or user expectations. +Many XMPP clients let you do almost anything you’re trying to do. +Sometimes it’s clunky and unintuitive, +sometimes it’s the kind of freedom +that lets you shoot yourself in the foot. +At the end of the day, you’d better understand what you’re doing. -It might sound messy, but for that price, XMPP actually -gives you a lot of handy features: +It might sound messy, but for that price, XMPP actually +gives you a lot of handy features: your chats are secured with Signal-grade end-to-end encryption, -and you can use as many devices as you want, -all at the same time, -without being tied to any proprietary service. +and you can use as many devices as you want, +all at the same time, +without being tied to any proprietary service. -In general, the XMPP experience today -could be described as a "WhatsApp with benefits and frictions". -It's kinda ironic, considering that WhatsApp's protocol -is actually based on XMPP, but incompatibly altered and defederated. +In general, the XMPP experience today +could be described as a “WhatsApp with benefits and frictions”. +It’s kinda ironic, considering that WhatsApp’s protocol +is actually based on XMPP, but incompatibly altered and defederated. ### Keys, Fingerprints and Trust -OMEMO is based on the - +OMEMO is based on the Double Ratchet Algorithm. While the internal details are quite interesting, -for practical purposes it's enough to know that +for practical purposes it’s enough to know that each client stores some cryptographic keys -and can derive a hash from them, commonly called a fingerprint. +and can derive a hash from them, commonly called a fingerprint. -Keys are usually managed automatically by the XMPP client, -and in normal use you should never need to handle them manually. -In fact, you probably don't even need to know what they look like. +Keys are usually managed automatically by the XMPP client, +and in normal use you should never need to handle them manually. +In fact, you probably don’t even need to know what they look like. -A fingerprint lets you identify a specific client of your contact -and verify that it hasn't been spoofed. -Fingerprints for an account are not secret: -clients publish their own fingerprints to the XMPP server -and automatically receive the fingerprints of others. -Only fingerprints you explicitly mark as trusted are relevant. +A fingerprint lets you identify +a specific client of your contact +and verify that it hasn’t been spoofed. +Fingerprints for an account are not secret: +clients publish their own fingerprints to the XMPP server +and automatically receive the fingerprints of others. +Only fingerprints you explicitly mark as trusted are relevant. -In an ideal scenario, the contact should confirm in person -or through an already trusted and secure communication channel -that the fingerprint belongs to their device, -and only then you mark it as trusted. -In most XMPP clients this is simply done by ticking a checkbox -or by scanning a QR code. +In an ideal scenario, the contact should confirm in person +or through an already trusted and secure communication channel +that the fingerprint belongs to their device, +and only then you mark it as trusted. +In most XMPP clients this is simply done +by ticking a checkbox +or by scanning a QR code. -The list of trusted fingerprints is used at the moment a message is sent. -Behind the scenes, OMEMO performs a certain amount of key management, -and only the clients that are present in the trusted list -at the time of encryption will be able to decrypt the message later. +The list of trusted fingerprints +is used at the moment a message is sent. +Behind the scenes, +OMEMO performs a certain amount of key management, +and only the clients that are present in the trusted list +at the time of encryption +will be able to decrypt the message later. -It's important to understand that trust cannot be applied retroactively: -it's not possible to "extend" trust to new clients -after a message has already been encrypted and sent. +It’s important to understand +that trust cannot be applied retroactively: +it’s not possible to “extend” trust to new clients +after a message has already been encrypted and sent. -## Practical Aspects of OMEMO and XMPP +## Practical Aspects of OMEMO and XMPP ### Chat History -In theory, XMPP supports server-side message history storage via +In theory, XMPP supports server-side message history storage via **XEP-0313: Message Archive Management**. -In practice, support for this XEP, -as well as retention policies and message lifetime, -depends on the specific server. +In practice, support for this XEP, +as well as retention policies and message lifetime, +depends on the specific server. You should never assume that all conversations are stored -indefinitely by default. -From a practical standpoint, -the server-side MAM archive is better considered a cache: -it can help you handle recent messages after a short period offline -or synchronize conversations across multiple devices. +indefinitely by default. +From a practical standpoint, +the server-side MAM archive is better considered a cache: +it can help you handle recent messages after a short period offline +or synchronize conversations across multiple devices. -At the end of the day, keeping your chat history is your responsibility, -and this is a good place to apply a local-first approach. +At the end of the day, +keeping your chat history is your responsibility, +and this is a good place to apply a local-first approach. ### Synchronisation -Seamless switching between clients is handled by +Seamless switching between clients is handled by **XEP-0280: Message Carbons**. Before its introduction, only incoming messages were synced between devices, while your own outgoing messages were not. -Protocol-level mirroring of your own messages -is a rather non-obvious feature :D +Protocol-level mirroring of your own messages +is a rather non-obvious feature :D -It's important to note that with end-to-end encryption, -the concept of trusted fingerprints also applies to your own clients. -For seamless synchronisation of outgoing messages, -all your clients must trust each other's fingerprints. -A new client, -or an old one that was not trusted at the time messages were sent, -will receive the full history from MAM but will not be able to decrypt it. +It’s important to note that with end-to-end encryption, +the concept of trusted fingerprints also applies to your own clients. +For seamless synchronisation of outgoing messages, +all your clients must trust each other’s fingerprints. +A new client, +or an old one that was not trusted +at the time messages were sent, +will receive the full history from MAM +but will not be able to decrypt it.
Yes, even your own messages. -In theory, re-encrypting messages on already trusted clients -could solve this issue, but no XMPP client implements it yet. -So in practice you may need to manually resend -some data to a new device. +In theory, re-encrypting messages on already trusted clients +could solve this issue, but no XMPP client implements it yet. +So in practice you may need to manually resend +some data to a new device. ### Message Correction -It's worth keeping in mind that -features that seem simple and straightforward at first glance, -such as message editing and deletion, -actually rely on client-side implementation +It’s worth keeping in mind that +features that seem simple and straightforward at first glance, +such as message editing and deletion, +actually rely on client-side implementation and may not behave for your recipient the way you expect. -They're fine to use and are well supported in some clients, -but you shouldn't rely on them to hide anything. +They’re fine to use and are well supported in some clients, +but you shouldn’t rely on them to hide anything. ### Maintenance -OMEMO was designed as a set-it-and-forget-it solution, -and it mostly succeeds in that goal. -If you have a basic understanding of how the protocol works -and check in online from time to time, -there shouldn't be any surprises. +OMEMO was designed as a set-it-and-forget-it solution, +and it mostly succeeds in that goal. +If you have a basic understanding of how the protocol works +and check in online from time to time, +there shouldn’t be any surprises. -All maintenance comes down to making regular backups +All maintenance comes down to making regular backups and notifying your contacts -when fingerprints are added or no longer valid -so they can keep their trust list up to date. +when fingerprints are added or no longer valid +so they can keep their trust list up to date. ## Step-by-Step Guide -Let's say I have a XMPP account, `me@some.server`, -and a few devices: a phone, a laptop, and a desktop computer. -First I'll describe my mindset at a high level, -then I'll add some notes about specific clients. +Let’s say I have a XMPP account, `me@some.server`, +and a few devices: +a phone, a laptop, and a desktop computer. +First I’ll describe my mindset at a high level, +then I’ll add some notes about specific clients. ### Client Roles -On the one hand, I have my phone. -It's almost always with me and almost always online. -That's where I keep the full chat history and get real-time notifications. +On the one hand, I have my phone. +It’s almost always with me and almost always online. +That’s where I keep the full chat history +and get real-time notifications. -On the other hand, I have a couple of desktop applications. -I only open them when I need to discuss something using my keyboard -or share some text between devices. -I like to think of them as satellite clients. +On the other hand, I have a couple of desktop applications. +I only open them +when I need to discuss something using my keyboard +or share some text between devices. +I like to think of them as satellite clients. ### Before the Start -First, enable OMEMO encryption on every client if it isn't enabled by default. +First, enable OMEMO encryption +on every client if it isn’t enabled by default. -The next step is to add all clients to the trust list on each device: -my phone should trust all my computers, -and my computers should trust each other as well as my phone. +The next step is to add +all clients to the trust list on each device: +my phone should trust all my computers, +and my computers should trust each other +as well as my phone. -Fingerprints do not have to be secret, so they can be published on -your website or even on social media profiles. -Here is my page with the fingerprints, for example: +Fingerprints do not have to be secret, +so they can be published on +your website or even on social media profiles. +Here is my page with the fingerprints, for example:
https://oddsquat.org/about/keys/ -### Start the Conversation in Person +### Start the Conversation in Person -Let's say I meet Alice, -we start talking, and then decide to continue the conversation online. +Let’s say I meet Alice, +we start talking, +and then decide to continue the conversation online. -I open a special QR code on my phone, and Alice scans it with her client. -This QR code already contains the fingerprints of all my devices, -so no extra steps are needed on her phone. -After that, I do the same and scan her QR code as well. +I open a special QR code on my phone, +and Alice scans it with her client. +This QR code already contains +the fingerprints of all my devices, +so no extra steps are needed on her phone. +After that, I do the same +and scan her QR code as well. -Later at home, I manually mark her devices as trusted on my computers -using the trusted list on my phone, and she does the same. +Later at home, +I manually mark her devices as trusted on my computers +using the trusted list on my phone, and she does the same. -Now we are both sure that it is really us in the conversation, -and that all messages will be available on all our devices and only on them. +Now we are both sure +that it is really us in the conversation, +and that all messages will be available +on all our devices and only on them. ### Start the Conversation Online -Let's say Bob and I start discussing something -on a forum or in the Fediverse, -and then decide to continue the discussion on XMPP. +Let’s say Bob and I start discussing something +on a forum or in the Fediverse, +and then decide to continue the discussion on XMPP. -Bob starts the chat. I trust the first device he messages me from, -and then we exchange fingerprints for our other devices, if we have any. -This approach is called TOFU (Trust On First Use). +Bob starts the chat. +I trust the first device he messages me from, +and then we exchange fingerprints for our other devices, +if we have any. +This approach is called TOFU (Trust On First Use). -Bob can confirm it's really me using my page with fingerprints. -I can confirm it's really him by asking him to send his fingerprints -in a private message on the same forum or via email. +Bob can confirm it’s really me using my page with fingerprints. +I can confirm it’s really him +by asking him to send his fingerprints +in a private message on the same forum or via email. -Ideally, Bob also has a public page with his fingerprints. -That way, we can both independently verify -that we are who we say we are. +Ideally, Bob also has a public page with his fingerprints. +That way, we can both independently verify +that we are who we say we are. -### New or Lost Devices +### New or Lost Devices -If I start using a new device or install another client application, -the first thing I do is add it to the list of trusted clients -on my existing devices. +If I start using a new device +or install another client application, +the first thing I do is add it to the list +of trusted clients on my existing devices. -If I lose one of my devices or delete any private keys, -the first thing I do is remove the corresponding client -from the trusted list on my other devices. +If I lose one of my devices +or delete any private keys, +the first thing I do is remove the corresponding client +from the trusted list on my other devices. -Once I've updated all my personal lists, -I should inform my contacts about changes via trusted channels. +Once I’ve updated all my personal lists, +I should inform my contacts about changes via trusted channels. -I can simply ask Alice to scan my new QR code the next time we meet, -and send Bob a message introducing my new client or letting him know -that the lost device is no longer trusted -and that no real messages will ever come from it again. +I can simply ask Alice to scan +my new QR code the next time we meet, +and send Bob a message introducing +my new client or letting him know +that the lost device is no longer trusted +and that no real messages will ever come from it again. ## Client Applications -This section describes how OMEMO is used in specific client applications -that I personally use. +This section describes +how OMEMO is used in specific client applications +that I personally use. ### Conversations and Forks -Conversations is a modern, fully featured chat application for Android. -It supports everything a messaging app should support: -chats, voice calls, video calls, and sharing files of any kind. +Conversations is a modern, +fully featured chat application for Android. +It supports everything a messaging app should support: +chats, voice calls, video calls, and sharing files of any kind. -There are several forks of it where the UI or UX may differ, +There are several forks of it where +the UI or UX may differ, but the core features work exactly the same. -I personally use Monocles Chat. +I personally use Monocles Chat. -On the Contact Details screen (including your own account), -you can see a list of published fingerprints -and manually mark them as trusted or revoke trust. +On the Contact Details screen (including your own account), +you can see a list of published fingerprints +and manually mark them as trusted or revoke trust. -To simplify all these routine operations, a QR-code-based system is used: -you can show your own QR code or scan other people's codes +To simplify all these routine operations, +a QR-code-based system is used: +you can show your own QR code or scan other people’s codes directly from the main screen. -This makes device verification during in-person meetings simple and effortless. +This makes device verification during in-person meetings +simple and effortless. ### Dino -Dino is a lightweight GTK-based GUI client. +Dino is a lightweight GTK-based GUI client. -It can be considered a fully functional one, +It can be considered a fully functional one, although some non-essential features are still not implemented. For example, -it is not possible to clear local chat history using built-in methods :D +it is not possible to clear local chat history +using built-in methods :D -Trust and untrust decisions can be easily managed -in the Encryption tab of the Conversation Details window. +Trust and untrust decisions can be easily managed +in the Encryption tab of the Conversation Details window. -It is important to note that, by default, Dino is configured -to automatically trust new fingerprints. -I recommend disabling this feature. +It is important to note that, +by default, Dino is configured +to automatically trust new fingerprints. +I recommend disabling this feature. ### Profanity -Profanity is a powerful TUI client -where everything is controlled through a built-in command system. +Profanity is a powerful TUI client +where everything is controlled through a built-in command system. -If you somehow intend to use it, -you can find a small cheat sheet for the `/omemo` command below. -However, I strongly recommend reading the full documentation. +If you somehow intend to use it, +you can find a small cheat sheet for the `/omemo` command below. +However, I strongly recommend reading the full documentation. -- Generate a key and add your other clients: +- Generate a key and add your other clients: ```text /omemo gen /omemo trust me@some.server some-cool-fingerprint-01 @@ -358,41 +404,42 @@ However, I strongly recommend reading the full documentation. /omemo qrcode ``` -- View the list of your own or someone else's fingerprints: +- View the list of your own or someone else’s fingerprints: ```text /omemo fingerprint me@some.server /omemo fingerprint alice@another.server ``` - Trusted ones will be marked as `trusted`. + Trusted ones will be marked as `trusted`. -- Start an encrypted conversation: +- Start an encrypted conversation: ```text /omemo start alice@another.server ``` -- Add fingerprints to the trusted list: +- Add fingerprints to the trusted list: ```text /omemo trust alice@another.server some-cool-fingerprint-02 /omemo trust alice@another.server some-cool-fingerprint-03 /omemo trust bob@another.server some-cool-fingerprint-04 ``` -- Revoke trust for a specific client: +- Revoke trust for a specific client: ```text /omemo untrust alice@another.server some-cool-fingerprint-02 ``` ## Late Disclaimer -This post was originally intended as a collection of answers to questions -I had when I first started using XMPP with OMEMO. +This post was originally intended +as a collection of answers to questions +I had when I first started using XMPP with OMEMO. -It isn't meant to be exhaustive or formal, -but rather to clarify the practical side of things -and reduce that initial feeling of being lost +It isn’t meant to be exhaustive or formal, +but rather to clarify the practical side of things +and reduce that initial feeling of being lost when you keep running into -"The message was not encrypted for this device" +“The message was not encrypted for this device” over and over again. -From now on, I hope you won't encounter errors like this -or any other issues with end-to-end encryption in XMPP. +From now on, I hope you won’t encounter errors like this +or any other issues with end-to-end encryption in XMPP. From 9b2eb33e8ed16ee3d3a4107eb55766e5da20ba4b Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 01:19:01 +0200 Subject: [PATCH 31/38] posts: encrypted_XMPP: fixup hrefs --- src/pages/posts/2026/encrypted_XMPP.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 909e317..5950d81 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -163,7 +163,9 @@ that trust cannot be applied retroactively: it’s not possible to “extend” trust to new clients after a message has already been encrypted and sent. -## Practical Aspects of OMEMO and XMPP +

+ Practical Aspects of OMEMO and XMPP +

### Chat History From ac7c41b185bda6ffdf054f75e5e4f33ce6f6d440 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 01:22:03 +0200 Subject: [PATCH 32/38] about: typograf --- src/pages/about.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/about.html b/src/pages/about.html index 204bb91..01b1af1 100644 --- a/src/pages/about.html +++ b/src/pages/about.html @@ -25,7 +25,7 @@ description: 'General info about this website and the author'

- I'm a front-end developer and a big fan of open-source, + I’m a front-end developer and a big fan of open-source, customization, and minimalist software.
Member of the BadBar crew, From c7c9a038fea3b79d0f49215ce682522cec939df3 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 01:24:15 +0200 Subject: [PATCH 33/38] projects: typograf --- src/pages/projects.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/projects.md b/src/pages/projects.md index 6172c8d..a7593f6 100644 --- a/src/pages/projects.md +++ b/src/pages/projects.md @@ -123,7 +123,7 @@ Incomplete list of my projects and experiments. -

- Cantor MX Tastatura + Cantor MX Tastatura
@@ -141,7 +141,7 @@ Incomplete list of my projects and experiments.
- Huge custom ergonomic mechanical Dactyl-Manuform (5×6) keyboard. + Huge custom ergonomic mechanical Dactyl-Manuform (5×6) keyboard.
repository From 84bcd31301f445b11bab5c27b772ac34e5d90d83 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 01:25:50 +0200 Subject: [PATCH 34/38] lost+found: typograf --- src/pages/lost+found.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/pages/lost+found.md b/src/pages/lost+found.md index 9a3e36e..1f247f5 100644 --- a/src/pages/lost+found.md +++ b/src/pages/lost+found.md @@ -200,7 +200,7 @@ in the middle of a conversation.
Interactive articles about physics, math, and engineering. - It's probably the best website on the entire internet.
+ It’s probably the best website on the entire internet.
My favorite post is the one about bicycles.
@@ -245,7 +245,7 @@ in the middle of a conversation.
Torrenting can leave traces.
Check torrent downloads and distributions - for your own or your neighbor's IP address. + for your own or your neighbor’s IP address.
@@ -300,7 +300,7 @@ in the middle of a conversation.
- Ask HN: Programmers who don't use autocomplete/LSP, how do you do it? + Ask HN: Programmers who don’t use autocomplete/LSP, how do you do it?
@@ -314,7 +314,7 @@ in the middle of a conversation.
- Your Computer Isn't Yours + Your Computer Isn’t Yours
@@ -411,7 +411,7 @@ in the middle of a conversation.
- Most software tutorials suck. Here's how to make one that doesn't. + Most software tutorials suck. Here’s how to make one that doesn’t.
From 6b5efce0c8e8866e4db9291f1a60b9cb11f6b5d6 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 02:02:56 +0200 Subject: [PATCH 35/38] pages: reorder data fields --- src/pages/about.html | 2 +- src/pages/about/keys.md | 5 +++-- src/pages/index.ejs | 3 ++- src/pages/posts.md | 2 +- src/pages/posts/2020/initial_post.md | 9 ++++----- src/pages/posts/2020/typographic_linter.md | 9 ++++----- src/pages/posts/2024.md | 1 - src/pages/posts/2024/selfhosted_llm.md | 9 ++++----- src/pages/posts/2024/wrapped_bw_ru.md | 10 +++++----- src/pages/posts/2026.md | 6 ++++++ src/pages/posts/2026/encrypted_XMPP.md | 9 +++++---- src/pages/posts/2026/ugly_keyboards_ru.md | 9 +++++---- src/pages/test.md | 9 ++++----- 13 files changed, 44 insertions(+), 39 deletions(-) create mode 100644 src/pages/posts/2026.md diff --git a/src/pages/about.html b/src/pages/about.html index 01b1af1..f936f72 100644 --- a/src/pages/about.html +++ b/src/pages/about.html @@ -4,7 +4,7 @@ layout: post lang: 'en' title: 'about' -description: 'General info about this website and the author' +description: 'General info about this website and the author.' --- diff --git a/src/pages/about/keys.md b/src/pages/about/keys.md index e5145cc..910b8e8 100644 --- a/src/pages/about/keys.md +++ b/src/pages/about/keys.md @@ -2,12 +2,13 @@ layout: post lang: 'en' -date: '2026-04-05' -section: 'about' title: 'keys' description: 'Public keys and fingerprints.' +section: 'about' +date: '2026-04-05' + --- # Public Keys and Fingerprints diff --git a/src/pages/index.ejs b/src/pages/index.ejs index 336d045..a30b27a 100644 --- a/src/pages/index.ejs +++ b/src/pages/index.ejs @@ -1,6 +1,7 @@ --- -description: 'My own private fanzine' +description: 'My own private fanzine.' + css: - index diff --git a/src/pages/posts.md b/src/pages/posts.md index e6cbe7e..498cd8c 100644 --- a/src/pages/posts.md +++ b/src/pages/posts.md @@ -4,7 +4,7 @@ layout: post lang: 'en' title: 'posts' -description: 'Сomplete list of posts' +description: 'Сomplete list of posts.' --- diff --git a/src/pages/posts/2020/initial_post.md b/src/pages/posts/2020/initial_post.md index 42075d6..e56ee0b 100644 --- a/src/pages/posts/2020/initial_post.md +++ b/src/pages/posts/2020/initial_post.md @@ -1,16 +1,15 @@ --- layout: post - lang: 'ru' -date: '2020-11-08' - -year: '2020' -section: 'posts' title: 'initial post' description: 'Первый пост в этом фэнзине, рассказывающий о его внутреннем устойстве.' +section: 'posts' +year: '2020' +date: '2020-11-08' + --- # Initial Post diff --git a/src/pages/posts/2020/typographic_linter.md b/src/pages/posts/2020/typographic_linter.md index be94f32..245e55a 100644 --- a/src/pages/posts/2020/typographic_linter.md +++ b/src/pages/posts/2020/typographic_linter.md @@ -1,16 +1,15 @@ --- layout: post - lang: 'ru' -date: '2020-11-18' - -year: '2020' -section: 'posts' title: 'typographic linter' description: 'Prettier для текста. Автоматизация рутинной типографики.' +section: 'posts' +year: '2020' +date: '2020-11-18' + --- # Типографика как code style diff --git a/src/pages/posts/2024.md b/src/pages/posts/2024.md index d1b54b3..ecca402 100644 --- a/src/pages/posts/2024.md +++ b/src/pages/posts/2024.md @@ -4,4 +4,3 @@ layout: redirect redirectTarget: '/posts/#2024' --- - diff --git a/src/pages/posts/2024/selfhosted_llm.md b/src/pages/posts/2024/selfhosted_llm.md index 1b6cdb1..3952ce4 100644 --- a/src/pages/posts/2024/selfhosted_llm.md +++ b/src/pages/posts/2024/selfhosted_llm.md @@ -1,16 +1,15 @@ --- layout: post - lang: 'ru' -date: '2024-01-15' - -year: '2024' -section: 'posts' title: 'selfhosted LLM' description: 'Персональные LLM в docker-контейнере на твоём компьютере.' +section: 'posts' +year: '2024' +date: '2024-01-15' + --- # Your Own Private Large Language Models diff --git a/src/pages/posts/2024/wrapped_bw_ru.md b/src/pages/posts/2024/wrapped_bw_ru.md index db685e9..f55b5b7 100644 --- a/src/pages/posts/2024/wrapped_bw_ru.md +++ b/src/pages/posts/2024/wrapped_bw_ru.md @@ -1,15 +1,15 @@ --- layout: post - lang: 'ru' -date: '2024-07-27' - -year: '2024' -section: 'posts' title: 'wrapped bw' description: 'Превращаем fully-featured Bitwarden command-line interface в удобный.' + +section: 'posts' +year: '2024' +date: '2024-07-27' + --- # Интеграция Bitwarden CLI с fzf и буфером обмена diff --git a/src/pages/posts/2026.md b/src/pages/posts/2026.md new file mode 100644 index 0000000..cf8324c --- /dev/null +++ b/src/pages/posts/2026.md @@ -0,0 +1,6 @@ +--- + +layout: redirect +redirectTarget: '/posts/#2026' + +--- diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 5950d81..d3ddbc9 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -2,12 +2,13 @@ layout: post lang: 'en' + +title: 'encrypted XMPP' +description: 'Secure and private messaging with XMPP and OMEMO encryption.' + +section: 'posts' year: '2026' date: '2026-04-07' -section: 'posts' - -title: 'encrypted_XMPP' -description: 'Secure and private messaging with XMPP and OMEMO encryption.' --- diff --git a/src/pages/posts/2026/ugly_keyboards_ru.md b/src/pages/posts/2026/ugly_keyboards_ru.md index 3b3adb6..9a72747 100644 --- a/src/pages/posts/2026/ugly_keyboards_ru.md +++ b/src/pages/posts/2026/ugly_keyboards_ru.md @@ -2,12 +2,13 @@ layout: post lang: 'ru' + +title: 'ugly keyboards' +description: 'Почему нас окружают уродливые клавиатуры и что с этим можно сделать.' + +section: 'posts' year: '2026' date: '2026-03-18' -section: 'posts' - -title: 'ugly_keyboards' -description: 'Почему нас окружают уродливые клавиатуры и что с этим можно сделать.' --- diff --git a/src/pages/test.md b/src/pages/test.md index 727d8fb..7066777 100644 --- a/src/pages/test.md +++ b/src/pages/test.md @@ -1,16 +1,15 @@ --- layout: post - lang: 'en' -date: '2020-10-30' - -year: '2020' -section: 'posts' title: 'markdown test page' description: 'A test document written using the Markdown language.' +section: 'posts' +year: '2020' +date: '2020-10-30' + --- # Markdown: Syntax From 5845885ce8515d8f24ee4e8fe5b1bf1a26783be2 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 03:11:28 +0200 Subject: [PATCH 36/38] posts: encrypted_XMPP: update draft --- src/pages/posts/2026/encrypted_XMPP.md | 55 ++++++++++++++++---------- 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index d3ddbc9..723a216 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -57,7 +57,7 @@ XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. You can read more about it on a dedicated page by Daniel Gultsch. **Client**, in this post, @@ -143,13 +143,10 @@ clients publish their own fingerprints to the XMPP server and automatically receive the fingerprints of others. Only fingerprints you explicitly mark as trusted are relevant. -In an ideal scenario, the contact should confirm in person +In an typical scenario, the contact should confirm in person or through an already trusted and secure communication channel that the fingerprint belongs to their device, and only then you mark it as trusted. -In most XMPP clients this is simply done -by ticking a checkbox -or by scanning a QR code. The list of trusted fingerprints is used at the moment a message is sent. @@ -226,8 +223,8 @@ but you shouldn’t rely on them to hide anything. ### Maintenance -OMEMO was designed as a set-it-and-forget-it solution, -and it mostly succeeds in that goal. +OMEMO was designed as a set-it-and-forget-it solution +and mostly succeeds in that goal. If you have a basic understanding of how the protocol works and check in online from time to time, there shouldn’t be any surprises. @@ -306,12 +303,7 @@ Let’s say Bob and I start discussing something on a forum or in the Fediverse, and then decide to continue the discussion on XMPP. -Bob starts the chat. -I trust the first device he messages me from, -and then we exchange fingerprints for our other devices, -if we have any. -This approach is called TOFU (Trust On First Use). - +Before starting the chat, Bob can confirm it’s really me using my page with fingerprints. I can confirm it’s really him by asking him to send his fingerprints @@ -321,6 +313,16 @@ Ideally, Bob also has a public page with his fingerprints. That way, we can both independently verify that we are who we say we are. +In an alternative scenario, +where there has been no prior communication or public pages +and only a single JID is known, +things play out a bit differently: +Bob starts the chat, +I trust the first device he messages me from, +and then we exchange fingerprints for our other devices, +if we have any. +This approach is called TOFU (Trust On First Use). + ### New or Lost Devices If I start using a new device @@ -351,7 +353,10 @@ that I personally use. ### Conversations and Forks -Conversations is a modern, + + Conversations is a modern, fully featured chat application for Android. It supports everything a messaging app should support: chats, voice calls, video calls, and sharing files of any kind. @@ -359,7 +364,10 @@ chats, voice calls, video calls, and sharing files of any kind. There are several forks of it where the UI or UX may differ, but the core features work exactly the same. -I personally use Monocles Chat. +I personally use + Monocles Chat. On the Contact Details screen (including your own account), you can see a list of published fingerprints @@ -374,7 +382,10 @@ simple and effortless. ### Dino -Dino is a lightweight GTK-based GUI client. + + Dino is a lightweight GTK-based GUI client. It can be considered a fully functional one, although some non-essential features are still not implemented. @@ -392,11 +403,14 @@ I recommend disabling this feature. ### Profanity -Profanity is a powerful TUI client + + Profanity is a powerful TUI client where everything is controlled through a built-in command system. If you somehow intend to use it, -you can find a small cheat sheet for the `/omemo` command below. +you can find a small cheat sheet for the `omemo` command below. However, I strongly recommend reading the full documentation. - Generate a key and add your other clients: @@ -444,5 +458,6 @@ when you keep running into “The message was not encrypted for this device” over and over again. -From now on, I hope you won’t encounter errors like this -or any other issues with end-to-end encryption in XMPP. +From now on, I hope you won’t encounter such errors +or any other issues +connected to end-to-end encryption in XMPP. From 4d748478791590fe911508585912d8f60ccf1f65 Mon Sep 17 00:00:00 2001 From: He4eT Date: Thu, 16 Apr 2026 03:13:51 +0200 Subject: [PATCH 37/38] posts: encrypted_XMPP: update date --- src/pages/posts/2026/encrypted_XMPP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/posts/2026/encrypted_XMPP.md b/src/pages/posts/2026/encrypted_XMPP.md index 723a216..74a34bf 100644 --- a/src/pages/posts/2026/encrypted_XMPP.md +++ b/src/pages/posts/2026/encrypted_XMPP.md @@ -8,7 +8,7 @@ description: 'Secure and private messaging with XMPP and OMEMO encryption.' section: 'posts' year: '2026' -date: '2026-04-07' +date: '2026-04-16' --- From a29b3e9e6706107bfbc14150604e8014b6207e69 Mon Sep 17 00:00:00 2001 From: He4eT Date: Wed, 22 Apr 2026 03:50:01 +0200 Subject: [PATCH 38/38] projects: unify articles --- src/pages/projects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/projects.md b/src/pages/projects.md index a7593f6..175f32f 100644 --- a/src/pages/projects.md +++ b/src/pages/projects.md @@ -107,7 +107,7 @@ Incomplete list of my projects and experiments.
- A lightweight SpaceAPI server with both web and REST interfaces. + Lightweight SpaceAPI server with both web and REST interfaces.
repository