XMPP Service Operators - 2023-12-28


  1. kilroy

    XMPP-Server *xmpp.pingu.at* is going down by the end of this year. This is what the admin says... https://woodquarter.pingu.at/jabber.php (German web page)

    > Note on our own behalf: In view of the current news coverage and the growing impression in recent years that the EU states are willing to significantly increase the pressure of surveillance (data retention, chat control, state-enforced root certificate) and to make service operators responsible for the content of the users acting on the server, I see myself forced to deactivate the private XMPP server at the end of 2023. I no longer consider XMPP to be a recommendable and up-to-date chat protocol, as it cannot protect users in accordance with the current possible threats. In particular, the protection of *meta data* is not guaranteed. Furthermore, user data is stored on XMPP servers that would have to be handed over to the state, if requested. As a server operator, I do not want to take on this responsibility. For data protection reasons, I therefore recommend the use of SimpleX (https://simplex.chat/), because all relevant data is only stored on the end devices. The proxy servers only contain untraceable, encrypted data packets.

    So if you have connection problems with this server soon, you know why.

  2. micaela

    Has JET made any progress?

  3. moparisthebest

    lol so silly

  4. techmetx11

    kilroy: EU takes one step (GDPR) and then takes hundreds of thousands of steps backwards

  5. Menel

    They discuss all this.. Nothing exists yet. And hopefully most of it never will.

  6. Menel

    Of course taking control over a server is nothing new and exists worldwide.

  7. moparisthebest

    I decided to look at SimpleX again to refresh my memory of how they "have no metadata", they "solve" this by "having multiple servers, and your client picks servers for each chat randomly, so no server has all your metadata" except... 2 seconds of investigation reveals that *they* run all the servers, so *they* have all your metadata, and we are back to Signal-level "we pinky promise we won't look" "security", it's all so tiresome...

  8. moparisthebest

    once again XMPP is superior, as only your server, and your clients have any metadata about your communications, and you can each run your own

  9. moparisthebest

    once again XMPP is superior, as only your server, and your contact's server has any metadata about your communications, and you can each run your own

  10. kilroy

    > They discuss all this..
    > Nothing exists yet. And hopefully most of it never will.

    Hopefully, yes. Hope is the last thing to die. But one thing has long been true: Meta data matters. We should minimize it.

  11. deport

    > Meta data matters. We should minimize it.

    I read this as "Meta data matters. We should mine it." lol

  12. deport

    I had to read again to get it right

  13. moparisthebest

    I agree, and we already do, XMPP already has far less metadata than any of the other alternatives that lie about having less metadata (Signal, SimpleX, whatever)

  14. ibikk

    moparisthebest: everyone can run smp Servers, I think: https://simplex.chat/docs/server.html

  15. moparisthebest

    > moparisthebest: everyone can run smp Servers, I think: https://simplex.chat/docs/server.html

    sure, and *checks notes* no clients will connect to them without manual configuration, which means in practice, everyone uses the ones run by simplex themselves

  16. kilroy

    moparisthebest:

    > they run all the servers, so they have all your metadata...

    No, no :-) This is not true. They solve it by having no user IDs. The SMP servers are absolutely not comparable with XMPP-Servers. SMP servers have no user data stored. They are simply dumb relay servers with encrypted data packets. And in addition, everybody can run their own SMP-Servers and configure the clients to use them. Please do not spread false information based on a lack of knowledge. SimpleX has very good documentation. You have the chance to get all the information. Concerning meta data: Have a look here: https://www.messenger-matrix.de/messenger-matrix-en.html

  17. moparisthebest

    no thanks, I already know that XMPP is best and everything else is worthless and/or snake oil

  18. kilroy

    LOL

  19. kilroy

    I don't want to go into the subject in depth here. I just wanted to inform you. Thank you!

  20. ☭Mike Yellow

    kilroy is the owner of the SimpleX room on XMPP: xmpp:simplex@conference.conversations.im?join

  21. ☭Mike Yellow

    Surely they approve SimpleX.

  22. ☭Mike Yellow

    Surely they approves SimpleX.

  23. MattJ

    While moparisthebest is uncompromisingly opinionated as ever, I'll note that "metadata" includes IP addresses and timing information that may not be explicitly part of the protocol

  24. moparisthebest

    and timing and size of messages, all of which can be trivially de-anonymized to determine who is messaging who when you run *all the servers in the network*

  25. kilroy

    ☭Mike Yellow: I just wanted to correct misinformation. I am not advertising SimpleX here.

  26. Licaon_Kter

    Simplex ~has~needs: message server, file server, group server and identity server, right?

  27. kilroy

    moparisthebest:

    > can be trivially de-anonymized to determine who is messaging who when you run *all the servers in the network*

    simply wrong

    - Temporary anonymous pairwise identifiers
    - Out-of-band key exchange
    - 2 layers of end-to-end encryption
    - Additional layer of server encryption
    - Message mixing to reduce correlation
    - Unidirectional message queues
    - Multiple layers of content padding

  28. Menel

    Maybe we need to create a raspberry pi flashable snikketOS. If you have all your Metadata at home... *you* have all the Metadata

  29. micaela

    kilroy: have they actually implemented circuit rotation? Or are they still persisting the path of all chats which effectively acts as a long term identifier?

  30. Menel

    This may be the time to move that discussion to the simplex room

  31. jonas’

    Menel, not sure if you're joking, but I actually have a checkout of the rpi image build tools somewhere because of exactly that line of thought

  32. moparisthebest

    kilroy: and it's all worthless snake oil when the same company runs all the servers, owns all the implementations, and can unilaterally change (and push updates to) the clients and servers at their whim, that's the last I'll say on the subject here

  33. jonas’

    and yeah, moparisthebest, kilroy, micaela, please move this to xmpp:simplex@conference.conversations.im?join.

  34. Menel

    jonas’: not joking. The biggest issue left there is setting up a domain then. (and this I should maybe put in the snikket room too 🙂)

  35. hello

    > Maybe we need to create a raspberry pi flashable snikketOS.
    > If you have all your Metadata at home...
    > *you* have all the Metadata

    having shipped rpi's to normal users (non-admins), it can work

  36. Menel

    *probably

  37. hello

    the vast majority of issues were around people's ISP and NAT/CGNAT

  38. deimos

    why dino can't remember my nickname is....sigh

  39. micaela

    Menel: bashrc did that with libreserver and it uses onions

  40. moparisthebest

    I have a plan for automatic domains and firewall bypass for hosting Snikket at home, just gotta get back to it...

  41. kilroy

    jonas’: It is still on the roadmap: "SMP queue redundancy and rotation (manual is supported)."

  42. kilroy

    ah, sorry, micaela was asking...

  43. Martin

    > Maybe we need to create a raspberry pi flashable snikketOS.
    > If you have all your Metadata at home...
    > *you* have all the Metadata

    Only if you do not interact with other servers.

  44. Licaon_Kter

    ...and if your users don't install clients from Play or Appstore

  45. savagepeanut

    > the vast majority of issues were around people's ISP and NAT/CGNAT

    Add preconfigured yggdrasil to the theoretical Snikket OS :)

  46. Menel

    Martin: in 99,9% I don't 🙂 (besides public channels) and yes, client Metadata is in the hands of clients. For every app or service.

  47. Martin has contacts on many servers.

  48. moparisthebest

    Martin: but server A only has metadata about your contacts on server A, server B only... etc, much different than a "network" where all the servers are run by the same entity, or where all data is replicated across all servers...

  49. Martin

    Of course.

  50. karolyi

    crossposting from #TBOT, valuable information for those who care/are interested:

    okay, so in light of the recent XMPP MitM attack: setting CAA records is not the ultimate solution against having illegitimate certs. The CAA record is not checked by browsers; once one accepted CA gets subverted/goes rogue, it can issue certificates for any domain, in which case CAA is worth jack shit. It's only working assuming all CAs will check the CAA records and refuse issuing certificates for domains that are set up with these records.

    Rob Braxman basically proposed the same solution that I had in mind earlier: https://odysee.com/@RobBraxmanTech:6/Pki-x2:2

    Also, make sure you know that when using Cloudflare for your domains, it will put CAA records into your CF-managed DNS zone: https://developers.cloudflare.com/ssl/edge-certificates/troubleshooting/caa-records/

  51. jonas’

    it is known: channel binding and DANE are the way to go for xmpp

  52. karolyi

    hear hear

  53. Licaon_Kter

    karolyi: ain't CF a mitm itself? Lol

  54. karolyi

    it is

  55. karolyi

    by definition

  56. Menel

    https://share.snikket.de/yObcgQyGID0UG4MDGZzubQVv/Imagepipe_4.webp

  57. Menel

    😎

  58. karolyi

    what client is this?

  59. Menel

    (DANE 👍) Cheogram (android)

  60. karolyi

    thanks. I'm trying to convince the guy behind fairemail about it being possible :)

  61. Licaon_Kter

    karolyi: go easy on Marcel, you can either nerd snipe him or make him take the app down in the Play store :))

  62. karolyi

    nah, he's a cool guy, we're having a civil conversation

  63. karolyi

    the point isn't to implement it right away, but to keep it in the back of his mind

  64. karolyi

    thanks for the tip on cheogram though, I've removed blabber.im and installed it

  65. oxpa

    I see mitm of j.ru still makes some noise. Would have never guessed... But I have a related question: I also happened to manage juick.com. And if you check the certificate for i.juick.com, it was issued yesterday (27th of December). But I can't find this cert in crt.sh. Does anyone know if there is a known issue with crt.sh?

  66. oxpa

    I'm sorry if the question is not xmpp related, but I'm not sure where else I can ask this

  67. oxpa

    looking at some names here: by j.ru I mean jabber.ru, just to make it clear