Modern XMPP project discussion - 2025-03-20


  1. erebion

    Why isn't ATM (https://github.com/olomono/atm?tab=readme-ov-file) used in a lot more clients?

    👍 1
  2. erebion

    Pub Key verification is sooo annoying :/

  3. erebion

    I use four devices, my boyfriend uses three. Then he logs in to a fourth device. Suddenly we start reading long hex numbers to each other for a couple of minutes.

  4. erebion

    This is currently my biggest annoyance and the reason most people reject the idea of using XMPP: It's too annoying to verify keys.

  5. erebion

    So I'm really curious why this isn't in, like, every client?! :D

  6. Link Mauve

    erebion, no, most people don’t ever verify keys.

  7. erebion

    Have you considered that my "most people" does not fully overlap with your "most people"?

  8. Link Mauve

    I was talking about most people, not people around you that I don’t know.

  9. Zash

    Consider upvoting or filing feature requests in clients. Client devs may be more likely to implement it if they see that there is demand.

  10. Kris

    > Why isn't ATM (https://github.com/olomono/atm?tab=readme-ov-file) used in a lot more clients?

    Because if you outsource device verification like that you might as well not do it at all.

  11. lovetox

    yeah .. it's like, if your threat model is really that you believe that somebody intercepts your communication, why would you trust some automatic key verify thingy

  12. lovetox

    and if that's not your threat model, why do you not simply use blind trust, which most clients support.

  13. mathieui

    Kris, I would disagree, cross-signing/cross-approving keys is a useful feature that can significantly the friction of using E2EE securely

  14. mathieui

    Kris, I would disagree, cross-signing/cross-approving keys is a useful feature that can significantly reduce the friction of using E2EE securely

  15. lovetox

    but it only reduces the friction if someone decides for themselves that they want friction and disables blind trust

  16. mathieui

    I said securely

  17. mathieui

    I do agree with Link Mauve in that most users will never ever try to verify a key

  18. mathieui

    but that does not mean we should give up any way to make the serious route less painful

  19. Kris

    like in some limited ways it is more secure than trust-on-first-use, and in some other ways it is less secure. And overall it just doesn't seem worth it IMHO

  20. lovetox

    i think the problem is blind trust before verification

  21. lovetox

    some users use blind trust, then they think at a later point, lets verify some device, scan some qr codes, hey fun

  22. lovetox

    but now the device thinks you are serious about encryption, suddenly the next device will not be trusted blindly anymore because you verified manually before

  23. mathieui

    lovetox, that is a case that some (client-side) automated device management could help with

  24. lovetox

    yes, I'm not arguing it's useless, it just mostly hits the nerds, and they can endure a bit of pain :D

  25. lovetox

    nah, I'm half joking, but that's kind of the cost/benefit thoughts I have on this

  26. lovetox

    like on my list there are always 10 more features that will have immensely more impact

  27. Kris

    indeed, if someone wants to touch rather complex e2ee stuff, updating a client to support OMEMO 0.8.x would bring much more benefits than this convenience feature of dubious benefit.

  28. Kris

    or adding MLS for group chats

  29. MattJ

    erebion: out of curiosity, you say "this is the reason most people reject the idea of using XMPP" - what do those people use instead?

  30. MattJ

    I can only think of Signal or Matrix. Signal uses manual verification of keys (or rather, "safety numbers"), and Matrix... I'm always hearing complaints about their E2EE verification prompts and stuff (and it has introduced security issues for them)

  31. MattJ

    So I'd love to hear more if I'm missing something

  32. erebion

    Matrix and Signal, yes

  33. erebion

    With exactly that as their reason

  34. erebion

    E2EE in Matrix is buggy, but cross signing is not really painful, at least not as much as having m * n key verifications done. 1 verification can in most cases be a lot less than m * n.

  35. erebion

    I can talk to my boyfriend using Matrix, Signal and XMPP. We disliked the first two, for various reasons, now we settled on the latter. We had this many verifications: 1 - Matrix, 1 - Signal, 12 - XMPP. I use every one of those on 4 devices, my boyfriend uses them on 3 devices.

  36. erebion

    Matrix cross-signs keys, so that after verifying once, others know what keys to trust. Signal does something similar, coupled with the process of adding another device by scanning a QR code.

  37. erebion

    Oh and I forgot I even have to verify my own OMEMO keys. If my tired sleepy brain did not miscalculate, that's 37 key verifications, just so that I can talk to my boyfriend.

  38. erebion

    He even says we should not log in on more devices as that is too annoying.

  39. Squeaky Latex Folf

    I just tested Dino and Gajim with the Orca screen reader and the result is that both are almost completely unusable

  40. Squeaky Latex Folf

    I almost just want to write my own XMPP client. QXmpp looks really neat.

  41. Squeaky Latex Folf

    But I prefer Rust over C++, but xmpp-rs seems less mature. And I love Qt.

  42. Squeaky Latex Folf

    But I prefer Rust over C++, but xmpp-rs seems less mature. And I love the way Qt looks and feels.

  43. Kris

    does Signal even support multiple real devices?

  44. Kris

    afaik they only do some hack for "linked" devices for the desktop app

  45. Kris

    Squeaky Latex Folf, you tried Kaidan?

  46. Squeaky Latex Folf

    Kind of. It looks too much WhatsApp-like

  47. Squeaky Latex Folf

    I prefer a more QtWidgets-like look

  48. Kris

    but does it work with a screenreader?

  49. Squeaky Latex Folf

    Haven't tried yet

  50. Kris

    afaik the Kirigami toolkit that Kaidan uses has gotten some specific efforts for accessibility

  51. Kris

    but I might misremember