-
erebion
> Why is Matrix so much more popular among people than XMPP, if Matrix is so incredibly slow?
Marketing, mostly.
-
Zash
Public IRC-style channels are also more visible than the private chats XMPP is more popular for.
-
erebion
> there are also some nice non-federated chat server options like Stout (former Revolt), Zulip, Rocketchat and so on. For a small chat server for a university project they are probably also suitable.
I think Rocket.Chat is planning to migrate to Matrix full, I've heard something, but can't remember details.
-
erebion
Other than that, Rocket.Chat does not have a good selection of clients. Desktop clients are slow and Electron, mobile apps have limits for push unless you pay... If Rocket.Chat looks interesting, prose.im might also be interesting to look at.
-
erebion
> The only real solution to that is passwordless logins.
Btw, is WebAuthn in XMPP a thing?
-
MattJ
Not quite, but some folk are working on an equivalent SASL mechanism
-
MattJ
Combined with the FAST XEP, that will bring us equivalent (stronger, actually) authentication
-
erebion
I just would like to authenticate with my Yubikey
-
erebion
It's one of very few things that are critical to me and for which I cannot do that currently
-
Kris
I think there is a prosody module for Yubikey auth, no?
-
MattJ
Yeah-ish
-
MattJ
It uses the pre-FIDO2 OTP stuff, in PLAIN (which allows it to not require special client support to work)
-
MattJ
I wouldn't generally recommend it as a nice usable solution
-
joao
Hello. Is there a reason why it seems that most public channels have E2E encryption off?
-
Kris
Because there is no reason to do e2ee in a chat anyone can join.
-
joao
> Because there is no reason to do e2ee in a chat anyone can join.
From the POV of someone hosting a server, it would give plausible deniability. Personally, there's no way I'm hosting anything unless I can prove I don't know what's going on.
-
joao
What else?
-
Kris
You can't prove that with an e2ee enabled public chat either.
-
joao
Yes I can. If it's E2E I can't know what's going on
-
Kris
You can join it and see yourself.
-
joao
Oh....
-
Kris
This defense is useless against law enforcement.
-
joao
It's not useless. Big companies use it
-
Kris
There is a special legal exemption for infrastructure providers, which is not applicable to private chat hosts.
-
Big Mike
Their defense is that they're a "platform" or whatever (Section 230 in the USA)
-
Kris
(ianal)
-
Kris
But if you want to ignore that argument, then there is also a technical argument, and that is that OMEMO doesn't work well in chats where the participating devices change often.
-
Kris
Maybe once that is solved with MLS you will see more e2ee enabled group chats, but it will still be pretty pointless for public ones.
-
joao
> But if you want to ignore that argument, then there is also a technical argument, and that is that OMEMO doesn't work well in chats where the participating devices change often.
Could you give me more information?
-
Big Mike
Yeah I think it also just provides a false sense of security
-
stratself
you do realize messages here and in gajim are logged too right
-
Big Mike
Any one of these 117 participants (maybe all of them) could be a federal agent
-
stratself
wow this one got it logged for 6 years
-
joao
> you do realize messages here and in gajim are logged too right
Yeah the situation is a bit shit. What you're telling me is that on groups, you actually have better privacy on WhatsApp than on here.
-
joao
On WhatsApp, provided that Facebook didn't push a hacked client to your phone, I can be confident that on a channel with 5 people, only those 5 people can read the messages.
-
joao
"Depends on your threat model", as they say. But the defaults matter.
-
stratself
I see it as having better visibility. At least when you join the group it links you to the weblog
-
Big Mike
> On WhatsApp, provided that Facebook didn't push a hacked client to your phone, I can be confident that on a channel with 5 people, only those 5 people can read the messages.
Are you confusing private and public MUCs maybe?
-
Big Mike
Private group chats on XMPP absolutely support OMEMO
-
stratself
> Private group chats on XMPP absolutely support OMEMO
it still doesn't scale well right? but a few people should be okay
-
Big Mike
I've never tested the limits really. Most I've had in a private group chat was like 10 people probably
-
joao
> Private group chats on XMPP absolutely support OMEMO
I'm not familiar with the terminology, I'm very new to XMPP. But I find it crazy that e.g. the default seems to be that on channels the conversations are logged (and then indexed). Even WhatsApp isn't that bad. What does "public" entail? That you don't need to be invited? That should be orthogonal to encryption. The default for any channel should be that it can't be read to anyone but the participants.
-
Big Mike
> On WhatsApp, provided that Facebook didn't push a hacked client to your phone, I can be confident that on a channel with 5 people, only those 5 people can read the messages.
It wouldn't be a "hacked" client. They can push anything they want and you'd be none the wiser. There should be no assumption of privacy on proprietary chat platforms.
-
Big Mike
joao: if you just create a private group chat with your friends for example, it will have E2EE support.
-
joao
We keep getting distracted :-) This is about modern XMPP, yes? We're not discussing just how it is, we're also discussing how it could be better. Regardless of implementation details, do you agree that "only the participants can read the group messages should be the default", yes or no?
-
joao
> joao: if you just create a private group chat with your friends for example, it will have E2EE support.
That's already great, thank you.
-
Big Mike
> But I find it crazy that e.g. the default seems to be that on channels the conversations are logged (and then indexed).
This is not a default. Some big project rooms only do this so information doesn't get lost in the abyss
-
Big Mike
> We keep getting distracted :-)
>
> This is about modern XMPP, yes? We're not discussing just how it is, we're also discussing how it could be better.
>
> Regardless of implementation details, do you agree that "only the participants can read the group messages should be the default", yes or no?
Define "participant"? If literally anyone can join it and start logging messages.
-
stratself
joao: this is the default if you create a room in gajim 2.4.0 - it creates a private group. Granted these toggles are entirely client-side so you'd have to deal with love.tox or any dev of your chosen software
-
Big Mike
It seems like you've fallen into the exact issue I'm talking about, where you have a false sense of security in public WhatsApp channels
-
stratself
https://xmpp.muoi.me:443/upload/4c2d341d9f0ed7d19fdfaa765d01191720dafd2c/q6OBPods3TDmZunh8SgqcCYP24eXWUgycdNO7O6POJ/6148e302-da9b-4208-8437-9a2d9ee0e0a6.png
-
joao
I just created this
xmpp:secret@salas.redlibre.es?join
But it looks like the server forced it to be "non-anonymous", not sure what that means
-
stratself
i do have a problem that anyone with the muc address can still request to join it
-
stratself
> I just created this
> xmpp:secret@salas.redlibre.es?join
> But it looks like the server forced it to be "non-anonymous", not sure what that means
that means your real xmpp address is revealed
-
stratself
> i do have a problem that anyone with the muc address can still request to join it
Big Mike, what do you think about this
-
joao
That's another question I had - Why do people care? I could give you the same argument: caring about home address gives you a false sense of security.
-
Big Mike
> i do have a problem that anyone with the muc address can still request to join it
Not sure what this even looks like
-
stratself
> Not sure what this even looks like
my bad. Should've set it to members only
-
Big Mike
Can you request to join this: xmpp:ucaxaqoy@muc.loqi.im?join
-
Big Mike
> That's another question I had - Why do people care?
> I could give you the same argument: caring about home address gives you a false sense of security.
Well like you said it's about having sane defaults
-
stratself
> Can you request to join this:
> xmpp:ucaxaqoy@muc.loqi.im?join
no I can't. I think I understand the problem now: I still can see that the room exists, and metadata like member count and whatnot
-
Big Mike
You can see member count?
-
stratself
a lot actually
-
joao
https://redlibre.es:5443/upload/822cb270f441b66d87cdfe4c16e5f463bc98fa72/oHku45BBOhPS54yjrtg602JAQglevGV1urFtqX3b/2025-11-14-144501_471x329_scrot.png
-
stratself
https://xmpp.muoi.me:443/upload/4c2d341d9f0ed7d19fdfaa765d01191720dafd2c/RqSvEOeEGyp5GkWKOCgyErK8MdIYRMFAyba8znBQay/a26b9fee-9d73-4718-bbfb-51e400852807.png
-
joao
Hey this is really good UI
-
stratself
> https://xmpp.muoi.me:443/upload/4c2d341d9f0ed7d19fdfaa765d01191720dafd2c/RqSvEOeEGyp5GkWKOCgyErK8MdIYRMFAyba8znBQay/a26b9fee-9d73-4718-bbfb-51e400852807.png
that's kinda problematic 😅 if I can't join I shouldn't be able to see these stuff
-
joao
It's weird that you can see so much, yes.
-
stratself
sure you can set a long name to avoid enumeration from bad actors but that just delays the discovery
-
stratself
plus it's not changeable so
-
lovetox
Nothing in this screenshot is private data
-
lovetox
It's configuration for a groupchat, thousands of others have the same config
-
lovetox
And you need the exact address to even find that
-
stratself
it proves that a group exists. That's still something
-
lovetox
You cannot enumerate that
-
lovetox
It's a random string
-
lovetox
The same you could start to guess what people uploaded to http server and try random strings
-
stratself
private groups in gajim are 6-letters long by default i think. Maybe if we get a sha256 address then it's different
-
lovetox
Unnecessary, a SHA protects much more than the address
-
stratself
i'm just saying an address should be that long
-
stratself
or just longer, but I understand your point that it in itself is not a big problem
-
lovetox
Btw you could probably find the same thing on whatsapp
-
lovetox
They just don't tell you their protocol
-
stratself
I tend to agree. This transparency is why I'm having this conversation in the first place
-
stratself
anyways joao: the problem with encryption in large groups is that devices change often, and omemo needs to query fingerprints of all devices to send messages to everybody. So it doesn't scale well
I'd wager whatsapp and signal has the same problem too, if someone can confirm what they're doing that'd be great
-
joao
> anyways joao: the problem with encryption in large groups is that devices change often, and omemo needs to query fingerprints of all devices to send messages to everybody. So it doesn't scale well
>
> I'd wager whatsapp and signal has the same problem too, if someone can confirm what they're doing that'd be great
I'm on a group with 120 people on whatsapp. I don't see any problems (But I'm sure if there were problems they'd hide them)
-
stratself
i'm not sure if that group's encrypted. Besides, with a group as big as this I'd treat my speech as public statement
-
joao
Devices change a few times a day. This isn't exactly "big data"....
-
erebion
> I think there is a prosody module for Yubikey auth, no?
I'd need one for ejabberd. I have both ejabberd and Prosody, but the one where I'd have most use is ejabberd right now.
-
erebion
>> I think there is a prosody module for Yubikey auth, no?
> I'd need one for ejabberd. I have both ejabberd and Prosody, but the one where I'd have most use is ejabberd right now.
👎
-
stratself
> Devices change a few times a day. This isn't exactly "big data"....
when you query from/to a gazillion servers, it ain't exactly reliable
-
joao
Ahhhhh right so that's the difference vs whatsapp
-
joao
They have control how they handle that. Whereas XMPP is federated.
-
lovetox
That's a big difference correct
-
lovetox
The bigger the group the more chance we cannot encrypt to every device because of some issue, then you will have a lot of inconsistencies
-
lovetox
But the main reason is the current encryption scheme does not scale well
-
stratself
https://xmpp.muoi.me:443/upload/4c2d341d9f0ed7d19fdfaa765d01191720dafd2c/SZKw35HHUCJudU8lGmnRSykAD2p5tN62bjhaEEil01/99fd42a4-09f0-416d-9cce-1165e322e51b.png
-
stratself
thought this room might appreciate some memes
-
joao
That's not a meme, that's common sense
-
joao
Calling a contacts list a "roster" is one of the most autistic things I've seen in my life
-
edhelas
Can we please leave insults out of this MUC ?
-
joao
We should have a bot that goes like "I'd just like to interject for a moment. What you're referring to as MUC, is in fact a channel"
-
Big Mike
Roster? I hardly know her!
-
lovetox
joao, don't forget xmpp and the community exists long before smartphones and whatsapp
-
lovetox
so terminology is decades old, nobody was sitting in a room a year ago and went "We should call it roster"
-
stratself
occupant and participant does have their uses tho. The former is generally someone who doesn't have voice and the latter does
-
stratself
talking about "voice" and "permission to speak" also looks odd when you're just texting hahah
-
stratself
they might need to change, but i'm fine with them as is
-
edhelas
> so terminology is decades old, nobody was sitting in a room a year ago and went "We should call it roster"
That's so a Gen X thing to say
-
edhelas
OK roster
-
stratself
>> so terminology is decades old, nobody was sitting in a room a year ago and went "We should call it roster"
> That's so a Gen X thing to say
❤️
-
alexkurisu
> Calling a contacts list a "roster" is one of the most autistic things I've seen in my life
No it's not. Roster is a roster
-
alexkurisu
And replacing the term "avatar" with something else is extremely weird
-
epi
> That's so a Gen X thing to say
> OK roster
Shouldn't that be OK rooster
-
epi
(to fit with the Gen X thing to say)
-
joao
does XMPP support audio to a channel? Like discord
-
joao
Actually... I don't even know the details of how discord works actually
-
Kris
In theory yes, but there is no client implementing it.
-
Kris
Movim afaik wants to add something like that.
-
joao
https://redlibre.es:5443/upload/822cb270f441b66d87cdfe4c16e5f463bc98fa72/rq9v9PQR189vI1DsJGsINBt97Q0Ogv3YlLkDztGj/voice-message-20251114-180400.m4a
-
joao
Ah. greats a file, then you have to download the file.
-
joao
Hm.
-
joao
phew. Very inconsistent on my phone
-
joao
> https://redlibre.es:5443/upload/822cb270f441b66d87cdfe4c16e5f463bc98fa72/rq9v9PQR189vI1DsJGsINBt97Q0Ogv3YlLkDztGj/voice-message-20251114-180400.m4a
My computer stuttered
-
Menel
This channel doesn't allow any kind of upload to show as inline or download automatically. It's an anti spam thing, and this isn't a social channel that needs something like that
-
stratself
> so terminology is decades old, nobody was sitting in a room a year ago and went "We should call it roster"
🤗
-
erebion
> Can we please leave insults out of this MUC ?
What insult? Couldn't find one? o.O
-
edhelas
https://neurolaunch.com/calling-someone-autistic-as-an-insult/
-
erebion
> https://neurolaunch.com/calling-someone-autistic-as-an-insult/
oh, that. I did not see that as an insult, but bad wording, although accurate. A lot of the world's infrastructure is designed and built by us autistics, so this might even be correct, perhaps.
-
erebion
Still bad wording, though.
-
erebion
Possibly insensitive as well
-
erebion
But perhaps also not entirely wrong, as I might have named it similarly myself, lol
-
erebion
In other words, I'm highly ambivalent
-
joao
It was meant as a term of endearment, like Australians call their friends cunts.
-
erebion
You're not making it better.
-
hueso
https://www.mit.edu/~jcb/tact.html