Over the past few years I have gone through a bunch of different apps and protocols to find the best one for “securely” communicating with my family and friends.
I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.
Monal for IOS and Cheogram/Conversations/Quicksy for Android. The android app I install depends on if I can get F-Droid on their phone or not.
It’s been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.
Jabber (friendly name for xmpp) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.
But the capabilities of XMPP makes it better.
Signal Cons (immediete)
- Centralized
- Single app
- Phone numbers
XMPP/Jabber Cons
- Picking server
- Apps are sort of less friendly
What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I’ve heard really wants us to use their server.
If XMPP gets more attention I’m sure we can get people supporting projects and creating better apps.
I keep seeing people recommended Signal instead.
This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.
Most people don’t understand what is instance and do not want to do 3 step registration if they can do 2 step registration on Signal. Also, if I understand correctly, xmpp protocol and client didn’t support stickers and Signal added that feature and gifs? Not sure
Protocol and client are different. I know Cheogram has some kind of sticker thing, but I don’t think it’s as robust as what Signal probably has. I can download Signal stickerpacks to use on Cheogram (the xmpp client), but using them was a tad difficult.
TBH it’s worrying, but at the same time, it’s better to have people on something that’s somewhat Privacy-respecting.
Baby steps, you know. BTW how many here are familiar with GNU-Jami ?
I tried using Jami with a very technical friend. The android version kinda seemed to work, though a little glitchy. The desktop linux/windows version was complete garbage, completely unusable.
Jami is a mess, when i tried it first it starting calling as it were to receive a phone call. The second time i tried it on 3 devices, out of which 2 could contact each other lol. My last attempt was when I needed to send a few strings from a (internet connected) VM to its host machine*, installed Jami on both and the 2 instances couldn’t talk to each other. Joke of a program, really.
- i know i could do it much easier
Joke of an app ??
Not really
If the devs put work into making the backend work instead of adding shiny new features, maybe it would gain some usage, but if an IM doesn’t work between 2 devices, which is its most basic job, and this continues over span of almost a decade, it’s just not something anyone but its developers can use.
What’s that? GNU-Jami?
Very similar to Signal, but Libre software & has no phone-number requirement https://jami.net/
Oh okay! Didn’t recognize the GNU in there. Was there a trademark issue in the past?
No I don’t think so. It’s a high-priority GNU project
I used xmpp with otr encryption… maybe also omemo, it rings a bell. This was some years ago. But it was barely usable. Otr refused to connect at times and only unecrypted worked, messages were encrypted with wrong keys or something and history became unreadable. It worked on the desktop, but then not on the phone, only with this and that client, but not those. It was a confusing mess and I had to stop using it. If it works today, thats great.
Android’s bullshit made me quit XMPP. We needed instant messages to be instant but Android kept making that harder and harder until it was impossible.
With Signal we’re still fighting but it works a little bit better due to integration with the messenger service or whatever it’s called. Dunno, maybe XMPP can work with that as well by now.
Sigh, I want my Linux phone where I can control battery life vs availability myself.
There’s nothing wrong with Signal’s centralization model in a worrying sense. It acts only as a clueless message relay, and it has near-zero information on any of its users, even as it delivers messages from person to person. The only information Signal knows is if a phone number is registered and the last time it connected to the server. There is great care taken to make sure everything else is completely end-to-end encrypted and unknowable, even by subpoena.
The only real issue with Signal’s centralization is that if Signal the company goes down, then all clients can no longer work until someone stands up a new server to act as a relay again. Signal isn’t the endgame of privacy, but it’s the best we have right now for a lot of usecases, and it’s the only one I’ve had any luck converting normies to as it’s very polished and has a lot of features. IMO, by the time the central Signal server turns into an actual problem we’ll hopefully have excellent options available to migrate to.
Also TMK, the only reason you still need a phone number for Signal is to combat spam. You can disable your phone number being shown to anyone else in the app and only use temporary invite codes to connect with people, so I don’t count the phone number as a huge problem, though the requirement does still annoy me as it makes having multiple accounts more difficult and asserts a certain level of privilege.
Note that Signal is not a company, it’s an NGO. Would you say that Wikipedia is at risk of disappearing because it’s centralized?
Yep, I forgot it’s not a company. The point stands though; someone has to pay for the servers and administration, and if they run out of money or the foundation falls apart, then the problem happens in the same way. I don’t know much about Wikipedia’s structure, but I would guess it’s a similar situation in terms of needing money to stay running and also being able to be salvaged by the community if it does go down.
I like signal but they do probably know who you talk to, when you talk to them, your IP, their IP, and size of your messages. The fact that they are pretending they can’t get this info with just server side changes worries me
Check their transparency log for subpoenas etc: https://signal.org/bigbrother/
Are they legally required to publish that?
No, and in fact they have fought to unseal and publish the articles they have. The point is that if you read the subpoenas, they request a lot of data from Signal and Signal can only ever return the phone number, account creation date, and last connected timestamp. So either Signal is consistently lying to various governments or they actually don’t have any of that data. Signal’s client is also open-source and has been audited, and they have published many blogposts about how the technology works.
I’d strongly recommend digging deeper into this and trusting the auditors and experts instead of dismissing it based on lazy and cynical guesses. If you don’t trust anyone you’re welcome to read the source code of the client yourself. Soatok recently posted an 8-part series going through Signal’s encryption that you can read as a primer: https://soatok.blog/2025/02/18/reviewing-the-cryptography-used-by-signal/.
Since they are not required to publish these they could be publishing only the ones that make them look good. You might also notice that they haven’t published any for over a year. I know how siglan works and I trust the client and the security. I even recommend it. But let’s not pretend they are INCAPABLE of building your social graph
Since you’ve clearly not read or comprehended any of the subpoenas that I linked, nor the encryption analysis, nor read any of Signal’s blogposts, I see no point with responding any further. You are spreading FUD, and I question your motives.
I’m not the one that is not listening. I don’t care about the ones they post. I care about the ones they don’t. I trust they client code. I don’t trust ANYONES server side code. Their encryption is top of the line and an industry standard. But is DOES NOT hide your IP, the time of the day you send messages
ONCE AGAIN (this is the third time I’m saying this) I like and recommend signal. I have no evil motives nor I’m trying to be paranoid. But let’s not pretend they are perfect.
If you are hurt because I said mean things about a company you base your personality on, that is not my problem.
From the blog you provided. Next time. Read your sources
In the absolute worst case, a totally malicious Signal Server can perform traffic analysis to correlate the IP address assigned to the messages arriving with the delivery token for a recipient.
And
Sealed Sender cannot totally hide the recipient (else the server wouldn’t know where to route the messages).
Edit: removed the word “moron”. I’m not a native English speaker and I thought it meant something else. It seems its like “retard” which I wouldn’t use as an insult. I’ve used it so much…
Signal is really simple and has a sizable userbase now. I’ve worked with people in non-tech companies and they’ll have signal installed because theres someone in management that cares for security to a degree and does official nonofficial team communication with signal
Element/Matrix I think has a chance. The newest Element X app looks a lot better on the phone and on desktop. It’s progressing to good user experience
I totally agree with you. But!
But Signal from what I’ve heard really wants us to use their server.
Signal doesn’t have their own servers. Instead, they rent servers from 4 companies, 3 of them is Google, Amazon, and Microsoft. So Signal is relying on Big Tech and if Big Tech decides that enough is enough, they can easily shut Signal down.
THAT is what I find most terrifying. And why not use their own server? Not enough money, but they are working on it (good).
And to make it a little bit worst: Signal depends on a third party company for sending out SMS. Your phone number is therefore handled by not Signal, but by yet another company, highly likey an American company. And they are against privacy invading companies at the same time they are one. Oh, the irony.
You want sources? Sure.
- https://signal.org/legal/ (below “Information we may share”)
- https://signal.org/blog/signal-is-expensive/
Don’t get me wrong, I absolutely love the idea of Signal. But there is flaws that makes Signal more privacy invading than privacy friendly.
That’s the part that makes me nervous. If I get a bunch of people locked on Signal, then they take away services or change how they run the servers, then it would be a hassle to move people to a completely new interface.
Yeah. Let say Signal goes down because of Big Tech and lets say that 50% of their users use Signal as their only messaging app. What will happen then? Hysteria!
No, XMPP all the way for me until Signal becomes decentralized with zero external connections and when they also have removed the phone number requirement.
If the worst part about Signal is having a third party send you an SMS to confirm your phone number then that’s amazing.
Nobody would host a worldwide instant messaging (including a lot of data such as video) on its own servers. That would be incredibly costly and inefficient. Designing for E2E (nothing critical happening on the server) is the way to go.
I use Telegram. Eek? It’s just my wife and I though. All these things I’ve heard about Telegram? Never actually seen them in mine. I have looked at groups, but I’ve only seen memes, crypto crap, and what look like scams (“post this in 5 Reddit threads to get invited to the actual group”). There’s nothing of value out there that I’ve seen. So I just use it to message my wife, because texting wasn’t good enough when we started using it (both our phones have RCS now) and I don’t use Facebook, and she doesn’t have an iPhone (so, no iMessage).
I completely reject this notion that you have to pick one and stay with it. My messaging apps include iMessage, Session, Signal, and Telegram. I also have a fork of Telegram that lets me use it from my watch (as in, it has a watch companion; official Telegram does not). I also have Discord (need it for a couple things).
I use XMPP, and the original idea was for it to be a family chat and a way to securely ask for things on Jellyfin.
No one uses it. (XMPP, not JF)
What’s better?
No one cares. They know it’s a hassle to ask for media. They know they can only ask me in person if they don’t use it. They just won’t bother installing a client. Can’t be bothered.
Oh well, I can’t be asked, then. So we sit in this perpetual state of tug of war. I can’t be contacted, it’s complained about, the situation is explained again, they complain again, and still never resolve the situation.
Going on three years now.
I’ve been slimming down the services that I don’t personally feel the need to use. And Jellyfin is right around the chopping block. Started Jellyfin to replace costly streaming services. Only one person is using Netflix and that’s the only reason my parents are paying for it still.
I’d still use JF if no one else did. It’s convenient for streaming. The alternative would be maybe kodi and samba and that’s three steps back, two forward imo. I use xmpp for notifications a lot, its close integration with the server its on allows for using it kinda like ntfy.
Removed by mod
It does suck if you do a lot of filesharing, since files only stay in the servers for 2 days
We should definetly not make it a habit to store files for long on volunteer servers. :(
Because it’s nearly impossible to convince friends and family to use anything other than iMessage or “the text app” on their phone. The process you’ve described is basically akin to swimming the English Channel for the general public. I’d do it. But expecting anyone else to is just a pipe dream.
I’m already a social outcast and second class citizen for not using imessage. Asking my friends and family to install a whole separate app just to communicate with me puts me firmly in weirdo territory.
It can be tough trying to stick to good privacy and staying social. I can do it because I’ve set boundaries and have a passion for what I believe in.
If somebosy actually wants to contact me, they join a privacy friendly platform, or just take my email. Most people my generation do not use email for instant communication, and neither do I.
I’ve gotten myself to be someone people want to reach out to, almost entirely in an effort to promote/market FOSS. To be a likable, knowledgeable, and friendly resource. That’s how I managed to convert a lot of people. If I say anymore I really bet I could be identified from my post. 😆
Tough pursuits will never be a pipe dream. It just takes enough time and grit. And a little mojo.
Because the most useful communication apps are the ones that you can reach people on. XMPP’s lack of user friendly UX or long term support and commitment make it DOA for most normal people, which in turn makes it DOA for everyone who might want to talk to one of those normal people who are turned off by it.
Many people will tell you you have to sacrifice your principles because interface, because “normies” (which is an elitist way of telling you that non-elitist people are idiots…), etc. I say: stick to your dreams!
It’s not elitist, it’s realist. They don’t want to install Signal just as much as I don’t want to install Facebook messenger.
Yes you can nag people but it will more often than not have the same effect as when people try to convince me to install Facebook messenger.
I find this resistance weird. (From the “normies”, not the Signal users)
Most of them have phones filled with all sorts of crap that they download willy nilly, yet they only seem to put the walls up for Signal.
They can say the same about me, right? I have so many communication apps on my phone, why do I draw the line on Facebook Messenger?
Most likely you’re the only person they know on Signal and it makes more sense to them that you move to Facebook rather than moving their entire friend-sphere into Signal.
speaking of “normies” is elitist, because the term is used usually people privileged/experienced with knowledge about technology to describe people who don’t have this privilege/experience. It is implying that there would be a class of (sub-)humans who are not capable of taking the same path as the person who employs this term. I stand by the term “elitist”. In a world of diverse people, life-paths and needs, in my own experience everybody is capable of understanding the political reasons to use a piece of software over another one (because one company sucks, because their model of centralization is detrimental to freedom, because they got shady funding, because they pretend to be something else but bar free software authors to modify their software, because they’re from the USA, etc.). Everyone has their own way of understanding these things. Everyone has some arguments that will resonate better than others. Pretty much the same way you probably decided to not install Facebook messenger. Well the good news is: everybody is capable of understanding these things. It may take time and effort, it may make elitist people realize it is not as easy as they first thought it would be, and require to fail and try again. It requires efforts and a humble approach as to listen to these people and take them where they are and walk a bit along the way with them.
My personal experience is that most people are capable of understanding such things. It may take time, but everyone is capable.
I also saw tons of elitist tech-enthusiasts and other tech-savvies “bros” not even addressing who they call “normies” out of pure lazyness, to avoid to speak outside of their own comfort zone and question their own status, and to avoid sharing their elitist knowledge.
-> “‘normies’ won’t do that” = “i am too lazy to engage meaningfully with people who do not know the same things as i know.”
That’s a major part of the problem. Elitist feedback loop…
First of all normie not an insult or a derogatory term. The term “normies” is often used in many niche communities to refer to someone outside the community. It has nothing to do with being smart, privileged or experienced. It means more like “the average user” or “the typical person”. Example: a person in the boardgaming community may refer to you as a normie, not because you’re dumb but because you don’t play hobby boardgames (check out Brass: Birmingham, what a game).
The problem isn’t about comprehending the problem, most people understand that Facebook is selling their data. They just don’t care. They would rather have their data sold than to have the trouble to move to yet another communication app. WhatsApp is working just fine, Facebook is sparking joy. They don’t care.
“Normies won’t do X” is a perfectly acceptable way to express that the hurdles are too high for the average user. The average user wants a sleek UI, a user friendly experience and most of all they want to be in the place everyone is already at. The average Joe doesn’t want to be the first guy on Simple X, they actually really want the hassle free platform everyone is already at.
Also, the next great communication app is constantly changing. It used to be IRC, ICQ, MSN Messenger, Facebook Messenger, WhatsApp, Instagram, Telegram, Signal, Matrix, Simple X, Session. I’m sorry to say that the average person is not willing to migrate that often. Facebook works, their friends are already there, they stick to it. This isn’t elitism, it’s just stating what I see.
Normies isn’t an elitist term it is a counter culture term for people outside the norm to refer to the general opinion. It is the not like us statement or the fact that there is experience that one would not understand fully unless they are in a subset group.
https://en.wikipedia.org/wiki/Normie_(slang)
was first used in its original meaning of “ordinary, normal” in English in the 1950s.[6] According to Merriam-Webster, the term “normie” appeared in the late 1980s in the United States. It was used ironically by people with disabilities in reference to the rest of the population.[2] In the late 1990s, the term was used in Alcoholics Anonymous literature to refer to individuals who were not addicted to any substances.[7]
Since the early 2000s it has been spreading on the Internet.[2][4] In the Russian-language sphere, popularization was promoted by the use of the imageboard Dvach, whose users consider themselves representatives of informal culture, which is expressed in controversial publications, non-standard political views, black humor, involvement in various subcultures.[8]
If I could get a single person to use Signal instead of Whatsapp… or even the nerds I know to use matrix instead of Discord…
There two kinds of nerds. Ones that are actually curious to try new things, and ones that conform and sully the name. It’s like tech bros vs real IT professionals.
I think the slightly more charitable division is “nerds who want to work on the tool” vs “nerds who want to use the tool to work on something else”
Some people want their discord chat to work with little effort or errors because what they’re actually interested in is some video editor, or something. And if the chat is broken, it prevents then from getting to what they really want.
I personally use XMPP, so this isn’t just to clear my own name, or anything.
I use SimpleX
Do you use simplex or do you have an account with simplex?
I use it daily
That’s honestly shocking. Where do you find other people who actually use it?
Based privacy enthusiast 🗿
I’m not going to push anyone who uses a secure decentralized FOSS chat already to signal, but someone who uses telegram/viber/whatsapp is easier to get gradually on signal, which is super low effort compared to the ones you mentioned.
I’ve tried. I’m happy that I got friends and family to move from SMS and WhatsApp to Signal. Some I got to move to e.g. matrix but that’s only a few.
Just my two cents since you asked. I agree with you but I don’t want perfect to be the enemy of good.
Why is your name red
I’m guessing you are using Voyager app. It’s because I’m your instance (sopuli) admin :)
It means they are your god and you should bow. (they’re an admin on your instance)
Ah… But there is another. The all mighty creator (app developer of voyager) whose name is in purple!
Ohh cool :)
