Moving from WhatsApp to Signal is an important action, right now. WhatsApp’s parent company, Meta, has been involved in several cases of election interference: America in 2016, Trinidad and Tobago …
Could you explain a bit? I see main issue with Signal (though I’m not an expert, and they’re not strictly related to security): it’s centralized (and the server isn’t even open-source).
The question is also a lot about your threat model right?
The encryption being crap really does not depend on the threat model. Sure, in some threat models you may not need e2ee at all but in that case, what’s wrong with WhatsApp?
The issue with XMPP is that security really was an afterthought. Not only is e2ee an optional extension, but there are actually 2 incompatible extensions, each with multiple versions. Then you have some clients not implementing either, some clients implementing the older, less secure one. Some implement the newer one but older version of the spec with known issues. And of course, the few clients that implement it well become incompatible with other clients that don’t if you enable e2ee, so it is disabled by default.
That is all before you start looking into security audits or metadata harvesting.
Your reasoning would hold up if 80% of xmpp wasn’t running on Conversations or forks of it, that all support OMEMO and OpenPGP.
Your criticisms are too broad with few serious negatives. What makes extensions powerful is that they can easily change the rules without breaking the underlying system. If your client sucks, get another?
You have choices, but if your problem is metadata, whoooo boy.
That’s their problem. If their messages aren’t encrypted, it isn’t like you won’t be aware of it. Request that they use a modern client and get with the times. None of this is an actual problem without easy solutions.
Then let us know when they are solved. Until then, I have a lot more hope in matrix than XMPP. They at least seems to be making progress in the right direction, although they are not there yet either.
Could you explain a bit? I see main issue with Signal (though I’m not an expert, and they’re not strictly related to security): it’s centralized (and the server isn’t even open-source).
The question is also a lot about your threat model right?
The encryption being crap really does not depend on the threat model. Sure, in some threat models you may not need e2ee at all but in that case, what’s wrong with WhatsApp?
The issue with XMPP is that security really was an afterthought. Not only is e2ee an optional extension, but there are actually 2 incompatible extensions, each with multiple versions. Then you have some clients not implementing either, some clients implementing the older, less secure one. Some implement the newer one but older version of the spec with known issues. And of course, the few clients that implement it well become incompatible with other clients that don’t if you enable e2ee, so it is disabled by default.
That is all before you start looking into security audits or metadata harvesting.
Your reasoning would hold up if 80% of xmpp wasn’t running on Conversations or forks of it, that all support OMEMO and OpenPGP.
Your criticisms are too broad with few serious negatives. What makes extensions powerful is that they can easily change the rules without breaking the underlying system. If your client sucks, get another?
You have choices, but if your problem is metadata, whoooo boy.
https://news.ycombinator.com/item?id=32780665
https://github.com/matrix-org/synapse/issues/9133
https://www.reddit.com/r/PrivacyGuides/comments/q7qsty/is_matrix_still_a_metadata_disaster/
So much cope you didn’t even notice no one mentioned matrix. We are comparing XMPP with Signal.
Also, you really think saying only 20% of your chats are insecure is somehow making it better?
That’s their problem. If their messages aren’t encrypted, it isn’t like you won’t be aware of it. Request that they use a modern client and get with the times. None of this is an actual problem without easy solutions.
Then let us know when they are solved. Until then, I have a lot more hope in matrix than XMPP. They at least seems to be making progress in the right direction, although they are not there yet either.
Signal remains the best option for now.