Hi! Glad to see XMPP on the HN first page this morning :)

I'm working on a social-network and IM web platform (for 12 years already!), fully built on XMPP https://movim.eu/.

Thanks to its extensibility and the PubSub XMPP standard (see https://xmpp.org/extensions/xep-0060.html) you can easily build social-network like features. The standard is pretty simple, it's Atom 1.0 transport within PubSub (see https://xmpp.org/extensions/xep-0277.html).

For those that likes RSS/Atom you can also easily publish Atom newsfeed to PubSub (see https://github.com/edhelas/atomtopubsub) and follow your favorite website using your XMPP account and with real-time pushed articles. Here is ArsTechnica as an example https://mov.im/?node/news.movim.eu/ArsTechnica

XMPP is not only for IM, but way more than that ;)

The article describes XMPP as "secure" by highlighting TLS (protecting data in transit only) and experimental OMEMO (protecting a small part of an XMPP message only if enabled and working). What about other crucial security features, see https://www.eff.org/deeplinks/2018/03/building-secure-messen...?

Then, XMPP is described as "privacy respecting" mostly because you can use a nickname instead of a phone number for your account. What about all of the cleartext data and metadata that can be accessed by parties on the XMPP server, like the XMPP server admin, see https://infosec-handbook.eu/articles/xmpp-aitm/?

This logic implies that e-mail is also secure and privacy respecting.

Encryption is "activily bein worked on", sound about right - I never got encryption to work across two of my own devices with a third party.

Yet I do not understand why a rewrite of messaging as [matrix] was necessary, when XMPP was already there and matrix did not even have an edit-message feature on release, perhaps not even now.

It angers me so much when my browser tries to connect to a port other than 80 or 443 and the firewall pops up [0] and even more if I decline the request and it keeps popping up because the page doesn't understand that I don't want to accept this.

Other than that, I absolutely love XMPP. It's the platform my servers and applications use to inform me of events, and with Conversations [1] there's a really nice Android app as a client.

[0] https://matrix.cactus.chat:8448/_matrix/client/r0/register?k...

[1] https://conversations.im/

I'm not going to say that you can't build a secure messaging system with XMPP, but you should be skeptical of any analysis that suggests that XMPP is secure because it uses TLS, and "engineers are working on E2EE to add even more security". The security you get from TLS in these systems is not meaningful, and by the "it uses TLS" definition, virtually every messaging system is "secure".

On XMPP, encryption is optional and not even the default.

I'm very unlikely to recommend it to anyone over alternatives that default to end to end encryption, or even require it.

How about XMPP performance on low-performance networks like mobile ones?

I believe poor networking performance was one of the reasons XMPP had to be customised in WhatsApp and overall didn't become as widely used as I'd like it to be :)

Is it still the case? Or was that problem addressed at standard level somehow?

As a former XMPP fan, I think XMPP is extremely interesting in light of Moxie's recent web3 post [1], and most specifically the part:

> A protocol moves much more slowly than a platform. After 30+ years, email is still unencrypted; meanwhile WhatsApp went from unencrypted to full e2ee in a year.

You could replace email with XMPP in that sentence. (In fact, I'd bet Moxie was specifically thinking of XMPP when he wrote that.)

I remember when Google introduced voice/video, and provided a library (libjingle) to help other clients add the feature. It never really got picked up. Perhaps it was the state of the driver ecosystem at the time that made it hard for clients to reliably support such streams (PulseAudio was still new at the time, and GStreamer wasn't as mature), that was in excess of what open-source maintainers could provide.

Google eventually decided (reasonably, in retrospect and IMHO) it was easier to turn its chat into its own platform than try and drag a protocol with it. They were certainly dealing with problems that no-one else did. For example, they were very late to enable federation, much to the annoyance of the community, because Google had to deal with spam at a scale no-one else did, and wanted to make sure they had the protocols to deal with that, which no-one else in the community wanted to deal with.

(Of course after that I cannot give Google any credit for their chat client merry-go-round, and they've burned any goodwill I had for them on that front! [2] )

Perhaps we'll reach a point where the feature-set for a chat client will settle, and once again a federated protocol can emerge. I no longer believe XMPP is it.

[1] https://moxie.org/2022/01/07/web3-first-impressions.html

[2] https://arstechnica.com/gadgets/2021/08/a-decade-and-a-half-...

Edit: that said, I think XMPP had a lot of great ideas, and I'm glad it still pops up now and again.

XMPP is many thing, but I doubt it could be described as secure. Yes it has SASL auth, TLS and you can run it on an intranet, but thats not the same as secure.

Thanks for the article! Just to nitpick:

> Moreover, the protocol has been audited by a third party.

Some implementations have been audited, unfortunately far from all! There's a lot of things to audit and/or improve related to privacy and security in the XMPP ecosystem: i would personally recommend to read this FAQ: https://joinjabber.org/faqs/security/

> Also, on this page, you can track the progress of OMEMO integration in XMPP clients (applications)

This is true, but based on estimated progress not something measured by a test suite. For example poezio is marked 100% but i keep having OMEMO problems with it (not blaming the poor poezio-omemo maintainer who's working on it alone mostly).

> Only the nickname is displayed if you participate in a group chat or a channel (here, the XMPP extension called MUC, the acronym for Multi-User Chat, is used).

Except for the room operators! The MUC server admins have access to all addresses, as well as room admins. Also, some rooms are public in which case everyone can read everyone's address (like a mailing list).

Was waiting for this after two top posts about IRC.

I am not seeing the value in discussing privacy at the protocol level. Sure I share what I want to share with the other party but that is not where the privacy violations occur. The host of the service (like FB) will suck up all data and use it to mine info on me. That is where the leak is.

I can't even convince security professionals to install Signal, let alone something that requires installing a specific client configuration that may not be identical across platforms. If it's not e2ee by default I'd rather just stick to my current social graph.

XMPP is dead and I'm very happy about that.

The only people who still use XMPP in a significant capacity are the likes of Nintendo (for the Switch push notifications system) and it is pretty out of reach for any average citizen.

XMPP as a protocol for engineering and science is fantastic. As a set of standards it's well designed. Performant, flexible, and powerful. As a general, average Joe software however it fucking sucks big time. And it is precisely this flexibility that makes it suck. It's not just flexible, it's a mess. And mobile support in 2021 is atrocious.

There's a reason why Telegram's very shitty protocol is vastly more popular for average Joes than XMPP ever was.

XMPP was designed by engineers, for engineers. Which is good for this very specific set of engineering problems and essentially useless for everyone else.

Want secure communication? Use Signal, Threema, hell even Telegram is more secure in its default canonical protocol implementations than XMPP. And stop beating the dead horse XMPP is.

How can accounts be distributed? What would prevent impersonation?

Isn't that Jabber? Haven't heard of XMPP in a while.

It's trivially easy to log messages and content on an xmpp server. It's not a secure protocol at all, just because it uses tls in transport.