Cleanup 2.0 instant messenger page #1836
No reviewers
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#1836
Loading…
Reference in New Issue
No description provided.
Delete Branch "pr-p2p_cleanup"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Closes: https://github.com/privacytoolsIO/privacytools.io/issues/1835
Some interesting articles about it (just for future reference, not linked on the site).
https://deploy-preview-1836--privacytools-io.netlify.app/software/real-time-communication/
Deploy preview for privacytools-io ready!
Built with commit
b20cb664c5
https://deploy-preview-1836--privacytools-io.netlify.app
Thanks
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
I wonder if this should be alphabetized.
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
Taking another look at Kontalk, it looks like it requires phone numbers, and additionally uses openpgp for group chat so that would indicate no PFS.
Also looks like the encryption is some custom thing not documented. They were looking at doing OpenPGP, but now that's looking like OMEMO.
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
Removing XMPP recommendations, as all future clients must support E2EE by default. This is something we've discussed in the past thoroughly.
While Matrix does not at this moment, https://github.com/vector-im/riot-web/issues/6779#issuecomment-614822531 is imminent, so we make an exception for that.
I disagree on delisting of XMPP as I understand Conversations to still fullfil the criteria.
In general I see XMPP as a bit complicated case as the specification doesn't require E2EE and will not be doing that as E2EE is not required for everything that XMPP does. I guess they could be asked if it could be required for client compliance.
@ -204,2 +178,2 @@
<li><a href="https://bitmessage.org">Bitmessage</a> is a decentralized, encrypted, peer-to-peer, trustless communications protocol that can be used by one person to send encrypted messages to another person, or to multiple subscribers.</li>
</ul>
<div class="container">
<div class="row">
Is anyone using it?
I think delisting XMPP from federated protocols is a disservice.
Has OMEMO enabled by default, but I am not willing to clear data on my setup to confirm.
@ -204,2 +178,2 @@
<li><a href="https://bitmessage.org">Bitmessage</a> is a decentralized, encrypted, peer-to-peer, trustless communications protocol that can be used by one person to send encrypted messages to another person, or to multiple subscribers.</li>
</ul>
<div class="container">
<div class="row">
The reason I left retroshare was because it appears to have continuous development. They haven't had a release in a while.
To be honest it looks more like a collaboration platform. It could very well be removed from this particular page. Maybe this would be better moved to another section in another PR?
The issue is one client that does this isn't really enough.
We want to in the future make a criteria for the instant messenger page that all recommendations must have E2EE on by default for private chat. Allowing XMPP to remain means we can never do that.
It does hurt to de-list things we once recommended, really we owe it to our readers to make the best and most succinct choices. I think we must ensure that we keep in mind with our recommendations:
@ -204,2 +178,2 @@
<li><a href="https://bitmessage.org">Bitmessage</a> is a decentralized, encrypted, peer-to-peer, trustless communications protocol that can be used by one person to send encrypted messages to another person, or to multiple subscribers.</li>
</ul>
<div class="container">
<div class="row">
Retroshare is still listed as a self-contained-networks.html#L65 as it is appropriately a self contained network of its own, instant-messaging seems like it always a secondary functionality.
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
Wait, so you will delist xmpp (a protocol) because not all clients have it enabled by default, but leave matrix because atm pretty much only one client has e2ee and all the rest does not even have a support for it not to mention having it by default?
At the same time keeping and promoting matrix with all it's metadata stored indefinatelly in the database?
@dngray But XMPP is a protocol and you are talking about client feature. If you are listing only clients, then of course xmpp should not be there as its a protocol, but otherwise, why not. To my knowledge there is more xmpp clients supporting OMEMO then for example matrix clients with e2ee support.
I am referring to the ecosystem of specifications. The issue is that we don't just recommend a protocol (that would be like recommending http, and not a specific web browser).
To put it more simply:
This may be the case, the issue however is that not all streams of transmission are actually E2EE (eg voice/video) and we're looking at implementing a rule (we have been for a while) that all instant messenger recommendations must do E2EE by default for private communications. We wanted to avoid the footgun of "oops that particular action was not E2EE, sorry you didn't know about that" to our readers.
Incidentally this PR only recommends Riot, currently that is the most fully featured. Fortunately for any other client (which lets face it is an advanced user at this point) can make use of pantalaimon. (We don't mention that though).
Looks good!
okay, I think this looks good
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
We are referring to Riot specifically because it will very shortly have E2EE on by default.
Individual XMPP servers also store metadata (or can). High security environments where that is an issue will operate non-federating Matrix and XMPP servers.
Does Riot do e2ee by default. Does it do e2ee for voip too?
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
Though on matrix they just DO regardless of whether you want it or not. And while others do it in logs, matrix does it in database.
Conversations already does have it on by default so not sure whats the logic behind it.
Yes, it does for 1:1 VOIP.
Not for group meetings but nobody has that at the moment. We can't have a requirement for something that doesn't exist. Jitsi is working on that though https://jitsi.org/blog/e2ee/ (group meetings in Riot use Jitsi).
@ -148,0 +116,4 @@
<li>Allows you to choose who to trust your data with by choosing between multiple "public" servers.</li>
<li>Often allows for third party clients which can provide a more native, customized, or accessible experience.</li>
<li>Generally a less juicy target for governments wanting <a href="#exploiting-centralized-networks">backdoor access to everything</a> as the trust is decentralized. The server may be hosted independently from the organization developing the software.</li>
<li>Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)</li>
The logic is if something can, then we assume it does. Particularly in a federated network. Better to assume that it does than pretend like it might not.
Unless you have a non-federating server there's really no way to know what remote servers do.
Yes it does, but the issue is a lack of other high quality clients like it for other platforms.
Future discussion about XMPP should be in our issue https://github.com/privacytoolsIO/privacytools.io/issues/1838
No Session, then?
Out of scope for this issue see https://github.com/privacytoolsIO/privacytools.io/issues/1678