Comparisons of XMPP, Signal, MQTT, Tox, Telegram

XMPP is said to have a lot of overhead, in part because it uses XML. Also, each message must pass through servers that were used for establishing the connection, rather than more directly afterwards.

Telegram markets itself as being very secure, but I've seen past comments that were dubious about this. Aside from that, Signal is a better alternative than Telegram. Signal is secure by default, while Telegram leads the assumption that it is, when it isn't.

MQTT, which is lightweight, is intended for IOT (small device communication). The project Eclipse Paho is a rare example of its use for messaging. MQTT's security is too basic for secure conversation.

Matrix is basically a proprietary derivative of XMPP.

Also discussions about TOX.
Last edited:
Telegram markets itself as being very secure, but I've seen past comments that were dubious about this.

There are two separate concerns with Telegram: their protocol and their security claims. The encryption was discussed to death already and is not really worth revisiting here. See for summary.

Their claims are highly misleading regardless of whether their protocol has any security holes. Telegram is not designed to resist mass surveillance: it does not use e2e encryption by default (afaik, e2e is also not supported in the official desktop client); it stores contacts and message history centrally; and they even have plans to make it into a payment network, which would require them to have accurate information about actual real life user identities.

Now, optional e2e is inherently dangerous since the act of its activation itself might be a sensitive information. You don't necessarily want third parties to know you've considered something interesting enough to properly encrypt. More so, I don't think users should decide what data is actually important: things that typical user would consider sensitive like nude pictures, medical test results, financial documents aren't really that interesting to the government (think about it, with the exception of nude pictures, they already have access to that data). It is the more mundane things that need protection from mass surveillance the most: where have you been at a certain date (location metadata), whom you talked to (metadata again), what are your shared interests (can be determined from regular chatter). Even state-of-the-art Signal doesn't quite solve that problem: it protects chat contents, but not metadata. Telegram does nothing of the sort.
Last edited:
I would like to bring TOX to the list.
I tried to communicate with Tox, to a user with a Windows computer, they said, they had to give up access to their files and available audio and webcams in order to use it. I discourage and don't expect someone to communicate using a bundled a program that asks for that. Perhaps it was the client, or the put together package for that version of Tox that did that. Whomever put that package together, abused user trust in exchange for convenience.

Most users use Windows, that aren't able to conveniently compile out of the box, in order for a specific application to communicate properly with a BSD machine.
This reminds me. If a client, its application, protocol and server are securely encrypted from end to end, knowing how Google collects data, is the Android OS on the phone able to read data on the end display on the messaging application?

Google has been more responsible with data than Facebook, but they use that for marketing, to eventually figure out what you want to buy, before you do. That, requires user trust, which we know will be for monetary purposes.

Similar for iPhones. IIRC, according to Telegram's website, Apple granted 70% of requests for encrypted data to the Chinese government. (perhaps because they do business there). Apple did try to gain credibility at one time for iPhones being secure, by refusing to hand over keys or backdoors to criminal investigators to access data.

There are trust issues with Telegram. There is, however, the case, that they haven't given up access keys to certain governments, and got banned for it, which seems to be a good thing. shkhln 's points on the vulnerability of Telegram, still come in to play. The current reputation of Telegram seems to be in contrast to its reputation last year, but that doesn't necessarily mean its current reputation is accurate.
There is, however, the case, that they haven't given up access keys to certain governments

It really doesn't matter what Telegram says, how pure are their intentions, whether they are affiliated with FSB, etc. They don't have the ability to protect the data stored on their servers. If somebody wants access to it badly enough, they will have access.


And you won't know anything about that from the news.
FWIW, MQTT has gained popularity with the "Internet Of Things" movement. I use it with Home Assistant to get data from some external sensors, for example. And at our local makerspace, MQTT is pretty much the "bus" for all automation we do, including the door locks / door openers.
Not to mention any particular messaging apps by name, but IMO the publicity put out by various governments all over the world to "not use" a particular application is probably meant to build a false sense of security. Because, as shkhln mentioned, a single person or small group of persons is easy to intimidate. That said, I won't discount that some messaging app developers might be very brave people who can stand their ground. For my teabag opinion, the best bet is: "Don't use *any* messaging app, and meet in a dark coffee shop with no cameras or entangled photon generators, and exchange keys on paper."
I've used XMPP extensively throughout years and convinced many people to try it. A secure and simple, rock solid open standard proto, offering tons of clients, many of which open source. Currently I talk through XMPP with a group of close friends and with my girlfriend.

On computer I always rely on net-im/profanity, while on Android I use Conversations (GPL-3.0; could hope for MIT or BSDv2/3-clause but sadly largest part of open source software released for Android is either GPL-3.0 or Apache-2.0; screw their Linux kernel).

SMS and E-mails for everything else.

I would have tried TOX, but I haven't seen reason for doing this so far outside curiosity
About motive, intent and marketing by companies offering apps and services, to separate themselves from eavesdropping competitors, in this case, I'm relating it to instant messaging.

Keeping in mind, that Apple tries to make itself look trustworthy by not offering backdoors to criminal investigators. In turn, Telegram pointing out that Apple has given up access to about %50 of requested records to the Chinese government, which does not share the same ideas of freedom of expression and human rights as other nations.
I might try net/linphone, which uses SIP.

XMPP carries too much data in the form of opening and closing tags, which doesn't work well on congested or underdeveloped networks. I read that data is not peer-to-peer after the handshake to the server, which means data can't go directly to computers without making a stop at the server. So, after the handshake connection, the data must make extra inconvenient trips sometimes around the globe.
So, just to throw this out there about Telegram: I have outgoing rules in my pfsense FW at home. I block outbound to a couple of geographic regions known to be hostile in terms of hacking/phishing/malware activity. Telegram was originally written in one of those countries. I found that once I installed it on my phone (android), I had a lot of outbound traffic to that country from my phone. The Telegram servers are (were) not hosted in that country. I asked about this on an android forum and (yes, this is hearsay), a member mentioned that the devs who wrote Telegram were originally from said country.

To me, this is a communication channel left in by the devs, for whatever reason. It might be fine, but it might not. Once I removed Telegram, the traffic stopped.

My .02

So, I'll have to revise this statement because now I am not seeing any of this traffic. Perhaps this was unrelated to Telegram when I first checked and I misread the traffic destination or what, I don't know. I am actually back using telegram on my iPhone and I have not seen anything like this in my firewall anymore.
Last edited:
It started as you said. IIRC, the owner moved to another country, maybe Britain.

I believe there were politics involved and I am not trying to knock the Telegram devs, I just found the traffic the app generated to be disturbing. Then again I am a paranoid security guy so that goes with the territory.
It's reasonable until knowing what that traffic is about, which may be difficult or impossible to really know. Excessive traffic doesn't belong.
Hi there.

I really like XMPP and use it for years for some thousands of users whitouth problems and with a very small machine.

Here is my how-to install an XMPP server under FreeBSD using Openfire with internal and external authentication .

It's in my native language, but all the commands are in blue for people that just want to follow them.

XMPP seems to be the way to go over Telegram. A setback about XMPP is, XML takes up more bandwidth when internet connection speeds are unreliable or slow.

An inconvenience is, when I have XMPP open on two different hardwares, one can get the message, while the other doesn't, and there's no option to turn it off on a mobile phone. On Telegram, all receiving devices get the message.