Comparisons of XMPP, Signal, MQTT, Tox, Telegram

sidetone

Daemon

Reaction score: 544
Messages: 1,330

XMPP is said to have a lot of overhead, in part because it uses XML.
Telegram markets itself as being very secure, but I've seen past comments that were dubious about this.
MQTT is lightweight. There isn't much about its use for messaging. There is an example of one at the project Eclipse Paho, http://www.eclipse.org/paho/

Is MQTT seen as an alternative for instant messaging, apart from its use in small device communication?

Edits: Signal as an alternative to Telegram.

Tox?
 
Last edited:

shkhln

Daemon

Reaction score: 663
Messages: 1,647

Telegram markets itself as being very secure, but I've seen past comments that were dubious about this.
There two separate concerns with Telegram: their protocol and their security claims. The encryption was discussed to death already and is not really worth revisiting here. See https://news.ycombinator.com/item?id=16097793 for summary.

Their claims are highly misleading regardless of whether their protocol has any security holes. Telegram is not designed to resist mass surveillance: it does not use e2e encryption by default (afaik, e2e is also not supported in the official desktop client); it stores contacts and message history centrally; and they even have plans to make it into a payment network, which would require them to have accurate information about actual real life user identities.

Now, optional e2e is inherently dangerous since the act of its activation itself might be a sensitive information. You don't necessarily want third parties to know you've considered something interesting enough to properly encrypt. More so, I don't think users should decide what data is actually important: things that typical user would consider sensitive like nude pictures, medical test results, financial documents aren't really that interesting to the government (think about it, with the exception of nude pictures, they already have access to that data). It is the more mundane things that need protection from mass surveillance the most: where have you been at a certain date (location metadata), whom you talked to (metadata again), what are your shared interests (can be determined from regular chatter). Even state-of-the-art Signal doesn't quite solve that problem: it protects chat contents, but not metadata. Telegram does nothing of the sort.
 
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

I would like to bring TOX to the list.
I tried to communicate with Tox, to a user with a Windows computer, they said, they had to give up access to their files and available audio and webcams in order to use it. I discourage and don't expect someone to communicate using a bundled a program that asks for that. Perhaps it was the client, or the put together package for that version of Tox that did that. Whomever put that package together, abused user trust in exchange for convenience.

Most users use Windows, that aren't able to conveniently compile out of the box, in order for a specific application to communicate properly with a BSD machine.
 
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

This reminds me. If a client, its application, protocol and server are securely encrypted from end to end, knowing how Google collects data, is the Android OS on the phone able to read data on the end display on the messaging application?

Google has been more responsible with data than Facebook, but they use that for marketing, to eventually figure out what you want to buy, before you do. That, requires user trust, which we know will be for monetary purposes.

Similar for iPhones. IIRC, according to Telegram's website, Apple granted 70% of requests for encrypted data to the Chinese government. (perhaps because they do business there). Apple did try to gain credibility at one time for iPhones being secure, by refusing to hand over keys or backdoors to criminal investigators to access data.

There are trust issues with Telegram. There is, however, the case, that they haven't given up access keys to certain governments, and got banned for it, which seems to be a good thing. shkhln 's points on the vulnerability of Telegram, still come in to play. The current reputation of Telegram seems to be in contrast to its reputation last year, but that doesn't necessarily mean its current reputation is accurate.
 

shkhln

Daemon

Reaction score: 663
Messages: 1,647

There is, however, the case, that they haven't given up access keys to certain governments
It really doesn't matter what Telegram says, how pure are their intentions, whether they are affiliated with FSB, etc. They don't have the ability to protect the data stored on their servers. If somebody wants access to it badly enough, they will have access.


And you won't know anything about that from the news.
 

tingo

Daemon

Reaction score: 500
Messages: 2,288

FWIW, MQTT has gained popularity with the "Internet Of Things" movement. I use it with Home Assistant to get data from some external sensors, for example. And at our local makerspace, MQTT is pretty much the "bus" for all automation we do, including the door locks / door openers.
 

ronaldlees

Aspiring Daemon

Reaction score: 331
Messages: 764

Not to mention any particular messaging apps by name, but IMO the publicity put out by various governments all over the world to "not use" a particular application is probably meant to build a false sense of security. Because, as shkhln mentioned, a single person or small group of persons is easy to intimidate. That said, I won't discount that some messaging app developers might be very brave people who can stand their ground. For my teabag opinion, the best bet is: "Don't use *any* messaging app, and meet in a dark coffee shop with no cameras or entangled photon generators, and exchange keys on paper."
 
S

Sensucht94

Guest


I've used XMPP extensively throughout years and convinced many people to try it. A secure and simple, rock solid open standard proto, offering tons of clients, many of which open source. Currently I talk through XMPP with a group of close friends and with my girlfriend.

On computer I always rely on net-im/profanity, while on Android I use Conversations (GPL-3.0; could hope for MIT or BSDv2/3-clause but sadly largest part of open source software released for Android is either GPL-3.0 or Apache-2.0; screw their Linux kernel).

SMS and E-mails for everything else.

I would have tried TOX, but I haven't seen reason for doing this so far outside curiosity
 
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

https://gizmodo.com/apple-isnt-your-friend-1826611293
About motive, intent and marketing by companies offering apps and services, to separate themselves from eavesdropping competitors, in this case, I'm relating it to instant messaging.

Keeping in mind, that Apple tries to make itself look trustworthy by not offering backdoors to criminal investigators. In turn, Telegram pointing out that Apple has given up access to about %50 of requested records to the Chinese government, which does not share the same ideas of freedom of expression and human rights as other nations.
 
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

I might try net/linphone, which uses SIP.

XMPP carries too much data in the form of opening and closing tags, which doesn't work well on congested or underdeveloped networks. I read that data is not peer-to-peer after the handshake to the server, which means data can't go directly to computers without making a stop at the server. So, after the handshake connection, the data must make extra inconvenient trips sometimes around the globe.
 
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

For XMPP on the phone, I use Astrachat. XMPP also works from thunderbird email client.
 

Sevendogsbsd

Aspiring Daemon

Reaction score: 524
Messages: 974

So, just to throw this out there about Telegram: I have outgoing rules in my pfsense FW at home. I block outbound to a couple of geographic regions known to be hostile in terms of hacking/phishing/malware activity. Telegram was originally written in one of those countries. I found that once I installed it on my phone (android), I had a lot of outbound traffic to that country from my phone. The Telegram servers are (were) not hosted in that country. I asked about this on an android forum and (yes, this is hearsay), a member mentioned that the devs who wrote Telegram were originally from said country.

To me, this is a communication channel left in by the devs, for whatever reason. It might be fine, but it might not. Once I removed Telegram, the traffic stopped.

My .02

So, I'll have to revise this statement because now I am not seeing any of this traffic. Perhaps this was unrelated to Telegram when I first checked and I misread the traffic destination or what, I don't know. I am actually back using telegram on my iPhone and I have not seen anything like this in my firewall anymore.
 
Last edited:
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

It started as you said. IIRC, the owner moved to another country, maybe Britain.
 

longimanus

New Member

Reaction score: 1
Messages: 12

On my phone/Linux laptop I use ring, now renamed jami. It works reasonably well. No signup using any personal details are required. Just pick a user name and go Jami
 

Sevendogsbsd

Aspiring Daemon

Reaction score: 524
Messages: 974

It started as you said. IIRC, the owner moved to another country, maybe Britain.
I believe there were politics involved and I am not trying to knock the Telegram devs, I just found the traffic the app generated to be disturbing. Then again I am a paranoid security guy so that goes with the territory.
 
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

It's reasonable until knowing what that traffic is about, which may be difficult or impossible to really know. Excessive traffic doesn't belong.
 

unix4you2

Member

Reaction score: 20
Messages: 26

Hi there.

I really like XMPP and use it for years for some thousands of users whitouth problems and with a very small machine.

Here is my how-to install an XMPP server under FreeBSD using Openfire with internal and external authentication .


It's in my native language, but all the commands are in blue for people that just want to follow them.

Regards.
 
OP
sidetone

sidetone

Daemon

Reaction score: 544
Messages: 1,330

XMPP seems to be the way to go over Telegram. A setback about XMPP is, XML takes up more bandwidth when internet connection speeds are unreliable or slow.

An inconvenience is, when I have XMPP open on two different hardwares, one can get the message, while the other doesn't, and there's no option to turn it off on a mobile phone. On Telegram, all receiving devices get the message.
 
Top