Comparisons of XMPP, Signal, MQTT, Tox, Telegram

OP
sidetone



It says, that for Telegram, encryption isn't the default, while being stored on servers. Also, that its encryption is weak and not built by experts.

It recommends Signal instead.


This says that they can tell when you're online, therefore who you're talking to. For most purposes, that's not so bad.

There was an update to this one saying that its MTProto encryption was later improved to be recognized as secure.


Signal, like Telegram, requires a phone number. It seems like a replacement upgrade over Telegram.

Nothing may be "secure", if it needs your mobile phone number to register, IMO.
 
OP
sidetone


Signal is recommended by many authors and at least two organizations. Looks more trustworthy than Telegram.


From this Thread valuable-news-2020-03-02.74304, it mentions that the EU recommends Signal for its staff.


When bandwidth isn't an issue, XMPP. When bandwidth is an issue for anyone being communicated with, I still have to consider others' opinions.

Someone, Thread how-is-sip-simple-for-an-xmpp-alternative.76331, said SIP/SIMPLE is really good. IMO only if everyone involved has the know-how to secure that. That option is unavailable on most clients.
 

vigole


Telegram's server-side code is closed source, but its client is open source. Signal is open source. I'm not knowledgeable enough to vet any of them. Some people have done it. I have to take their word for it. I think I should say Signal is probably more secure than Telegram. I've never recommended using Telegram to anyone and I don't trust them.

[EDIT]:
I hate to say it, but as far as I know the only way of secure communication is TNO (Trust no one!):
Choose a password, share it with your partner, write down your message in a text file, encrypt it with an AES program (use your password), and finally send the encrypted file. The medium doesn't matter; email, messenger, etc.
 

olli@


From a practical point of view …

The problem is, if you want to communicate with your friends, you either have to use what they use, or try to convince them to use something else. For me, the latter has turned out to be rather difficult and unsuccessful. In other words, I won’t be able to convince all of them to switch to a certain messaging app. Most of my friends and relatives use either WhatsApp or Telegram, so that’s what I use, too. Personally I prefer Telegram, and in fact I managed to convince a few of them to switch to Telegram – Not because it is more secure, but because it has some nice features, like animated stickers (I think WhatsApp has these now, too, but I’m not sure), higher member limits on channels, and so on.

What I like about Telegram is the open client API that is very easy to use. I’ve written several Telegram bots and client programs in Python, for example a simple IRC-Telegram gateway for my personal use.

As far as security and trustworthiness are concerned … I consider all messaging apps as basically insecure, no matter what. I wouldn’t type my credit card number into any of them, no matter if open source, E2E encryption or whatever. For me, these apps are just for chatting with friends, equivalent to meeting in a restaurant. I wouldn’t say my credit card number loudly there either, or write it onto a table napkin. For really secure communication I would not use a messaging app. And in particular I would not do that on a regular Android or Apple device.
 

mjollnir


> UseCrypt messaging for phones, as an alternative to Signal? But this application charges a fee.

You get what you pay for... Charging a (moderate) fee or asking for voluntary donations is the only way to achieve that your personal data & metadata is not monetized, since services have costs, right? Electricity, hardware, manpower for software development & maintenance, all cost money. The attitude that (internet) services are free of charge is sheer dumbness & naivety... If someone wants me to communicate via one of the data kraken services, I just don't do it & explain to that person that I can't take anyone seriously who uses such so-called free services. Often the reply is to ask for alternatives, and we have some, see above. This may be strict, but it makes me feel good.
 
OP
sidetone


> You get what you pay for... Charging a (moderate) fee or asking for voluntary donations is the only way to achieve that your personal data & metadata is not monetized, since services have costs, right?

I was saying it was different in that regard, that it charges a fee, a monthly one. That's fine. It may be more difficult for people who've used the service to return to it, to communicate months later. To maintain use of it, or to convince others to try it, who don't know if they'll use it for other purposes. If that service is really needed, like private email, then its use can be paid for.

I brought up UseCrypt, because it deserved mention as an application.

Really, for a phone, the phone is paid for and the monthly service is paid for. The phone itself and the way apps are accessed should be secure from Facebook like apps. Ironically, most phones use Google's Android. I use my computer for messaging, sometimes a phone. Usually, others mainly use their phones for communicating.

Not everything charges a fee, especially opensource. People contribute to it, and services that use them are often non-profit. Their costs are largely covered. People often donate to what they like. In comparison to Facebook, they're for profit, and it's in their nature to make as much as they can off in a greedy way of imposing on people's data. Not all for profits that don't charge are as infringing as them. If a for profit offers something for free, it's their right to make money off of advertisements, but not in a way that's invasive and annoying as Facebook (which owns WhatsApp). DuckDuckGo is able to do that. "You get what you pay for" is usually ok for having nothing or something with less features, but it's no justification for what Facebook does.

For third world countries, there needs to be full security that's accessible and doesn't have too much overhead or nothing.

What about FreeBSD as something that is free to use? That argument doesn't apply to open-source.
 

mjollnir


> What about FreeBSD as something that is free to use? That argument doesn't apply to open-source.

It does. Open source projects need an infrastructure (internet services, meetings, travel grants for developers, a few full-time employees, etc.pp.). Although some costs are covered by companies using the project's "product", ordinary users are free to decide to donate, too. My signature states you're very likely paying for a Windows license when you purchase a new computer. You can get that back, and then you can decide what to do with that money. IMHO it's fair to donate that to the OS projects you're using instead of Windows, and/or support a developer; some have a link or button to donate on their personal website. They have to pay their bills, too. As of today, the FreeBSD Foundation reached less than 40% of their annual goal, and Wikipedia keeps bugging me with an invitation to donate although I already did...
 

ekvz


> It does. Open source projects need an infrastructure (internet services, meetings, travel grants for developers, a few full-time employees, etc.pp.). Though some costs are covered by companies using the project's "product", ordinary users are free to decide to donate, too. My signature states you're very likely paying for a Windows license when you purchase a new computer. You can get that back, and then you can decide what to do with that money. IMHO it's fair to donate that to the OS projects you're using instead of Windows, and/or support a developer; some have a link or button to donate on their personal website. They have to pay their bills, too. As of today, the FreeBSD Foundation reached less than 40% of their annual goal, and Wikipedia keeps bugging me with an invitation to donate although I already did...

I agree. It depends a lot on the scale and type of said projects though. Resources are ridiculously cheap. If development isn't taken into account (like done by some guy as a hobby - we all know it happens) a text-based messenger service is likely able to serve a couple 1000 people on a budget of like maybe 50€/month. At this price point there are always going to be people who will do it just for the fun of it or even because of actual altruistic motives. Large(r) or more intensive projects are a completely different topic of course.

Edit: It's not entirely the same but still: Just look at this forum. Of course a lot of the time it's what I'd call a pleasantly intellectual exchange but another part of it seems suspiciously like unpaid tech support work. Now I am not saying that this isn't fun but in a way each and every person around here is to a certain degree already an unpaid open source "worker".
 

vigole


I know it sounds radical, but developers need to eat too. If the Open/Libre model doesn't work for them, they have to work for corporations or/and! governments.
 

ekvz


> I know it sounds radical, but developers need to eat too. If the Open/Libre model doesn't work for them, they have to work for corporations or/and! governments.

It's very true. There are a lot of things I'd absolutely love to do but the amount of time it would take to realize them paired with the fact those likely aren't commercially viable (at least I'd hate to corrupt the vision just to squeeze money out of it - I am pretty bad at business things anyways so I doubt trying to do so would work all that great to begin with) directly conflicts with the need of putting food on the table. Sometimes it's a bit frustrating but that's life and there is nothing one can do about it so...
 
OP
sidetone


I wasn't saying, "but" as in a bad thing. I was saying it like, it was different in that way.

If I need features from UseCrypt, I'll pay for it to use them. I mentioned UseCrypt, because it deserved discussion as something neat and exceptional among otherwise free and opensource messenger applications. XMPP and SIP/SIMPLE are the only ones recognized by IETF.

Opensource developers and organizations deserve donations and appreciation. There's no way around that. I need to make a donation to an open-source project.

It's different than Wikipedia. That's a shit project that uses mob mentality to support retardedness, then pretends it's something else. I will donate to projects and charities I like and generally agree with. FreeBSD and related projects are worthy of donations. I don't agree with a few things FreeBSD does, which I see as misinformed, but that's not a big enough of an issue to stop people from favoring it.


For users all in developed nations, XMPP is perfect.

If talking to people not in a developed nation, subject to poor infrastructure or blackouts for whatever reason, XMPP takes up critical bandwidth.

As for Telegram or Signal, people should probably drop Telegram for Signal. The fact that Snowden endorses Signal, makes me a bit dubious about it, however.

Even if I think a messenger application is secure, I would get worried if someone who regularly visits a country without free speech says something bad about someone in that government. I would discourage someone from saying that as long as they have to deal with those countries, even on something I think is secure, because they throw people in jail for simply criticizing.

That would be a cause for some who realize this, and not a weight on an opensource community in general. The good thing about opensource is that those who see that, are allowed to adopt it for use.
 

hruodr


Nice thread! I also wanted to investigate the issue for my server project:


Since I want standards, I thought about SIP and XMPP.
 

hruodr


> The problem is, if you want to communicate with your friends, you either have to use what they use, or try to convince them to use something else.

Well, perhaps all of them use a web browser and now there is WebRTC.
 

olli@


> Well, perhaps all of them use a web browser and now there is WebRTC.

No, most of them use a smartphone with a native app; usually WhatsApp or Telegram. Web applications don’t work very well for this. (Telegram’s web client is actually pretty good, but it is meant to be used on a PC, not on a phone.)
 