Comparisons of XMPP, Signal, MQTT, Tox, Telegram

OP
sidetone

sidetone

Daemon

Reaction score: 719
Messages: 1,573


It says, that for Telegram, encryption isn't the default, while being stored on servers. Also, that its encryption is weak and not built by experts.

It recommends Signal instead.


This says that they can tell when you're online, therefore who you're talking to. For most purposes, that's not so bad.

There was an update to this one saying that its MTProto encyption was later improved to be recognized as secure.


Signal, like Telegram, requires a phone number. It seems like a replacement upgrade over Telegram.

Nothing may be "secure", if it needs your mobile phone number to register, IMO.
 
OP
sidetone

sidetone

Daemon

Reaction score: 719
Messages: 1,573

Signal is recommended by many authors and at least two organizations. Looks more trustworthy than Telegram.


From this Thread valuable-news-2020-03-02.74304, it mentions that the EU recommends Signal for its staff.


When bandwidth isn't an issue, XMPP. When bandwidth is an issue for anyone being communicated with, I still have to consider others' opinions.

Someone, Thread how-is-sip-simple-for-an-xmpp-alternative.76331, said SIP/SIMPLE is really good. IMO only if everyone involved has the know how to secure that. That option is unavailable on most clients.
 
OP
sidetone

sidetone

Daemon

Reaction score: 719
Messages: 1,573

vigole

Daemon

Reaction score: 1,239
Messages: 1,140

Telegram server-side code is closed source, but its client is open source. Signal is open source. I'm not enough knowledgeable to vet any of them. Some people have done it. I have take their word for it. I thinks I should say Signal is probably more secure than Telegram. I've never recommended using Telegram to anyone and I don't trust them.

[EDIT]:
I hate to say it, but as far as I know the only way of secure communication is TNO (Trust no one!):
Choose a password, share it with you partner, write down your message in a text file, encrypt it with a AES program (use your password), and finally send the encrypted file. The medium doesn't matter; email, messenger, etc.
 

olli@

Daemon
Developer

Reaction score: 1,218
Messages: 1,108

From a practical point of view …

The problem is, if you want to communicate with your friends, you either have to use what they use, or try to convince them to use something else. For me, the latter has turned out to be rather difficult and unsuccessful. In other words, I won’t be able to convince all of them to switch to a certain messaging app. Most of my friends and relatives use either WhatsApp or Telegram, so that’s what I use, too. Personally I prefer Telegram, and in fact I managed to convince a few of them to switch to Telegram – Not because it is more secure, but because it has some nice features, like animated stickers (I think WhatsApp has these now, too, but I’m not sure), higher member limits on channels, and so on.

What I like about Telegram is the open client API that is very easy to use. I’ve written several Telegram bots and client programs in Python, for example a simple IRC-Telegram gateway for my personal use.

As far as security and trustworthiness are concerned … I consider all messaging apps as basically insecure, no matter what. I wouldn’t type my credit card number into any of them, no matter if open source, E2E encryption or whatever. For me, these apps are just for chatting with friends, equivalent to meeting in a restaurant. I wouldn’t say my credit card number loudly there either, or write it onto a table napkin. For really secure communication I would not use a messaging app. And in particular I would not do that on a regular Android or Apple device.
 
Last edited:

Mjölnir

Daemon

Reaction score: 1,495
Messages: 2,114

UseCrypt messaging for phones, as an alternative to Signal? But this application charges a fee.
You get what you pay for... Charging a (moderate) fee or asking for voluntary donations is the only way to achieve that your personal data & metadata is not monetarized, since services have costs, right? Electricity, hardware, manpower for software development & maintainance, all cost money. The attitude that (internet) services are free of charge is shere dumbness & naivitee... If someone wants me to communicate via one of the data kraken services, I just don't do it & explain to that person that I can't take anyone serious who uses such so-called free services. Often the reply is to ask for alternatives, and we have some, see above. This may be strict, but it makes me feel good.
 
OP
sidetone

sidetone

Daemon

Reaction score: 719
Messages: 1,573

You get what you pay for... Charging a (moderate) fee or asking for voluntary donations is the only way to achieve that your personal data & metadata is not monetarized, since services have costs, right?

I was saying it was different in that regard, that it charges a fee, a monthly one. That's fine. It may be more difficult for people who've used the service to return to it, to communicate months later. To maintain use of it, or to convince others to try it, who don't know if they'll use it for other purposes. If that service is really needed, like private email, then its use can be paid for.

I brought up UseCrypt, because it deserved mention as an application.

Really, for a phone, the phone is paid for and the monthly service is paid for. The phone itself and the way apps are accessed should be secure from Facebook like apps. Ironically, most phones use Google's Android. I use my computer for messaging, sometimes a phone. Usually, others mainly use their phones for communicating.

Not everything charges a fee, especially opensource. People contribute to it, and services that use them are often non-profit. Their costs are largely covered. People often donate to what they like. In comparison to Facebook, they're for profit, and it's in their nature to make as much as they can off in a greedy way of imposing on people's data. Not all for profits that don't charge are as infringing as them. If a for profit offers something for free, it's their right to make money off of advertisements, but not in a way that's invasive and annoying as Facebook (which owns Whatsapp). DuckDuckGo is able to do that. "You get what you pay for" is usually ok for having nothing or something with less features, but it's no justification for what Facebook does.

For third world countries, there needs to be full security that's accessible and doesn't have too much overhead or nothing.

What about FreeBSD as something that is free to use? That argument doesn't apply to open-source.
 

Mjölnir

Daemon

Reaction score: 1,495
Messages: 2,114

What about FreeBSD as something that is free to use? That argument doesn't apply to open-source.
It does. Open source projects need an intrastructure (internet services, meetings, travel grants for developers, a few full-time employees, etc.pp.). Although some costs are covered by companies using the project's "product", ordinary users are free to decide to donate, too. My signature states you're very likely paying for a Windows license when you purchase a new computer. You can get that back, and then you can decide what to do with that money. IMHO it's fair to donate that to the OS projects you're using instead of Windows, and/or support a developer; some have a link or button to donate on their personal website. They have to pay their bills, too. As of today, the FreeBSD Foundation reached less than 40% of their annual goal, and Wikipedia keeps bugging me with an invitation to donate although I already did...
 

ekvz

Well-Known Member

Reaction score: 278
Messages: 431

It does. Open source projects need an intrastructure (internet services, meetings, travel grants for developers, a few full-time employees, etc.pp.). Though some costs are covered by companies using the project's "product", ordinary users are free to decide to donate, too. My signature states you're very likely paying for a Windows license when you purchase a new computer. You can get that back, and then you can decide what to do with that money. IMHO it's fair to donate that to the OS projects you're using instead of Windows, and/or support a developer; some have a link or button to donate on their personal website. They have to pay their bills, too. As of today, the FreeBSD Foundation reached less than 40% of their annual goal, and Wikipedia keeps bugging me with an invitation to donate although I already did...

I agree. It depends a lot on the scale and type of said projects though. Resources are ridiculously cheap. If development isn't taken into account (like done by some guy as a hobby - we all know it happens) a textbased messanger service is likely able to serve a couple 1000 people on a budget of like maybe 50€/month. At this price point there is always going to be people who will do it just for the fun of it or even because of actual altruistic motives. Large(r) or more intensive projects are a completely different topic of course.

Edit: It's not entirely the same but still: Just look at this forum. Of course a lot of the time it's what i'd call a pleasantly intellectual exchange but another part of it seems suspiciously like unpaid tech support work. Now i am not saying that this isn't fun but in a way each and every person around here is to a certain degree already an unpaid open source "worker".
 

ekvz

Well-Known Member

Reaction score: 278
Messages: 431

I know it sounds radical, but developers need to eat too. If Open/Libre model doesn't work them, they have to work for corporations or/and! governments.

It's very true. There is a lot of things i'd absolutely love to do but amount of time it would take to realize them pared with the fact those likely aren't commercially viable (at least i'd hate to corrupt the vision just to squeeze money out of it - i am pretty bad at business things anyways so i doubt trying to do so would work all that great to begin with) directly conflict with the need of putting food on the table. Sometimes it's a bit frustrating but that's life and there is nothing one can do about it so...
 
OP
sidetone

sidetone

Daemon

Reaction score: 719
Messages: 1,573

I wasn't saying, "but" as in a bad thing. I was saying it like, it was different in that way.

If I need features from UseCrypt, I'll pay for it to use them. I mentioned UseCrypt, because it deserved discussion as something neat and exceptional among otherwise free and opensource messenger applications. XMPP and SIP/SIMPLE are the only ones recognized by IETF.

Opensource developers and organizations deserve donations and appreciation. There's no way around that. I need to make a donation to an open-source project.

It's different than Wikipedia. That's a shit project that uses mob mentality to support retardedness, then pretends it's something else. I will donate to projects and charities I like and generally agree with. FreeBSD and related projects are worthy of donations. I don't agree with few things FreeBSD does, which I see as misinformed, but that's not a big enough of an issue to stop people from favoring it.


For users all in developed nations, XMPP is perfect.

If talking to people not in a developed nation, subject to poor infrastructure or blackouts for whatever reason, XMPP takes up critical bandwidth.

As for Telegram or Signal, people should probably drop Telegram for Signal. The fact that Snowden endorses Signal, makes me a bit dubious about it, however.

Even if I think a messenger application is secure, I would get worried if someone who regularly visits a country without free speech says something bad about someone in that government. I would discourage someone from saying that as long as they have to deal with those countries, even on something I think is secure, because they throw people in jail for simply criticizing.

That would be a cause for some who realize this, and not a weight on an opensource community in general. The good thing about opensource is that those who see that, are allowed to adopt it for use.
 
Last edited:

hruodr

Aspiring Daemon

Reaction score: 215
Messages: 778

Nice thread! I also wanted to investigate the issue for my server project:


Since I want standards, I though about SIP and XMPP.
 

hruodr

Aspiring Daemon

Reaction score: 215
Messages: 778

The problem is, if you want to communicate with your friends, you either have to use what they use, or try to convince them to use something else.

Well, perhaps all of them use a web browser and now there is WebRTC.
 

olli@

Daemon
Developer

Reaction score: 1,218
Messages: 1,108

Well, perhaps all of them use a web browser and now there is WebRTC.
No, most of them use a smartphone with a native app; usually WhatsApp or Telegram. Web applications don’t work very well for this. (Telegram’s web client is actually pretty good, but it is meant to be used on a PC, not on a phone.)
 

ekvz

Well-Known Member

Reaction score: 278
Messages: 431

a fake .docx file

Jeez, how long has this been going on? 10 years, 15 years, ... and people still aren't wise to the fact that opening random word documents is a bad idea. PDF had it's problems/exploits but at least there are some viewers that are pretty trustworthy in regards to not doing stupid things. In any case it's absolutely irresponsible for MS to not have put up a big fat warning about the potencial consequences of opening documents of unclear origin when macros are enabled by now. Given their tendency to track things they likely even know those documents originated from emails and are opened for the first time but still seem to do nothing about it (and why does a word processor even have access to OS functions?). Way to go...
 

vigole

Daemon

Reaction score: 1,239
Messages: 1,140

From Outlook/Thunderbird to Libre/MS Office, if you have macro/script enabled in your client, you shouldn't open any documents [period]
  • Disable all marco, scripting, addon, OLE, etc in LibreOffice (1) and MSOffice (2)
  • All scripting in document is bad! WSF, VBA, JXA, ECMAscript (JavaSCripp/TypeScript), AppleScript, Basic, Python, BeanShell, etc.
  • Disable remote content in emails (3)
  • Read mails in plain text (4)
  • Disable inline attachments in email clients (5)
  • Respect others by sending them text-only email (6)
Who need script/macro in documents (pdf, docx, etc)? docx is a zip package file and could be opened with zip software (*)
Nobody need scrips in email. Same goes for spreadsheet (Excel,...). If you need to script spreadsheet, it's a sign. You are using the wrong program. Maybe you should use SPSS, R or python.

(1) LibreOffice: Tool | Options | LibreOffice | Security => (Options) & (Macros)
(2) MS Office: File | Help | Options | Trust centre | so forth and so on! (sorry I don't have MS Office)
(3) Thunderbird | Tools | Options | Privacy & Security | Uncheck "allow remote content in message"
(4) Thunderbird | View | Message Body as | plain text
(5) Thunderbird | View | Uncheck "Display attachment inline"
(6) Thunderbird | Tools | Account settings | choose an account => | Composition & addressing | Uncheck "compose message in HTML format"
(*) https://www.loc.gov/preservation/digital/formats/fdd/fdd000397.shtml
 
OP
sidetone

sidetone

Daemon

Reaction score: 719
Messages: 1,573


Says contact lists can be uploaded by Signal and Telegram, and this information is insecure.

Its results are from the PDF, All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers.

Signal's contact information is hashed, but there's not a lot of users, so that information can be found.
 

getopt

Aspiring Daemon

Reaction score: 616
Messages: 866

sidetone thanks for pointing to this new paper, as the linked PDF is worth reading in full.

Contact crawling is not limited to these messengers. It's a general problem mainly with mobile devices and interests may exist that such problems persist.
 

olli@

Daemon
Developer

Reaction score: 1,218
Messages: 1,108

By the way, you can refuse access to your contacts for any app. I did that with Telegram on my Android smartphone. It still works fine, the only difference is that I cannot select from my contacts within Telegram, but I have to enter it manually. So it’s a small inconvenience, but I’m fine with that. (I also disabled access to camera and microphone for Telegram because I use it only for textual messaging.)
 

getopt

Aspiring Daemon

Reaction score: 616
Messages: 866

Beware of communication partners who work around security (policies) for a convenient usage.

Contact data are sensitive and have to be protected!

Readers of the above mentioned study who understood that even hashes are no meaningful protection won't create any unencrypted files with their contacts.

This is an example of the human factor in sensitive communications and their storage. One never knows what ideas pop up on the other side for a "better user experience". Convenience ever has been opposed to security.
 

vigole

Daemon

Reaction score: 1,239
Messages: 1,140

Apparently same goes for OfficeHours. Two days ago I was looking for more information on "how to participate in OfficeHours", as it was announced in the newsletter. I think that program is going to use some google tech too. Email Ranting on these subjects are always appropriate. Also it's nice to have similar rant in the Off-topic section of the FreeBSD Forums too.
Latecomer TL;DR: YAY!
 
Top