An opensource framework allows interoperable and inter-organizational use between different offerings (or servers). Signal can't be compared in this category, because it is simply an opensource client offered by one provider or organization, and not a standard for interoperable use: it can be compared to other opensource apps on a separate merit.
If one wants to host their own server or wants a choosing that is interoperable with others, or a choice of software clients to use, then an opensource messaging standard or framework is the way to go.
IETF recognized frameworks
IETF recognizes XMPP (Extensible Messaging and Presence Protocol) and SIP (Session Initiation Protocol) as opensource standards for secure communication. IAX (Inter-Asterisk eXchange 2) which is associated with Asterisk is acknowledged by IETF, but not at the level of a standard by this governing organization. MGCP (Media Gateway Control Protocol) is an IETF opensource framework for VOIP that has been surpassed by SIP and IAX.
IAX (eaks) makes up for some shortcomings of SIP. SIP is not practical for use behind a NAT, but IAX is.
There is overlap between XMPP/Jingle and SIP/Simple. XMPP was intended for text communications, and as a Jingle extension to allow voice and video. SIP was intended for voice communication, but later added Simple for text communication.
OASIS recognized frameworks
AMQP (Advanced Message Queuing Protocol), MQTT (Message Queuing Telemetry Transport) and CAP (Common Alerting Protocol) are open standards recognized by OASIS. CAP is an important but more specific offering by OASIS.
MQTT is meant for Internet of Things (IoT) or device communication. MQTT is useful for automation, logistics, manufacturing, smart home, energy and transportation. For some IoT purposes, MQTT can be used in place of Bluetooth. MQTT-SN addresses very constrained networks. Eclipse organization takes an active interest in MQTT. See: net/mosquitto and net/py-paho-mqtt
AMQP is an open standard for secure business messaging. It's used by a lot of financial firms. See: net/rabbitmq
CAP is an XML implementation used for emergency alerts. It's used by National Oceanic and Atmospheric Administration (NOAA), Emergency Alert Services (EAS), FEMA and other agencies.
W3C
World Wide Web Consortium (W3C) is an open standards platform organization for the Internet. International Digital Publishing Forum (IDPF) was an opensource standards organization which has merged with W3C in 2016. ePub was fostered by IDPF, and it is now under W3C. WebRTC is an open-source standard by W3C for VOIP communication on the web through an API. For an API, JavaScript is mentioned.
More
LwM2M (Lightweight Machine to Machine) is an open specification by OMA (Open Mobile Alliance) Specworks, which IPSO (Internet Protocol for Smart Objects) Alliance has merged with. JupiterMesh is an open specification by Zigbee. These are for hardware and IoT communication.
Secure authentication and encryption of streams
For secure communication, OMEMO or PGP is needed for XMPP. It is easy to verify whether OMEMO or PGP are switched on. OMEMO is an opensource technology originally developed for Signal messenger. Jingle and other file or media transports still need additional encryption.
SIP needs both SIPS (SIP Secure) and SRTP (Secure RTP) for secure communication, but this requires a professional to set up devices on both ends of the line. It is difficult to confirm whether SIP communications are encrypted, or when they become unencrypted, unless it is set up by an expert in such a way that calls drop the moment they become insecure. Many software offerings don't have SIPS availability: PJSIP. SIPS negotiates a link between clients and servers, then SRTP transports voice directly from client to client.
SRTP ports and port options:
* Asterisk ports have net/pjsip and SRTP options: both must be enabled
* net/pjsip has an EXTSRTP option, which must be enabled
* EXSRTP and SRTP options both pull in the net/libsrtp2 library
* net/libsrtp was long depreciated and replaced by a newer version, libsrtp2, because it conflicted with OpenSSL in base of previous FreeBSD versions
* audio/baresip is an SIP client which had the srtp option: DTLS_SRTP is now available as an option, but is marked as broken
For IAX, RSA key exchange or MD5 hashing only secures the authentication handshake. The communication stream also requires a dynamic key (aes128) or VPN.
MQTT's authentication is too basic to allow secure conversation, however it can use SSL/TLS.
CoAP (Constrained Application Protocol) is a framework from IETF as an alternative to MQTT, but it provides no security mechanisms.
Sources
If one wants to host their own server or wants a choosing that is interoperable with others, or a choice of software clients to use, then an opensource messaging standard or framework is the way to go.
IETF recognized frameworks
IETF recognizes XMPP (Extensible Messaging and Presence Protocol) and SIP (Session Initiation Protocol) as opensource standards for secure communication. IAX (Inter-Asterisk eXchange 2) which is associated with Asterisk is acknowledged by IETF, but not at the level of a standard by this governing organization. MGCP (Media Gateway Control Protocol) is an IETF opensource framework for VOIP that has been surpassed by SIP and IAX.
IAX (eaks) makes up for some shortcomings of SIP. SIP is not practical for use behind a NAT, but IAX is.
There is overlap between XMPP/Jingle and SIP/Simple. XMPP was intended for text communications, and as a Jingle extension to allow voice and video. SIP was intended for voice communication, but later added Simple for text communication.
OASIS recognized frameworks
AMQP (Advanced Message Queuing Protocol), MQTT (Message Queuing Telemetry Transport) and CAP (Common Alerting Protocol) are open standards recognized by OASIS. CAP is an important but more specific offering by OASIS.
MQTT is meant for Internet of Things (IoT) or device communication. MQTT is useful for automation, logistics, manufacturing, smart home, energy and transportation. For some IoT purposes, MQTT can be used in place of Bluetooth. MQTT-SN addresses very constrained networks. Eclipse organization takes an active interest in MQTT. See: net/mosquitto and net/py-paho-mqtt
AMQP is an open standard for secure business messaging. It's used by a lot of financial firms. See: net/rabbitmq
CAP is an XML implementation used for emergency alerts. It's used by National Oceanic and Atmospheric Administration (NOAA), Emergency Alert Services (EAS), FEMA and other agencies.
W3C
World Wide Web Consortium (W3C) is an open standards platform organization for the Internet. International Digital Publishing Forum (IDPF) was an opensource standards organization which has merged with W3C in 2016. ePub was fostered by IDPF, and it is now under W3C. WebRTC is an open-source standard by W3C for VOIP communication on the web through an API. For an API, JavaScript is mentioned.
More
LwM2M (Lightweight Machine to Machine) is an open specification by OMA (Open Mobile Alliance) Specworks, which IPSO (Internet Protocol for Smart Objects) Alliance has merged with. JupiterMesh is an open specification by Zigbee. These are for hardware and IoT communication.
Secure authentication and encryption of streams
For secure communication, OMEMO or PGP is needed for XMPP. It is easy to verify whether OMEMO or PGP are switched on. OMEMO is an opensource technology originally developed for Signal messenger. Jingle and other file or media transports still need additional encryption.
SIP needs both SIPS (SIP Secure) and SRTP (Secure RTP) for secure communication, but this requires a professional to set up devices on both ends of the line. It is difficult to confirm whether SIP communications are encrypted, or when they become unencrypted, unless it is set up by an expert in such a way that calls drop the moment they become insecure. Many software offerings don't have SIPS availability: PJSIP. SIPS negotiates a link between clients and servers, then SRTP transports voice directly from client to client.
SRTP ports and port options:
* Asterisk ports have net/pjsip and SRTP options: both must be enabled
* net/pjsip has an EXTSRTP option, which must be enabled
* EXSRTP and SRTP options both pull in the net/libsrtp2 library
* net/libsrtp was long depreciated and replaced by a newer version, libsrtp2, because it conflicted with OpenSSL in base of previous FreeBSD versions
* audio/baresip is an SIP client which had the srtp option: DTLS_SRTP is now available as an option, but is marked as broken
For IAX, RSA key exchange or MD5 hashing only secures the authentication handshake. The communication stream also requires a dynamic key (aes128) or VPN.
MQTT's authentication is too basic to allow secure conversation, however it can use SSL/TLS.
CoAP (Constrained Application Protocol) is a framework from IETF as an alternative to MQTT, but it provides no security mechanisms.
Sources
- https://www.ietf.org
- https://www.oasis-open.org
- https://www.w3.org/
- asteriskdocs.org
- https://www.eclipse.org: MQTT and CoAP, IoT Protocols
- Thread xmpp-basics-security-constrained-networks.77220
- Thread comparisons-of-xmpp-signal-mqtt-tox-telegram.65834
- eclipse.org: MQTT 101 – How to Get Started with the lightweight IoT Protocol
Last edited:
