this post was submitted on 09 Feb 2026
134 points (95.3% liked)

Open Source

44457 readers
111 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 6 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
134
Best apps for private messaging (www.privacyguides.org)
submitted 1 week ago by Maragato@lemmy.world to c/opensource@lemmy.ml
91 comments fedilink hide all child comments
 

Hello. I am looking for an alternative to Telegram and I prefer an application that uses decentralised servers. My question is: why is the xmpp+omemo protocol not recommended on websites when it is open source and decentralised? The privacyguides.org website does not list xmpp+omemo as a recommended messaging service. Nor does this website include it in its comparison of private messaging services.

https://www.privacyguides.org/en/assets/img/cover/real-time-communication.webp

Why do you think xmpp and its messaging clients such as Conversations, Movim, Gajim, etc. do not appear in these guides?

you are viewing a single comment's thread
view the rest of the comments
[–] u_tamtam@programming.dev 1 points 4 days ago (1 children)

The specification only seems to say that message content are encrypted, making no mention of encrypting any other data than message content.

Correct, what's not encrypted are things like typing notifications, read markers, recipients. Which was my whole point: this is inferred easily by the server anyway: it hosts your account and your contacts list already, it routes your messages to recipients and across the whole network. You can't really operate without this level of trust. Neither in XMPP nor in Signal.

Also, just because you self host it doesn’t make the unencrypted (meta)data any less dangerous.

You seem to hold a very naive take on all of this. This is the basis of federation. In a centralised system (Signal), everyone must trust that the one provider to act (and keeps acting) in good faith. Federation loosens this by having you trust a provider of your choice, and by giving you the ability to move on otherwise. Zero-trust is only theoretically achievable with peer-to-peer, but we have yet to come-up with a system that is performant and efficient enough at scale to be deemed usable. P2P networks often resort to edge gateways to do some caching or connection brokering, and at that point you are back to the same tradeoffs as with federation, only with more steps and worse results.

That just makes your server the point of failure.

Always was, always will be. Like I said, remove the server and you are onto something… Make it work well, and you will be the first, and do the world a great service.

By your logic, why encrypt at all?

E2EE is one mitigation against one type of threat. Not a silver bullet.

[–] u_tamtam@programming.dev 1 points 4 days ago

Some thoughts from "Asahi Lina" that sums it up: https://phanpy.social/#/vt.social/s/116054925440220855

You simply can't have your E2EE cake and eat it too. Sorry.

At the end of the day, decentralization (with data portability) is more valuable than E2EE if your concern is data mining. That can be done without all the major issues of E2EE.