- public xmpp servers are shutting down one after the other
- xmpp ties your identity to the server you register with, when there's technology to tie your identity to a cryptographic hash (you can use DHT to find people)
- servers are not optional in xmpp, when in reality most of the time when you message people they're also online, so peer2peer would be fine there (especially for server outages like the server I used frequently had)
- One usecase where you need servers is to save power on mobile devices. XMPP doesn't support push notification
- end-to-end encryption is an total afterthought in xmpp
- basic things like sending pictures, voice or videochat never work
- xmpp is an laughably over complex standard created by a committee
- pgp is totally unusable for normal users
You're totally right re: DHT and cryptohashes for identification being a fairly ideal solution. PeerJS/WebRTC (part of HTML5 -- supported by Chrome and Firefox) support NAT-busting and are fairly secure. I'm slowly piecing together a comm-project addressing the larger issue because I'm tired of being complacent, with the intention of funding it eventually off of Exchange add-ins dual-licensed as open as I can while ensuring organizations above the size of 250 employees have to pay licensing fees.
That being said, what protocol isn't over-complex which has worked out well? Either you have things like SMTP which are just spec'd out by one or two dudes and submitted as an RFC where tons of stones were left unturned (leaving such a mess w/r/t maildir vs mbox not to mention the whole end-user problem of authentication, if you remember the sysadmin hell of trying to configure pop-before-smtp and a bunch of other problems during the late 90s, my god, it was horrid) -- or you have an over-spec Java2EE situation where everything is over-specified to an insane degree that implementations take teams and teams to get full compliance.
I ask this sincerely, with no snark - what protocol should one build crypto into?
I have to disagree on this. XMPP follows the same model as email, where your identity is tied to a domain name, and I think it is about as good model as possible in our current internet. The key is that you really really should have your own domain, which then allows you to switch service providers at will without disrupting your identity. Of course I admit that it is bit idealistic viewpoint.
How fast and what is your source for this? There are 146 public Jabber servers listed on IM Observatory right at the moment:
* https://www.xmpp.net/directory.php
I've personally never used a public Jabber server because I want my Jabber ID to refer to my domain.
*though I'm always a little anti-"pgp can't be used by normal users." If the situation requires the security that PGP provides, users can frequently be made to learn. (That being said, Glenn Greenwald couldn't be bothered to set up PGP to talk to Snowden until someone got him up to speed. [0])
[0]: https://theintercept.com/2014/10/28/smuggling-snowden-secret...
Just because you don't require servers, doesn't mean that you can't have servers optionally as a relay. Your client tell would tell the clients of your contacts to send messages to a server specified by you when they can't reach you directly. For instance the server could be run by the company behind the messaging app you're using and could send you push notifications. You could still switch the server at will without loosing your identity.
1: https://otr.cypherpunks.ca/ 2: https://github.com/WhisperSystems/Signal-Android/wiki/Protoc... 3: http://conversations.im/omemo/
There really is no reason to use non-FS encryption over FS encryption for ciphertext sent over the wire.
I guess offline contacts is a use case against OTR, though whisper's certainly has that sorted out already. https://whispersystems.org/blog/advanced-ratcheting/
Another reason is that OTR is not multi-party. mpOTR [1] was suggested by OTR authors (Ian Goldberg et al.), but I am not sure you can find at least one peer who has it installed, and it is not maintained. So for XMPP conferences you may still want to go with OpenPGP.
They're also working on an Axolotl rachet implementation: https://matrix.org/git/olm/ It's not integrated yet, sadly, but I'm eagerly awaiting seeing it jump in as a first-class supported feature.
---
Key-leak healing is an interesting function out-of-the-box, but if your priv key gets uploaded accidentally, odds are so did your DH Identity/Ratchet/Chain keys as well, effectively rendering you "fully compromised". It only offers protection in an instance where you keep your keys compartmentalized.
Is there a general consensus within the crypto community as to whether a) this is conceptually sound, and b) if there's an audited implementation? It's so so easy to mess up and have that error be overlooked (i.e. the OpenSSL debacle), which makes me want to just stick with the tried and true GPG DH/ELG setup with PKI and revocation. Definitely a real interesting project to watch and a real interesting take on perfect-forward secrecy though! Thanks for your feedback. If you see this, read my other post in this thread and e-mail me, I'd love your feedback.
[1]http://rdist.root.org/2008/02/05/tlsssl-predictable-iv-flaw/
It might work for tech savvy users but frankly I don't think most people have it in them to correctly and securely manage the lifecycle (creation, access, storage, usage) of a key.
This transport security from your client to the server only secures the first hop. It does not prevent eavesdropping on server-to-server connections, or on the connection of the receiving user if they do not also use SSL/TLS.
