Easy XMPP: What are we doing here? (opens in new tab)

I recently tried riot.im and I'm realy blown away by the good UI they have and how easy it is to get started to develop your own stuff.

It is a shame that nothing by the likes exists in the XMPP-sphere.

EDIT: As a side note: Daniel Gultsch from the conversations-fame is doing a great job by providing/developing a realy awesome XMPP client for android and pushing the standard forward.

These would be my concerns about potential differences between Signal and an 'Easy XMPP' client; would someone who knows Signal say whether these are accurate?:

* Signal users are not anonymous; Signal requires users' phone numbers.

* Signal is centralized. Is there a way to run your own Signal server?

* Signal uses Google Chrome on the desktop (and Android?) and Google Play Services (or some part of them) on Android (I don't know about iOS). Whatever you think of Google's intentions, they are one of the leading surveillance organizations in the world. Signal users must trust Google.

* Is Signal's system (not user data) fully open and transparent, end-to-end?

* Would I need to trust Signal more than I would need to trust Jabber?

----

EDIT: I came across this comment from Moxie in late 2015 which addresses some of these issues and provides a broader view:

https://news.ycombinator.com/item?id=10665520

If we were going to rank our priorities, they would be in this order:

1) Make mass surveillance impossible.

2) Stop targeted attacks against crypto nerds.

It's not that we don't find #2 laudable, but optimizing for #1 takes precedence when we're making decisions.

If you don't want to use your phone number, don't use it. You can register with any GV, Twilio, Voicepulse, or other throwaway VoIP number.

If you don't want to run Chrome, use Chromium instead.

If you don't want to use Google Play Services, use GcmCore.

The world you want this software for is not the world that everyone else lives in. You can certainly make it work in that world with a little effort, but because of how we've prioritized our objectives, that's not the default experience.

> A single decision by Moxie or a single court order in some country can make Signal unavailable to a large part of its user base.

This is a great point made later on the thread.

And already happened in some countries, for example, with whatsapp.

Social pressure was big enough to revert it in a reasonable time, but time is very relative on how much you or your business relies on it.

The real issue is federated IM vs non-federated IM. Anyone can make a IM system work off a single server. People do it all the time and we have had a series of incompatible IM systems in the past. Signal and Whatsapp are just the current flavours. Soon they will be gone and there will be new hotness. At this point I consider any non-federating IM system to be part of the problem.

As mentioned by someone in the linked thread, part of the user problem is that users can't even conceive of a federated IM system and don't know what one might be like. Asking someone to get a XMPP client so they can communicate with you normally just ends in confusion. There is no download button on the xmpp.com site.

* https://mail.jabber.org/pipermail/standards/2017-January/031...

I think the issue with XMPP is the myriad of XEPs (XMPP extensions) which are optional, causing excessive fragmentation.

Some clients are excellent, like conversations.im. The problem is accidental complexity. Perhaps a solution would be to have a meta XEP that aggregates a few basic XEPs and defines a minimum common denominator.

I have 0 friends using signal so it's hard to give it a try: Did they fix the multiple devices end-to-end problem? Can I continue a conversation from my smartphone on my desktop? (should be possible by mirroring the conversations and having 2 keys). This was what killed OTR for me (and that it fails on unstable mobile connections, and the setup).

It would (will..?) be a crying shame to see XMPP grind to a halt - but I suspect, sadly, that the honest answer to the question is "not one heck of a lot really". I don't know if it got started too early, or moved too slowly, or what - but in the end, it missed its boat.

The advantage of slack over jabber is not only that the client doesn't suck (it's just electron) but that the server logs and creates a continuous experience for the user no matter if hes on mobile, in a browser or both.

People who care more about convenience than freedom and privacy can and do use Skype, iMessage, and Snapchat. If you give up freedom and privacy to make a more convenient client, you're not improving the freedom and privacy situation, you're just making more of the miserable proprietary software that we're trying to get away from.

If it's not free software, you have neither freedom nor privacy. If it's not decentralized or federated, you have neither freedom nor privacy. The only contenders for freedom and privacy are XMPP and Matrix. All the others are contenders for money and popularity, but not for freedom and privacy.

Popularity and money are useful and not inherently incompatible with freedom and privacy, but they are secondary. Creating a new application that is not federated or decentralized does not help, no matter how much more popular or convenient it is.

competition is healthy

Signal is a centralized point of failure and surveillance.

Why can't I run my own signal server? Why doesn't the client support this?

We need something like Signal that that isn't under the control of a single party.

What federated / decentralized protocols have been actual successes? For what protocols can I set up my own server in my house or in some cloud service, and have a comparable experience to using a major provider's service (modulo scalability and personal sysadmin effort)?

I'm worried that the only ones seem to be email and the web, both of which came into existence when the internet was small and academic and it was natural for universities to decentralize. And running email on your own is getting increasingly hard because of spam and IP reputation. (We seem to have more-or-less won the war on spam, but at the cost of making email much less decentralized than it used to be.)

There's a mention of BitTorrent elsewhere in these comments, and there might be an argument for Bitcoin. But even for IRC, people tend not to run their own servers (although they could); there are a very small number of IRC networks, run by random people.

I would love to see a decentralized and federated team chat app along the lines of Slack or Discord, but I'm having trouble believing that such a thing would have a chance of success in a post-1995 internet.

I think the real issue here is that too many people conflate XMPP the protocol with the various XMPP based services (most of the smaller free public services do this). If we tell people to "go sign up for an XMPP account" it's obviously going to be too complicated; they're going to search, find the XSF websites or a bunch of random libraries and protocol information, and give up. Meanwhile, companies can use XMPP and build their own brand around chat products based on it (while never mentioning it, because their users don't care) and regardless of whether they choose to federate or not they can reap the benefits of a community of protocol developers, the plethora of libraries, and maybe even existing client and server code.

I'm not sure "popular clients" is a good thing to look at; Skype UI isn't great (and really bad if you use the IM part of it).

On this topic; I wouldn't mind hosting my own XMPP service, but most clients aren't good enough (specially on Android). I can't advocate for a service (protocol?) that can't offer some basics that are covered and seamless everywhere else (eg, sending files, showing media files in the client itself, etc).

I understand standards are slow, but when I think how difficult was to get avatar support everywhere... it makes me sad.

After many years, I gave up on XMPP recently for "internal family" communications. I'm using Telegram now, although it really bothers me that I need a phone to start using it.

The technical merits and drawbacks of XMPP aside, deployment only works if there's an appetite from deployers. For high-visibility consumer chat that average people use, this appetite has vanished.

Around the mid-2000s, IM networks started getting tired of constantly changing their protocols to thwart third-party reverse engineering efforts like Microsoft logging into AIM, libpurple (Pidgin), or Trillian. But then Google Talk appeared [1] in 2006 inside the coveted invite-only Gmail, supporting XMPP, and significantly raised the bar.

So interoperability became a tool to maintain market share. The underdogs WLM and Yahoo started seamless interop [1] in July 2006, while Google Talk and AIM started a limited interop [1] in 2007. AIM briefly dabbled with XMPP it in 2008 [2] (great source -- see comments for AIM's response).

In the meantime, Facebook opened up for everyone, introduced Chat and rapidly lured away the myspace/AIM generation, becoming a major player in chat. Facebook introduced XMPP in February 2010 [3] but discontinued it [4] in 2015 after having deprecated it the year prior. This neatly coincided with their announcement to monetize the Messenger ecosystem, in ways that require a captive client [5].

Other vendors are similarly pursuing monetization within the client -- Snapchat and Kik as a content portal [6][7][8][9], Google as a context-aware assistant, Microsoft is lost at sea, Whatsapp as a Facebook data mining scheme, the Asian apps as a combination of all other techniques and microtranactions -- when anyone can bring a third-party client, their monetization strategy suffers. This makes XMPP's deployment future exceedingly bleak, perhaps restricted solely to corporate deployments.

[1] https://news.ycombinator.com/item?id=11114518 [2] https://web.archive.org/web/20080120143857/http://florianjen... [3] http://web.archive.org/web/20100318030410/http://developers.... [4] https://developers.facebook.com/docs/chat [5] https://developers.facebook.com/blog/post/2015/03/25/introdu... [6] https://news.ycombinator.com/item?id=11935956#11941090 [7] https://news.ycombinator.com/item?id=12000854#12002773 [8] https://news.ycombinator.com/item?id=12206846#12207459 [9] https://news.ycombinator.com/item?id=12272973#12273447

I wanted to like XMPP, but I never did. It drowns developers in complexity so they never get around to solving anything interesting or useful.

Bonus: I once discovered I had two of the main culprits for XMPP getting one of its worst misfeatures (lack of sensible framing) in the same room so I got to yell at them for it.

XMPP was form over function. And it wasn't even pleasant form.

The fundamental problem with decentralized messaging these days is push notifications. Apple, at least, makes it very hard for you to deliver APNS notifications without running a centralized server. XMPP and IRC will never work as well as a centralized service until the notification architecture changes.

> A single decision by Moxie or a single court order in some country can make Signal unavailable to a large part of its user base.

I think the solution here would be a "lightweight" federation of 3 or 4 entities following a common charter and covering a wide geographical area. If one drops out for some reason, the others will still ensure the service remains alive.

I think there is still place for an end to end encrypted Jabber app with an option to self host the server. This would avoid the single point of failure issue that Signal has (Signal servers being blocked in certain countries).

Has anyone tried https://coy.im/ ?

The context of the discussion ("Easy XMPP") is an attempt to fix the UX of XMPP clients, which starts with a set of small steps documented in the pages linked from https://wiki.xmpp.org/web/Easy_XMPP

XMPP is still pretty relevant in the server to server space and in large companies requiring a scalable API which offers async, full duplex comms over a single socket connection and offers libraries and message brokers in pretty much every language.

That said I do believe some of our XMPP customers are starting to look around and ask for REST/Websocket based APIs as their new dev team hires look to reinvent the wheel ;)

Seriously speaking though - I think XMPP missed the boat as far as messaging goes. Smart phone apps took everyone unawares and XMPP didn't move fast enough to provide a solution for low power devices on high latency networks.

That said I wonder if there is a future in which XMPP does prove to be a compelling solution. I wouldn't put money on it, but even today a full duplex API which is highly secure, async and which offers schema enforced validation of your messages sounds pretty damn compelling. That said there is a lot of progress with things like STOMP, RabbitMQ etc. providing the pieces necessary to replace XMPP.

It's a pity since XMPP makes it so damn easy to build reliable, realtime apps.

Ricochet.im uses tor hidden services for messaging. No signup, no choosing your own name, no logging, since it uses tor hidden services, whatever security improvments tor gets, it should get. A while ago when there was an explosion in the number of hidden services running, I think it was this program. Thoughts?

We don't need another federated network. Administrators of those nodes are putting themselves into danger. What we need to develop is a purely decentralized p2p network that is resistant to censorship and eavesdropping.

Well it would be enough to have one proper client for each platform. On Android Conversations, iOS Chatsecure now with OMEMO as well. Desktop.. not sure. But to be honest, I think I'll prefer Matrix with Riot right now.