Data privacy & cybersecurity for normal people
TheNewOil.org

2021 Review: XMPP

What is XMPP?

Trying to review XMPP is a lot like saying I’m gonna review soda. Sure, it’s a drink, but after that there’s so much variation that it’s hard to give a blanket review. With that in mind, let me attempt to review soda this week.

XMPP is a chat protocol – like Matrix. In fact, it is a pretty old school protocol and has been around since the early days when the internet belonged to the nerds alone. Don’t let that fool you, though, you’ve likely used it. A large number of tools you use in your daily life are powered by it, including Google and Apple push notifications and Google Cloud Messaging (now called Firebase). In the past AOL, Skype, and Facebook all experimented with supporting XMPP.

The Good

There’s a lot to love about XMPP. For starters, it can be anonymous. The key word there was “can be.” As with 99% of privacy, it’s not the tool itself but how you use it. Most servers don’t require any information to sign up, except maybe an email address, and I’ve never seen one that actually verified it or rejected it for being a forwarding email address. So assuming you use a VPN, a clean hardened browser, and a unique username, congratulations. You’re more or less anonymous except against the most advanced threats. You may actually be hidden from them, too, but there are other factors involved there and this isn’t really the time or place. The point is the potential is there, probably more so than any other chat option.

The next great thing about XMPP is that it’s decentralized. Easily. You can easily host your own server, or use any available server. This also means that some servers are located in privacy-respecting countries like Switzerland, Germany, or Iceland. Or you can host your own in one of those countries.

The final pro is the apps. Because XMPP is open source, so are the apps, which means there’s a variety to pick from. Monal (iOS) and Conversations (Android) are among the most polished and common, and should be easy to use for almost any moderately tech-comfortable user. Some of them even offer phone calling capabilities – assuming your server also offers this – allowing for a total VoIP solution for those willing to put in the work to set it up.

The Bad

XMPP’s strengths also make for its weaknesses. Because it is freely decentralized, not all servers support the same features like voice calling – or even have the latest security updates. Likewise, some are in privacy-unfriendly countries like the US or Australia. Additionally, end-to-end encryption must be manually enabled with each conversation – and depending on the client you use, that can sometimes be glitchy. Finally, on the topic of servers and decentralization, never forget that a server admin can easily see all your data, so make sure you use encryption and that you really trust the server.

To the best of my knowledge, the XMPP protocol has not been audited – though some of the clients have been. If this is incorrect, please someone contact me and let me know (with sources) and I’ll update both this blog and the site accordingly. Finally, XMPP is not always user friendly. While joining an existing server is a pretty straightforward process – and most of the best apps have made signing into that account (or making a new one) equally simple – those who are not confident with technology may be easily scared off by XMPP. It can be overwhelming, as they do not offer a default server like Matrix does. It’s entirely on the user to get set up, and unless you’re guiding someone through it they might feel overwhelmed.

Conclusion

XMPP is honestly probably the near-perfect, near-ideal solution for privacy. It’s decentralized, self-hostable (is that a word?), capable of end-to-end encryption, capable of voice calls, and open source. Perhaps the only thing keeping it from mainstream adoption is that the sheer freedom it offers can make it daunting to those who don't consider themselves “techy.” If you’ve never tried out XMPP but you’re confident with your software tinkering skills, I highly encourage you to check it out. If you like it and feel comfortable, perhaps you can be the one who guides those around you into it.

You can learn more about XMPP here and get started with their recommendations for clients and servers here.
