In October 2023, Jabber.ru, “the largest Russian XMPP messaging service”, discovered that both Hetzner and Linode had been targeting them with Machine-In-The-Middle (MITM) attacks for up to 6 months. MITM attacks are when an unauthorised third party intercepts traffic intended for someone else. At the point of interception, the attacker can inspect and even modify that traffic. TLS was created to mitigate this; all communication between the two parties is encrypted, so the third party sees nothing but gibberish (ciphertext).
TLS is great, but it’s actually not enough when the attacker owns your network, as in Jabber.ru’s situation. Jabber.ru rented servers from Hetzner and Linode, who altered their network’s routing setup to obtain TLS certificates for Jabber.ru’s domains and successfully carry out a MITM. When connecting to an XMPP server, most clients are only configured to look for a valid certificate. A valid certificate matches the service’s domain name, is not expired, and is authorised by a known and trusted Certificate Authority (CA). If the client sees a certificate that’s signed by an unknown CA or whose expiry has passed or the domain in the cert doesn’t match the service domain or any combination of those, it’s considered invalid; the client should terminate the connection before transmitting sensitive data, such as the user’s password.
Because Hetzner and Linode controlled Jabber.ru’s network, they were able to meet all of those conditions. XMPP clients would just accept the rogue (but valid!) certificates and continue along as normal, unaware that they were actually connecting to a rogue server that forwarded their traffic (possibly with modifications) to the proper server.
A fairly straightforward mitigation involves DNS-based Authentication of Named Entities, or DANE. This is just a standard way to securely communicate to clients what certificate keys they should expect when connecting. When clients initiate a connection to the XMPP server, they receive a TLS certificate that includes a public key. If the server admin has implemented DANE, the client can verify that the public key they received matches what the server administrator said they should receive. If they don’t match, the client should terminate the connection before transmitting sensitive data.
[…]
Some posts here indicate people don’t know the basics & are still feverishly explaining why they are so smart that they gave an NED-funded app their phone number like this is somehow defensible. Or worse posting that blog where “Soatok” argues stickers + ease of use trump technical concerns in the end. Please do not let some niche skill monopoly turn you into an egomaniac, if you are even really part of one 🤨
What is your comment on the article talking about? I’m out of the loop
Oh god you don’t want to know, it was this dude arguing abt stuff solely from the perspective of people who go to furry conventions (im not being glib this is seriously what he used to reason abt which messenger is best), trying to get furries to stop using Telegram and switch to Signal. I can’t believe people take that guy seriously. I saw him get on an alt pretending to be his furry wife to go “grrrr back off” at people in Github threads who tried to point out issues with Signal or problems with his arguments against using XMPP.
My overarching issue is that Delta Chat and XMPP and the only ones using proper fucking W3C standards like Lemmy but people want to go mucking about with stuff dependent on US fed funding. Why do we only get offended at Firefox taking shady NGO funding? They’re all that bad and switching to the EU won’t fix anything
Jeez well at least we know where the bar is so we can have more alternatives get there overtime. Do you recommend Delta Chat and XMPP for daily usage or still in beta?
XMPP is great, drop in replacement for discord. Movim and Cheogram have some unique benefits like an encrypted Twitter (Movim lets you access its features with an external XMPP account so your info stays together even if the social media site part is only accessible in browser) and a phone + SMS gateway respectively. Phone gateway can be tricky to set up depending on what providers are available in your region but it’s worth it for obvious professional and personal reasons. Like getting calls on laptop when your damn phone is off while running or hiking, broken, under your ass asleep, etc. I use both of those daily.
More reliable than Matrix IMO since I don’t rate the key backup system or the clients of the latter highly even tho my main concern is the long-term dependency of the project on western govts vs the truly international and mature xmpp ecosystem. Using backup files is really not that hard IMO. I have never not had Matrix break, server or client, shit is always breaking agaauahagah just happened 4 days ago ans today. Just basic shit like unverifying for no discernible reason and breaking backups
Delta Chat feels beta but it’s quite well made, the beta feel is from it relying on email under the hood, not suitable for group chats larger than, say, 50 people who are closely affiliated. No real moderation features. It’s actually an awesome conventional email client. I figure everyone has some version of this infinite mail combo but I make tutanota emails, tutanota is not compatible with other email clients its just to make other emails compatible with IMAP bc it has a code based recovery system. The Arcane Chat app makes it easy to juggle lots of the resulting accounts on there. Custom notifications for everything which IMO is super important bc who wants to look at their phone all the time, get the info via sound
On both Delta and XMPP I mostly just do collaboration with groups of under 4 dozen people and bots for RSS and bridges to other chat services. Delta is reliable if you make an offline command while hiking as soon as you have an idea, and then reconnect to a cell tower. That kind of blend of syncing and offline access since for security it’s extremely device-based
Also the webxdc apps are exciting but rudimentary, impressive for how few devs there are involved. The timetracker and the realtime collaborative editor are actually a daily usage thing for me since they can be Android launcher shortcuts or be kept open as full windows external to Delta Chat on desktop. They’re technically in Cheogram but only that one client so there’s no XMPP client ready to be compatible with the apps desktop side AFAIK.
I should really write a proper guide for this. It’s not that complicated, but the resources are spread out a bit and the devs have zero marketing skillz
Would love a guide definitely will try to get it setup too. If you make the guide please let me know because it sounds awesome!!
Within a week promise I am wrapping up my other stupid ptojrcys and im flush with Husband Points i have leeway now 🫡