XMPP client encryption
From WIKI
XMPP client end-to-end (E2E) encryption is encryption performed by the XMPP client itself: the keys are stored on the devices and the message text is never available to the server.
OMEMO
- Easy to use; suitable for beginners and non-technical users.
- Medium security level. The most modern of the options listed here; an open-source protocol cloned from the Signal and WhatsApp encryption.
- Correspondence synchronization is available.
- Works stably on bad internet connections.
- Old messages cannot be recovered after reinstalling the XMPP client.
PGP (ECC)
- Hard to use.
- The highest level of security, but if the key is stolen from the device, old deleted messages can be recovered. Used by the NSA, the US government and the military.
- Correspondence synchronization is available.
- Works stably on bad internet connections.
- Old messages can be recovered after reinstalling the XMPP client.
- Faster cipher than RSA.
- Snowden mentioned that there is an NSA backdoor in ECC encryption. The backdoor does not matter for server encryption, because RSA server encryption works on a different principle (no E2E; TLS with RSA uses ECC only for key verification).
PGP (RSA)
- Hard to use. Suitable for Stallman.
- The highest level of security, but if the key is stolen from the device, old deleted messages can be recovered. Used by the NSA, the US government and the military.
- Correspondence synchronization is available.
- Works stably on bad internet connections.
- Old messages can be recovered after reinstalling the XMPP client.
- Slower cipher than ECC.
OTR
- Medium difficulty to use.
- Medium security level. Julian Assange's and Wikileaks' favourite cipher. OTR was used by Snowden to contact journalists.
- Correspondence synchronization is not available.
- Unstable on bad internet connections.
- Old messages cannot be recovered after reinstalling the XMPP client.
OTRv4
The developer was arrested in Ecuador for political reasons. He was part of the Wikileaks team and a friend of Julian Assange. This event stalled the development of the new version of the encryption.
Plain text
- Easy to use.
- Bad security level. E2E is not used; there is only server-side (transport) encryption: your messages are encrypted on the way to the server, but they are not encrypted at the server.
- Correspondence synchronization by default.
- Works stably on bad internet connections.
- Old messages can be recovered after reinstalling the XMPP client.
Comparison: OMEMO vs PGP vs OTR vs plain text
| | OMEMO | PGP | OTR | Plain text |
|---|---|---|---|---|
| Can your ISP see the text of your messages? | No | No | No | No (see note below) |
| Can your server see the text of your messages? | No | No | No | Yes |
| Encryption in group chats | Yes (for private rooms; in group chats with free access, E2E encryption loses its meaning) | No | No | No |
| File encryption | Yes | Partial (manual file encryption is available) | No (some clients support it) | No |
| Strong encryption | Home use | Military use | Home use | No |
| Recovery of old history from the server if the key is available (7 days on 404.city) | No | Yes | No | Yes |
| Independent audit of encryption security | Yes | Yes | Yes | No encryption |
| Offline message delivery | Yes | Yes | Message delivery failures | Yes |
| User-friendly | Yes | No | No | Yes |
| Connect multiple devices | Yes | Yes | No | Yes |

Note on the ISP row: the statement applies to the 404.city server; the security policies of other servers may vary. By default, 404.city forbids connections to servers that have invalid certificates: the invalid connection is reset. Many servers have a valid certificate but still allow connections with other untrusted servers; their administrators justify the unsafe connections by not wanting to lose users due to s2s errors. Using untrusted servers without E2E encryption allows hackers and the local government to use a man-in-the-middle attack.
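The "recovery of old history" row (OMEMO: No, PGP: Yes) comes down to whether the key that protected a message still exists on the device after a reinstall. The Python model below is an added illustration, not code from 404.city or from any OMEMO or PGP implementation; it uses HMAC-based toy ciphers (not the real protocols) to contrast a symmetric ratchet that deletes each chain key after use with a single long-term key. The function names, the initial chain key and the sample messages are constructed for this example.

```python
"""Toy model: ratcheted (OMEMO-style) history is unrecoverable after a
reinstall, static-key (PGP-style) history is.  Added example, not 404.city
code; the ciphers are HMAC-based toys, not OMEMO or PGP."""
import hashlib
import hmac
import os


def _prf(key, label):
    # HMAC-SHA256 as a one-way pseudo-random function.
    return hmac.new(key, label, hashlib.sha256).digest()


def _seal(message_key, plaintext):
    # Toy cipher: XOR with a 32-byte keystream, plus an HMAC tag over the
    # ciphertext so tampering or a wrong key is detected.
    assert len(plaintext) <= 32, "toy cipher handles short messages only"
    keystream = _prf(message_key, b"keystream")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return ciphertext, _prf(message_key, b"tag" + ciphertext)


def _open(message_key, ciphertext, tag):
    # Returns the plaintext, or None when the tag does not verify.
    if not hmac.compare_digest(tag, _prf(message_key, b"tag" + ciphertext)):
        return None
    keystream = _prf(message_key, b"keystream")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


# ---- ratchet model (forward secrecy: old keys are gone) -------------------
def ratchet_step(chain_key):
    """One symmetric ratchet step -> (message_key, next_chain_key).
    The PRF is one-way, so next_chain_key reveals nothing about message_key."""
    return _prf(chain_key, b"message"), _prf(chain_key, b"chain")


def ratchet_send(chain_key, index, plaintexts):
    """Encrypt messages; returns the entries (index, ct, tag) the server
    archives and the sender's device state after deleting used chain keys."""
    archive = []
    for pt in plaintexts:
        mk, chain_key = ratchet_step(chain_key)   # previous chain key is dropped
        ct, tag = _seal(mk, pt)
        archive.append((index, ct, tag))
        index += 1
    return archive, (chain_key, index)


def ratchet_recover(device_state, archive):
    """A device holding (chain_key, index) can derive keys only for entries
    at or after `index`; everything earlier comes back as None."""
    chain_key, index = device_state
    result = []
    for entry_index, ct, tag in archive:
        if entry_index < index:
            result.append(None)          # key was deleted, cannot be re-derived
            continue
        ck = chain_key
        for _ in range(entry_index - index):
            _, ck = ratchet_step(ck)     # walk the chain forward only
        mk, _ = ratchet_step(ck)
        result.append(_open(mk, ct, tag))
    return result


# ---- static long-term key model (history recoverable with the key) ------
def static_send(long_term_key, plaintexts):
    archive = []
    for pt in plaintexts:
        nonce = os.urandom(16)          # stored beside the ciphertext
        ct, tag = _seal(_prf(long_term_key, b"msg" + nonce), pt)
        archive.append((nonce, ct, tag))
    return archive


def static_recover(long_term_key, archive):
    return [_open(_prf(long_term_key, b"msg" + n), ct, tag) for n, ct, tag in archive]


def demo():
    messages = [b"hello", b"meet at 9", b"bye"]      # constructed sample
    ck0 = os.urandom(32)                              # constructed session secret
    archive, final_state = ratchet_send(ck0, 0, messages)
    _, mid_state = ratchet_send(ck0, 0, messages[:1])  # state after message 0
    ltk = os.urandom(32)                              # constructed long-term key
    return {
        "ratchet_fresh": ratchet_recover(final_state, archive),   # all None
        "ratchet_partial": ratchet_recover(mid_state, archive),   # [None, ...]
        "static": static_recover(ltk, static_send(ltk, messages)),  # all recovered
    }


if __name__ == "__main__":
    print(demo())
```

The server-side archive is identical in both models; the difference is entirely on the device. With the ratchet, a reinstalled client that only has its latest state (or none) cannot derive earlier message keys, which is exactly the "not available to recover" property above; with a long-term key, anyone holding that key, including a thief, can decrypt the whole archive.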
Recommendation
As part of this review, it is recommended to use OMEMO or PGP encryption, because OTR is an outdated encryption that does not support new features. The use of clear text in messages is acceptable for the transfer of non-sensitive data.