XMPP client encryption


XMPP-client E2E encryption - This is encryption performed by the XMPP clients themselves. The keys are stored on the devices, and the message text is not available to the server.

OMEMO

  • Easy to use. Suitable for newbies and housewives.
  • Medium security level. The most modern encryption. An open-source protocol cloned from the encryption used by Signal and WhatsApp.
  • Correspondence synchronization is available
  • Works stably on bad internet connections
  • Old messages cannot be recovered after re-installing the XMPP client

PGP (RSA or ECC)

Richard Stallman uses PGP
  • Hard to use. Suitable for Stallman.
  • The highest level of security, but if the key is stolen from the device, old deleted messages can be recovered. Used by the NSA, the American government and the military
  • Correspondence synchronization is available
  • Works stably on bad internet connections
  • Old messages can be recovered after re-installing the XMPP client
  • Difference between ECC and RSA

OTR

Julian Assange and Wikileaks used OTR
Edward Snowden used OTR
  • Medium difficulty to use
  • Medium security level. The favorite cipher of Julian Assange and Wikileaks. OTR was used by Snowden to contact journalists.
  • Correspondence synchronization is not available
  • Works unstably on bad internet connections
  • Old messages cannot be recovered after re-installing the XMPP client

OTRv4

The developer was arrested for political reasons in Ecuador. He participated in the Wikileaks team and was a friend of Julian Assange. This event stalled the development of the new version of the encryption.

Plain text

  • Easy to use
  • Bad security level. E2E is not used; only server-side encryption. Your messages are encrypted on the way to the server, but are not encrypted at the server.
  • Correspondence synchronization by default
  • Works stably on bad internet connections
  • Old messages can be recovered after re-installing the XMPP client

Comparison OMEMO vs PGP vs OTR

Feature                                                                    | OMEMO    | PGP (RSA)                                   | OTR                       | Plain text
Can your ISP see the text of your messages?                                | No       | No                                          | No                        | No (1)
Can your server see the text of your messages?                             | No       | No                                          | No                        | Yes
Encryption in group chats                                                  | Yes (2)  | No                                          | No                        | No
Encryption of files                                                        | Yes      | Partial (manual file encryption available)  | No (some clients support) | No
Strong encryption                                                          | Home use | Military use                                | Home use                  | No
Recovery of old history from server if key available (7 days for 404.city) | No       | Yes                                         | No                        | Yes
Independent audit of encryption security                                   | Yes      | Yes                                         | Yes                       | No encryption
Offline message delivery                                                   | Yes      | Yes                                         | Message delivery failures | Yes
User-friendly                                                              | Yes      | No                                          | No                        | Yes
Connect multiple devices                                                   | Yes      | Yes                                         | No                        | Yes

(1) This statement applies to the 404.city server; the security policies of other servers may vary. By default, 404.city forbids connections to servers that have invalid certificates: such connections are reset. Many servers have a valid certificate of their own but still allow connections with other untrusted servers. Administrators justify these unsafe connections by not wanting to lose users due to s2s errors. Using untrusted servers without E2E encryption allows hackers and the local government to mount a man-in-the-middle attack.
(2) For private rooms. In public chats with open access, E2E encryption is fake security.
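The server-side policy described in the ISP note (refuse to federate with servers whose certificates do not validate, and require TLS on client links so messages are encrypted on the way to the server) can be expressed in the server configuration. The following is an added example for a Prosody server, not 404.city's own configuration, which this page does not show; the server software and the domain name are assumptions.

```lua
-- Weak setting: federate with any peer, even one whose certificate does not
-- validate. An intercepted s2s link can then be impersonated (MITM), and users
-- who send plain text across it lose the "ISP cannot read it" guarantee.
-- s2s_require_encryption = false
-- s2s_secure_auth = false

-- Corrected setting: require TLS on every client and server link and drop
-- any s2s connection whose certificate chain does not validate.
c2s_require_encryption = true   -- clients must use TLS to the server
s2s_require_encryption = true   -- no plaintext server-to-server links
s2s_secure_auth = true          -- reset s2s connections with invalid certificates

-- Optional per-domain exception (placeholder domain). Listing a peer here
-- reopens the MITM window for that domain only, so it should follow a
-- deliberate risk decision rather than a wish to avoid s2s errors.
s2s_insecure_domains = { "legacy-peer.example" }
```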

Recommendation

As part of this review, it is recommended to use OMEMO or PGP encryption, because OTR is an outdated encryption that does not support new features. The use of plain text in messages is acceptable for the transfer of non-sensitive data.