XMPP, A Comeback Story: A 20 Year Old Messaging Protocol For Robust, Private and Decentralized Communications
Everyone loves a comeback story. Can a 20 year old overlooked technology make a comeback as a completely decentralized, free, and scalable technology for the growing masses of people who value freedom and privacy?
Watch On Odysee
Watch on Flote
#TBOT Challenge
After reading this article, you'll be able to do the following:
Easy
- Signup for an XMPP service anonymously.
- Set it up on your phone and computer
- Join the #TBOT XMPP Group, tbot@group.chat.above.im
Teebot wants you to follow us on these alternative social platforms:
#TakeBackOurTech Mastodon Community
Telegram Channel
Telegram Discussion
Odysee
Flote
Hive
Minds
Introduction
I just got back from a tour around the country promoting revolutionary technologies, and I had plenty to say about XMPP. It is a secure, reliable, decentralized, and extensible protocol for messaging, calling, and much much more.
We first started working with XMPP after realizing we didn't have a secure way to communicate with our designers, developers, administrators, and other creatives around the world. We tried many chat solutions (RocketChat, Matrix, NextCloud) but landed on XMPP because it had the following characteristics:
- Truly Decentralized and Federated (meaning people from different servers can talk to each other while no central authority can have influence on another server unlike Matrix)
- End-To-End Encryption (unlike Telegram, unless you're using secret chats)
- Cross-Platform Applications (Desktop, Web, and Mobile)
- Multi-Device Synchronization (available on most servers)
- Voice and Video Calling (available on most servers)
Through exploration, we found that all of these features exist in XMPP and that it was easy enough to run it for ourselves. Other communities may find value in running XMPP for their personal communications, and there are many public servers that make it widely available for individuals.
XMPP has a huge potential to replace platforms like Telegram, Signal, and WhatsApp, although its use hasn't reached mass consciousness. Rather then spread awareness of friendly and open technologies like these, big tech companies preferred to build their proprietary solutions ontop of XMPP and market those instead - so you may have been using XMPP this whole time without even knowing it.
Instead of depending on proprietary centralized chat platforms like Telegram, WhatsApp and Signal we believe that truly decentralized platforms like XMPP can achieve and surpass our needs.
Take Back Our Tech is one of the first organizations pushing for the adoption of XMPP to a wider community, and this article is an important first step as a technological overview. By the end of this article you will be able to get yourself setup with an XMPP account and device as well as objectively evaluate an XMPP service provider.
What is XMPP?
XMPP also known as Jabber is an open protocol and was released over 20 years ago in 1999 by Jeremie Miller. It gained community support and together with the Internet Engineering Task Force (IETF), the XMPP protocol was developed along with XMPP server applications that could be ran by anyone.
Today, the XMPP Standards Foundation is responsible for the development of new extensions to the protocol that be optionally implemented by any server and client. These extensions - called XEPs (XMPP Extension Protocols) have been used to transform the protocol into a full-featured set of technologies.
Extensions include multi-user chats, different forms of end to end encryption, multi-device policy, file transfers, voice and video calls.
Communication platforms like WhatsApp, Google Talk, and Zoom use or used XMPP under the hood, and others like Facebook and Microsoft allowed for XMPP intercompatibility. This year we hope to see communities - not corporations - taking advantage of this technology to communicate freely and securely.
How It Works
At its core, XMPP allows you to send messages over a network. These messages are structured as XML. The core technologies allow for encryption and authentication, presence notifications (how you tell someone is online), and contact lists.
XMPP is federated, meaning that
Users can sign up to an XMPP service provider (which we have listed below) by creating a Jabber ID - which looks like an email address.
For instance, Above Agency provides an XMPP service in the Above Privacy Suite. Your XMPP address or Jabber ID would read `yourname@chat.above.im`
This address or ID can be used to identify and connect with you, and you can use the addresses of other individuals. Once you add another user to your contacts or roster, you are able to see their presence (whether they're online), and communicate with them through your mutually supported modules. This is unencrypted messaging at its core, but XMPP extensions can allow you to send end to end encrypted messages, voice messages, files, and make voice and video calls.
The Ecosystem
Since XMPP is an open protocol, developers are free to make different implementations of the software. This will include client and server applications.
Server applications provide XMPP services users can connect to, and client applications are how users access the service from their devices. Due to the decentralized nature of the protocol, some servers may implement more features than others, and some clients may differ as well. Providers of XMPP servers (technologists or groups that actually run the servers) are free to run them how they please, so the configuration of extensions, restrictions, and logging may differ in the space.
If you are interested in signing up for an XMPP account/service, it is important to check how your client, server, and provider (if you don't run it yourself) support the different XMPP extensions. We will outline some of the best clients and servers here for your consideration, and we have included a public list of XMPP servers you can join for free.
Considerations
Although XMPP provides greater privacy for the content of your messages, you absolutely must place trust in your XMPP service provider. Although there is no way for them to see the content of your messages if you use encryption (like OMEMO or OpenPGP), they have the ability to collect metadata about your activity by observing your connections.
Although this is not unlike any other messaging platform, it should be addressed. Your XMPP service provider will know your IP address (inherently), and when you are sending messages based on the packets you are sending. By running the server, either through packet observation, server utilities or reading the database, your service provider will be able to see information about your contacts, when you are messaging, and could potentially spoof conversations with you.
Just like any other software service, you must put a lot of trust in your XMPP provider. You can protect yourself by using a VPN to obfuscate your IP address, avoid linking use of the service with your identity, and always use encryption whenever possible.
You as the user must make your judgement by evaluting the provider's transparency, data retention policies, reputation, security, and more. With all this being said, there is little chance of a well known XMPP server turning hostile.
Signing Up For A XMPP Service
Signing up for an XMPP service is relatively easy, providers ask for only a username and password. Some providers will ask for an email, but this is usually optional and only used for password resets.
Always save your XMPP credentials somewhere safe, this is a good opportunity to use the password manager in your open-source survival toolkit.
Remember, your XMPP/Jabber ID will take the form:
<username>@<your providers domain>
You only need this and the password to login to your XMPP client of choice, whether that is on web, desktop, or mobile.
Evaluating an XMPP Service
Below we have included lists and singular XMPP service providers. Keep in mind each provider and their server will be different in multiple ways.
XMPP servers will differ based on:
- The XEP (XMPP Extensions) the provider implements as part of their service which gives users access to more features.
- Their security configurations, the strength of their encryption ciphers, the reputation of their certificates.
- Their data retention policies
Once you have a server you want to evaluate, you can enter its domain in the following tools.
Evaluating Security
You can use the IM Observatory to test the security of an XMPP server. You can check the client to server encryption or the server to server encryption.
Evaluating Extensions
You can use the following tool to check what extensions are implemented. We have put a list of popular extensions and their features below so you can cross-reference any server you check.
- XEP-0045: Multi-User Chat, Allows you to create your own chat rooms
- XEP-0384: OMEMO Encryption, Lets you have multi-device end to end encryption
- XEP-0357: Push Notifications, Push notifications for mobile
- XEP-0363: HTTP File Upload, Send files to your contacts
- XEP-0191: Blocking Command, Lets you block communications with other users
Evaluating Data Retention Policies
Some servers will provide data retention policies while others will not. Here are some key things to remember.
- Although your messages are sent through the server, your messages will be sent and stored encrypted if encryption is enabled. We recommend you use OMEMO encryption at all times. If encryption is off, the server administrators will be able to read the content of your messages if they are saved on the server.
- When having one on one conversations, messages may be stored on the XMPP server using MAM (Message Archive Management) which allows messages to sync across multiple devices. There is usually a time limit or message limit which retain the messages until those thresholds are crossed. Some servers do not use MAM at all, which means messages are not stored on the servers as soon as they are delivered. This also means that messages do not sync across devices and the first device to receive it is the one that retains the message. Of course, these messages are not readable if sent with encryption.
- MUCs (multi user chatrooms) are usually public and unencrypted, anything sent through there will be stored based on the server's retention policy for multi user chatrooms. The creators of these chatrooms can also set their rooms to be invite only and to not retain any messages - meaning that messages are only delivered to those who are online.
Singular XMPP Providers
Above Agency: Above Privacy Suite
We, the good folks behind #Take Back Our Tech run our own XMPP service! Our mission is to provide the most reliable and private communication services as part of the Above Privacy Suite. We started running this service this year so that customers of the above.phone could have reliable encrypted messaging, calls, and video calls without needing to trust a third party.
- No IP logging
- Rated A for both client & server security
- Allows for multi-device OMEMO encryption, Jingle (end to end encrypted voice and video calls), message archive management (for cloud sync)
- Allows users to create their own chat rooms (Multi User Chatrooms)
You can buy the standalone Above Privacy Suite here.
404 City
One of the top 7 largest public XMPP servers in the world with excellent security and support for extensions. Actively being improved and easy to use.
XMPP.IS
A long standing XMPP server with great transparency and privacy policies.
Other XMPP Providers
If you'd like to evaluate your own servers, here is a list of public instances. Please make sure to perform your own assessment by reading any privacy or data retention policies along with the tools above.
XMPP Clients
One of the best things about XMPP is that you can use it from any device. Computers, web browsers, and phones! Many XMPP clients vary in what extensions they support and how they support them. For instance, the popular XMPP desktop client Gajim can make phone calls, but only to other people on Gajim, not people on their mobile. We have outlined the features of several popular clients here for you. Disclaimer: Not all clients have been evaluated by us.
How To Use The Clients
After registering for a service, simply install the clients on your device and login with your Jabber ID and password. It should be pretty straightforward.
Desktop
Gajim (Linux, Windows)
- Robust messenger that supports many XMPP extensions.
- Supports OMEMO and OpenPGP encryption
- Supports file and image uploads
Dino (Linux)
- Modern design
- Supports OMEMO and OpenPGP encryption
- Support files uploads, read receipts, avatars
Monal.im (macOS)
Mobile
Blabber.im (Android, F-Droid)
- A fork of the conversations client, optimized for mobile experience
- Easy to use OMEMO encryption
- Share pictures, voice messages, and files
- Make audio & video calls
- Create private and public chats
Conversations.im (Android, F-Droid)
- The original full-featured XMPP client.
Snikket (Android, F-Droid, iOS)
- Another fork of Conversations, designed to work with the Snikket XMPP server.
Siskin.im (iOS)
- Lightweight modern client
- Supports OMEMO encryption
- Share photos and files
- Make voice and video calls
Using XMPP
Signing in
Although signing in will differ from client to client, its usually the same thing. Login with your Jabber ID and password.
Adding A Contact
Within your client, you can add a new contact using their Jabber ID. You can start messaging them immediately, however they need to add you to their contact list as well in order for the both of you to see each other's presence (online / offline), and to be able to use other functionality like calling.
Enabling encryption
The location of the encryption toggle may differ from client to client, but look for the Lock icon. Once both parties are contacts you can click the lock icon to see the other parties fingerprints. Each contact has a fingerprint for each device they are currently signed into. There will be a button or icon next to each fingerprint allowing you to 'trust' that fingerprint. When fingerprints are trusted, your messages will be encrypted for that device.
If your contact gets a new device you may be prompted to trust new fingerprints. You may want to verify whether your contact has gotten another device before trusting the new device incase their account has been hijacked.
Making voice and video calls
If both parties add each other as contacts and both clients support voice or video calling, you may see an icon to start a call with each other. Keep in mind, not all clients can call with each other - mobile applications such as Blabber have the best support for video and voice calling.
Simply tap in the phone icon and then select whether you want a video or voice call. These calls are end to end encrypted. Both devices must first find each other, and then exchange temporary encryption keys before initiating the call. This can take a while when starting a new call, but subsequent calls in the same session are much faster to connect.
Call quality / connection stability depends upon a number of factors including the latency between the XMPP servers, and any VPN or Tor connections servers that may be involved.
Sending files
You can send files by hitting the paperclip icon in most clients. Many clients support the inline display of pictures. Blabber.im even has an option to play GIFs automatically. Enjoy end to end encrypted file transfers.
Joining Group Chats
You can find a group chat using their ID, which looks very similar to a users' ID, but will usually have an extra segment on the domain of the server.
Join the official Take Back Our Tech XMPP channel.
tbot@group.chat.above.im
Looking for other rooms to join? There aren't many - we are pioneers in this space, but a lot of technology and XMPP-related rooms can be found here.
XMPP Servers
As discussed in the 'Considerations' section, you must put a bit of trust in your XMPP provider. Comunities that require ownership of all communication should consider running their own XMPP server, here are a few options for them:
Snikket
We celebrate Snikket as a choice for a community XMPP server for its easy-setup and useful web interface. Snikket makes it incredibly easy to invite new users by invite link to public or private XMPP groups. It works alongside the Snikket app to provide a cohesive experience with all of the advanced features that were discussed in this article.
Check out their Quick Start guide if you have some experience setting up servers.
Conclusion
You now know everything you need to know about XMPP and I invite you to get started immediately by completing the TBOT XMPP Challenge.
#TBOT Challenge
After reading this article, you can do the following:
Easy
- Signup for an XMPP service anonymously.
- Set it up on your phone and computer
- Join the #TBOT XMPP Group, tbot@group.chat.above.im
Once you've completed this challenge, feel free to share your XMPP ID with people you trust - or if you're down to chat with strangers, then share with us on the TBOT Telegram Discussion Group.
Teebot wants you to follow us on these alternative social platforms:
Official #TakeBackOurTech Community
Telegram Channel
Telegram Discussion
Odysee
Hive
Minds
Take Back Our Tech Newsletter
Join the newsletter to receive the latest updates in your inbox.