Freedombone Blog

Freedom in the Cloud

XMPP simplification

The XMPP app on Freedombone has been improved a little by going to a single configuration file and also using the Debian package. Previously it was using a very hacky nightly version of Prosody, and the reasons for that are historical and no longer apply.

For most of the time that the Freedombone project has existed, XMPP was being renovated and gaining the features you would expect from a modern chat app: things like end-to-end security, working avatars and client state indication. So if you wanted to run Conversations on Android and have all of the server tests pass, you needed to compile a recent version of Prosody from source. Debian moves at a glacial pace, but now the Debian packaged version is good enough.

The previous XMPP notifications system has also been replaced with sendxmpp, and this reduces the amount of maintenance needed.

XMPP may be old but it's still one of the most practical IM systems. An XMPP server can run even on the most minimal single board computer - unlike certain other chat systems that could be mentioned - and also supports the use of onion addresses. Many people are unaware that WhatsApp is really just an XMPP server with a proprietary client app and federation turned off.

The Ecosystem is Moving Away from Monoliths

At the recent 36C3 Moxie Marlinspike - the developer of the Free Software chat app Signal - gave a talk about the problems involved with decentralization. It was recorded by accident and then later taken down from CCC's media site, but essentially it was an elaboration upon a blog post which he wrote in 2016.

Even in 2016 it was a contested opinion that decentralized or federated systems could not compete with monolithic ones, but in the intervening years the case for decentralization has become stronger. So while the ecosystem has moved, Moxie's opinions have remained stuck in 2016. "Move fast and break things" is no longer considered a desirable mission statement, even within Silicon Valley.

In 2020 running a global chat system from a monolithic server on AWS, and in a manner which requires you to give out your mobile phone number, doesn't seem like all that great of an idea from a security and general ethics point of view. For example, how do we know that "ghost members" aren't being added to chat groups, as GCHQ suggested? Who is auditing Moxie's server and who else at Amazon has physical access to it? Use of phone numbers also opens up a variety of security problems. And that's even before wading into the quagmire that is the Electron-based desktop client.

Undoubtedly there are problems remaining to be solved in the decentralized chat space. If you've ever tried using OMEMO for group chat on Conversations then you'll know what I mean. It soon turns into a comedy of errors, because every participant needs to have the public key of every other participant. Assuming that people often have a couple of devices this makes it a 4N^2 problem. It needs to become possible to do secure group chat with 20 people without requiring herculean coordination efforts.
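As an added illustration (not part of the original post), the Python sketch below counts the key relationships in a simplified model of an OMEMO group chat, assuming each sending device must hold and trust the key of every other device in the room, its owner's other devices included. With two devices per person the model gives 4N^2 - 2N, which the 4N^2 figure above rounds up; the function names and device ids are constructed for the example.

```python
from itertools import permutations

def group_devices(n_people, per_person=2):
    # Constructed device ids: (participant index, device index).
    return [(p, d) for p in range(n_people) for d in range(per_person)]

def key_relationships(devices):
    # Model assumption: a sending device must hold and trust the public key
    # of every other device in the room, its owner's other devices included.
    return set(permutations(devices, 2))

def cost_of_new_device(devices, new_device):
    # Extra (sender, recipient) relationships created when one device joins.
    before = len(key_relationships(devices))
    return len(key_relationships(devices + [new_device])) - before

def unreadable_pairs(devices, missing):
    # `missing` holds (sender, recipient) pairs where the sender lacks the
    # recipient's key; that recipient cannot decrypt that sender's messages.
    return key_relationships(devices) & set(missing)

def summary(n_people, per_person=2):
    devices = group_devices(n_people, per_person)
    return {
        "devices": len(devices),
        "relationships": len(key_relationships(devices)),
        "bound_4n2": 4 * n_people ** 2,  # the post's figure, two devices each
        "new_device_cost": cost_of_new_device(devices, (0, per_person)),
    }

if __name__ == "__main__":
    for n in (3, 10, 20):
        print(n, summary(n))
    # Constructed failure: nobody has the key of participant 5's second
    # device, so nothing sent to the room can be decrypted on it.
    devs = group_devices(20)
    gap = [(s, (5, 1)) for s in devs if s != (5, 1)]
    print("senders unreadable on that device:", len(unreadable_pairs(devs, gap)))
```

In this model a 20-person room has 1560 relationships to get right, and each extra device adds twice the current device count.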

Matrix/Synapse may be doing better with its private chat room feature, but there also need to be usability improvements to eliminate the key verification nightmare.

So the ecosystem is moving. Not in Moxie's direction, but it is moving. An easy prediction is that the next decade will be more volatile than the last. Expect economic, political and environmental shocks. The last decade may have been the era of tech monoliths, but in the turbulent future those systems are going to fail, and fail hard.