My OMEMO Fingerprints:
- Desktop
  - 3de41588 35ed8306 f15fcef2 df9597cf 0010616a 0ef3a342 d73210ca 2ecc3804
- Pinephone
  - c5d3d784 1c61c90a ba3239ae dfad3c86 26f86447 dfdc56d8 56683736 1eff1d68
- Pinebook Pro
  - e4bdf989 2bb30839 72956dcd 45b83d82 1a6210e9 8472b813 3a971a8b 53db7023
- X230
  - 09bc826a 641c240a 6c1682f7 7b01efed a50258c3 5be3ef1e a7064c5d 7f917872
1. How to invite someone else
If you want to invite someone else to momi.ca, just message the admins (xmpp: anjan -at- momi.ca or colinl@momi.ca) and they will get an invite link for you. Note: you can chat with users from other servers on the XMPP network (@anydomain) with your @momi.ca account.
2. Android
2.1. Setup
- Install F-Droid to get Conversations for free
- Install Conversations from F-Droid
- Tap the invite link and follow the onscreen instructions in Conversations
  - If tapping the invite link doesn’t open Conversations, copy and paste the invite link into the address bar of your phone’s web browser and press go.
- Conversations will prompt you to disable battery optimizations. Make sure you do so.
  - If you forget to disable battery optimizations, follow the instructions on this website: https://dontkillmyapp.com/
2.2. Usage Tips
- Notifications are disabled by default on group chats.
  - To enable notifications in a group chat: open the group chat, press the three dots on the top right, and tap “enable notifications”.
- Make sure you disable encryption for large group chats. Otherwise, you will be stuck on a “Trust OMEMO Fingerprints” screen when sending a message to the group chat.
  - To fix: open the group chat and tap the lock on the top right. Choose unencrypted.
- Some phones have trouble with notifications not working.
  - To fix: on the Conversations main screen, tap the three dots on the top right => Settings => Expert Settings => Run service in foreground (at the bottom)
3. iPhone
3.1. Setup
- Get invited
- Install ChatSecure from the App Store
- Enable notifications for ChatSecure
- Ensure there is a green switch next to ChatSecure on “Background App Refresh”
- Ensure there is a green switch next to “Background App Refresh” in the ChatSecure settings
Have fun!
3.2. Notifications Issues
On iOS, if you notice that you’re not getting message notifications, your push connection may have been lost. This usually happens if you don’t use the app for a while. You can reset it by doing the following in ChatSecure:
- Tap the gear
- Tap the (i) button beside your account
- Tap “Server Information”
- Tap “Reset”
Now you can exit settings.
If you see an ’X’ under push registration, then it needs to be reset.
This issue occurs on iOS devices because Apple doesn’t allow apps to stay connected to 3rd party push servers, and intentionally forces the connection closed to encourage the use of iMessage. Consider a different platform that respects your freedoms [1].
4. Trustworthiness
Read the Trustworthy™ Organizations using F-Droid and Conversations section if you want quick reassurance with an argument from authority (i.e. you think no one uses this). Read the First Principles section for a more correct argument using first principles and an explanation of the limitations.
4.1. Trustworthy™ Organizations using this Technology
4.1.1. F-droid
F-Droid is regularly cited by security researchers in academia in papers on Android security. F-Droid has over a thousand citations on Google Scholar. See: https://f-droid.org/en/2020/03/04/f-droid-is-a-key-source-for-academics-and-researchers.html
F-Droid does novel research regarding how to find malware: https://f-droid.org/en/2020/01/16/tracking-the-trackers.html
For a reputable news source covering Google’s terrible approach to moderating malware when compared to F-Droid, see: Android Users: To Avoid Malware, Try the F-Droid App Store - Wired
I consider F-Droid the only trustworthy app store on Android.
4.1.2. XMPP
XMPP is widely used by Facebook, Slack, etc. [2], [3]. For an explanation of why their usage is so problematic for your privacy, read the First Principles section.
4.2. Argument Using First Principles
Facebook, Slack, etc. used to allow you to connect to their services while having an account @anotherdomain.com, similar to email [2], [3]. However, since these companies make their money mining your data, allowing users to keep even some of their data private was against their business model [6]. As such, they removed this feature. Furthermore, these services are run by companies which need to exponentially increase their profit every year. Communication platforms are inherently limited by the number of people that need their services. When the communication platform captures 90% of the market as a result of the network effect, the only way to deliver the exponential profit increase the shareholders require is by abusing the users to a greater extent. The issue is the social structure of big tech corporations that produces the symptoms of centralization and a disregard for privacy. Fortunately, an alternative social organization can be understood by non-tech heads and tech heads alike!
What is the alternative social organization to Tech megacorps?
- Free software [7]
Here, free refers to freedom NOT price. These freedoms are ensured by the software license and give the user the freedom to use, study, modify, and redistribute unmodified/modified copies of the software. These freedoms matter for non-programmers too! Consider the scientific process of peer review in which people with different financial interests review the content. Similarly, with free software, users with different financial interests can collectively and individually control the software on their computers. In contrast, with a proprietary program, only the proprietor is allowed to know what the program is doing and modify it. With nonfree software, studying what the program is doing is often illegal according to the terms of service of the program. The absolute power given to proprietary software companies by the end user license agreement often corrupts them [8].
- Federated network services
With federated network services, users who believe the network (or server operator) is not sufficiently fulfilling its duties can switch providers. For example, if you switch email providers from Gmail to Hotmail or Yahoo Mail you can still communicate with your old friends on Gmail. Any service that doesn’t allow this should be resisted at all costs because it’s an artificial constraint that forces users to stick with a provider that mines their data just to communicate with their friends.
To encourage this alternative social organization, I run my own server which allows you to connect using @anotherdomain.com (federation), use free software apps, and use the best encryption (OMEMO) available so even the server operator (anjan) cannot read your messages [9]. I pay the money for the server out of my own pocket ($24 a month) and run the maintenance myself (about 1-2 hours a week). I pay with time and money so you don’t have to. =)
4.2.1. Limitations of this Approach
I cannot guarantee that the operating system you are using or the other apps on your phone are not spyware [10]. Similarly, the person you are sending messages to may have malware on their devices. Furthermore, OMEMO does not encrypt the time the message was sent and the message’s sender/recipient(s). This is for obvious reasons - my server needs to know who to give the message to. One method for some metadata (correspondence and timestamp) privacy is using something peer-to-peer which sends messages from one phone to another phone without a server (Briar). However, consider that peer-to-peer is inherently less reliable for message transfer than using a server protocol. For a message to be sent to your recipient, your phone and your recipient’s phone must be online at the same time for however long the data transfer takes. This is especially problematic on cellular networks where the network connection is unreliable. The server requirement of XMPP is a trade-off between usability and privacy. You must somewhat trust your server provider. Finally, getting your friends to switch to XMPP can also be problematic.
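What that limitation looks like on the wire, as an added example that is not part of the original page: the Python below parses a constructed OMEMO message stanza and lists what a relaying server can still read. The addresses, device ids and base64 values are made up, and the element names assume the legacy OMEMO namespace used by Conversations; beyond the sender, recipient and timestamp named above, it also reports the device ids and ciphertext size that the stanza carries.

```python
import base64
import xml.etree.ElementTree as ET

OMEMO_NS = "eu.siacs.conversations.axolotl"  # legacy OMEMO namespace (assumed)
DELAY_NS = "urn:xmpp:delay"                  # XEP-0203 delayed-delivery stamp

# Constructed sample: addresses, device ids and base64 values are made up.
SAMPLE_STANZA = """
<message xmlns="jabber:client" from="alice@example.org/phone"
         to="bob@example.net" type="chat" id="constructed-1">
  <encrypted xmlns="eu.siacs.conversations.axolotl">
    <header sid="1001">
      <key rid="2001">Y29uc3RydWN0ZWQta2V5LTE=</key>
      <key rid="2002">Y29uc3RydWN0ZWQta2V5LTI=</key>
      <iv>Y29uc3RydWN0ZWQ=</iv>
    </header>
    <payload>b3BhcXVlIGNpcGhlcnRleHQ=</payload>
  </encrypted>
  <delay xmlns="urn:xmpp:delay" stamp="2020-05-11T12:00:00Z"/>
</message>
"""

def server_view(stanza_xml):
    """Return the fields a relaying server can read from an OMEMO message."""
    msg = ET.fromstring(stanza_xml)
    enc = msg.find(f"{{{OMEMO_NS}}}encrypted")
    if enc is None:
        raise ValueError("not an OMEMO-encrypted message")
    header = enc.find(f"{{{OMEMO_NS}}}header")
    if header is None:
        raise ValueError("OMEMO element has no header")
    payload = enc.findtext(f"{{{OMEMO_NS}}}payload", default="")
    delay = msg.find(f"{{{DELAY_NS}}}delay")
    body = msg.find("{jabber:client}body")
    return {
        # Routing data: the server needs these to deliver the message.
        "from": msg.get("from"),
        "to": msg.get("to"),
        "timestamp": delay.get("stamp") if delay is not None else None,
        # Device ids reveal how many devices each party uses.
        "sender_device": header.get("sid"),
        "recipient_devices": [k.get("rid") for k in header.findall(f"{{{OMEMO_NS}}}key")],
        # Ciphertext length approximates the plaintext length.
        "ciphertext_bytes": len(base64.b64decode(payload)),
        # The message text itself is only present as opaque ciphertext.
        "plaintext_body": body.text if body is not None else None,
    }

if __name__ == "__main__":
    for field, value in server_view(SAMPLE_STANZA).items():
        print(f"{field}: {value}")
```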
4.2.2. Conclusion
Compared to the messaging services data harvesting corporations provide, you can be much more confident the messaging app on your phone isn’t the one leaking all your data. Furthermore, since the software is controlled by the users (it’s free software), you can be certain the most secure feature will be enabled by default. Compare this to data harvesting corporations that give you “the option” to disable malicious features. Since it’s not free software, users are forbidden from checking if the option does what it says. Furthermore, the option is often hidden deep in the settings such that most people don’t even bother enabling it. XMPP is not a perfect solution but we live in a world where people unironically repeat “I have nothing to hide” when confronted with the grim reality that everything they do and say is kept on record forever by a few corporations. At this point, we can work on taking steps towards a better world or we can rationalize the control corporations’ business models have on us with “I have nothing to hide”.
Many times, I’ve seen arguments made like this: “I’d try Mastodon, but I already have Twitter followers”, or “I’d like to use OSM, but Google Maps has better data for my city”, or, in my case, “I’d like to use sr.ht, but GitHub has better discoverability”.
Platforms for which popularity improves the utility of the service are skewed in favor of the incumbents. New platforms face a chicken-and-egg problem. You have to decide - will you help it, or exacerbate it? Those are the only two choices you have.
Don’t let that cool new platform die in obscurity while you wait for it to become popular.
Source: Drew DeVault - Mastodon
Footnotes:
[1] TODO: Document mobile platforms that respect user freedoms
[2] Sharwood, Simon (March 9, 2018). “Slack cuts ties to IRC and XMPP, cos they don’t speak Emoji”. Retrieved May 11, 2020.
[3] Zoom. “Facebook and Google To Discontinue XMPP Chat Protocol”. Retrieved May 11, 2020.
[4] XMPP. XMPP - FAQ. Retrieved May 11, 2020.
[5] ISODE (July 10, 2012). Isode Provides Low-Bandwidth XMPP for NATO Arctic Tiger 2012. Retrieved May 11, 2020.
[6] Gultsch, Daniel (May 8th, 2019). A pathway to a well regulated instant messaging market. Retrieved May 11, 2020.
[7] GNU Operating System (July 29, 2019). “What is free software?”. Retrieved May 11, 2020.
[8] GNU Operating System. Proprietary Software Is Often Malware. Retrieved May 11, 2020.
[9] OMEMO has been audited. See: Radically Open Security (June 1, 2016). OMEMO: CRYPTOGRAPHIC ANALYSIS REPORT. Retrieved May 11, 2020.
[10] To remove this data leak, consider using an operating system that’s 100% free software and only installing free software applications.