The OMEMO dev’s push to get many clients to drop OTR support has seriously fragmented the XMPP world :(

It seems like there must be a modern client that supports both OTR and OMEMO, but, I haven’t found one.

poVoq
35M

JSXC does, but seriously… why would you even want OTR at this point? I am not aware of any real world implementation of OTRv4 and the old OTRv3 that is still somewhat common is just outdated and insecure.

There are some people that push for Ox/Pgp to be implemented in more clients though, but personally I don’t see how that would be a real improvement over either OMEMO or plain old TLS for most people.

Arthur Besse
creator
25M

jackline and coyim are two XMPP+OTR clients that are actively maintained/developed, and last I checked there were still some others (plus numerous more that are not being maintained but are still widely used). it looks like the former is open to adding OMEMO while the latter is opposed to it.

in any case there are many people still using OTR on a daily basis; I know people that use separate accounts and clients to talk to their OTR and OMEMO contacts.

poVoq
25M

I think the better question would be why people are not willing to switch to better clients? I had the same argument with someone using Pidgin (with OTR sometimes), and it was quite a frustrating exchange because other than “it works, why change?” they didn’t have any reason to keep using it.

Arthur Besse
creator
35M

it’s the network effect; if you know a bunch of people using OTR and you switch to something that doesn’t support it then you can’t talk to those people anymore.

When OTR support started going away (as a result of the campaign against it by the OMEMO guy) a lot of people stopped using XMPP rather than adopt one of the OMEMO clients that existed at the time. (In the pre-omemo days xmpp+otr was my primary means of daily communication; today I hardly ever use xmpp at all anymore. 😞)

I am pretty dissatisfied with all of the messaging solutions that are popular today, so I’m thinking about giving OMEMO another shot… but asking around I’m realizing that I actually still might know more OTR users than OMEMO users! (hence the question in this post.)

@pep
admin
25M

Poezio still supports OTR, and also supports OMEMO mostly[1].

To be honest I’m also not entirely sure why OTR was dropped. At the time when OMEMO was introduced it may have had a better crypto mechanism (based on Signal’s) but OTR has caught up with this not so long after.

One common argument I hear against OTR is that it is transport-agnostic, and this prevents features from being used and included in the encryption. But the same argument that OMEMO (0.3) prevents features from being used and included in the encryption could have been made when it was first adopted, and it is still the case today while nobody implements the latest spec version (0.8). Hopefully this should change soon.

Note that being transport-agnostic is also an argument in favor for some use-cases, such as gateways. Plug in your OTR addon of choice and chat across various bridges. Otherwise both sides of the bridge need to agree on a common encryption mechanism and a serialization format. I’m not sure there is any other use-case where this (being transport-agnostic) is actually useful though.


  1. UI and trust management aren’t there, but one can send and receive

Arthur Besse
creator
15M

> Note that being transport-agnostic is also an argument in favor for some use-cases, such as gateways. Plug in your OTR addon of choice and chat across various bridges. Otherwise both sides of the bridge need to agree on a common encryption mechanism and a serialization format. I’m not sure there is any other use-case where this (being transport-agnostic) is actually useful though.

Yeah, there are IRC clients that support OTR for private (1:1) messages, and there are IRC to XMPP gateways… i’ve never done it myself but I have heard of people using cross-protocol OTR that way. I’m not aware of any other cross-protocol e2ee system.

> Poezio still supports OTR, and also supports OMEMO mostly

poezio’s OTR support comes from potr which unfortunately relies on pycrypto which says it is “unmaintained, obsolete, and contains security vulnerabilities”. Its OMEMO support comes from poezio-omemo which uses python-xeddsa which says “This code was not written by a cryptographer and is most probably NOT SECURE”. I haven’t looked very closely but I think python-xeddsa might actually be OK; it has some (barely) post-covid commits and is built using primitives from djb’s SUPERCOP, but pycrypto is definitely dead and should not be used anymore.
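
Added example, not part of the thread or of any project mentioned in it: a check for the dependency chain described in the comment above, listing every installed Python distribution that pulls in pycrypto directly or transitively. The function names and the sample graph in the usage note are constructed for illustration.

```python
import re
from importlib import metadata

DEAD = "pycrypto"  # distribution the comment above flags as unmaintained


def norm(name):
    """Normalise a distribution name the way PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()


def req_name(req):
    """Extract the bare name from a Requires-Dist entry such as 'x[e] (>=1) ; marker'."""
    return norm(re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req).group(1))


def installed_graph():
    """Map each installed distribution to the set of names it declares as requirements."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            # Optional (extra-gated) requirements are included on purpose.
            graph[norm(name)] = {req_name(r) for r in (dist.requires or [])}
    return graph


def chains_to(graph, target=DEAD):
    """Return {package: [package, ..., target]} for every package that reaches target."""
    target = norm(target)

    def walk(pkg, path):
        if pkg in path:          # dependency cycle, stop
            return None
        deps = graph.get(pkg, ())
        if target in deps:
            return path + [pkg, target]
        for dep in sorted(deps):
            found = walk(dep, path + [pkg])
            if found:
                return found
        return None

    return {p: c for p in sorted(graph) if (c := walk(p, []))}


if __name__ == "__main__":
    for pkg, chain in chains_to(installed_graph()).items():
        print(" -> ".join(chain))
```

Run inside the virtualenv of the client being audited. Matching is on the distribution name, so the separately maintained pycryptodome is not reported.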
