In our Messenger roundup we always try to look at encryption, decentralisation, privacy and the company behind the platform but, of course, usability has to be another important factor.

We have looked at XMPP in the past, and it seems to be one of the better solutions, most of all as you can host it yourself.

We've noticed and complained before about how security updates are not always applied by the administrators who are 'in charge'... so you need to host it yourself, or you need to trust the administrators with your metadata. As usual there are pluses and minuses!

With WhatsApp sharing data with Facebook, many people have flocked to Signal and Telegram. The former is believed to be the gold standard when it comes to encryption. However, Signal not only uses AWS (Amazon Web Services) servers but also Microsoft and Google servers, and now, to make things even more toxic, they are also using Cloudflare.

Cloudflare - why the fuss?
Cloudflare has spent the last 10 years building itself into one of the world’s largest cloud service providers, however, after recent revelations regarding their network being ‘hijacked’ by paedophiles, terrorists and drug runners as well as the continuing concerns about the way they manage data an…

Which, even with great encryption, gives me goosebumps (but not in a good way).

So connect the dots here... even if you have every message encrypted and AWS and the like can't actually see your messages, they can see the IP address which connects to the server. Amazon might already have your IP address from something that you ordered or from any other Amazon service you have used. Perhaps Google has the IP from your phone. The problem is that they have your exact address and more, so they could combine that with existing metadata to connect it to you and to all your contacts now using Signal.

Now it can be argued that not much metadata is provided but that's an entirely different discussion! Point is they can find you!

This month's review - Movim

The best solution is always decentralisation and our two favourites are probably Matrix (Element) followed by Status.im. However, XMPP has been around a long time, since 1998 in fact, which makes it a very early pioneer: it was developed and deployed to allow the exchange of information and data.

This is where XMPP still shines and, importantly, you can easily host it yourself. As a great 'for instance' you could use YunoHost to set it up and even run it on your Raspberry Pi! (Oh yes, the Privacy Advocate is doing “The One with the Pi” in the Privacy Cookbook at the moment).

So XMPP is decentralized, unlike Signal, Telegram, Threema and the like, and a list of free XMPP servers can be found here:

Server overview · XMPP Compliance Tester
Pick and choose your Jabber server from a list of compatible servers or check if your current server supports all required features.

Movim is an open-source decentralized social media platform. So, it's a bit more than your usual XMPP messenger or messenger setup. Think of it as a Facebook/Messenger/Blogging community software. It is based on and compatible with all XMPP setups out there.

Movim calls its instances 'pods' and offers the following official Pods:

https://nl.movim.eu/ server hosted in The Netherlands

https://jp.mov.im/ server hosted in Japan

https://de.movim.eu server hosted in Germany

The 2020 review of Messaging Service Providers: XMPP/Conversations
In the last edition of the messenger series ‘Secure or not too secure’ we looked at Delta Chat [/the-2020-review-of-messaging-service-providers-delta-chat/] which is a provider that uses your existing email account. Personally, we’re not fans of this route as a solution but it remains your call. Th…

If you would like to host a pod yourself, get a Debian-based setup and all you have to do is type:

sudo apt install movim

The beauty of doing it by yourself is that you are the master of your own setup. No-one-in-the-middle, no company to trust.

The setup lets you interact with Conversations (Android), Siskin IM (iOS) and Dino (desktop) and, of course, every other XMPP platform that you may like.

Movim is more than just the chat you would usually have with an XMPP setup: it offers Chatrooms (one-on-one and group) and you can also organize video conferences. These calls run over WebRTC, which means one-on-one calls are encrypted. This is kind of funny considering Movim didn't have OMEMO chat encryption implemented even though it was raised in 2015 on GitHub.

E2EE (End-to-End Encryption) on most of the better XMPP setups and apps uses OMEMO or the alternative, OpenPGP. Both methods are based on the Double Ratchet algorithm and PEP (XEP-0163). Double Ratchet was developed for Signal, but it is also used by other messaging apps such as Wire. The good news is that OMEMO uses PFS (Perfect Forward Secrecy) which should ensure no 'man in the middle' attacks can occur.
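To make the forward-secrecy property mentioned above concrete, here is an added toy illustration (not Movim or OMEMO code, and not the full Double Ratchet): a one-way KDF "sending chain" where every message gets a fresh key, so stealing the device's current chain key only exposes messages sent after the theft. The function names, the XOR demo cipher and the sample messages are my own constructions; real OMEMO additionally mixes Diffie-Hellman ratchet steps into the chain.

```python
from __future__ import annotations
import hashlib
import hmac

# Toy symmetric-key ratchet (added illustration, not Movim/OMEMO code).
# It models only the one-way KDF sending chain of the Double Ratchet;
# real OMEMO additionally mixes in Diffie-Hellman ratchet steps.

def kdf_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: (next chain key, one-off message key). HMAC is one-way,
    so the previous chain key cannot be recovered from the next one."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, msg_key

def xor_cipher(msg_key: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher: XOR with a SHAKE keystream (same call decrypts)."""
    keystream = hashlib.shake_256(msg_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

def readable_after_theft(root_key: bytes, plaintexts: list[bytes],
                         stolen_after: int) -> list[bool]:
    """Sender ratchets once per message. An attacker copies the device's chain key
    right after message `stolen_after` (1-based) and can only derive keys forward.
    Returns, per message, whether the attacker can read it."""
    ck, ciphertexts, stolen = root_key, [], None
    for i, pt in enumerate(plaintexts, start=1):
        ck, mk = kdf_step(ck)          # fresh key for this message only
        ciphertexts.append(xor_cipher(mk, pt))
        if i == stolen_after:
            stolen = ck                # state left on the device afterwards
    if stolen is None:                 # theft never happened: nothing leaks
        return [False] * len(plaintexts)
    attacker_keys, ak = [], stolen
    for _ in plaintexts:               # forward derivation is all they can do
        ak, mk = kdf_step(ak)
        attacker_keys.append(mk)
    return [any(xor_cipher(mk, ct) == pt for mk in attacker_keys)
            for ct, pt in zip(ciphertexts, plaintexts)]

def readable_with_static_key(key: bytes, plaintexts: list[bytes]) -> list[bool]:
    """Same theft, but one fixed key for every message: the whole history falls."""
    ciphertexts = [xor_cipher(key, pt) for pt in plaintexts]
    return [xor_cipher(key, ct) == pt for ct, pt in zip(ciphertexts, plaintexts)]

if __name__ == "__main__":
    msgs = [b"first", b"second", b"third (sent after the theft)"]  # constructed
    key = b"\x11" * 32                                            # constructed
    print(readable_after_theft(key, msgs, 2))      # [False, False, True]
    print(readable_with_static_key(key, msgs))     # [True, True, True]
```

The contrast is the whole point of PFS: with the ratchet, messages 1 and 2 stay unreadable after the theft while message 3 does not, whereas a static key gives up everything.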

Movim, however, hasn't even got E2EE integrated yet! This means the chats are not E2EE encrypted but just server encrypted. This takes the 'privacy by design' tag away from Movim.

Another issue with XMPP is its server logs! The administrators can theoretically see all your logs, which can even include your login password, contacts, messages that have been sent and received (those which were not encrypted — meaning all chats on Movim) and the IP address you connected from. Pretty much everything we just complained about on Signal, except Signal actually has encryption implemented.

Now that all of that is out of the way: if you host a pod yourself you do not need to rely on administrators and no-one but you can see the logs. XMPP and Movim are not great privacy setups when you consider metadata, and the latter does not even encrypt your messages! Your own setup also only secures users on your pod; once you interact with users on different pods, you need to trust other admins not to look at your logs. And of course, you always need to keep the security updates in mind.

In communities, you can publish articles and stories to the federated network. Movim automatically embeds links and images in your posts, lets you explore topics by hashtags, auto-saves drafts, and lets you follow topics or publications and comment on topics and posts, etc., so you can start your own blog within Movim. (We're looking at linking our articles into Movim in the future and embedding it with our Write.as and Ghost setup.)

A couple of the best features: while typing you can use Markdown and your drafts are saved automatically, Movim supports stickers (oh yes, that'll please the Telegram and Signal people), lets you edit and delete chat messages, and supports screen sharing! Yes, just like Discord. You can insert pictures and videos into your conversations, reply to messages in a conversation, share articles in the discussion and react to posts.

You can search Chatrooms, communities, tags and contacts instantly, be notified on likes, mentions and comments and invite contacts into your chat room. And of course, it has a dark and light mode, so you can take it easy on your eyes during the night.

Movim is available on F-Droid, which is another big plus. It is not available on iOS but does have a web version that works.

Overall Movim has great potential to be your Telegram replacement. Hell, it is even a great addition to social media like Mastodon; perhaps even see it as your Facebook replacement!

Telegram also has no E2EE in group chats, only in secret chats. Of course, you could always have conversations in your E2EE messenger and then use Movim as your group chat and blogging federated network. However, even with all this potential Movim will not become a killer privacy app until E2EE is fully implemented. It can however be your social media app where you share your stories with like-minded people. For pictures and more private conversations, use XMPP/Conversations or a more privacy focussed messenger.

As already mentioned, you can, and should, look at hosting your own instance:

https://github.com/movim/movim

Till next month's review!