freedombonee/doc/EN/app_xmpp.org

8.7 KiB

/free/freedombonee/src/commit/f065fe9182c8c37edc0413d5e238d8376d1cec57/doc/EN/images/logo.png

XMPP/Jabber

Most people know XMPP as "Jabber" and it's sometimes regarded and an old protocol once used by Google and Facebook but which is no longer relevant. However, it still works and if appropriately configured, as it is on Freedombone, can provide the best chat messaging security currently available.

With regard to chat apps you might have read a lot of stuff about end-to-end security. That's important, but to also protect the metadata of who sends messages to who the data needs to be onion routed (wrapped in multiple layers of routing encryption), and that's something which most popular chat apps don't provide. Also beware of chat apps which fundamentally rely upon Google's infrastructure. You can be sure that they extensively data mine everything and will be able to reconstruct your social graph if that's at all technically feasible, then pass that to whatever governments they're friendly with or trying to lobby.

A well written article on the state of XMPP and how it compares to other chat protocols can be found here.

Using with Gajim

In mid 2016 Gajim became the first desktop XMPP client to support the OMEMO end-to-end security standard, which is superior to the more traditional OTR since it also includes multi-user chat and the ratcheting mechanism pioneered by Open Whisper Systems. To install it:

su -c 'echo "deb ftp://ftp.gajim.org/debian unstable main" > /etc/apt/sources.list.d/gajim.list'
sudo apt-get update
sudo apt-get -y install gajim-dev-keyring
sudo apt-get -y install git tor python-dev python-pip gajim-nightly
mkdir ~/.local/share/gajim/plugins -p
cd ~/.local/share/gajim/plugins
git clone https://github.com/omemo/gajim-omemo
sudo pip install protobuf==2.6.1, python-axolotl==0.1.35

Open Gajim and enter your XMPP address and password.

Go to Edit/Preferences and select the Advanced tab. Under Global Proxy select Tor and the Close button. Then select Edit/Plugins and make sure that OMEMO is active (ticked), then select the Close button.

Go to Edit/Accounts, select your account then the Connection tab. Ensure that Use custom hostname/port is checked and enter your onion address there as the hostname (it can be found on the About screen of the administrator control panel). Using the onion address will give you better protection against correlation attacks within the Tor network. Also under Proxy select Tor.

When you start a conversation make sure that the OMEMO box is ticked. You can also click on the keys button and trust various fingerprints. Both sides will need to do that before an encrypted chat can start.

If you wish to make backups of the OMEMO keys then they can be found within:

~/.local/share/gajim

If you wish to use OpenPGP to encrypt your messages then go to Edit/Accounts, select your account and then the Personal Information tab. You can then choose your GPG key. When initiating a chat you can select the Advanced button and then select Toggle OpenPGP Encryption. OpenPGP is not as secure as OMEMO, but does allow you to use XMPP in a similar style to email in that the recipient of the message does not necessarily need to be online at the same time that you send it.

Using with Profanity

The Profanity shell based user interface and is perhaps the simplest way to use XMPP from a laptop. It's also a good way to ensure that your OTR keys are the same even when logging in from different laptops or devices, and it also means that if those devices later become compomised then there are no locally stored OTR keys to be found.

ssh username@domain -p 2222

Then select XMPP. Generate an OTR key with:

/otr gen

Then to start a conversation using OTR:

/otr start otherusername@otheruserdomain

or if you're already in an insecure chat with someone just use:

/otr start

Set a security question and answer:

/otr question "What is the name of your best friends rabbit?" fiffi

On the other side the user can enter:

/otr answer fiffi

For the most paranoid you can also obtain your fingerprint:

/otr myfp

and quote that. If they quote theirs back you can check it with:

/otr theirfp

If the fingerprints match then you can be pretty confident that unless you have been socially engineered via the question and answer you probably are talking to who you think you are, and that it will be difficult for mass surveillance systems to know the content of the conversation. For more details see this guide

When accessed via the user control panel the client is automatically routed through Tor and so if you are also using OTR then this provides protection for both message content and metadata.

Using with Jitsi

Jitsi can be downloaded from https://jitsi.org

On your desktop/laptop open Jitsi and select Options from the Tools menu.

Click Add to add a new user, then enter the Jabber ID (yourusername@yourmaindomainname). Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).

From the File menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.

When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select View Certificate and enable the checkbox to trust the certificate, then select Continue Anyway. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.

You can also see this video as an example of using OTR.

Using with Ubuntu

The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the off the record feature, but since it's the default it's what many users will have easy access to.

Open System Settings and select Online Accounts, Add account and then Jabber.

Enter your username (username@domainname) and password.

Click on Advanced and make sure that Encryption required and Ignore SSL certificate errors are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click Done and set your Jabber account and Empathy to On.

Using Tor Messenger

Tor Messenger is a messaging client which supports XMPP, and its onion routing enables you to protect the metadata of chat interactions to some extent by making it difficult for an adversary to know which server is talking to which. You can download Tor Messenger from torproject.org and the setup is pretty simple.

Using with Android/Conversations

Install F-Droid

Search for and install Orbot and Conversations.

Add an account and enter your Jabber/XMPP ID and password.

From the menu select Settings then Expert Settings. Select Connect via Tor and depending on your situation you might also want to select Don't save encrypted messages. Also within expert settings select Keep in foreground. This will enable you to still receive notifications when your device is in standby mode with the screen turned off.

From the menu select Manage accounts and add a new account.

Jabber ID: myusername@mydomain
Password:  your XMPP password
Hostname:  mydomain (preferably your xmpp onion address)
Port:      5222

Then select Next. When chatting you can use the lock icon to encrypt your conversation. OMEMO is the recommended type of encryption. It's also going through Tor, so passive surveillance of the metadata should not be easy for an adversary.