MAM and other supported features for XMPP..

Kittenpirate wrote...
According to https://gultsch.de/compliance.html, Riseup does not use MAM as well as many other features of XMPP. Is there a reason or specific security flaw involved with using MAM? It seems if all messages are forced to use encryption by the server, there is no problem with using MAM. Does Riseup's XMPP server force encryption or keep logs?

Thanks.
Upvote | 1
Flag for Review
Cyanolyca turcosa ecua4944
Urraca De Cuello Negro replied...
Hi,

Sorry it takes this long to reply, but we have to prioritize some tickets according to the urgency.

Riseup doesn't support MAM, the reason for this is that it requires enforcing encryption which is not something we can do beacuse of some of the clients some users are currently using. Turning on MAM and Carbons to support OMEMO are both problematic as we cannot enforce encryption today and turn them on will increase the data we retain.

Our xmpp server doesn't keep logs.
Upvote | 0
Flag for Review
Caska replied...
Hi there,

I am a little confused, I am not sure I understand the relation between enforcing encryption and setting up MAM and Carbons, and something about OMEMO.

I would love to see MAM and Carbons deployed on riseup as it would greatly improve user-experience. Having to try and resend every other message because the recipient is out of coverage or just temporarily disconnected is no fun. I haven't tried having contacts use two clients simultaneously on riseup yet but I can already imagine the headache it is to explain why they won't receive their messages on both devices.

I hardly see people accommodate if there is no major benefit, and where I am at it's an uphill battle to move people off Signal (centralised and requiring a phone number), so every step of the way I have to be careful when trying to show fellow activists a new solution. Riseup comes in handy as most already have an account there (yay decentralisation /s) and you provide XMPP, thank you for that, but not so helpful if we don't even come to par with other messaging solutions.

I contribute to various XMPP projects and I operate my own private and public services, happy to provide help if necessary.
Upvote | 0
Flag for Review
Cyanolyca turcosa ecua4944
Urraca De Cuello Negro replied...

XMPP is a very old service where we haven't been able to force e2e encryption of messages because some folks cannot use that feature in their several-years-old-setup. Keeping a copy of the messages in clear text is something we don't want to do.

One of the most common ways to intercept activists communications has been using the multicasting abilties for different techonologies so messages gets delivered to a 3rd party, since our services try to address problems on this groups it's not really an option to enable this.

But, it's been a while this was mentioned and we are in the process of fully remove our XMPP service in the upcoming year or the next one. XMPP brings a problem we cannot solve regarding the contacts and at this point there are better solutions for the communications problems more or less battleground tested so it will be a good time to do this.

Upvote | 0
Flag for Review