Using SimpleX over XMPP (OMEMO)

This is written by a quite respected cryptographer with 10 years of experience. I’m not saying we should add his quotes, but we can reference this article in the wiki: experienced users can familiarize themselves with this XMPP review for additional information. Or: “Some experts believe that the OMEMO version should be studied in various clients; old versions may not have been updated for a long time, while new versions may still be in the testing phase (experimental).”
A disclaimer in bold red font: WARNING? I think test functions should only be applied in a tester environment. I don’t think you would recommend using Whonix test functions even with a note saying ‘caution: for testers only!’. Yes, users should make their own choice, but this can also be indicated. Yesterday I showed this to a friend who uses XMPP on his phone. It surprised him, and now he is in doubt about which client to use: one with stable function versions or one with experimental features.

But I will trust your opinion, Patrick. If you think these are weak arguments that are not worth considering, then I trust your judgment. The opinion of a security developer is key in this matter.


There’s a large number of software labeled “alpha” or “beta”. That has to be taken with a grain of salt. This does not necessarily imply “security issues”.

Due to the inflationary use of these words, I introduced tags such as “developers-only” and “testers-only”, because alpha and beta seem to be not well understood terminology for many readers.

Also, version numbers lower than 1.0 imply “issues”, “unfinished”, “alpha” or “beta”. But there are many. [1] That does not necessarily imply “insecurity” either.

It has to be clarified what “testing” and “experimental” is supposed to mean. Does it mean that the protocol might make incompatible changes in the future to optimize performance, or does it mean that the authors are worried that plaintext might be sent instead of encrypted text, or that the encryption can be decrypted? This should not be assumed. It needs to be asked or stated directly.

For example, Tor used to state in its log message after start:

This is experimental software. Do not rely on it for strong anonymity.

It required opening a ticket to clarify this and change this wording.

Similar discussion for Whonix: Whonix experimental for how long

Minor contradictions, confusing, outdated or non-ideal wording might also be found in the wiki. Once reported, things can be updated and clarified.

In conclusion, these words are not to be over-interpreted after extended periods of time. Simply nobody is working on rewording them from today’s perspective.

[1]

dpkg -l | grep --fixed-strings " 0."

[2] Confusing log about "experimental software" with stable versions (#2474) · Issues · Legacy / Trac · GitLab
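Footnote [1] above counts pre-1.0 packages with a grep over `dpkg -l` output. The following is an added example, not code from the post or from Whonix, that does the same count by parsing the version field explicitly: a Debian version is `[epoch:]upstream[-revision]`, so grepping for `" 0."` also matches text in the description column, and an epoch prefix such as `1:0.4.2` hides the leading zero from a stricter pattern. The sample input below is constructed; the `dpkg-query` call at the bottom is only attempted when the tool is present.

```python
"""Count installed Debian packages whose upstream version is below 1.0.

Added example (not from the forum post). The counting rule is: the
upstream part of the version has major component 0. Pre-releases of 1.0
written with a tilde (1.0~rc1) are NOT counted, because their major
component is already 1.
"""
import shutil
import subprocess

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = """\
apt 2.6.1
dpkg 1.21.22
libfoo0 0.9.8-2
bar 1:0.4.2-1ubuntu3
baz 2:1.0~rc1-1
qux 0.0.1+git20240101-1
quux 10.2
"""


def split_version(version):
    """Return (epoch, upstream, revision) for a Debian version string.

    Epoch is an integer prefix followed by ':' (0 if absent); the revision
    is everything after the LAST hyphen, and only exists if a hyphen exists.
    """
    epoch = 0
    rest = version
    head, sep, tail = version.partition(":")
    if sep and head.isdigit():
        epoch, rest = int(head), tail
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def upstream_major(upstream):
    """Leading numeric component of the upstream version (policy requires a digit first)."""
    digits = ""
    for ch in upstream:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else None


def is_pre_1_0(version):
    """True when the upstream major component is 0, regardless of epoch/revision."""
    _, upstream, _ = split_version(version)
    major = upstream_major(upstream)
    return major == 0


def parse_dpkg_query(text):
    """Turn 'package version' lines into a list of (package, version) tuples."""
    pairs = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            pairs.append((parts[0], parts[1].strip()))
    return pairs


def pre_1_0_packages(text):
    """Return (matching package names, total package count) for dpkg-query output."""
    pairs = parse_dpkg_query(text)
    matches = [pkg for pkg, ver in pairs if is_pre_1_0(ver)]
    return matches, len(pairs)


if __name__ == "__main__":
    text = SAMPLE
    if shutil.which("dpkg-query"):
        # Real system data when available; otherwise the constructed sample.
        text = subprocess.run(
            ["dpkg-query", "-W", "-f=${Package} ${Version}\n"],
            capture_output=True, text=True, check=True,
        ).stdout
    matches, total = pre_1_0_packages(text)
    print(f"{len(matches)} of {total} installed packages have a pre-1.0 upstream version")
    for name in matches:
        print("  ", name)
```

On a real system this prints a list long enough to make the footnote's point; the split into epoch, upstream and revision is the part to reuse if the question is instead "which packages are still at 0.x upstream", since the Debian revision and the epoch say nothing about upstream maturity.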

Please provide references.

I’ve tried to find references using perplexity:

  • soatok cryptographer

  • soatok cryptographer vs djb
