XMPP insecure? OTR enough?

Hello,

I’ve one question about the XMPP protocol along with its use on Whonix.

Let’s say we use Pidgin/Gajim and we connect to a normal Jabber server (normal domain), create an account and use it like usual, but as I need to connect via an exit node, could it spy on me and read everything I write? Or is it safe when I use XMPP with OTR even if I’m connecting to their domain, because some providers don’t have a .onion address?

XMPP is a communication spec and protocol. By itself it doesn’t bake in encryption by default, but is supported as a transport by encryption implementations added on top of it. OTR is the older crypto method being replaced by OMEMO for its offline messaging and encrypted group chat features.

You are confusing privacy with anonymity. OMEMO protects content of communications but these messages are still tied to pseudonyms visible to the server. If any member of the chat created their account without using Tor or by volunteering deanonymizing info like clearnet emails and passwords, it will be easy for the server or anyone watching it to know who the participants are. This is metadata and is just as important if not more than what is being said.
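
To make the metadata point in the reply above concrete, here is an added example (not part of either post): Python that parses constructed OMEMO-style message stanzas and lists what the routing server can still read without any keys. The stanza layout follows the legacy OMEMO namespace; all JIDs, device ids and payloads are made up, and `stanza`, `server_view` and `contact_graph` are hypothetical helper names.

```python
import base64
import xml.etree.ElementTree as ET
from collections import Counter

C = "{jabber:client}"
O = "{eu.siacs.conversations.axolotl}"  # legacy OMEMO namespace (XEP-0384 v0.3)

def stanza(frm, to, sid, rids, size):
    """Build a constructed OMEMO-style <message/>; keys and payload are filler bytes."""
    keys = "".join(f'<key rid="{r}">AAAA</key>' for r in rids)
    payload = base64.b64encode(b"\x00" * size).decode()
    return (f'<message xmlns="jabber:client" from="{frm}" to="{to}" type="chat">'
            f'<encrypted xmlns="eu.siacs.conversations.axolotl">'
            f'<header sid="{sid}">{keys}<iv>AAAA</iv></header>'
            f'<payload>{payload}</payload></encrypted></message>')

def server_view(xml_text):
    """Return the fields a server can read from one stanza without decrypting it."""
    msg = ET.fromstring(xml_text)
    enc = msg.find(O + "encrypted")
    header = enc.find(O + "header")
    return {
        "from": msg.get("from").split("/")[0],          # sender pseudonym (bare JID)
        "resource": msg.get("from").partition("/")[2],  # which client/device label
        "to": msg.get("to").split("/")[0],              # recipient pseudonym
        "sender_device": header.get("sid"),
        "recipient_devices": [k.get("rid") for k in header.findall(O + "key")],
        "ciphertext_bytes": len(base64.b64decode(enc.findtext(O + "payload"))),
        "plaintext": msg.findtext(C + "body"),          # None: content stays hidden
    }

def contact_graph(stanzas):
    """Count messages per (sender, recipient) pair: who talks to whom, how often."""
    return Counter((v["from"], v["to"]) for v in map(server_view, stanzas))

# Constructed sample traffic, not captured from any real server.
SAMPLE = [
    stanza("alice@example.org/laptop", "bob@example.net", 27183, [31415, 31416], 48),
    stanza("alice@example.org/phone", "bob@example.net", 27184, [31415, 31416], 16),
    stanza("bob@example.net/desktop", "alice@example.org", 31415, [27183, 27184], 160),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(server_view(s))
    print(contact_graph(SAMPLE))
```

The message text never appears in the output, but the pseudonyms, device counts, message sizes and the contact graph do, which is why account creation over Tor and without identifying details matters as much as the encryption.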