XMPP Onion Service Only (no clearnet)

Does anyone know if there’s a guide showing how to create an XMPP client and login only using Tor Onion Services?

Even the docs at coy.im (probably the most secure-by-default XMPP client) suggest that you use username@coy.im. No, I don’t want to enter a clearnet address anywhere.

Is it possible to use only a .onion to create and login with an XMPP account?

3 Likes

Might be useful to post feature requests against servers that seem interested in supporting privacy.

1 Like

My best-guess is that the JID (Jabber Identifier) used for login is usually a clearnet domain to permit federation between XMPP servers without Onion Services, but it’s just a guess; I haven’t found anything that says this.

It seems like there would be a niche use-case for some folks who would be fine with just having Tor ↔ Tor communications. It greatly reduces the number of people you can message, but it greatly increases the privacy of your communications, and reduces the risk of metadata leakage, deanonymization attacks, correlation attacks, MITM attacks, etc.


I’m struggling to even find a list of XMPP servers with Onion Services.

I found this, but only a few of them appear to be online. Unless these .onions only run XMPP servers (and they have no HTTP web server listening on port 80…)

Part of the problem is that I can’t find much info about how to use XMPP with Onion Services on the 'net.

2 Likes


Since I don’t even know many XMPP server providers, I’m starting with the services that list XMPP servers. I created tickets for the following websites:

  1. https://list.jabber.at (ticket)
  2. https://providers.xmpp.net (ticket)
  3. Jabber/XMPP Server List (ticket)
  4. XMPP | XMPP Software (ticket)
  5. GitHub - bluszcz/awesome-xmpp: A curated list of delightful XMPP related resources. (ticket)
  6. GitHub - ChatSecure/xmpp-server-list: Public XMPP server list and metadata in JSON format (ticket)
  7. Public XMPP servers with Tor Hidden Service · GitHub (comment)

The only “XMPP Server List” site that I found with Onion Services is here:

…but every one of them appears to have a clearnet address :frowning:

Update: here’s the hardcoded list of XMPP servers with v3 Onion Services from the CoyIM project: coyim/servers/known.go at main · coyim/coyim · GitHub

2 Likes

See also hsdir - How to test if Onion Service is still alive (hidden service descriptor query)? - Tor Stack Exchange

2 Likes

See also:

2 Likes

Serivce → Service.

Update: using the XMPP server instance lists linked above, I collected a total of 29 Onion Services for XMPP servers:

2n3tvihf4n27pqyqdtcqywl33kbjuv2kj3eeq6qvbtud57jwiaextmid.onion
32qywqnlnqzbry42nmotr47ebts3k6lhiwfob6xniosmepz2tsnsx7ad.onion
4colmnerbjz3xtsjmqogehtpbt5upjzef57huilibbq3wfgpsylub7yd.onion
6voaf7iamjpufgwoulypzwwecsm2nu7j5jpgadav2rfqixmpl4d65kid.onion
6w5iasklrbr2kw53zqrsjktgjapvjebxodoki3gjnmvb4dvcbmz7n3qd.onion
7drfpncjeom3svqkyjitif26ezb3xvmtgyhgplcvqa7wwbb4qdbsjead.onion
ae3w7fkzr3elfwsk6mhittjj7e7whme2tumdrhw3dfumy2hsiwomc3yd.onion
chillingguw3yu2rmrkqsog4554egiry6fmy264l5wblyadds3c2lnyd.onion
fzdx522fvinbaqgwxdet45wryluchpplrkkzkry33um5tufkjd3wdaqd.onion
gku6irp4e65ikfkbrdx576zz6biapv37vv2cmklo2qyrtobugwz5iaad.onion
gois4b6fahhrlsieupl56xd6ya226m33abzuv26vgfpuvv44wf6vbdad.onion
j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion
jabjabdea2eewo3gzfurscj2sjqgddptwumlxi3wur57rzf5itje2rid.onion
jaswtrycaot3jzkr7znje4ebazzvbxtzkyyox67frgvgemwfbzzi6uqd.onion
jeirlvruhz22jqduzixi6li4xyoweytqglwjons4mbuif76fgslg5uad.onion
jukrlvyhgguiedqswc5lehrag2fjunfktouuhi4wozxhb6heyzvshuyd.onion
mrbenqxl345o4u7yaln25ayzz5ut6ab3kteulzqusinjdx6oh7obdlad.onion
nixnet54icmeh25qsmcsereuoareofzevjqjnw3kki6oxxey3jonwwyd.onion
qawb5xl3mxiixobjsw2d45dffngyyacp4yd3wjpmhdrazwvt4ytxvayd.onion
qwikoouqore6hxczat3gwbe2ixjpllh3yuhaecixyenprbn6r54mglqd.onion
qwikxxeiw4kgmml6vjw2bsxtviuwjce735dunai2djhu6q7qbacq73id.onion
razpihro3mgydaiykvxwa44l57opvktqeqfrsg3vvwtmvr2srbkcihyd.onion
rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion
szd7r26dbcrrrn4jthercrdypxfdmzzrysusyjohn4mpv2zbwcgmeqqd.onion
xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion
xiynxwxxpw7olq76uhrbvx2ts3i7jagqnqix7arfbknmleuoiwsmt5yd.onion
xmppccwrohw3lmfap6e3quep2yzx3thewkfhw4vptb5gwgnkttlq2vyd.onion
ynnuxkbbiy5gicdydekpihmpbqd4frruax2mqhpc35xqjxp5ayvrjuqd.onion
yxkc2uu3rlwzzhxf2thtnzd7obsdd76vtv7n34zwald76g5ogbvjbbqd.onion

I hacked together a script (using python and stem) to query the Tor network directory for hidden service descriptors for each of the above v3 Onion Services.

Of those, only 22 were still “online”:

2n3tvihf4n27pqyqdtcqywl33kbjuv2kj3eeq6qvbtud57jwiaextmid.onion
32qywqnlnqzbry42nmotr47ebts3k6lhiwfob6xniosmepz2tsnsx7ad.onion
4colmnerbjz3xtsjmqogehtpbt5upjzef57huilibbq3wfgpsylub7yd.onion
6voaf7iamjpufgwoulypzwwecsm2nu7j5jpgadav2rfqixmpl4d65kid.onion
ae3w7fkzr3elfwsk6mhittjj7e7whme2tumdrhw3dfumy2hsiwomc3yd.onion
chillingguw3yu2rmrkqsog4554egiry6fmy264l5wblyadds3c2lnyd.onion
fzdx522fvinbaqgwxdet45wryluchpplrkkzkry33um5tufkjd3wdaqd.onion
gku6irp4e65ikfkbrdx576zz6biapv37vv2cmklo2qyrtobugwz5iaad.onion
gois4b6fahhrlsieupl56xd6ya226m33abzuv26vgfpuvv44wf6vbdad.onion
j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion
jabjabdea2eewo3gzfurscj2sjqgddptwumlxi3wur57rzf5itje2rid.onion
jaswtrycaot3jzkr7znje4ebazzvbxtzkyyox67frgvgemwfbzzi6uqd.onion
jeirlvruhz22jqduzixi6li4xyoweytqglwjons4mbuif76fgslg5uad.onion
nixnet54icmeh25qsmcsereuoareofzevjqjnw3kki6oxxey3jonwwyd.onion
qwikoouqore6hxczat3gwbe2ixjpllh3yuhaecixyenprbn6r54mglqd.onion
qwikxxeiw4kgmml6vjw2bsxtviuwjce735dunai2djhu6q7qbacq73id.onion
rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion
szd7r26dbcrrrn4jthercrdypxfdmzzrysusyjohn4mpv2zbwcgmeqqd.onion
xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion
xiynxwxxpw7olq76uhrbvx2ts3i7jagqnqix7arfbknmleuoiwsmt5yd.onion
xmppccwrohw3lmfap6e3quep2yzx3thewkfhw4vptb5gwgnkttlq2vyd.onion
yxkc2uu3rlwzzhxf2thtnzd7obsdd76vtv7n34zwald76g5ogbvjbbqd.onion

I tried to load each of these with curl, but most didn’t have a web service running.

Of those, only 9 had a response of some kind on curl:

6voaf7iamjpufgwoulypzwwecsm2nu7j5jpgadav2rfqixmpl4d65kid.onion
ae3w7fkzr3elfwsk6mhittjj7e7whme2tumdrhw3dfumy2hsiwomc3yd.onion
fzdx522fvinbaqgwxdet45wryluchpplrkkzkry33um5tufkjd3wdaqd.onion
j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion
jabjabdea2eewo3gzfurscj2sjqgddptwumlxi3wur57rzf5itje2rid.onion
nixnet54icmeh25qsmcsereuoareofzevjqjnw3kki6oxxey3jonwwyd.onion
qwikxxeiw4kgmml6vjw2bsxtviuwjce735dunai2djhu6q7qbacq73id.onion
rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion
xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion

Some of these didn’t allow signups. Some just responded with a cert error or a gateway timeout.

Of those, only 5 appeared to be usable:

fzdx522fvinbaqgwxdet45wryluchpplrkkzkry33um5tufkjd3wdaqd.onion
j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion
jabjabdea2eewo3gzfurscj2sjqgddptwumlxi3wur57rzf5itje2rid.onion
nixnet54icmeh25qsmcsereuoareofzevjqjnw3kki6oxxey3jonwwyd.onion
qwikxxeiw4kgmml6vjw2bsxtviuwjce735dunai2djhu6q7qbacq73id.onion

I couldn’t figure out how to sign up & log in using only the Onion Service on any of those XMPP server instances. So I emailed all of the admins for each of the above Onion Services.

Of those, only two admins responded to my emails:

jabjabdea2eewo3gzfurscj2sjqgddptwumlxi3wur57rzf5itje2rid.onion
qwikxxeiw4kgmml6vjw2bsxtviuwjce735dunai2djhu6q7qbacq73id.onion

After a quick back-and-forth, both XMPP server admins told me that it is only possible to login with a JID using their clearnet domains :frowning:

I asked them why and if they could support this in the future.

2 Likes
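The descriptor check described in the post above, as an added example that is not the poster's script (the original used stem and is not shown here): this version speaks the tor control protocol directly, so the only dependency is a running tor. Everything it assumes is an assumption, not something stated in the thread: a tor daemon on localhost with ControlPort 9051, either no control-port authentication or a HashedControlPassword supplied as `password`, and tor 0.4.1 or later so that HSFETCH accepts v3 addresses. Before any network round trip it validates each address's embedded checksum and version byte, which catches a mangled copy-paste from a server list.

```python
"""Which v3 onion services from a list still publish a descriptor?

Added example, not the poster's stem script. HSFETCH asks tor to pull the
service's descriptor from the HSDirs; HS_DESC events report RECEIVED or
FAILED. Assumed (not in the thread): tor on localhost, ControlPort 9051,
no auth or a HashedControlPassword, tor >= 0.4.1 for v3 HSFETCH.
"""
import base64
import hashlib
import socket
import time

VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def decode_onion_v3(address: str):
    """Return the 32-byte ed25519 key if `address` is a well-formed v3 onion
    address, else None. Layout: base32(pubkey || checksum[:2] || version)."""
    name = address.strip().lower().removesuffix(".onion")
    if len(name) != 56:
        return None
    try:
        raw = base64.b32decode(name, casefold=True)
    except ValueError:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return None
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]
    return pubkey if checksum == expected else None


def encode_onion_v3(pubkey: bytes) -> str:
    """Inverse of decode_onion_v3; useful for building known-good addresses."""
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def parse_hs_desc_event(line: str):
    """Parse '650 HS_DESC <action> <address> <authtype> <hsdir> [REASON=..]'."""
    parts = line.strip().split()
    if len(parts) < 4 or parts[0] != "650" or parts[1] != "HS_DESC":
        return None
    reason = None
    for field in parts[4:]:
        if field.startswith("REASON="):
            reason = field[len("REASON="):]
    return {"action": parts[2], "address": parts[3].lower(), "reason": reason}


def hsfetch_status(addresses, host="127.0.0.1", port=9051, password=None, wait=90.0):
    """Map each address to 'online', 'failed:<REASON>' or 'no_descriptor'.
    Needs a live tor daemon; malformed addresses are rejected locally first."""
    names = []
    for a in addresses:
        if decode_onion_v3(a) is None:
            raise ValueError(f"not a valid v3 onion address: {a}")
        names.append(a.strip().lower().removesuffix(".onion"))
    status = {n: "no_descriptor" for n in names}
    deadline = time.monotonic() + wait
    sock = socket.create_connection((host, port), timeout=wait)
    rd = sock.makefile("r", encoding="ascii")

    def on_event(line):
        ev = parse_hs_desc_event(line)
        if ev and ev["address"] in status:
            if ev["action"] == "RECEIVED":
                status[ev["address"]] = "online"      # a later RECEIVED overrides a FAILED
            elif ev["action"] == "FAILED" and status[ev["address"]] != "online":
                status[ev["address"]] = "failed:" + (ev["reason"] or "UNKNOWN")

    def command(line):
        sock.sendall((line + "\r\n").encode("ascii"))
        while True:                      # async 650 events may interleave with replies
            reply = rd.readline().strip()
            if reply.startswith("650"):
                on_event(reply)
            elif reply.startswith("250"):
                return
            else:
                raise RuntimeError(f"{line.split()[0]} rejected: {reply}")

    command('AUTHENTICATE "%s"' % password if password is not None else "AUTHENTICATE")
    command("SETEVENTS HS_DESC")
    for n in names:
        command("HSFETCH " + n)
    while time.monotonic() < deadline and "no_descriptor" in status.values():
        sock.settimeout(max(1.0, deadline - time.monotonic()))
        try:
            line = rd.readline()
        except socket.timeout:
            line = ""
        if not line:
            break
        on_event(line)
    sock.close()
    return status
```

`hsfetch_status(["2n3tvihf4n27pqyqdtcqywl33kbjuv2kj3eeq6qvbtud57jwiaextmid.onion"])` returns a dict keyed by the bare address. Tor queries several HSDirs for one HSFETCH, so a `FAILED ... REASON=NOT_FOUND` from the first one is not final; the loop keeps reading until a RECEIVED arrives or `wait` runs out, and only an address that never produced RECEIVED is reported as down.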

While it might be possible, it would probably break federation with non-Tor XMPP servers – if not breaking federation with all other XMPP servers.

I still think it could be useful for a single org to have local-only XMPP communications, secured with the assurance that a user couldn’t accidentally connect to the XMPP server without connecting to the Onion Service, but couldn’t find any XMPP servers that only run on an Onion Service nor let you create an account with a JID (Jabber IDentifier) that uses the Onion Service.

Chris (admin at jabjab) responded to my question:

Hi Michael,

I see no practical use for that. XMPP is about federation. With an “onion” username, you only could chat with people within the tor network (I actually don’t want the support mails “I can’t reach my friend …”).

On the other hand, I don’t see any improvement. You can connect via tor for your own privacy and to avoid metadata. Furthermore, due to an agreement between xmpp admins, encryption between servers is mandatory (I can’t find the link right now, there was a github page about that, it happened several years ago). Additionally, you can use omemo to use end-to-end encryption for your messages.

Third, there is the technical point: Out of my head, I have no idea, how to tell my xmpp server that this message has to be routed through the tor network and that other one over the public internet.
You also would have to make some exceptions for self-signed certificates.

I believe that those are the reasons why there is no .onion domain for xmpp out there.

–Chris

Chris later linked to this document titled A Public Statement Regarding Ubiquitous Encryption on the XMPP Network, in which 75 Jabber stakeholders (XMPP RFC author, instance operators, etc) agreed to enforce TLS transfer encryption between XMPP servers back in 2014. This is a huge plus (compared to email, in which it’s a violation of RFC 2487 to require encryption), but it does not provide end-to-end encryption that we expect in 2025.

I asked if it’s possible for XMPP servers to enforce OMEMO encryption (a layered security preference to mitigate the risk of client-side misconfiguration or accidental human error), and they said no.

OMEMO mostly happens on the client side. The server only stores the public key of each device you are using.

XEP-0384: OMEMO Encryption

It is not possible to force OMEMO encryption because it is initiated or denied by the clients.

You may quote me, but I don’t see myself as an “expert”. I run an xmpp server.

–Chris

Meta: why can’t I mark this as the “Solution” to this thread?

2 Likes
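The connection Chris describes ("you can connect via tor for your own privacy"), as an added example that is not code from CoyIM or from anyone in the thread: a Python probe that tunnels to the onion service through Tor's SOCKS5 port using a domain-name CONNECT (so the `.onion` name is handed to tor and never resolved locally), opens an XMPP stream whose `to` is the clearnet JID domain rather than the onion name, and reports what the server offers before any credential is sent: whether STARTTLS is required, which SASL mechanisms are listed, and whether in-band registration (XEP-0077) is advertised, which is the signup question the thread keeps running into. Assumptions not in the thread: tor's SOCKS listener on 127.0.0.1:9050; `example.org` and whatever onion name you pass to `probe()` are placeholders; `SAMPLE_FEATURES` is constructed, not captured from any server listed above.

```python
"""Open an XMPP client stream to a server's onion service through Tor's SOCKS
port and read what the server advertises before any credential is sent.

Added example, not code from CoyIM or from the thread. Assumed (not in the
thread): tor's SOCKS5 listener is on 127.0.0.1:9050; the domain and onion
passed to probe() are placeholders for a real pair.
"""
import socket
import struct
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_REGISTER = "http://jabber.org/features/iq-register"

# Constructed sample of a server's reply; not captured from any real server.
SAMPLE_FEATURES = (
    "<stream:stream xmlns='jabber:client' xmlns:stream='%s' id='c0ffee' "
    "from='example.org' version='1.0'>"
    "<stream:features>"
    "<starttls xmlns='%s'><required/></starttls>"
    "<mechanisms xmlns='%s'><mechanism>SCRAM-SHA-1</mechanism>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "<register xmlns='%s'/>"
    "</stream:features>"
) % (NS_STREAM, NS_TLS, NS_SASL, NS_REGISTER)


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT with ATYP 0x03 (domain name): the name travels to tor as text,
    so the .onion lookup never reaches the local resolver."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-handshake")
        buf += chunk
    return buf


def socks5_open(host: str, port: int, proxy=("127.0.0.1", 9050), timeout=60.0):
    """Return a TCP socket to host:port tunnelled through Tor's SOCKS5 port."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(b"\x05\x01\x00")                  # version 5, one method: no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("SOCKS5 greeting rejected")
    sock.sendall(socks5_connect_request(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep:#x}")
    if atyp == 1:                                  # drain BND.ADDR by type
        _recv_exact(sock, 4)
    elif atyp == 4:
        _recv_exact(sock, 16)
    elif atyp == 3:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    _recv_exact(sock, 2)                           # BND.PORT
    return sock


def stream_header(domain: str) -> bytes:
    """'to' is the JID domain (clearnet); the onion only says where TCP goes."""
    return (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
            f"xmlns='jabber:client' xmlns:stream='{NS_STREAM}'>").encode()


def parse_stream_features(data: str) -> dict:
    """Summarise the <stream:features> element in raw server output."""
    empty = {"starttls": False, "starttls_required": False,
             "mechanisms": [], "inband_registration": False}
    start = data.find("<stream:features")
    if start < 0:
        raise ValueError("no <stream:features> in input")
    if data.startswith("<stream:features/>", start):
        return empty
    end = data.find("</stream:features>", start)
    if end < 0:
        raise ValueError("<stream:features> not complete")
    snippet = data[start:end + len("</stream:features>")]
    root = ET.fromstring(f"<r xmlns:stream='{NS_STREAM}'>{snippet}</r>")
    starttls = root.find(f".//{{{NS_TLS}}}starttls")
    return {
        "starttls": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "mechanisms": [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")],
        "inband_registration": root.find(f".//{{{NS_REGISTER}}}register") is not None,
    }


def probe(domain: str, onion: str, port: int = 5222) -> dict:
    """Connect to the onion, open a stream for `domain`, return pre-TLS features."""
    sock = socks5_open(onion, port)
    sock.sendall(stream_header(domain))
    data = b""
    while b"</stream:features>" not in data and b"<stream:features/>" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    sock.close()
    return parse_stream_features(data.decode("utf-8", "replace"))
```

To go further, send `<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>`, wait for `<proceed/>`, then wrap the socket with `ssl.create_default_context().wrap_socket(sock, server_hostname=domain)`. The certificate is checked against the clearnet JID domain, not the onion name: that is why a server's existing certificate still verifies when you reach it over Tor, and why a `.onion` JID would need the certificate exceptions Chris mentions.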

Discourse Solved is not enabled for the General Tor and Anonymity Talk category.

Discourse Solved - Plugin - Discourse Meta isn’t installed here.

1 Like