Over the past few years I have gone through a bunch of different apps and protocols to find the best one for “securely” communicating with my family and friends.
I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.
Monal for IOS and Cheogram/Conversations/Quicksy for Android. The android app I install depends on if I can get F-Droid on their phone or not.
It’s been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.
Jabber (friendly name for xmpp) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.
But the capabilities of XMPP makes it better.
Signal Cons (immediete)
- Centralized
- Single app
- Phone numbers
XMPP/Jabber Cons
- Picking server
- Apps are sort of less friendly
What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I’ve heard really wants us to use their server.
If XMPP gets more attention I’m sure we can get people supporting projects and creating better apps.
I keep seeing people recommended Signal instead.
This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.


Signal is a much better recommendation when leaving Telegram. And the OMEMO implementation concerns are something I need to consider. That unprofessional response from one of the devs is not a good look at all.
Though as a comment pointed out, control of servers is like the one main checkbox that I really need filled.
On the point about clients not being OMEMO by default or enforced. This isn’t the biggest issue for me. I’m not doing crimes, but I still wouldn’t want my saucy messages to be read by server admins or third parties. Whenever I message somebody, I confirm that they are the proper recipient and are using OMEMO. And the clients I found myself comfortable with all support PGP key use instead. (That would be Cheogram & Gajim if anyone was interested.)
This was a great read though, at least to me. It gave me some thoughts to consider.
I’m gonna look into what kind of threats these improper dependency versions and such might pose. Hopefully by now most of these issues have been resolved.
The biggest thing is getting people into the loop of “secure apps” before they really need it.