by throwaway77384 966 days ago
This is baseless speculation, but I'm assuming Jabber is being targeted as it's famously used on darknet markets for drug trades (or other illicit activity). Goes to show that you should never just trust "it's encrypted, bro". You need to PGP your messages at the very least. Is PGP crackable by quantum computers? Will there be hardening against those kinds of attacks in the future? Since, if the messages have been hoovered up in encrypted form, it's just a matter of time until they get decrypted. And this appears to be done for just about all web traffic they can get their hands on... see https://en.wikipedia.org/wiki/Utah_Data_Center
3 comments

Jabber/XMPP has had e2e encryption for at least like 10-15 years. I used to use it with even my normie friends back when Facebook/Google Talk supported XMPP and you could use pidgin, kopete, etc.

Obviously securely exchanging keys with an anonymous drug dealer over the Internet is error-prone though...

This MITM may be part of the Genesis Market takedown, but it's just out of the blue.

https://therecord.media/genesis-market-takedown-cybercrime

A second layer of encryption would help, but I don't recommend PGP in particular.

If you haven't heard, it has lots of problems and a lot of people recommend avoiding it (for example https://www.latacora.com/blog/2019/07/16/the-pgp-problem/ / https://news.ycombinator.com/item?id=20455780)

"The PGP Problem" is generally misleading and is straight out wrong in some places. I ended up writing an article to save time:

* https://articles.59.ca/doku.php?id=pgpfan:tpp

PGP certainly has its problems, but isn't really special compared to other similar things. The big advantage that PGP has is that it is a stable and well known standard. There is a tendency to imply that it is insecure in some way, but no real evidence seems to exist to that effect.

> isn't really special compared to other similar things.

If you define "similar thing" as "kitchen-sink thing that tries to do everything like PGP does", then this is true, as no full alternatives exist, nor should they.

But for all practical applications? Pretty much every "other similar thing" that I have tried is _vastly_ simpler, more reliable, easier to debug and infinitely easier to script. For example, "seccure", "minisign", "age", even "ssh-keygen -Y". Especially cool are "seccure", which uses passphrases as private keys (no more private key files ever!), and "ssh-keygen -Y", which uses SSH keys that everyone already has anyway.

If you are writing new software and thinking about integrating PGP, do yourself a favor and look for alternatives. If it is something developer-oriented, I recommend using something based on SSH keys, like git does.
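To make the "ssh-keygen -Y" suggestion concrete, here is an added worked example (not code from the thread, the commenter, or any project mentioned) of signing a file with an SSH key and verifying it against an allowed_signers list, which is the same mechanism git uses for SSH-signed commits. It assumes OpenSSH 8.2 or newer on PATH; the key file name, the "ci@example" principal, the "demo" namespace and the sample manifest content are all made up for the demonstration.

```shell
#!/bin/sh
# Added example: sign/verify with `ssh-keygen -Y`. Not from the original page.
# Assumes OpenSSH >= 8.2 (ssh-keygen -Y). The principal "ci@example", the
# namespace "demo" and the manifest contents below are constructed.
set -eu

# Create a throwaway Ed25519 key pair in the given directory.
make_demo_key() {
  dir=$1
  ssh-keygen -q -t ed25519 -N '' -C 'ci@example' -f "$dir/id_ed25519"
}

# Build an allowed_signers file: "<principal> [options] <key-type> <base64-key>".
# Restricting the key to one namespace means a signature made for another
# purpose (e.g. git's "git" namespace) cannot be replayed as a release signature.
make_allowed_signers() {
  dir=$1; ns=$2
  printf 'ci@example namespaces="%s" %s\n' "$ns" \
    "$(cut -d' ' -f1,2 "$dir/id_ed25519.pub")" > "$dir/allowed_signers"
}

# Sign a file; ssh-keygen writes <file>.sig beside it. The namespace is bound
# into the signature, so the verifier has to ask for the same one.
sign_file() {
  key=$1; ns=$2; file=$3
  ssh-keygen -q -Y sign -f "$key" -n "$ns" "$file"
}

# Verify against allowed_signers. Exit status 0 only if the signature is valid,
# the key is listed for that principal, and the namespace matches.
verify_file() {
  signers=$1; principal=$2; ns=$3; file=$4
  ssh-keygen -q -Y verify -f "$signers" -I "$principal" -n "$ns" \
    -s "$file.sig" < "$file"
}

# End-to-end check. Returns 0 only if the genuine file verifies AND both a
# tampered copy and a wrong-namespace check are rejected.
ssh_sig_demo() {
  dir=$(mktemp -d)
  ns=demo
  make_demo_key "$dir"
  make_allowed_signers "$dir" "$ns"
  # Constructed sample input standing in for a release manifest.
  printf 'release-1.2.3.tar.gz sha256=deadbeef\n' > "$dir/manifest"
  sign_file "$dir/id_ed25519" "$ns" "$dir/manifest"

  rc=1
  if verify_file "$dir/allowed_signers" ci@example "$ns" "$dir/manifest" >/dev/null; then
    # Tamper with the signed content but keep the old signature: must fail.
    printf 'release-1.2.3.tar.gz sha256=badc0ffee\n' > "$dir/tampered"
    cp "$dir/manifest.sig" "$dir/tampered.sig"
    if ! verify_file "$dir/allowed_signers" ci@example "$ns" "$dir/tampered" 2>/dev/null \
       && ! verify_file "$dir/allowed_signers" ci@example other "$dir/manifest" 2>/dev/null; then
      rc=0
    fi
  fi
  rm -rf "$dir"
  return $rc
}
```

Run `ssh_sig_demo` after sourcing the script; it exits 0 when the genuine manifest verifies and both negative cases are rejected. The allowed_signers file is the trust anchor here, which is the same problem the thread raises for any scheme: whoever controls that list (or the public key you first accepted) decides who counts as a legitimate signer, so it has to be distributed and checked out of band.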

Most clients also support OMEMO now
doesn't OMEMO have the problem that you have to verify every session from all your sessions, which is practically infeasible?
If you are serious about needing e2ee, using few sessions (well, devices) and actually verifying fingerprints OOB is a must, and that's true for all E2EE methods AFAIK?
> and actually verifying fingerprints OOB is a must, and that's true for all E2EE methods AFAIK?

most E2EE messaging services (e.g. Matrix, Signal, WhatsApp) enable verifying other people instead of devices, reducing the required verifications for one person to 1 instead of 1 per session

More like every device from all your devices. That comes from the Signal protocol. If you want one verification per user then that would be PGP.
> More like every device from all your devices.

no, you could have multiple sessions per device, e.g. desktop client and browser tab

> That comes from the Signal protocol.

no, Signal doesn't require this