[tgsovlerkhgsel]

As I said - every single of my chat-app-militant contacts has migrated from XMPP (which they pushed early and aggressively) to Matrix, which includes groups like hacker spaces etc. (at least the ones that didn't just give up and migrate to closed solutions).

I literally have no single person to talk to on XMPP. The software names you mention all trigger flashbacks of horrible experiences, with my last experience even worse than my recent experience with Element, and unless they have been rewritten from scratch, I wouldn't be willing to install them again. At least I can run Element in a browser tab where it can't pwn my system...

There seem to be three incompatible standards for e2ee on XMPP, the latest being https://xmpp.org/extensions/xep-0384.html which is marked "experimental". I've never seen OpenPGP used, OTR was a compatibility nightmare, and I think by the time OMEMO started to be a thing XMPP started to stop being a thing.

[amatecha]

OMEMO is the only E2EE standard to use now (I mean, barring occasional outliers, but OMEMO is the norm). That's cool, I'm talking to people on XMPP every day with people who have zero intention of moving unless something better (by their definition) comes along. XMPP seems to be gaining popularity as one of the last possible options for a genuinely decentralized encrypted chat protocol that isn't beholden to a singular closed org/corp. I just personally onboarded like five people and they're all like "this is awesome" and.... wait, did you just say "at least I can run this in a browser tab where it can't pwn my system"? Please search "browser exploit rce" on your favorite search engine. Here's one from two weeks ago: https://windowsforum.com/threads/cve-2025-21279-remote-code-...

I used to have a couple 1:1 Matrix chats with friends where I was trying to bridge the whole "different OS" issue for E2EE chat. Neither of them use Matrix anymore, and we were all having issues with Signal (my account is still b0rked). It was just too much hassle. So I mean, the anecdotes go both ways here.

[mrusme]

I'm a fan and active user of XMPP. However, it unfortunately is true that encryption is a can of worms. OMEMO should be the standard, yet there is fragmentation in terms of the specific OMEMO spec version that clients use. Not even the most prominent clients keep up with the latest spec, as can be seen here [1]. One of the issues is, that everything prior to 0.4.0 uses AES-128-GCM, instead of the standard that is used by other platforms (eg Signal), that is AES-256-CBC with HMAC-SHA-256. In plain English this means that most mainstream XMPP clients do not offer encryption at a level that can and should be expected these days.

[1]: https://xmpp.org/extensions/#xep-0384-implementations

[dzaima]

Browser sandbox escape to userspace exploits are still much harder to make though, compared to... uh.. a userspace to userspace exploit, given that the latter takes literally (actually literally) zero effort, and as such you don't have one every couple weeks, but rather an ∞ of new exploits per second.

(that said, a web-based client has the aspect that an exploit could be inserted at any point with only a page restart necessary, whereas a native client would need updating; but hopefully you update your client, lest you start missing out on new protocol features!)

[genewitch]

Hey man, GNU Social still exists toooooo