I’ve been inspecting this topic quite a lot and I’m a little confused now. So, we have reasons not to use Signal, reasons not to use Matrix, and there were also some claims about Session being a fraud. Briar is mostly activist-related (not very suitable for daily use), XMPP lacks good clients and suffers from fragmentation of protocol standards implementation, SimpleX is too feature-incomplete (no UnifiedPush support, big battery drain on Android, very decent desktop client without any message sync). I can’t say a lot about Threema or Wire, as I’m not very familiar with them.

So, my question is — is there any good private messenger at all? What do you think is the most acceptable option?

EDIT: In addition to my post:

All messengers have their flaws, I’m well aware of that. I was interested in hearing users’ opinions regarding these shortcomings, not in finding the perfect messenger. I may have worded my thoughts incorrectly, sorry for that.

  • rcbrk@lemmy.ml · 19 up · edited · 2 days ago

    XMPP lacks good clients and suffers from fragmentation of protocol standards implementation

    • For Android: Conversations is excellent, also on F-Droid if you don’t want to use the Google store.
    • For iOS/macOS: Siskin or Monal.
    • For Linux/Windows: Gajim; for Linux: Dino.

    “Protocol fragmentation” is not a valid complaint about XMPP – it’s like complaining that ActivityPub is fragmented; but that’s not a problem: you use the services (Mastodon, Lemmy, Kbin, etc) built with it which suit your needs, mostly interacting with that sector of the federation (eg, Lemmy+Kbin), but get a little interoperability with other sectors as a bonus (eg, Lemmy+Mastodon).

  • Dessalines@lemmy.ml · 34 up, 6 down · 2 days ago

    Almost all those can be self-hosted and built from source, so Matrix, XMPP, SimpleX are fine. Don’t use anything that uses a centralized server in a Five Eyes country, like Signal or Threema.

    • MonkderVierte@lemmy.ml · 3 up · 2 days ago

      How is Threema in a Five Eyes country?

      I mean, sure, only the clients are open source. Don’t use it for that.

  • d-RLY?@lemmy.ml · 3 up · 2 days ago

    Kind of limited due to there not being an iOS version, but Briar is pretty decent. It was made to be usable in repressive areas by press and other groups, as well as in areas where bad weather has taken out cell and regular wifi. Can be used with phone data, but also offline via ad-hoc wifi and bluetooth. But stuff like Signal and SimpleX are more overall useful to more people (and I think SimpleX also supports offline use when devices are in the immediate local area of each other, like wifi and bluetooth, but I don’t remember atm).

  • toastal@lemmy.ml · 2 up · 12 hours ago

    XMPP clients are fine, albeit all, as many as they are, slightly different, as is the nature of the protocol. This just means there is value in contributing to existing clients, creating new clients, or embracing progressive enhancement (which most do, for example with emoji reactions just being a quoted text reply & so on) & complete feature parity is a fool’s errand if you want an extensible protocol with diversity & experimentation in the community. With the broad exception of the Conversations Compliance, there isn’t a flagship client & instead the best ideas come to the most used or most innovative clients. I use Cheogram, Profanity, Gajim, Dino, Movim at different times (& would love to create my own). The protocol is stable, healthy, & ready for proposals for improvement.

    If I compare this to the more-expensive-by-all-metrics-to-run Matrix, if it ain’t Element, you gotta problem, since a vast majority of users are on it & using all of its features & no other client has anything near parity but they are expected to have parity instead of allowing things to sometimes be gracefully missed or shown in a less than ideal manner as acceptable. This hurts experimentation. Good luck trying anything similar to GDPR when all nodes are designed & required to duplicate all messages & attachments for all users to every server anyone in it comes from.

    The only real gotcha, the same gotcha as Matrix when using multiple clients with double-ratchet encryption (à la Signal), is that clients will expire keys that haven’t been seen in a while & it is hard to get both devices re-trusting one another. Turning it off & on again rarely works & sometimes requires fiddling on both ends. I really should just use PGP for encryption more often…

  • Zexks@lemmy.world · 1 up, 8 down · 2 days ago

    There’s no such thing as private on the internet. Sometime after the nineties everyone forgot that.

      • Zexks@lemmy.world · 3 up, 4 down · 2 days ago

        No I’m not. Google up police cracking criminal crypto wallets. These kinds of responses are exactly why this question got asked.

      • Zexks@lemmy.world · 1 up, 3 down · 2 days ago

        Do you need links to police cracking people’s crypto wallets? That’s about as secure as you’re going to get now and it’s still not enough. So what else have you got?

    • EngineerGaming@feddit.nl · 8 up, 1 down · 2 days ago

      There is no such thing as a binary choice between “absolutely private” and “absolutely non-private”.

      • EngineerGaming@feddit.nl · 1 up, 1 down · 2 days ago

        This is not binary like this either. There are a TON of variables.

        • You can have the IPs you communicate with visible to your ISP directly, or hidden from an ISP but visible to a VPN, or hidden from ISP but visible to the Tor network, the safety of which depends on “against whom”.
        • You can have your messages encrypted in transit but visible to the messaging server, or encrypted end-to-end and thus useless to the messaging server too.
        • You can have the identity you post under bound to an identity outright, or you could obfuscate that.
        • You can use a centralized messenger that has your whole communication graph and all metadata, or you can use a federated one with multiple identities and thus metadata scattered across multiple places. Or Briar that doesn’t have servers at all.

        All depends on whom you want to be private against, as well as how much effort they want to put into getting your information. There is no “absolute privacy”… But there is “requiring more effort from the chosen adversary than you’re worth”.

      • Zexks@lemmy.world · 1 up, 2 down · 2 days ago

        You’re either connected or disconnected. There is no in between. All you can do is toggle between them and hope no one is paying attention.

  • sibachian@lemmy.ml · 2 up · 2 days ago

    DeltaChat. I don’t use it myself because it’s built on Electron (which basically excludes 99% of modern chat clients); but as it’s technically an email client turned into a chat client, we can assume you’re protected by PGP when writing to most users, with the added effect of not needing to convince anyone to install anything, since from their end it’s just an email.

    • khalil@beehaw.org · 2 up · 2 days ago

      E-mail is horrible for privacy, spam, instant messaging, etc. PGP “works” in very limited scenarios, and e-mail is not really one of them.

      Plus these two statements seem implausible to me:

      we can assume you’re protected by PGP when writing to most users,

      and

      and with the added effect of not needing to convince anyone to install anything since from their end it’s just an email.

      I disagree with the first statement: most users don’t know what PGP is and therefore don’t have keys, so you can’t encrypt anything to them. The only way most users would use PGP is if something sets it up for them, à la Protonmail, or by using some special client. Since you’ve said that from their end it is just an e-mail, how does DeltaChat add any meaningful encryption?

  • Daklon@beehaw.org · 6 up · 2 days ago

    I’m using SimpleX without problems. I get all notifications and didn’t notice an increased battery drain.

  • dingdongitsabear@lemmy.ml · 6 up, 2 down · 2 days ago

    good messenger for what?

    if you want a solution for you and a bunch of your henchmen to coordinate and discuss totally-not-crimes with ephemeral comms, practically any E2EE solution will work; once the not-crime is done, burn your accounts and toss the devices for good measure and you’re scot-free.

    if you want a secure messenger that’s part of a widely used communication platform where you can also do normal people shit and also convert normal people to actually use it (think getting contact deets from cute boy/girl at a bar or giving yours to a business correspondent without an elaborate powerpoint presentation on how to use it) and you want to enjoy the fruits of 20+ years of continuous IM development, like having top-notch UX, battery efficiency, network resiliency, quality voice/video calls, etc., without being spied on then such a thing doesn’t exist.

    how come? meredith baxter recently stated that it costs signal $50MM/yr to run their infra. that money has to come from somewhere. if there are no advertising dolts dumping cash on spying on your social graph and convos, the remaining avenues for financing are few and far between.

    in closing, there aren’t any super awesome messengers you weren’t aware of, everything is shit.

  • jherazob@beehaw.org · 22 up · 2 days ago

    Snikket is an attempt to solve the XMPP issues, or at least to reduce them: a single all-in-one XMPP server distro and clients across platforms, and since it’s self-hosted no one should get their hands on your data (in normal circumstances).

    That said, the saying goes “Perfect is the enemy of Good”. Just because a solution is not perfect doesn’t make it unusable, any of those options you mention full of problems are a helluva better than FB Messenger or plain SMS for example. Depending on your threat model they might be more than enough.

  • troed@fedia.io · 19 up, 1 down · 2 days ago

    I don’t consider those comments regarding Matrix as problematic. Don’t use someone else’s server if you don’t trust them - including a third party lookup server.

    /selfhosting Matrix

    • toastal@lemmy.ml · 1 up · 12 hours ago

      There’s a 90% chance the other end of your conversation will be with someone on matrix.org or a server they host for an organization. Like email, where your other end is likely still using Google or Microsoft, the metadata & anything else unencrypted is going to be synced back to the centralized server.

    • AlphaAutist@lemmy.world · 2 up · 2 days ago

      The article he linked specifically mentioned that the data is sent to Matrix’s servers even when using a self-hosted server, though.

  • OneMeaningManyNames@lemmy.ml · 16 up · 2 days ago

    People say this over and over, “depends on your threat model”, and yet people seem to have a hard time understanding that. Your threat model is “who is your adversary and what is he willing/able to do”. Your security goal is what you want to keep from your adversary.

    As others said, if you are an activist or sth important, perhaps you might want to build a working knowledge of cryptography yourself. If you just want META not being able to see your NSFW chat with your romantic partner Signal might be more than enough. In fact, people way more relevant than me also suggest that Signal is good even for bounty hunter vulnerability reporting.

    Having said that, what bugs me most is that people think of the instant messaging format as suitable for everything: activism, jobs, crimes, broadcasting 1970’s prog rock for extraterrestrials, whatever lmao. Do you really want to use your phone for all that? Like, just carrying the phone around in the first place nullifies your other precautions, for all advanced threat models beyond privacy of non-critical social messaging.

    Persistent/resourceful adversaries can eventually get to you, using a set of penetration and intelligence techniques, which means, if you are involved, the convenience of messaging your partners in crime from the phone in your pocket while waiting for a bus is a convenience you probably can’t afford.

    • haroldfinch@lemmy.ml · 1 up · 1 day ago

      It’s impossible to escape the surveillance of those three-letter agencies. We only got a brief glimpse behind the curtain back in 2013, and there is no idea how advanced their surveillance technologies are, so why bother, for a normie?

      It’s also painstaking if not impossible to wipe all your metadata from the internet, which can later be mined to infer personal data and sold by data brokers. Not to mention that people have jobs and use their credit cards, no way even to hide the most important personal identifying information.

      So using Signal, despite being centralized, is not too bad at all. Very few people can totally sacrifice convenience for privacy.