A Mastodon exclusive: I'll be presenting my "Secure XMPP" findings at Ohio InfoSec Forum next week.

Results: XMPP is a dumpster fire.

@samurailink3 thanks for spreading the I-wish-it-were-self-evident truth
@HedgeMage @samurailink3 I thought Mastodon didn’t use XMPP(?)

@rauschma Oh, it doesn't. Mastodon isn't meant to be End-To-End encrypted or "Secure" (beyond using HTTPS on the site). Mastodon is a re-implementation of the GNU Social project (https://gnu.io/social/).

I think Mastodon is "secure enough" for the majority of its use case: being a public, federated, open-source Twitter.

My XMPP comments relate to a talk I'm giving next week at an infosec user group meeting.

@HedgeMage I really really want XMPP to be the secure self-hosted Signal alternative, but it just can't happen with this architecture (not without a substantial rewrite anyway).

OMEMO is a good start, but it has a host of issues. At this point, there's no benefit (and serious detriments) to using self-hosted XMPP over Signal or WhatsApp.

I know that gives the FOSS fanboys (like myself) concerns, but it's the truth. XMPP isn't safe for the average user.