XMPP is perhaps as far as you can get from a locked-down chat platform. It is an instant messaging standard that works much like email: anyone who registers an XMPP account on one server can communicate with anyone on another server.
By default, these XMPP chats are unencrypted. This is where OMEMO comes into play. With OMEMO end-to-end encryption, XMPP offers comparable security to Signal, Session, and every other private chat app you’ve heard of, but without the risks associated with being dependent on a centralized platform.
What is XMPP?
XMPP is an instant messaging protocol that has been around since 1999 and was originally known as Jabber. The acronym stands for Extensible Messaging and Presence Protocol. It’s an open standard for sending messages over the Internet without everyone having to have an account on the same server. Someone can register an account with one provider and send a message to someone registered elsewhere.
For this reason, XMPP usernames are similar to email addresses. For example, if you create an account at Conversations.im, your name will appear as “firstname.lastname@example.org”.
Note: Conversations.im offers the most popular XMPP app for Android. ChatSecure is a good option if you use an iPhone.
You may have used XMPP before without even knowing it. Several popular chat platforms started out as XMPP clients, such as Google Talk and Facebook Messenger. WhatsApp works with an adapted version of XMPP. Some projects, like the free and open-source video conferencing tool Jitsi, also use XMPP in the backend.
What is OMEMO?
By default, XMPP is not a particularly private communication method. While traffic to and from a server can be encrypted, anyone running the server can read the messages.
Luckily, XMPP is extensible (after all, it says so in the name). OMEMO is an extension that adds end-to-end encryption to XMPP. It’s not the first. Other methods came earlier, like OpenPGP and OTR (Off-the-Record Messaging). What OMEMO offers is not just end-to-end encryption, but multi-end-to-multi-end encryption. Hence the name: OMEMO Multi-End Message and Object Encryption (yes, it’s a recursive acronym).
What does multi-end-to-multi-end encryption mean? In short, this means that if you send a message from your laptop, you can still view that message from your phone and any other device logged into your account. The recipient can then also view the message on any of their devices. Nevertheless, OMEMO keeps the messages encrypted on the various servers so that only you and the intended recipient can read them.
OMEMO was originally based on the Signal Protocol developed by Open Whisper Systems for the Signal app. Unlike the centralized Signal Protocol, OMEMO has to handle encryption across multiple servers. OMEMO started as a Google Summer of Code project in 2015 that implemented multi-end-to-multi-end encryption in the Conversations Android app.
OMEMO is not limited to private messages. You can also transfer files privately.
How to activate OMEMO
OMEMO is easy to activate if supported by your provider. When you start a chat with someone, look for a lock icon. It will show as unlocked if your messages are unencrypted and locked if they are encrypted. Click on this lock to choose from the available encryption options.
You can send encrypted messages to anyone whose account is also with a provider that supports encryption, and their client must also support it. Otherwise, your client may display an error message informing you that encryption is not an option. However, XMPP has supported encryption for many years, as have most providers. There is a website tracking OMEMO support within XMPP clients.
Pros and cons of OMEMO encryption
XMPP with end-to-end OMEMO encryption is a private mode of communication, but like any method, it has both its strengths and weaknesses.
Strengths of XMPP with OMEMO encryption
- XMPP is decentralized. Unlike alternative options like Signal or WhatsApp, you don’t rely on a single provider staying up. There is no “XMPP is down”. One provider’s servers may be down, but others will continue to send and receive messages.
- XMPP and OMEMO are open standards. Anyone can read the code to understand how they work. This allows others to examine the code and confirm that messages are indeed private.
- Forward secrecy. This means that the encryption keys are stored on your device, and any device that does not have access to the messages at the time they are sent cannot view the message.
- You can use any XMPP client with OMEMO support. You are not dependent on an app. And you have the freedom to find an interface that suits you best.
- Proven. XMPP has been around for a long time. OMEMO is younger, but it probably won’t go away anytime soon. After all, older encryption methods remain available. And when it comes time to switch to a new form of encryption, you can do so without having to give up your existing XMPP account.
Weaknesses of XMPP with OMEMO encryption
- Messages are not encrypted by default. You must activate OMEMO for your account. You can then choose to encrypt messages per chat or encrypt all your messages. The latter restricts your communication to people who also have XMPP accounts with OMEMO support.
- Forward secrecy. If you send a message from your laptop before logging into your phone, your phone will not be able to view the message. This is different than what most of us expect.
- Older technologies limit communication. XMPP with OMEMO offers most of the essential features, but the experience can feel a little dated. You don’t have the ability to “like” messages, reply to each message with an emoji, or start threads within a chat.
- Relatively unknown. Most people have never heard of XMPP or OMEMO. If you want to chat with friends and family members, there’s a good chance you’ll have to introduce each person to the technology and convince them to make the switch, one person at a time. While there are apps that make the process very easy, like Quicksy and Conversations for Android, you might find it easier to introduce people with an app like Signal, which is gradually becoming more popular.
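The following sketch is an added example, not code from the original article or from any OMEMO implementation. It models the per-device key fan-out described under “What is OMEMO?” and the late-device limitation listed above: the payload is encrypted once, and the message key is wrapped separately for every device known at send time. Assumptions: the device names and per-device session keys are constructed, and an HMAC-SHA256 stream cipher from the standard library stands in for the AES encryption and ratcheting sessions that real OMEMO clients use.

```python
import hashlib, hmac, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), demo only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _subkeys(key: bytes):
    # Separate keys for encryption and authentication.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encrypt_for_devices(plaintext: bytes, sessions: dict) -> dict:
    """Encrypt the payload once; wrap the message key once per known device."""
    message_key = secrets.token_bytes(32)
    return {
        "payload": _seal(message_key, plaintext),  # all the server ever stores
        "keys": {dev: _seal(sk, message_key) for dev, sk in sessions.items()},
    }

def decrypt_on_device(stanza: dict, device_id: str, session_key: bytes) -> bytes:
    wrapped = stanza["keys"].get(device_id)
    if wrapped is None:
        # Device was not known to the sender when the message was sent.
        raise LookupError(f"no key was encrypted for device {device_id}")
    return _open(_open(session_key, wrapped), stanza["payload"])

# Constructed sample: recipient's two devices plus the sender's own phone.
SESSIONS = {d: secrets.token_bytes(32) for d in ("bob-laptop", "bob-phone", "alice-phone")}
STANZA = encrypt_for_devices(b"meet at noon", SESSIONS)
```

A device that was not in `SESSIONS` when the stanza was built gets a `LookupError`, while every listed device recovers the same plaintext from the single stored payload.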
Should you use XMPP with OMEMO encryption?
XMPP and OMEMO are both simple tools with overly technical-sounding names. Anyone with sufficient technical knowledge to create an email account and use an email client has the skills needed to use XMPP and start sending private messages.
As always, the important questions are: who do you want to speak to and will they switch with you? If not, you’re not necessarily going back to a mainstream platform, nor are you stuck with Signal. Matrix offers similar security and decentralization, but with more modern luxuries.