13 KiB
XMPP servers comparision
Well, here I am going to compare XMPP servers. As we all know XMPP is a descentralizeted protocol. So you can have an account in servera.tld and your friend can have an account in serverb.tld and communicate without problem.
The best thing to do is to setup your own XMPP server. But, obviously, not everyone can do this. So public servers exists for some reason. In this article I am going to compare all the XMPP public servers I've seen. What they recollect, how to register to them and stuff like that.
I am NOT going to dig into terms of service. Only privacy.
What to check in a XMPP server?
Well, first thing you should check is for how long they keep IP addresses. (Or if they don't collect IP addresses, like some services do). You shold also check if they provide a v3 onion address (so you can connect anonymously to it). And you should check what kind of data they ask for in the registration.
Trashserver.net
Let's dig onto their privacy policy!
IP addresses of users are not logged by default. Exception: In case of incorrect login attempts, the IP address is logged to prevent attacks on accounts.
Awesome! Just be sure to type your password correctly and no IP will be logged. Also, some clients, like Gajim, Conversations and ChatSecure supports connecting from Tor. (By the program's settings. For another client just use torsocks or something like that)
No personal data is required for registration.
Registration is closed. So I cannot test this now.
To keep messages synchronized across multiple devices and exchange messages even when two subscribers are not online at the same time, messages are cached on the server for up to 4 weeks.
Well, understandable. If you don't want to do this. You have two options:
- Use OMEMO/OpenPGP/OTR
- Disable the logging feature in your client.
Contents uploaded via http_upload remain stored on the server for 4 weeks
If you don't want content to be in trashserver's. Don't upload files to it. Or use OMEMO/PGP/OTR
Awesome! This server seems good!
If I am required to cooperate with law enforcement authorities under any applicable law, information will be disclosed in accordance with the applicable law.
Aw, shit.
Good server. But be sure to always use OMEMO/PGP/OTR so this last point is less harmful. High tier.
404.city
Alright what the fuck? I have to solve a ReCraptcha to create an account? in the absolute trash it goes!
We store your contact list, connection time and current session IP address. To prevent spam from 02/12/2020 we save account registration information. We are not located on the surface of Mars and we will be obliged (as anyone else) to provide this data by officially confirmed government request in the United States or the European Union.
Alright, they store, your IP Address and when you connected. Don't even think on creating an account here. And would give info to feds SHIT TIER
Also, the website is cuckflared
on top of that, xmpp://nuegia.net admin sent a text to me:
404.city has more problems than you specified. For one, choosing an account on 404.city is actively harmful to the federation as you are unable to send messages or contact 404.city users unless they add you to your roster first. Even worse 404.city users are not notified when someone trying to contact them has been blocked. The message is just dropped from their perspective.
the operator of 404.city is notoriously hard to contact, in fact his domain he used for contact, faceless.city no longer exists. Sometimes the operator pops up in the XSF operators chat, other times i have to ask around in general for someone who knows him to ping him for me.
the operator of 404.city is not very responsive to issues, and almost always will blame you for making a mistake when you contact them about a service or interoperability issue until you explain it 3 times over with XML traces what's going on and why it's their problem not mine.
To top this all off, the service is unreliable, frequently having outages and is laggy. Responses to and from the server even if your an external user connecting to a muc there are SECONDS behind on transaction
The first paragraph is the most harmful in my opinion, because XMPP is good because it's a federation. But 404.city breaks the federation by only allowing contacts to message you Remember that they keep the contact list. So they fucking literally know who you talk to. In other servers you can make the server admins don't know who you talk to by just texting them, instead of adding them to contacts, but 404.city makes this not possible.
I don't know what he mean by faceless.city does not exist. It exist but it is cuckflared (and a non-existing website is better than a cuckflared one)
But when he mentions that the operator is impossible to contact, that's true, partly because He don't know English
Snopyta
You have to create to enable JS to create an account. Err.
Well, but nothing else is needed! No Craptchas!
Now, in their privacy policy:
Login credentials are stored in encrypted form and never shared with other parties.
Good.
No IP adresses are stored by default on our servers. We may temporary enable logs which contain IP addresses if needed for debugging. These logs are deleted immediately after action has been taken and are kept for a maximum of 24 hours.
Well, you have to be out of luck for Snopyta to log your IP. Anyways, you can always log in using Tor. They also provide a .onion address for XMPP.
Messages sent to you while you are offline are stored until you connect or your account is deleted.
Yeah, use OMEMO or PGP
The rest of the privacy policy is just XMPP basic stuff. High tier.
Riseup
Ah, the old reliable. Right?
NO!
Riseup has a good privacy policy. XMPP is not the exception but their XMPP server sucks!
You cannot even Upload files to it! Altought it does not support A LOT of XEPs. That all the previous server supports. Low tier. If you con't care about it. Riseup has a good privacy policy (they literally would rather to nuke the server than surrender to the goverment) then it is high tier.
Wait what? You're telling me that Riseup accepts non-trusted connections? WHAT? ABORT EVERYTHING. NEVER USE THIS
Disroot
They require a email address for signing up (altough they provide e-mail services). But i'm only caring for XMPP in this article, in XMPP they collect:
- IP address (deleted after 24 hours)
Apparently that's it. But they log IP addresses and they require Email address for signing, and i didn't see any .onion hostname for their XMPP server, so mid tier
jabber.lqdn.fr
Literally who XMPP server. Yes, but Digdeeper uses it.
In the registration. E-mail is optionan. Which is good, and no craptchas are needed.
Messages in the server sent to someone offline are logged until sent. Alright, as always, use OMEMO/blah blah/
Your list of contacts (that's how xmpp/jabber protocol is working)
Well, I guess.
The date of last connection for each account, so that we can delete account when they are unused for 6 months. (But we don't keep the IP address from where you connect.)
Well, that's ok.
Well, the privacy policy is ok. High tier
Creep.im
Oh, okay! first thing we see when accessing the website is "IPs are not logged" Good start!
You can create an account directly in the client! Awesome!
You can connect to a .onion link!
This is too good to be true.
And indeed it is. If you want to talk to someone in a creep.im account. You'll have to solve a craptcha. Don't use creep.im if you don't want your contacts to become your enemies. Shit tier. just for this.
yax.im
Yaxim is a XMPP client for Android, which also gives us a XMPP server:
Information Associated with your Account
The IP address of your registration and of your last login are stored alongside the account. This is required to detect and delete spammer accounts (Art. 6.1f). IP addresses and Jabber IDs of identified spammer accounts will be shared with other server operators to prevent further abuse.
Well, storing the IP address is not a good start. You can use Tor for this.
Server logs
IP Address and timestamps
Okay, they can see when you log. ehh
Well, the server is OK. but there are better alternatives. Middle tier
xmpp.jp
Recaptcha for registartion. their privacy policy don't say much. Low tier.
e2e.ee
How can we figure out who you are? We can’t.
Will we ever share data about you with others? No! We don’t know who your are.
Do you control the chats and data you place on this server? Yes! You can delete them at your discretion.
Seems nice!
e2e.ee uses IP information to ensure that the service is not abused. IP addresses are recorded for the following objectives:
Allow the creation of one account per IP address every 6 hours IP Addresses are recorded on the webiste for these reasons only. The records expire and are deleted from the server continuously, always within 6 hours.
/!\ IP address are logged /!\ But at least they're deleted within 6 hours.
Also
An XMPP ID, also known as a Jabber ID, is never associated with an IP address. Which is good
Prosody XMPP Server logs IP addresses when a login fails. This information is used to keep accounts safe from brute force attacks. Prosody XMPP Server never logs IP addresses in association with actual XMPP IDs.
Like with trashserver, don't input a bad password. And prosody never logs IP addresses.
Well, their website could have better IP address logging. Middle-High tier.
Then i realized I cannot register in my IP because "fraud IP address"
Then I tried in Tor, I also couldn't because "Proxy address". What a Joke. Low tier.
sum7.eu
This is the community which developed conv6ations, thanks guys! But they also let you use sum7.eu as XMPP server. when you go to https://sum7.eu their privacy policy link says "Privacy policy: we save nothing!"
We do not use external services like GoogleAnalytics, external fonts or GoogleMaps.
So far, so good... So what?
But now we have this:
From your Website request is only saved: Address Family: IPv4 or IPv6 Requested Domain: e.g. chat.sum7.eu Duration of delivery: How long a request take time (in histogram cumulated in buckets)
Thought you guys didn't save anything!
For easy use, there is Message Archiving enabled by default. Hopefully you use OMEMO or you should disable MAM. Otherwise your messages are stored plain on this server for other clients.
Yeah, use OMEMO and disable MAM, as always
HTTP-Uploads are stored for 7 days before it will be deleted automatically. Accounts after 1 year unused will be deleted.
Good.
I mean, sum7 didn't give a lot of info, although you create an account directly from the client. Idk if you can create it through Tor (probably you can). idk, middle/high tier.
Update 2021-07-10: If you have an account in chat.sum7.eu and someone wants to add you, they will have to resolve a captcha, just like creep.im. So don't use it if you care about your contacts.
xabber.org
Need recaptcha to create account, privacy policy is ok. middle-low tier
dismail.de
Privacy policy is in German, and i don't speak German, however, trying they specify in their xmpp service info that you s2s is required (this is good) and also c2s, also provide a v2 and v3 onion addresses, and the fingerprints for their SSL certs.
No recaptcha is needed for registration, high tier
blabber.im
Website made by the pix-art dev, pix-art is (was, apparently now it's called blabber), it is a fork of conversations, like sum7, they let you use their server for XMPP. Their privacy policy says:
- No IP addresses logged
- Passwords are stored in SCRAM-SHA1
I don't know how good this is, because SHA-1 is broken (look up shattered)
- No input of personal data is necessary
This is true, You only have to input username and password.
However, the program in F-Droid says that this app tracks and reports your activity. And it just makes me suspect. ? tier
Summary
Most servers have their flaws. Snopyta requires an email to register. You cannot register in trashserver nowadays. lqdn does not support http_upload
The best thing you could do is Trashserver->Snopyta->sum7->yaxim->e2eee->lqdn
Don't bother with 404.city it is shit tier.
You should ALWAYS use OMEMO/PGP to protect your messages. And connet through Tor if possible. Some clients support giving a hostname. You put the .onion as hostname. But the regular domain as Jabber ID. Something like this:
