pep/blog.bouah.net
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
blog.bouah.net/content/posts/slixmpp-omemo-release.md
Maxime “pep” Buquet 5ed0d1b165
slixmpp-omemo-release: Add note about Full Stanza Encryption 
Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>
2019-03-02 22:53:28 +00:00

103 lines
4.3 KiB
Markdown
Raw Blame History

---
title: "Slixmpp gets OMEMO support"
date: 2019-02-25T17:36:50Z
tags: [IM, XMPP, OMEMO]
---
TL;DR: Developers can already experiment with the [slixmpp-omemo][slix-omemo] plugin.
Please give us feedback on the [tracker] or in the [channel]!
After [almost a year][opkode-gulash] since I started working on the [OMEMO]
encryption mechanism support for [Slixmpp], I am happy to finally announce a
first release. I would like to get feedback. I am sure there are still plenty
of things to improve, and so I encourage developers to bring out their inner
vandal, break it and report their findings.
This library provides an interface to [python-omemo].
You can find the code at
[https://lab.louiz.org/poezio/slixmpp-omemo][slix-omemo].
Documentation is available in the [README][slix-omemo-README], and there is
also an [echo bot][slix-omemo-bot], with lots of comments.
Thanks to Syndace and [Daniel] for the help with the OMEMO implementation, and
[mathieui] and [Link Mauve] for the help on Slixmpp and moral support.
[slix-omemo]: https://lab.louiz.org/poezio/slixmpp-omemo
[tracker]: https://lab.louiz.org/poezio/slixmpp-omemo/issues
[channel]: xmpp:slixmpp@muc.poez.io?join
[opkode-gulash]: https://opkode.com/blog/2018-gulaschprogrammiernacht/
[OMEMO]: https://xmpp.org/extensions/xep-0384.html
[Slixmpp]: https://lab.louiz.org/poezio/slixmpp
[slix-omemo-README]: https://lab.louiz.org/poezio/slixmpp-omemo/blob/master/README.rst
[slix-omemo-bot]: https://lab.louiz.org/poezio/slixmpp-omemo/blob/master/examples/echo_client.py
[python-omemo]: https://github.com/Syndace/python-omemo
[Daniel]: https://gultsch.de
[mathieui]: xmpp:mathieui@mathieui.net?message
[Link Mauve]: xmpp:linkmauve@linkmauve.fr?message
## Separate repository
As you may have noticed, this plugin is served via a separate repository. This
is for licensing purposes. As much as I like GPL and copyleft, Slixmpp is
licensed under the MIT license, and this is probably not going to change.
Fortunately for Slixmpp this split should not last forever.
The [python-omemo] library that is used -- developed by Syndace -- is a complete
reimplementation of the Signal Protocol unlike [python-axolotl], which is a
port of the original library implemented in Signal.
There are bits that prevent him from releasing his library under MIT at the
moment, I am not entirely sure to grasp all the details but this is being
worked on.
[python-axolotl]: https://pypi.org/project/python-axolotl/
## Why OMEMO?
There are still lots of things to be improved in the OMEMO specification.
I would personally like to see what is usually called _Full Stanza Encryption_
added to the spec. Today, an OMEMO implementation will only encrypt the
plaintext (`<body/>`) part of messages you send, and either leak everything
else (e.g., chatstates, receipts, corrections, xhtml-im), or effectively
disable them, for privacy-conscious implementations.
I would also like to drop _Forward Secrecy_, in the context of Instant
Messaging. And I would like to have a better way to manage all these device
keys, fortunately there are people working on this already.
Not having all these options (or having them, in the case of _Forward
Secrecy_) heavily degrades user experience in my opinion, and that is my main
concern.
Not having OMEMO though, is also not great either for user experience, many
implementations nowadays provide it, and some even enable it by default.
This makes it impossible for us Slixmpp users to communicate without having
to ask the sender to turn it off first.
While I would prefer to see other alternatives, this library should help with
the current situation, and we can go back to work on fixing the world.
## What's next?
Apart from the tons of bugs that I'll have to fix in the following days/weeks,
now that we have the foundations next step is to implement OMEMO in [Poezio].
Any help is welcome!
EDIT 2019-03-02: _A small but important precision on Full Stanza Encryption.
I did write "what is usually called", because it does not actually consist in
encrypting the full stanza. The server still needs to see routing information,
as well [messages hints][XEP-0334] (e.g., `<no-copy/>` or `<no-store/>`)
designed for the server rather than the final recipient. A better name might
be "Arbitrary Extension Element Encryption" (thanks Flow.)_
[Poezio]: https://poez.io
[XEP-0334]: https://xmpp.org/extensions/xep-0334.html
Reference in a new issue View git blame Copy permalink