The official community for Dread announcements, discussion, and feedback. Come post any bugs!
Only posts relating to this site in this subdread allowed! Posts here are manually reviewed before public posting!
by /u/Woodie · 5 votes · 1 month ago
Hi Dread,
The Problem: Currently there is a divide within the community on dread and the broader dark net communities between users with XMPP + OTR and users with XMPP + OMEMO. This causes a headache whenever adding someone, as they might be using one encryption protocol, while you are using another. This leads to an abrasive experience while attempting to communicate with other community members via XMPP/Jabber.
Proposed Solution (for Dread specifically): Allow for having two separate XMPP address fields and two seperate XMPP Fingerprint fields corresponding to XMPP + OMEMO and XMPP + OTR. Currently the feature exists to attach an XMPP address to my profile along with my OMEMO fingerprint. Where there is still a significant divide between OMEMO and OTR users, until the community transitions to mainly (90%) either OTR or OMEMO, I think it would make sense to have a configurable field on your Dread profile for an OTR and OMEMO specific address with corresponding fields for OMEMO and OTR fingerprints.
Lets have a calm and friendly community discussion regarding this and I'd be interesting in hearing other views or input.
/u/psuedonym · 1 votes · 1 month ago · Link
Friendly bump
/u/LydiaRQ P · 1 votes · 1 month ago · Link
As our group is in the process of making a clearnet OpSec training site we have been into this issue. It's unfortunately deeper than just which flavor of encryption to use. The first barrier is a general lack of education on how to use a XMPP client, which one (like it matters) and feeling comfortable doing so. That right there has limited it's use quite a bit. Add the OTR/OMEMO debate on top and rather than roll forward, the ball just comes rolling back to avoiding what really has a lot of potential.
I'd like to see stats on how many people chat using XMPP. I'd be willing to bet it's not 10%. Usage should be first priority, then with a consensus we choose one method to rule them all.
OMEMO will win out not for it's superior security or anything else except for the fact that it can manage group chat. That difference is why OTR should be ditched in order to have compatibility among eGangsters.
/u/Woodie
· 1 votes
· 1 month ago
· Link
Kudos for undertaking the valiant effort of creating an OpSec training site. That would be a huge resource for newbies entering the community.
Regarding your mention of the "general lack of education on how to use an XMPP client". Its been around a decade since I first used XMPP, so my memory of when I first used it in non-existent so I have a difficult time comprehending what it is like to have to try to setup an XMPP client with a lack of understanding of exactly how to go about it. I'm sure there is probably a good bit of friction with setting it up as someone completely new to this area of the internet. I would be curious if anyone has any constructive ideas on how to streamline the process to onboarding to XMPP with the least friction. The only idea that I can muster for that, is if there was something similar to XMR Guide onion that very clearly explained the setup guide. I think my fear with that, is that there are a lot of different opinions when it comes to which OpSec approach should be considered best practice. And I think if a website like that is made, then there needs to be an sister discussion location for experts and veterans in regards to OpSec to politely and constructively debate the different approaches and keep a stern eye out for any logical falacies that could derail any discussion to be had regarding opsec.
Although I think what you said is valuable, I just wanted to clarify, that I don't believe these issues are mutually exclusive or need to be addressed in a sequential order. I think we could have an update to dread to support both OMEMO and OTR profile fields, while working to build up a knowledge base in the community regarding best practices with XMPP.
/u/LydiaRQ P · 1 votes · 1 month ago · Link
Well said Woodie, well said.
I am in education production mentality right now, and my instinct is to KISS. I think we both see the issue. It's a classic one of tech maturity. It starts off as something only nerds understand, then enthusiasts, then there has to be a big push to make it usable. Cars were that way, trains, heck cell phones still are to those above age 50.
Our approach is aimed at the lowest rung on the ladder. We plan to make it a Russian McDonalds menu where WE select the client, WE show you how to set it up, and WE ignore all the debate which can only confuse the masses who just want to buy on a DNM.
That said if we accomodate Dreadsters (who are not noobs) with an OTR field it may be good for them in the short term but then when the flood of noobs arrive they are clueless and less confident because of options. Dictatorial I know but have you seen how many noobs there are today? Confusion can create good discussion and lead to progress but only among those with a brain. The majority won't be able to grasp it, so I say we start now and just go with what can handle group chat (OMEMO).
It's kinda like dealing with children. We keep them from the realities of life not by lying to them but by not telling them the whole truth.
In conclusion a decision needs to be made; an approach as to the level of accomodation. What is the average OpSec understanding of the Dread community?
/u/soairse · 1 votes · 1 month ago · Link
When your site is up can you let me know? I'd be interested in checking it out
/u/LydiaRQ P · 1 votes · 1 month ago · Link
Aaaaaaaaaaabsolutely! We'll be announcing it all over Dread. In fact, I just might hit you up to preview it prior to official launch if I may.
/u/soairse · 1 votes · 1 month ago · Link
Sounds great, thanks
/u/captainsensible · 1 votes · 1 month ago · Link
I'm a baby bottle account that would be interested too...
/u/Natsuko · 1 votes · 1 month ago · Link
This!
/u/d3market P · 1 votes · 1 month ago · Link
You are right there does seem to be a divide with public opinion on OTR and OMEMO. OMEMO is a objectively better protocol however. It is good that Dread is pushing OMEMO over OTR. I would not speak for /u/HugBunter and /u/Paris but from posts that moderators such as /u/Shakybeats has made I assume it is Dread's goal to push OMEMO over OTR. I could be wrong.
There did not use to be a OMEMO fingerprint on user's profiles. Dread adding that allows for secure out of band verification which is vital for protecting against Man In The Middle attacks. Dread once again giving vital services to the community.
There are many reasons that show OMEMO being superior to OTR.
OMEMO allows group chats. OTR does not.
You can message someone who is offline with OMEMO. You cannot with OTR. You both need to be online.
OMEMO has a standardized way to transfer files. OTR does not.
OMEMO has both forward and backwards secrecy. OTR just has forward secrecy. Forwards secrecy protects past messages against present or future compromise. Backwards secrecy protects present or future messages from past compromise.
For a list of Jabber clients that are compatible with OMEMO you can check this link.
https://omemo.top/