Yes We're Config!™
Beginners guide to XMPP-speak

XMPP

Extensible Messaging and Presence Protocol. - A communications protocol based on XML that has been in development since 1999. Ever since the standard has been incrementally developed to add more functionality. It is the underlying technology that powers a lot of well known chat applications such as WhatsApp and Google Talk.

Jabber - The original trademarked name of the Jabber service. Jabber.org is the original instant messaging (IM) service based on XMPP. Afterwards many different servers and clients have emerged. “Jabber” is to “XMPP”, what “email” is to “SMTP” and what “web” is to “HTTP”1.

MUC - “Multi-User Chat”, the jargon for groupchat in XMPP world. This feature needs to be supported by both the clients and the servers. See XEP-0045.

ROSTER - is your list of contacts.

JID - Jabber ID / XMPP address. JID is the identifier of a user account. It looks a lot like an email address: user@server.com, but it is not. Some users might use the same name for both their email and JID but most of the time these are completely different things. Following the same logic, chatrooms also have a similar address: roomname@muc.server.com.

XEP - XMPP Extension Protocol

XEP-0045 MUC - defines support for Multi-User Chats, in other words, group chats.

XEP-0163: PEP - Personal Eventing Protocol allows amongst other things to automatically publish avatars and OMEMO public keys.

XEP-0313: MAM - Message Archive Management is an extension that allows one to receive messages while offline.

federated server - A group of servers which agreed upon certain standards to communicate with each other. Such a group is a federation of servers. The federated XMPP protocol enables the user to select a client of preference and connect to their XMPP server of choice.

centralized service - A vertically integrated service that includes both exclusive client and server software. In this scenario, most of the time, the user can only run one specific client and only interact with other users from the same service.

Software: Clients

As featured in our guide on XMPP clients:

Conversations - Mobile client for Android.

Gajim - Desktop client for Linux distributions, BSD, and Windows.

ChatSecure - Mobile client for Apple iOS, ‘experimental’, but in active development.

Other popular clients not featured in our guide:

Adium - Desktop client for Apple macOS. The OSX version of Pidgin

Kaiwa - A webclient, so it runs in the browser. Supports a lot of features and XEPs. Win/Lin/OSX

Pidgin A client which supports a number of messaging standards including XMPP. Recently implemented support for OMEMO.

There are many more clients available. Check your local F-Droid/Google Play Store/AppStore.

Software: Server

Prosody - Open Source XMPP Server software written in LUA. It is actively being developed and is notable for the large ammount of supported XEPs.

Encryption

C2S - The connection between a client and the server.

S2S - The connection between servers.

Transport Layer encryption

Encrypts communication while it is in transit between client and server (c2s) or from one server to another (s2s). The servers where the messages are relayed between can however still read their content. It is probably known to most people in the form of HTTPS, which indicates the communication is encrypted between your browser and the server that is hosting the website you visit.

Depending on your threat model, in case you and your contacts share the same trusted XMPP server, transport layer encryption might be enough to safeguard your privacy.

End-To-End Encryption (e2e)

End-to-end ciphers is client side method for encrypting messages. Only the sender, and the receiver, at both ends of the communication chain, can read the message, but not the servers in between.

OTR - “Off-The-Record” is one of the older forms of e2e encryption available in some messaging clients. The big disadvantage of OTR is that both clients need to be online at the same time for the encrypted session to work. It is also not possible to synchronize OTR encrypted messages across mutliple clients.

OMEMO - OMEMO Multi-End Message and Object Encryption, OMEMO is the XMPP implementation of the Double Ratchett encryption algorithm developed for Signal by Moxie Marlinspike at Open Whisper Systems. It is the most modern and convenient encryption mechanism that is practically invisible to the user. It also provides so-called forward secrecy, which means that every message is separatly encrypted. In the case that one cipher is intercepted by a third party, only one message can thus be decrypted.

TOFU - Trust On First Use. A mechanism where the received fingerprint is assumed trusted immediately and is therefore checked as verified. Used in ChatSecure for OTR and OMEMO, called ‘Blind Trust’ in Conversations.

OpenPGP - Pretty good Privacy is the oldest generic method for end-to-end encryption. It requires quite some knowledge and maintenance frmo its users. OMEMO is designed to provide similar or better encryption with less hassle. To use OpenPGP in Conversation a third party app called OpenKeyChain is required.

Threat Model. When thinking about security and privacy it is important to note that there is no such thing as a protection against every and any possible threats. By aiming too large and aimlessly at a universal form of privacy, there is a risk of missing obvious blind spots because of lack of resources, lack of time, and lack of knowledge to cover all possible situations. In that sense the concept of a threat model is very useful. In a threat model, an assessment of what has to be secured and who could be willing to acquire your information and at what cost, is established in a realistic fashion. What poses a credible threat to you and your situation? Who represents that threat? What kind of resources does this threat possesses? The answer to these questions should inform you on what kind of measures one should take and which ones have the highest priority.

Obviously this differs from situation to situation. Are you a political activists or dissident trying to organise for direct action and trying to avoid surveillance from governement agencies? Are you the user of a popular social network, trying to protect as much as possible your most confidential information from your private life? Are you an office worker trying to leak confidential information about unethical activities of your employer while remaining anonymous? Are you a user of public or private torrent trackers hoping to get away with mass downloading and uploading of whole seasons of The Great British Baking Show? Every situation is different, every situation needs a specific understanding of what is at stake and what would be the consequence if what you try to protect is exposed. Don’t believe in magical solutions, do your homework.

This list is partly based on this glossary

This guide is a companion to our article Have You Considered The Alternative? on instant messaging. Also check out our guide on configuring the self-hosted XMPP server Prosody, and our guide on XMPP clients.