
XMPP is great, until you have to explain to granny how to use it. Signal isn't perfect, but I can just tell Granny ‘install Signal, it's like WhatsApp or all the other messaging apps’.

The best crypto protocol is useless if no one uses it.

I don't know if you're familiar with the Olvid app. Its cryptographic system has been audited and is used by the French state. It allows you to create accounts that are not linked to a phone number or email address, etc. Lots of great features for tech-savvy crypto enthusiasts.

The only problem is that you have to be physically present and scan a QR code on each client to add a contact. So it does prevent spoofing, but it's incredibly impractical. Setting up a group chat is a real challenge because all the participants have to have each other's keys. Nobody wants to revive the PGP parties.



> Nobody wants to revive the PGP parties

Hey cmon.. I do; but, like, mostly for fun, and for the ceremonial readouts of usernames / key fingerprints etc... a bit of demonic summoning vibe, it can be...

But in seriousness: yes again and again, people miss the good chasing the perfect.

Also (to grandparent comment iirc): Signal reproducible builds have existed for a while, fyi!


"Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!" It's the correct cryptographic fingerprint. However, you don't have any government-issued ID on you, Mr Cthulhu?


I helped set up Conversations / Monal on my grandparents' phones and they have no issues sending messages.


My grandmother lives 700 km from my home, I can't be there every time she changes her phone or breaks something.

I can instruct a non-technical relative to install Signal. Installing Conversations and configuring the right account on the right server is another story.


Maybe https://quicksy.im/ would work in that case. Easy to install like Signal, but it uses your phone number as a routable XMPP address. Unsophisticated users get easy onboarding and nobody else gets locked into some walled garden.


This isn't good enough.

Quicksy "advises you" to use OMEMO. It doesn't make OMEMO always-on.


It's encrypted by default. I agree that having no option to send unencrypted messages would increase security somewhat, but the unsophisticated user can always be tricked into sending an unencrypted message. They will just use a different app if something doesn't work. Not really fixable on the application level.


Try sending me plaintext with Signal.

That's the fucking bar you need to meet.



