XMPP: the revival of secure, federated IM
The author of this post, a security researcher, looks at the present state and future of XMPP (Extensible Messaging and Presence Protocol), the veteran secure, federated instant-messaging protocol.
Although XMPP was originally known as "Jabber", its official name is XMPP; its lightweight, extensible design has made it the foundation of many IM systems, and it is widely used by government and non-profit organisations.
However, because its extensions are fragmented, the user experience is not uniform.
The author gives his ranking of XMPP, Signal and Matrix, and looks for better IM alternatives, such as SimpleX.
The post also mentions that the author has left his job at Kudelski Security to join Horizen Labs as a cryptography researcher, where he will focus on zero-knowledge proof (ZKP) systems.
Finally, the author shares his personal impressions of the "Science Village" and "Super Security Village" at the DEF CON conference.
Opening of the original post (English, first 3 paragraphs only)
Jabber/XMPP
The grandpa of secure, federated IM, but still rockin'. First of all: you should not call it "Jabber" anymore; that's the old name, and the official name since 2002 is XMPP (Extensible Messaging and Presence Protocol). XMPP is the backbone of a plethora of IM systems. Unlike Matrix, which aims at offering a fully fledged experience out of the box, XMPP aims at being lightweight and extensible through plugins. This has the advantage that hosting your own server is very easy: compared to Matrix, the effort and requirements are minimal. Also, because it is a completely open specification, it has been adopted over time by many government and non-profit entities (rescue operations, military, NGOs, etc.) as "the" open standard of choice. The disadvantage is mainly that, because the adoption of extensions is so fragmented, there is no "uniform" user experience: things that are possible with one client (e.g. audio/video calls) might not be possible with another, or might not be supported by some servers.
Speaking of XMPP security, even encryption was not meant to be "default" and was added as an optional extension. The modern standard for XMPP encryption is OMEMO, which is, roughly speaking, equivalent to Signal (with caveats, lots of them, yes, I know).
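Because end-to-end encryption is an optional extension in XMPP rather than the default, a client or audit tool has to check each stanza for it instead of assuming it. The following added example (not code from the original post) parses constructed `<message/>` stanzas and classifies them as OMEMO-encrypted or plaintext; the OMEMO namespaces are assumed from XEP-0384 and are not quoted on the page.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# OMEMO namespaces as defined by XEP-0384 (assumption: taken from the XEP, not from the post).
OMEMO_NAMESPACES = ("eu.siacs.conversations.axolotl", "urn:xmpp:omemo:2")
CLIENT_NS = "jabber:client"

def classify_message(stanza_xml: str) -> str:
    """Classify one <message/> stanza: 'omemo', 'malformed-omemo', 'plaintext' or 'no-body'.

    Note: for untrusted input in production, parse with defusedxml rather than
    the stdlib parser to avoid entity-expansion denial of service.
    """
    root = ET.fromstring(stanza_xml)
    if root.tag != f"{{{CLIENT_NS}}}message":
        raise ValueError("not a jabber:client <message/> stanza")
    # The OMEMO <encrypted/> element is checked first: OMEMO clients often add a
    # plaintext <body/> fallback ("your client doesn't support OMEMO"), so the
    # presence of <body/> alone says nothing about encryption.
    for ns in OMEMO_NAMESPACES:
        enc = root.find(f"{{{ns}}}encrypted")
        if enc is not None:
            header = enc.find(f"{{{ns}}}header")
            payload = enc.find(f"{{{ns}}}payload")
            return "omemo" if header is not None and payload is not None else "malformed-omemo"
    if root.find(f"{{{CLIENT_NS}}}body") is not None:
        return "plaintext"          # readable by every server on the federation path
    return "no-body"                # e.g. chat-state or receipt stanzas

def audit_stanzas(stanzas) -> dict:
    """Count classifications over a batch of stanzas (e.g. a captured client log)."""
    return dict(Counter(classify_message(s) for s in stanzas))

# Constructed sample stanzas (not real traffic).
PLAINTEXT_STANZA = (
    '<message xmlns="jabber:client" from="alice@example.org/phone" '
    'to="bob@example.net" type="chat"><body>hello</body></message>'
)
OMEMO_STANZA = (
    '<message xmlns="jabber:client" from="alice@example.org/phone" '
    'to="bob@example.net" type="chat">'
    "<body>I sent you an OMEMO encrypted message but your client does not support it.</body>"
    '<encrypted xmlns="eu.siacs.conversations.axolotl">'
    '<header sid="1234"><key rid="5678">QkFTRTY0S0VZ</key><iv>QkFTRTY0SVY=</iv></header>'
    "<payload>QkFTRTY0Q0lQSEVSVEVYVA==</payload></encrypted></message>"
)

if __name__ == "__main__":
    print(audit_stanzas([PLAINTEXT_STANZA, OMEMO_STANZA]))  # {'plaintext': 1, 'omemo': 1}
```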
※ For copyright reasons, only the first 3 paragraphs are quoted. Please read the original post for the full content.