What Is OMEMO End-to-End Encryption? Chat Privately Using XMPP

XMPP is perhaps as far as you can get from a locked-in chat platform. It is an instant messaging standard that is akin to email. Anyone registering an XMPP account on one server can communicate to anyone else on another server.

By default, these XMPP chats are unencrypted. That’s where OMEMO comes in. With OMEMO end-to-end encryption, XMPP offers comparable security to Signal, Session, and any other private chat app you’ve heard of, but without the risks involved with being dependent on one centralized platform.

What Is XMPP?

XMPP is an instant messaging protocol that has been around since 1999, originally known as Jabber. The acronym stands for Extensible Messaging and Presence Protocol. It is an open standard for sending messages over the internet without everyone having to have an account registered on the same server. Someone can register an account with one provider and send a message to someone registered somewhere else.

For this reason, XMPP usernames resemble email addresses. If you create an account with conversations.im, for example, your name would appear as “[email protected]”.

Note: Conversations.im happens to provide the most popular XMPP app for Android. ChatSecure is a good option if you are using an iPhone.

You may have already used XMPP without knowing it. Several popular chat platforms began as XMPP clients, such as Google Talk and Facebook Messenger. WhatsApp operates using a customized version of XMPP. Some projects, like the free and open source Jitsi video conferencing tool, also use XMPP in the backend.

What Is OMEMO?

By default, XMPP isn’t a particularly private method of communication. While traffic to and from a server may be encrypted, whoever runs the server can read the messages.

Fortunately, XMPP is extensible (it is in the name, after all). OMEMO is an extension that adds end-to-end encryption to XMPP. It isn’t the first. Other methods came first, such as OpenPGP and OTR (Off-the-Record Communication). What OMEMO offers is not merely end-to-end encryption, but multi-end-to-multi-end encryption. Hence the name, OMEMO Multi-End Message and Object Encryption (yes, it’s a recursive acronym).

What does multi-end-to-multi-end encryption mean? In short, it means that when you send a message from your laptop, you can still view that message from your phone and any other device signed in to your account. The recipient can then view the message on any of their devices as well. Yet OMEMO keeps messages encrypted on the various servers, so only you and the intended recipient can read them.

OMEMO was originally based on the Signal Protocol, which Open Whisper Systems created for the Signal app. Unlike the Signal Protocol, which is centralized, OMEMO needs to handle encryption across multiple servers. OMEMO began as a 2015 Google Summer of Code project to implement multi-end-to-multi-end encryption into the Conversations Android app.

OMEMO doesn’t just allow for private messages. You can also transfer files privately as well.

How to Enable OMEMO

OMEMO is easy to turn on if your provider supports it. When you start a chat with someone, look for a lock icon. It will appear as unlocked if your messages are unencrypted and locked if they are. Click this lock to select from the available encryption options.

You can send encrypted messages to anyone whose account is also with a provider who supports encryption, and their client must support it as well. If not, your client may display an error message letting you know that encryption is not available as an option. That said, XMPP has supported encryption for many years, and so do most providers. There is a website that tracks OMEMO support within XMPP clients.

Pros and Cons of OMEMO Encryption

XMPP with end-to-end OMEMO encryption is a private way to communicate, but like any method, it has both its strengths and weaknesses.

Strengths of XMPP with OMEMO Encryption

• XMPP is decentralized. Unlike alternative options like Signal or WhatsApp, you aren’t dependent on one provider being operational. There is no such thing as “XMPP being down.” One provider’s servers may go down, but others will continue to send and receive messages.
• XMPP and OMEMO are open standards. Anyone can read the code to understand how they work. This allows others to audit the code and confirm that messages are actually private.
• Forward secrecy. This means the encryption keys are stored on your device, and any device that does not have access to the messages at the time they are sent is unable to view the message.
• You can use any XMPP client with OMEMO support. You aren’t dependent on any one app. And you have the freedom to find an interface that best suits you.
• Time-tested. XMPP has been around for a long time. OMEMO is younger, but it isn’t likely to go away any time soon. After all, older encryption methods remain available. But if the time comes to switch to a new form of encryption, you can do so without having to ditch your existing XMPP account.

Weakness of XMPP with OMEMO Encryption

• Messages are not encrypted by default. You must enable OMEMO for your account. You can then opt to encrypt messages on a per-chat basis or encrypt all of your messages. The latter limits your communication to people who also have XMPP accounts with OMEMO support.
• Forward secrecy. If you send a message from your laptop before signing in to your phone, your phone will not be able to view the message. This is different from what most of us have grown to expect.
• Older technology limits communication. XMPP with OMEMO delivers most of the essential functionally, but the experience may feel a bit old-fashioned. You don’t have the ability to “like” messages, respond to each individual message with an emoji, or start threads within a chat.
• Relatively unknown. Most people have never heard of either XMPP or OMEMO. If you want to chat with friends and family members, there is a good chance you will need to introduce each person to the technology and convince them to make the switch, one person at a time. While there are apps that make the process very straightforward, such as Quicksy and Conversations for Android, you may have an easier time introducing people to an app like Signal that is gradually becoming more well-known.

Should You Use XMPP With OMEMO Encryption?

XMPP and OMEMO alike are simple tools with overly technical sounding names. Anyone with enough technical proficiency to create an email account and use an email client has the skills necessary to use XMPP and begin sending private messages.

The important questions, as always, are: who do you want to talk to, and will they make the switch with you? If not, don’t necessarily default back to a mainstream platform, and you aren’t stuck with Signal either. Matrix offers similar security and decentralization, but with more modern luxuries.