Things I don't like with OMEMO as it is today
debacle · Tuesday, 13 November, 2018 - 19:21 edit · 2 minutes
I use OMEMO every day, because I prefer end-to-end encrypted messaging for many purposes. OMEMO is much better than OTR, and it works well enough to be useful. But OMEMO has a number of usability issues, that should be addressed by the IM and XMPP community at some point.
- It relates to devices instead of users. I don't want to know, whether my contacts own a new device, nor should they care when I do.
- Forward secrecy is a good thing for TLS. But when used for messaging, I cannot decrypt my old messages stored on the server in all cases. Also, it makes key escrow impossible, which is a killer for using it in business.
- Deniability. I want verifiable signatures instead. Maybe I want to conclude a contract via XMPP? For deniability I would use an anonymous account in the first place.
- OMEMO does not encrypt the complete stanza, but only the textual part of a message.
- It does not work with local, serverless messaging. I don't use this feature a lot, but still, encryption should work with it, too.
- OMEMO seems to be pretty complex, which makes implementation relatively hard. In fact, bugs related to OMEMO are still frequent in some clients.
- I already have an OpenPGP key, that is trusted (and occasionally signed) by many. Why not re-use it for IM purposes?
- (added 2019-02-15) This is an amendment to the first point: If we accept the concept of keys per device, at least improve the management. The keys should have a label, e.g. "mobile" or "PC at work", to be less confusing. Or why not automatically cross-sign keys from all devices?
Some of the points can be addressed in later OMEMO versions, but some points seem to be woven into the fabric. Fortunately, I see the light at the end of the tunnel (and I hope it is not the oncoming train): OX or "OpenPGP for XMPP". I hope, that it will heal all my OMEMO aches:
The only thing, I do not like is synchronising of encrypted private keys using PEP, which involves storing it on the server, only secured by the PGP passphrase and the "backup code", generated by the device. But nobody forces me to use the backup feature and I assume, that it can be blocked by admins who feel uneasy about it. Also, OpenPGP seems to have a higher per message overhead than OMEMO. This is probably unavoidable.
Edit: Correction about OX private key encryption, thanks to lovetox!
Edit: Add point about OMEMO complexity and errors, thanks to Holger!