Super true. I think this was best exemplified by SignalGate
starkzarn
joined 2 years ago
This is great, I have not seen this post before. Thank you for sharing.
You make an excellent point here, that the burden of security and privacy is put on the user, and that means that the other party in which you're engaged in conversation with can mess it up for the both of you. It's far from perfect, absolutely. Ideally you can educate those that are willing to chat with you on XMPP and kill two birds with one stone, good E2EE, and security and privacy training for a friend. XMPP doesn't tick the same box as Signal though, certainly. I still rely heavily on Signal, but that data resides on and transits a lot of things that I don't control. There's a time and a place for concerns with both, but I wanted to share my strategy for an internal chat server that also meets some of those privacy and security wickets.
Yes, absolutely. It all depends on implementation. I am using VLANs for L2 isolation. I have a specific DMZ VLAN that has my XMPP server and only my XMPP server on it. My network core applies ACLs that prevent any inter-VLAN traffic from there, so even if STUN/TURN pokes holes, the most that is accessible is that single VLAN, which happens to contain only the single host that I want to be accessible.
Great question.
Just updated my original comment, but that XMPP blog post I mentioned is live: https://roguesecurity.dev/blog/xmpp
Arch wiki never fails to deliver!
XMPP most definitely! Especially if you want to have connectivity to other servers at all (like simplex). It's much simpler, more well-known, battle hardened, and still supports E2EE and video calling very well.
I recommend prosody. I recently went through the process of setting up a server and have a draft blog on it half way finished if you want an account of the experience.
EDIT: Blog post is live at https://roguesecurity.dev/blog/xmpp
There is not a mobile app, no. You can pseudo install it as a PWA if using a chromium based browser though.
I do use HomeAssistant so I let it do the notifications for me, but you could easily setup pubsub and use that to hook gotify or something. Maybe it even has native webhooks at this point, I'm not sure.
Notably though I don't run frigate in HomeAssistant, it's just plugged in via API. That's to support hardware passthrough for my coral TPU.
I highly recommend it over the others. the only one I haven't tested is blue iris because it's windows only and I refuse to have a windows machine on my network. Frigate outperforms all the others that I tested. Zoneminder is a runner up but it feels dated and the object detection is a kludge.
Fantastic writeup. Thank you!
I have some reolink and some amcrest, and I'd choose the amcrest (or dahua) any day tbh. Similar workload. Tensor and frigate for software NVR and object detection, all to a zfs dataset.
Says who? I give all my billionaire best friends shit every day.
Yeah they just redid their container image pipeline and these containers are the result!