Dino 0.5 is out!
Dino now features improved file transfers and two completely reworked dialogs.
Release blog post: https://dino.im/blog/2025/04/dino-0.5-release/
Security firm: We found XYZ. Here are steps to reproduce. Our customer wants a detailed timeline for when you expect to have this fixed.
Me: (That’s not how this works but) here is the commit.
Security firm: Please credit our researcher in the commit.
Me: I'd be more than happy to give you credit once you've published the audit.
Security firm: We can’t publish the audit
(later)
Please credit us.
Me: I'd be more than happy to give you credit once you've published the audit.
(repeat 10x)
Security audits are a funny thing. We lack the (financial) resources for regular, thorough penetration tests. However I’m aware that some of the higher profile users of #Conversations_im occasionally perform audits without my direct involvement and without publishing it afterwards. Those audits aren’t adversarial as indicated by them wanting me to fix what they find.
The funniest instances are when they want to be credited for finding an issue but refuse to make the audit public.
A big thank you to Radically Open Security for performing the audit and to @nlnet for funding it.
Radically Open Security has been a long term partner of #Conversations_im ever since they did the first #OMEMO audit back in 2016!
Recent audit: https://conversations.im/2025_audit_conversations.pdf
OMEMO audit: https://conversations.im/omemo/audit.pdf
A recent security audit of #Conversations_im¹ found that wildcard certificate handling didn’t fully comply with the spec.
Conversations was accepting *.a.example for c.b.a.example, even though wildcards are only meant to match a single label.
This issue has been fixed in version 2.18.0, now live on Google Play.
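The single-label rule from the post above, as an added Python example (not code from Conversations or from the audit): `lax_match` reproduces the over-permissive behaviour the post describes, and `strict_match` lets the wildcard stand for exactly one label. The function names, the hostnames other than the pair quoted in the post, and the refusal of `*.example` and partial-label wildcards are assumptions.

```python
# Added illustration of single-label wildcard matching; not Conversations code.
# All function names here are hypothetical.

def _labels(name: str) -> list:
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def lax_match(pattern: str, host: str) -> bool:
    """Over-permissive: '*' swallows any number of labels (plain suffix check)."""
    if not pattern.startswith("*."):
        return _labels(pattern) == _labels(host)
    suffix, h = _labels(pattern[2:]), _labels(host)
    return len(h) > len(suffix) and h[-len(suffix):] == suffix


def strict_match(pattern: str, host: str) -> bool:
    """'*' must be the entire leftmost label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False              # label counts must agree; no empty labels
    if any("*" in label for label in p[1:]):
        return False              # wildcard only allowed in the leftmost label
    if p[0] == "*":
        # Assumption (conservative policy): need two fixed labels after '*',
        # so '*.example' is never honoured.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial-label wildcards (f*.a.example) rejected
    return p == h


def compare(pattern: str, hosts: list) -> dict:
    """Map each host to (lax result, strict result) for side-by-side review."""
    return {h: (lax_match(pattern, h), strict_match(pattern, h)) for h in hosts}


if __name__ == "__main__":
    # Constructed hostnames; only the first pattern/host pair is from the post.
    hosts = ["c.b.a.example", "b.a.example", "a.example", "B.A.Example."]
    for host, (lax, strict) in compare("*.a.example", hosts).items():
        print(f"{host:16} lax={lax!s:5} strict={strict}")
```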
Looks like Dino is enabling #OMEMO by default for the next release¹. I think that was the last of the major #XMPP clients to do so. Hopefully we can now put the "But XMPP is not encrypted by default" debate to rest.
¹: https://github.com/dino/dino/commit/fc6447c56e7fdaf6f6d843a2215d870caee4aba0
You are encouraged to self-host #XMPP but you are not required to. We try to make self hosting as easy as possible. I think it is one step above hosting your own website but way easier than hosting your own e-mail.
If you are medium tech-savvy I recommend getting your own domain and going for an XMPP provider that lets you bring your own domain (for example: https://account.conversations.im/domain/). This gives you the flexibility to self host or switch providers later.
The good news is you don’t have to wait for the slow, democratic process of the European Union to impose tariffs on US-based digital services. You can boycott Amazon, WhatsApp, and Signal today.
Cool, Fennec is interested in #UnifiedPush support [1]
We will probably have it on Fennec before it gets upstream (if it does).
That means UnifiedPush will be available for "installable web applications". So we'll have push notifications with some new apps!
[1] https://gitlab.com/relan/fennecbuild/-/merge_requests/78
I think I’ve found a relatively nice solution for #FediLinks in #Conversations_im.
You can put web+ap URIs into a message (or room description) and ideally a click on those will open your Mastodon client. However if no installed app supports those (the only app that I’m aware of is Fedilab) Conversations will open a browser instead.
Currently no app will create web+ap links but it is fairly easy to handcraft them.
cc @SoniEx2
I've seen (generative) AI code. I'm currently not worried about AI putting artists out of work.
Anyway here is me catching up to Internet trends from three weeks ago.
With the NGI Mobifree Pilot we work on more ethical mobile software. Consortium partner @waag is looking for app developers who'd like to volunteer as testers.
You'll be testing Murena Fairphone (on loan), F-Droid & Repomaker. There will be 2 in-person meetings and weekly requests for feedback. Because of the in-person meetings it's aimed at people who live in the Netherlands.
Registration is open till April 10. For more info: https://waag.org/en/article/testers-wanted-open-source-smartphone-software/
Today I’m announcing a 45% tariff on #Conversations_im sold in the USA.
It’s hilarious how openly hostile @element has become toward its own users. Calling them free-riders¹ for not purchasing premium support is just bizarre. Imagine a project like nginx doing that. If you don’t want to be an open-source project, just stop.
¹: https://element.io/blog/us-shows-the-risk-of-running-a-government-by-signal/
And they cut away shortly after it became interesting…
I’m so glad that #IsarAerospace decided to live stream their launch. As @acolangelo recently put it on @meco learning from #SpaceX includes celebrating your failures.
Scrub or RUD doesn’t matter. I’m here for it.
I recently developed a thing to turn a Conversations chat* into a PDF.
https://codeberg.org/moji/typst-conversations
That story began with a friend of mine who had an XMPP group chat where they shared updates and pictures of their latest travel adventure. Now chat is rather ephemeral and they wanted to preserve those memories in an easily accessible format, that is, PDF. And so I put something together.
* actually any chat as long as you can get the raw data in the expected format
There are no known security issues with "Siacs OMEMO" / OMEMO v0.3¹ despite what some very loud Signal fans would like you to believe. It has been audited by a third party² who took a longer look at it than all of the Signal fans combined.
Yes, #OMEMO v0.7+ (or TWOMEMO) is a cleaner spec with more features (most notably Stanza Content Encryption). That’s why we wrote it. I’m a co-author. That doesn’t mean v0.3 is insecure.
¹: https://xmpp.org/extensions/attic/xep-0384-0.3.0.html
²: https://conversations.im/omemo/audit.pdf
For the next #Conversations_im release I’m refactoring how URIs are linked / made clickable. I’m adding a bunch of URI schemes like tel and mailto on top of the existing xmpp, http(s) and geo but removing support for "things that look like web URLs but aren’t actually URIs" (like 'example.com') to avoid some false positives.
Once the 2.18.0-beta comes out tomorrow or so, let me know if you see things that aren’t matched and should be matched or vice versa.