We have a couple of important announcements relevant to people running the Snikket server software on ARM devices, including Raspberry Pi. Systems using ARM processors are increasingly popular for self-hosting due to their increased efficiency, lower cost and minimal energy consumption.

The Snikket January 2022 server release was an exciting release for us, but some users on ARM-based systems reported some difficulties upgrading to the new version.

Web interface ARM compatibility

Due to a couple of issues with the way our new release was built, the release for certain ARM devices did not include all the necessary components for the web interface to start. If you are affected by this, you may notice the web portal being unavailable on your instance after upgrading. Inspecting the logs may reveal failure to load the module “aiohttp”.

We have fixed our build process, and pushed an updated release. Although the new version is available for all platforms (not only ARM) the only other changes are some translation improvements in the web portal.

To upgrade to the new release, see our upgrade guide .

Compatibility with Debian 10

The second issue we discovered is that users with systems running Debian 10 or Raspbian 10 (“buster”) may encounter an issue where the service fails to start. Inspecting the logs may reveal errors such as “permission denied” or various errors related to “time”.

The container security rules supplied in Debian 10 are out of date. The old rules do not allow access to modern methods of requesting the current time from the system (the current time is necessary for a range of functionality, including verifying certificates are not expired).

Luckily there are a couple of options to fix it. For example, just upgrading your system from Debian/Raspbian 10 to 11 will automatically resolve the issue. Alternatively, if you’d like to avoid upgrading your system right now, a fixed package has been provided by the Debian backports team. We have full details in our troubleshooting guide .

---

If you have any trouble upgrading on any platform, feel free to stop by our community chat and we’ll be happy to help you out!

New year, new Snikket: We’re excited to introduce a new release of the Snikket server! The Snikket server is an easy-to-install server package that allows you to run your own private messaging service for family, friends and other small groups.

The main focus since the previous server release in November has been on the DAPSI-funded Account Portability feature, which allows people to export and import account data for backup and migration purposes.

For information on how to upgrade from a previous release, see our quick upgrade guide .

Account import and export

Last year, we announced that we had been selected for funding to improve the state of account portability/migration in Snikket and XMPP. You can read more background information about this project at the XMPP Account Portability project homepage on Modern XMPP. This release finally introduces the results of our work on this project in Snikket.

Snikket users can export their account data from within the web portal. A new “Manage your data” button provides easy access to the export functionality. This can be used for backup purposes or to take account data to another service provider.

The data is exported in a standardized format which can be supported by any XMPP server, further strengthening the interoperability of Snikket with other existing XMPP-based chat services.

After successful registration via the web portal (not via the app yet), new users are offered a form where they can upload their account data. This data could come from a Snikket server or another compliant XMPP server, allowing users to more easily move to the Snikket ecosystem of small, federated instances.

A glimpse of the new import and export interfaces

We are very grateful for the support of the NGI DAPSI team and the EU funding that allowed us to complete this important piece of our roadmap!

Improved resource monitoring

Our previous release introduced metrics in the web admin dashboard (the “System Health” section), and the ability to export those to monitoring systems such as Prometheus via the OpenMetrics API. This release includes more improvements in this area, including more accurate memory usage monitoring, and Snikket can now also report the amount of storage used by file uploads.

Internal changes

We’ve upgraded the Snikket Docker images from Debian 10 to 11. We’ve also upgraded Prosody, which brings a whole bunch of changes, including reduced memory usage and a more robust DNS implementation. This release should also restore update notifications, which have been unreliable in some previous versions.

Installing or upgrading

If you’re new to Snikket and want to try out the new release, check out our quick-start guide . If you already use Snikket, head over to our upgrade guide !

Folks using our hosting service, the new release will be available in your dashboard in the next day or so.

Our next focus will be on polishing the next version of our iOS app, so we can release a lot of exciting improvements to app store users. Stay tuned for another post about that soon. Meanwhile… happy chatting! :)

Update 20/01: A small hotfix was pushed to the release to solve a lingering issue with update notifications.

Update 31/01: Systems running Debian 10 or Raspbian 10 on ARM should review our upgrade notes before installing this release.

Snikket Server - 2022-01-13 security release

A security flaw has been found and fixed in a core component of the Snikket server software, Prosody. A fix has been released today, and it is recommended that everyone upgrades as soon as possible to receive the fix.

The flaw would allow an attacker to trigger the Snikket server to consume extreme amounts of resources (CPU and RAM), resulting in a denial of service.

Upgrading

You can find instructions for upgrading to the latest release in our upgrade guide .

If you are a Snikket hosting customer, you will receive an email with information about upgrading your instance.

Questions

What is a “Denial of Service” attack?

A “Denial of Service” attack (DoS) is any attack that causes an internet service (such as Snikket) to become unavailable to its users, i.e. unable to handle requests. In Snikket’s case, this means users would be temporarily unable to exchange messages, make calls, or share media and files.

Is any data at risk?

This flaw does not expose any data to the attacker. It simply causes Snikket to consume large amounts of memory and stop responding.

What is the impact of this issue?

Snikket may use large amounts of CPU and RAM while trying to handle traffic that has been specially crafted by an attacker to trigger this flaw. If Snikket is running on a server alongside other services, Snikket’s excessive use of resources may negatively impact those services as well.

How was this issue discovered?

The issue was discovered by the Prosody development team during a review of the code. It is not known to have been actively exploited by anyone. However, now that the fix has been published, it may bring more attention to the flaw. It is recommended that you upgrade as soon as possible.

What other changes are in this release?

This security release only contains changes that fix the security issue. No features or other fixes have been introduced in this release.

Is there a workaround?

If you cannot upgrade immediately, you can run the following command in your Snikket directory (where docker-compose.yml is located) to disable WebSocket support temporarily:

docker-compose exec -it snikket prosodyctl shell module unload websocket

WebSockets are enabled by default, but not used by any of the official clients; they are only needed for Web-based clients. Web-based clients should in addition be able to (be configured to) fall back to the unaffected BOSH endpoint.

Note that the above workaround is temporary - it will be reset if you restart Snikket for any reason. It is recommended to upgrade Snikket to achieve a permanent fix.

How can I tell if my version is affected?

The fix has been released in ‘beta.20220113’.

To check your version, log in to the Snikket web portal with your admin account. Then click on the “Snikket service” text at the bottom of the page. View the section “Software Versions” and ensure that the ‘Prosody’ component reports Snikket test 48-3d061 . If you see 0.dev , 37-e5d49 or any number lower than 48 then your Snikket is not up to date yet. Follow the upgrade guide .

Further information

If you have any questions or concerns about this release, you can join the Snikket community chat or contact us directly .

References

• Original Prosody advisory

We’re excited to introduce a new release of the Snikket server! The Snikket server is an easy-to-install server package that allows you to run your own private messaging service for family, friends and other small groups.

Since the previous server release, we’ve been focusing our work mainly on the Snikket apps, especially the first release of our iOS app. We’ve continued work on the server part of Snikket though, and we’re glad to share a range of new improvements with you now.

For information on how to upgrade from a previous release, see our quick upgrade guide .

iOS improvements

In case you missed it, we released the first version of our iOS app to the app store a couple of months ago. We’ve been continuing to develop the app, and more releases are already in the pipeline.

Upon the app’s initial release there were still a few “rough edges”, such as the lack of notifications for group messages while the app is closed. Fixing a number of these issues required work on the server, and so that has been a big focus of this release.

In particular:

• Encrypted messages show a nicer notification (“You have received an encrypted message”). Displaying the contents of encrypted messages without opening the app is not yet possible, but is planned.
• The app can now show notifications from group chats even while the app is closed. A couple more small changes are required before this works seamlessly, and these will be included in a future app update.

Now that these issues are resolved, a link to the iOS app will be shown by default on the Snikket invitation page, starting from this release.

File sharing limit increased

You can now share files up to 100MB using Snikket! Previously this was limited to 16MB for technical reasons. Although most shared files are much smaller than 16MB, there is the occasional need to share larger files. Now you’re covered.

To help server operators plan their system resources, it’s now possible to set a service-wide quota for the storage of uploaded files. This means that even if your users have a little too much fun with the new limits, you can be sure your system won’t run out of disk space.

Limited accounts

In the previous release we introduced the ability to select whether an account is an administrator or a normal user. In this release we add one further type: “limited” accounts.

A limited account has a number of restrictions. In particular they:

• may only communicate with users and group chats on the same server,
• may not create public channels,
• may not invite new users to the server.

The purpose of limited accounts is to allow you to grant use of the server for communication with other users of the server only. This can be applied to accounts for children or guest users, for example.

For more information, see the documentation on User Roles .

Resource monitoring

The web admin dashboard now shows some basic statistics about your server resources, such as system load and memory usage of the various Snikket components. This can be helpful to ensure Snikket is performing well and you have enough resources available to serve your users.

Screenshot of the resources panel in the Snikket web interface

Server announcements

In the same system health area of the admin dashboard, you can also now send an announcement message to all users of your server - e.g. to inform them about upgrades and maintenance.

Support and questions

As usual if you need any help or have questions about the new release, you’re welcome to join our community chat where folk will be glad to help you out.

Stay tuned for more upcoming releases, and… happy chatting!

This is the announcement many people have been waiting for since the project began!

Opinions are often strong about which is the best mobile operating system. However, while it varies by region and demographic, wherever you are it’s very likely that you have Apple users in your life, even if you don’t use one yourself. We want to ensure that the platform you use (by choice or otherwise) is not a barrier to secure and decentralized communication with the important people in your life.

The lack of a suitable client for iOS was an obstacle to many groups adopting Snikket and XMPP. For this reason, today’s release of a Snikket app for Apple’s iPhone and iPad devices is a significant milestone for the project.

A community effort

It’s a journey that began late last year with the announcement that we would be sponsoring support for group chat encryption in Siskin IM, the open-source iOS XMPP client developed by Tigase .

The Tigase folk have been very supportive of our project, and I’d like to especially thank Andrzej for his assistance and patience with all my newbie iOS development questions!

There are many other folk who have also helped unlock this achievement. This includes everyone who helped to fund the development work - especially Waqas Hussain, the kind folk at jmp.chat and of course absolutely everyone who has donated to the project. The majority of donations are anonymous so it’s impossible to thank everyone individually, but the amount of support we’ve received as a project is amazing, and really gives us confidence in achieving even more ambitious milestones in the future.

Funding aside, we couldn’t have refined the app without help from our diligent beta testers - with particular thanks to Michael DiStefano, Martin Dosch, mimi8999 and Nils Thiele for their bug-catching and comprehensive feedback. Everyone participating in the beta programme has helped shape the app we’re releasing today.

What happens now?

We’ll be rolling out a Snikket server update shortly that will add a link to the iOS app from Snikket invitation pages.

If you’re eager to make the app available to your users before then, you can add the following line to your snikket.conf:

SNIKKET_WEB_APPLE_STORE_URL=https://apps.apple.com/us/app/snikket/id1545164189

After saving the file, apply the change with the command docker-compose up -d .

If you are using the Snikket hosting service, you will get an email soon that explains how to enable the app store link for your instances.

We’re not done yet

This is a big milestone, without a doubt. But we’re not completely done. The app is not perfect (yet!) and we’re still working on many things. But we believe this is no reason not to share it with the world as early as we can.

Push notification compatibility

The first thing to note (especially as many non-Snikket users will also be excited about a new iOS XMPP client on the scene) is that our primary focus has been on the app working seamlessly with Snikket servers. We’re committed to XMPP interoperability, but time and resources mean we can’t develop and test every change in pace with every XMPP server.

Although we expect it to generally work, there are some known compatibility issues currently. Specifically, due to the strict “no background network connections” policy for iOS apps, we have needed to adapt push notification handling slightly differently to what is supported on most XMPP servers today. The extensions we use are openly published by Tigase , and we have made available community modules for Prosody ( mod_cloud_notify_encrypted , mod_cloud_notify_priority_tag and mod_cloud_notify_filters ), and discussion has begun on moving these extensions over to the XMPP Standards Foundation standards process. We welcome help and contributions towards evolving XMPP’s current push notification support. If you’re interested, reach out!

Until then, although some backwards-compatibility considerations are in the app, this means it’s very possible you may experience issues with notifications on some non-Snikket servers when the app is closed (though Tigase servers and Prosody servers with the community modules enabled should be fine).

Language support

The app is currently only available in English, which is an unfortunate contrast from all other Snikket projects which are available in many languages already.

Updating the app to support translation of the interface is high on our priority list. After this is implemented, we will also be looking for help from translators, so stay tuned for further announcements.

Other work in progress

Other known issues that we are working on:

• Notifications for OMEMO-encrypted messages show a potentially-confusing message about the app lacking OMEMO support. This will be fixed by the same server update that adds the app to the Snikket invitation page.
• Group chat notifications are not yet working. This will also be rolled out as a future server update.

Of course, we will also soon be incorporating feedback from the usability audit and testing sessions when that work is completed.

---

I want to say a final thanks to our entire community for supporting the project. Snikket has ambitious goals , and the progress we’re making couldn’t be achieved without all the help and support we’ve received.

Drop us feedback about the app if you try it out, file bug reports and feature requests to help us with planning and, if you can, donate to help sustain the development of the entire project.

We look forward to welcoming more users to the XMPP network than ever before!

One of the primary goals of the Snikket project is improving the usability of open communication software. We see usability as one of the major barriers to broader adoption of modern communication systems based on open standards and free, libre, open-source software. By removing this barrier, we open the door of secure and decentralized communication freedom to many vulnerable groups for which it was previously inaccessible or impractical.

Simply Secure is a non-profit organization working in user interface (UI) and user experience (UX) design. They specialize in combining human-centered design with the complex technical requirements of privacy-first secure systems. Our first introduction to Simply Secure was while contributing to Decentralization Off The Shelf (DOTS) , a unique and valuable project to document and share successful design patterns across the decentralized software ecosystem.

Now, thanks to funding from the OTF’s Usability Lab , we’re pleased to announce that Simply Secure will be working with us over the coming months to identify issues and refine the UX across the project, with a special focus on our iOS app.

We’ve made a lot of progress on the Snikket iOS app recently, largely based on valuable feedback from our beta testers, and we are getting excitingly close to a general release. However there is still some work to be done.

The expert folk at Simply Secure will be performing a usability audit of the current app, as well as conducting usability testing , which is the study of how people use the app, and what struggles they face while completing specific tasks.

Using information from these analyses the Simply Secure team will assist with producing wireframes (sketches of what the app’s interface should look like) and actionable advice to improve the UX of the iOS app and Snikket as a whole. You will find information on how to participate later in this post.

What is UX anyway?

The modern UX design movement is a recognition that technology should be accessible and easy to use for everyone. Good design can assist and empower people, poor design can hinder and even harm people. The need for design goes far beyond making a user interface look beautiful. Software that is not visually appealing may affect someone’s enjoyment of an application, but an aesthetically-pleasing interface is not magically user-friendly.

Therefore designing for a good user experience is about more than just making the interface look good, it’s about considering how the software fits into a person’s life, what they need from the software (and what they don’t need) and how they expect it to behave.

These are tricky things to get right. Every user is different, and a broad range of input must be taken into consideration as part of a good design process.

UX methodologies

There are various ways to gather information useful for making informed decisions about UX improvements. A common easy and cheap approach is to add metrics and analytics to an app. This can tell you things like how often people tap a particular button, or view a particular screen. Developers and designers can use this information to learn which features are popular, which should be removed, or made more visible.

This approach has drawbacks. Firstly it only tells you what users are doing, it doesn’t tell you why they are doing it, or what they are thinking and feeling - for example if they are frustrated while looking for a particular feature or setting. Metrics can tell you that making a button more prominent increased the click rate, but it won’t tell you if half the users who clicked on the button were expecting it to do something else! This isn’t really going to give you enough information to improve usability.

Another significant drawback with a focus on metrics is the amount of data the app must share with the developers. People generally don’t expect apps on their device to be quietly informing developers about the time they spend in the app, what they look at and what buttons they press. Such data collection may be made “opt-in”, and there are modern projects such as Prio , working to bring privacy and anonymity to such data collection through cryptographic techniques.

A wildly different but much more valuable approach is to directly study people while they use the app - a technique known as “usability testing”. Unlike silent data collection, usability testing directly pairs individual users or groups with an expert while they are asked to perform specific tasks within the app. Although this requires significantly more time and effort it produces more detailed and specific insights into the usability of an interface.

Advantages of this kind of study include the ability to listen and learn more deeply the needs of specific types of users, particularly minorities whose problems could easily be drowned out by larger groups of users in a simple statistics-driven data collection approach. It also allows you to capture peoples' thought processes, by asking them to explain each step as they complete tasks within the app.

Participation and looking forward

We can’t wait to begin our first usability testing facilitated by the experienced team at Simply Secure, and incorporate their findings into Snikket’s development.

If you’re interested in taking part, or know someone who would be a good fit for this project, we’d love to talk to you for 30 minutes to better understand how to improve Snikket. There will be no invasions of privacy as a result of this research. All identifying information will be removed. We will take all necessary and appropriate precautions to limit any risk of your participation. Anything that we make public about our research will not include any information that will make it possible to identify you. Research records will be kept in a secure location, and only Simply Secure and Snikket personnel will have access to them.

Appointment slots are available from 24th August to 3rd September.

Update: The usability testing phase of this project has now ended. Many thanks to everyone who participated, and helped spread the word!

Further reading

• Comparison of usability evaluation methods (wikipedia.org)
• User Testing Cheat Sheet (simplysecure.org)
• Safeguarding Research Participants With A Bill Of Rights (simplysecure.org)

We’re pleased to introduce a new release of the Snikket server. The Snikket server is an easy-to-install server package that allows you to run your own private messaging service for family, friends and other small groups.

As well as some new features, this release has some important security fixes for the built-in Prosody component. We advise all administrators to update as soon as possible.

For information on how to upgrade, see the (very short) upgrade guide .

Web interface

User and role management

This release brings a new interface for viewing and editing user accounts on the server. Among the changes is the ability to select the “access level” of an account via the web interface. In particular this allows you to add/remove other administrators of your server.

In the future we will also be adding an additional ‘limited’ access level that can be used to restrict access to features such as invites and federation for certain user accounts (such as guests and minors).

Invitations

Invitation pages now include a link to download the Snikket app from F-Droid , as well as Google Play. Although F-Droid doesn’t yet support the seamless registration flow , it’s important that we help people discover free (as in freedom) alternatives whenever possible!

Translations

Translation improvements have been made for Polish, German, Danish, Spanish (Mexican), Indonesian and Swedish.

Certificate renewal

A bug has been fixed that eventually caused Snikket to present an expired certificate for web links (the web interface and also shared files). Restarting the service is a temporary fix, but this release will prevent it happening again in the future.

Technical improvements

Here’s a bunch of lower-level changes for advanced users that are included in this release:

• You can now configure what address Snikket’s built-in HTTP server will listen for connections on (useful for certain advanced setups behind a reverse proxy)
• Add docker health checks, allowing docker to inform you about the health of the Snikket services
• Switch to a more robust DNS resolver (used for federation when connecting to other servers)
• Allow configuration of an external TURN server (replacing the built-in one)
• Fix support for BOSH and websockets (allowing third-party web clients)

If you have any questions or feedback about this release, let us know!

We have some exciting news to share! An important piece of the Snikket roadmap has been selected for funding by NGI DAPSI, an EU-funded project focused on data portability and services.

What is DAPSI?

The Data Portability and Services Incubator (DAPSI) is a EU funded project, under the European Commission’s Next Generation Internet (NGI) initiative. In their own words, DAPSI was established to:

[…] empower top internet innovators to develop human-centric solutions, addressing the challenge of personal data portability on the internet, as foreseen under the GDPR and make it significantly easier for citizens to have any data which is stored with one service provider transmitted directly to another provider.

You can learn more about the initiative on the NGI DAPSI website .

Data portability in Snikket and XMPP

Over the years we have seen many XMPP providers come and go, and when a provider decides to shut down, it’s too often not easy for people to obtain their data and move it elsewhere. This contributes to user churn on the XMPP network - individuals are likely to leave XMPP rather than figure out the necessary steps to migrate to a new XMPP service.

There are other reasons for wanting to move your data, such as seeking providers with better privacy or reliability. You may also want to relocate from a provider to a self-hosted solution, or vice-versa.

As part of Snikket’s mission to improve all aspects of XMPP usability, clear data ownership and portability options have been an important goal since the project’s beginning.

In particular we believe:

• People should not be locked into the service by the first provider they sign up with.
• People should be able to export their full data at any time, in a standard format.
• People should be able to easily migrate their account data to a new provider without losing important contact relationships.

The XMPP account portability project

The need for account and data portability goes beyond Snikket, we want to see improved portability and data interoperability across the whole XMPP ecosystem. DAPSI have funded an extensive project that over the next nine months will cover:

• Standardizing the necessary protocols and formats for account data import and export
• Developing open-source easy-to-use tools that allows people to export, import and migrate their account between XMPP services
• Building this functionality into Snikket

The standards will be submitted through the usual XMPP standards process and the implementations will be open-source.

XMPP already has some existing standards that overlap with this project, in particular XEP-0227 and XEP-0283 . Both specifications are outdated and incomplete (XEP-0227 doesn’t support many modern features, and assumes your password will be exported in plain text!). We will update and/or complement these documents as needed.

The final stage of work will be to integrate the migration mechanism into Snikket. This will allow people to move their accounts between Snikket servers, including to or from our hosted service as well as other XMPP servers.

Our not-for-profit organization is committed to sustaining the Snikket project through ethical means and without the influence of private investment. We are very grateful for initiatives such as NGI, allowing projects like ours to fulfil our ambitious goals with open and transparent funding. Every project funded by them is helping to rebalance the internet.

We look forward to sharing further updates on this project in the coming months, so stay tuned! You can follow us on Mastodon and Twitter , or subscribe to this blog’s RSS feed .