A big thank you to Radically Open Security for performing the audit and to @nlnet for funding it.

Radically Open Security has been a long term partner of #Conversations_im ever since they did the first #OMEMO audit back in 2016!

Recent audit: conversations.im/2025_audit_co…
OMEMO audit: conversations.im/omemo/audit.p…

A recent security audit of #Conversations_im¹ found that wildcard certificate handling didn’t fully comply with the spec.

Conversations was accepting *.a.example for c.b.a.example, even though wildcards are only meant to match a single label.

This issue has been fixed in version 2.18.0, now live on Google Play.

¹: conversations.im/2025_audit_co…

#XMPP #Jabber

If you're still recommending #Signal, you may have missed the tech oligarchs' takeover of the US government. The best time to recommend European alternatives was 8 years ago; the second best is now.

#Conversations_im #XMPP #Jabber

I don’t usually do this kind of evangelism, but if you’re looking for a reason to try #XMPP on #GlobalSwitchDay, now’s the perfect time: #Conversations_im is currently free on Google Play!

play.google.com/store/apps/det…

⚠️ 🚨 It’s time to stop using Blabber.im 🚨⚠️

The abandoned fork of #Conversations_im has a critical security issue: attackers can bypass STARTTLS negotiation, resulting in an unencrypted connection to a fake server. This vulnerability is similar to the STARTLS attack discovered in various email clients¹

✅ Fixed in Conversations 2.13.1 (Feb 2024)

📢 Please migrate to Conversations immediately! It's free on Google Play until the end of the year and always free on #fdroid

¹: archive.fosdem.org/2024/schedu…

FOSDEM 2024 - [Protocols] Security of STARTTLS in the E-Mail Context

^{archive.fosdem.org}