Post 9kmeclwUIWqarRFO4G by ashwinvis@mastodon.acc.sunet.se
Post #9kgIz6SSJRXQF5TXrU by infosechandbook@mastodon.at
       2019-07-09T18:19:42Z

       5 likes, 8 repeats

       Physical (de)centralization of XMPP servers – we took 1000+ XMPP servers and looked at their hosters: https://gist.github.com/infosec-handbook/19f96587511d6d8ab79b564a7e0b3bdf
       – about 50% of these servers are hosted by only 7 companies in 3 countries
       – logical decentralization obviously doesn't imply physical decentralization
       – more than 50% of servers are hosted in Germany, followed by the USA (10%) and France (7%)
       #xmpp #decentralization #centralization #statistics
       
Post #9kgbme8tf3tg4s6J8K by tobi@social.kabi.tk
       2019-07-09T21:50:18Z

       0 likes, 0 repeats

       .@infosechandbook Join #Matrix! Setup for personal use is much easier, using #Yunohost for instance. #FutureNotPast
       
Post #9kggIrEwtqTFmZXx2m by debacle@framapiaf.org
       2019-07-09T22:40:58Z

       0 likes, 0 repeats

       @infosechandbook It would be interesting to count actual active users, but this information is probably not available. I assume that many private users are concentrated on some well-known servers such as disroot.org, jabber.de, mailbox.org etc., but that's only a gut feeling. Corporate users are probably on their own servers, e.g. this is the case at my workplace. #xmpp
       
Post #9kh8O60qCWLVlMEYk4 by infosechandbook@mastodon.at
       2019-07-10T03:55:40Z

       0 likes, 0 repeats

       @tobi This isn't about the religious war "XMPP vs. Matrix", but about the frequent assumption that such instant messaging systems are mostly decentralized. Obviously this isn't the reality, as the majority of servers are hosted by a really small number of hosters. As @debacle pointed out, it would be interesting to see the actual number of active users per server. Then, everything could be even more centralized. (Assumption here: it is the same for Matrix.)
       
Post #9khl0nhz0lAPDsVJJI by hrthu@fosstodon.org
       2019-07-10T11:08:26Z
       
       0 likes, 0 repeats
       
       @infosechandbook Great info, thanks
       
Post #9kmUsGVfvp2ASzSGO0 by kai@m.kretschmann.social
       2019-07-12T18:01:07Z
       
       0 likes, 0 repeats
       
       @infosechandbook yeah I found my own server in that list.
       
Post #9kmUt5NymCBIFtFKyG by z428@social.tchncs.de
       2019-07-12T18:01:14Z
       
       0 likes, 0 repeats
       
       @infosechandbook Interesting, yet not much of a surprise. At the very end, reliably running physical server infrastructure isn't a trivial endeavour, that's why a lot of people fall back to using Linode, Digital Ocean and the like.
       
Post #9kmZ8uo6H77PtcGf6e by x00@camixo.com
       2019-07-12T18:48:59Z
       
       0 likes, 0 repeats
       
       @infosechandbook What is the definition of "hoster" here?
       
Post #9kmeclwUIWqarRFO4G by ashwinvis@mastodon.acc.sunet.se
       2019-07-12T19:50:21Z

       0 likes, 0 repeats

       @infosechandbook @tobi @debacle Indeed, cloud is expensive and the major players are AWS, MS Azure and Google Cloud. I am surprised to see DO on top. Either way, I would imagine Mastodon instances would be hosted mostly among these - except for smaller instances. Correct me if I am wrong, and this is speculation, but what is stopping these big companies from data mining their own servers? Especially when the data is stored in a standard format.
       
Post #9kmhEUzLyo0XByhl8C by aslmx@chaos.social
       2019-07-12T20:19:39Z

       0 likes, 0 repeats

       @infosechandbook @Digitalcourage yeah my domain also shows up in that list. Interestingly it is grouped with other servers from my residential customer Internet service provider. I guess the metric used is the AS number? I wouldn't say these 30 something XMPP servers are hosted on the same platform though... And still.... even if there is some kind of oligopoly or center of gravity.... (like with Mastodon also) still better than the centralized platforms like the Zucker ones....
       
Post #9kmncYGk2B4G2cgrp2 by lightone@mastodon.xyz
       2019-07-12T21:31:14Z
       
       0 likes, 0 repeats
       
       @infosechandbook The same is true for Fedi (https://fediverse.network/servers / https://chaos.social/@leah/99837391793032137 )
       
Post #9knLoPzo147CIbbBlA by tobi@social.kabi.tk
       2019-07-12T20:09:06Z

       0 likes, 0 repeats

       @ashwinvis Also you can enable server-side total encryption. The most serious thing is availability. So it shouldn't be that if Cloudflare or AWS is down, nothing works. Therefore people need to host carefully and not with the big companies. We built https://libreho.st for instance as a first approach. Things will be good in the end! Hope so 😅 @infosechandbook @debacle
       
Post #9knLoR2K9BivWhmiK8 by ashwinvis@mastodon.acc.sunet.se
       2019-07-12T20:13:07Z

       0 likes, 0 repeats

       @tobi @infosechandbook @debacle Yeah, XMPP+OMEMO and Matrix would be fine. I was talking about the Fediverse. I don't think there is any encryption going on for Mastodon, is there (except for the HTTPS traffic)? Plus, I read somewhere in the docs discouraging Mastodon being hosted on low-power devices like Raspberry Pi, which rules out self-hosting for me 😕 Pleroma encourages raspies however.
       
Post #9knLoRzWb54wUJTzbE by infosechandbook@mastodon.at
       2019-07-13T03:54:18Z
       
       0 likes, 0 repeats
       
       @ashwinvis @tobi @debacle XMPP servers are as well physically centralized (https://mastodon.at/@infosechandbook/102412870082664239), and server admins can read and modify nearly everything on XMPP servers even if OMEMO is enabled (https://infosec-handbook.eu/blog/xmpp-aitm/). So, this problem is actually widespread.
       
Post #9knMeI7oWbPawk4zjc by infosechandbook@mastodon.at
       2019-07-13T04:03:45Z
       
       0 likes, 0 repeats
       
       @x00 Companies that provide virtual/dedicated servers. Most people don't have their physical server at home but somewhere in a data center owned by such companies.
       
Post #9knOMRh8PEypK2Dcxc by nifker@mastodonten.de
       2019-07-12T22:22:46Z

       0 likes, 0 repeats

       @tobi @infosechandbook Matrix does basically even advertise centralization... which is mostly because it is a bad idea for a decentralized communication protocol to just straight recommend their own server.
       
Post #9knOMRtXf6u9wW1XIe by infosechandbook@mastodon.at
       2019-07-13T04:22:54Z

       0 likes, 0 repeats

       @nifker @tobi We only got a very small sample of Matrix servers and scanned them yesterday: https://gist.github.com/infosec-handbook/ca2650f0e7e49edb70a3d7d81fd20db5 4 out of 14 servers (28%) are hosted by Hetzner. (Hetzner also hosts 17.5% of XMPP servers and 7.66% of Mastodon servers in our tests.) So, as @Gargron expected, the results are probably similar for most websites.
       
Post #9knZZeW98qEsLrZyWu by muppeth@social.weho.st
       2019-07-13T06:28:23Z

       0 likes, 0 repeats

       @infosechandbook @x00 Your list then is inadequate, as you assume everyone uses a VPS/dedi provided by a given ISP, while probably quite a few use their own hardware and colocate it in those datacenters.
       
Post #9kneue6sLrq0wJaZJA by infosechandbook@mastodon.at
       2019-07-13T07:28:23Z
       
       0 likes, 0 repeats
       
       @muppeth @x00 The biggest companies on these lists are well-known server hosting companies. These companies aren't internet service providers.
       
Post #9kpZDDHQ7NbboyuYOe by mmin@scholar.social
       2019-07-14T05:33:53Z

       0 likes, 0 repeats

       @infosechandbook This is really fascinating. I don't know much about the tech side of it, but it seems to me that decentralisation on one layer moves the focus of centralisation to lower layers.
       
Post #9qWCpZhnZk2r73FikK by vitamink2@social.tchncs.de
       2019-12-31T08:36:10Z
       
       0 likes, 0 repeats
       
       @infosechandbook thanks for the info!
       
Post #9qcny3dr1EmTWn4j8i by gdr@aleph.land
       2020-01-03T13:00:35Z
       
       0 likes, 0 repeats
       
       @infosechandbook looking at my server: your data is wrong. Just because I have a domain purchased at OVH doesn't mean my XMPP server is at OVH.
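The methodology questions raised across the thread (x00 asking what "hoster" means, aslmx guessing the grouping is by AS number, muppeth pointing at colocated hardware, gdr noting that a domain bought at OVH says nothing about where the XMPP server runs) all reduce to one question: which address do you attribute? The following is an added example, not the scanner behind the gists and not infosec-handbook's code. It follows the `_xmpp-client._tcp` SRV record to the host that actually answers on the client port, attributes that host's IP by longest-prefix match against a prefix-to-AS table, and keeps residential ISPs separate from hosting companies. The DNS answers, the prefixes (RFC 5737 documentation ranges), the AS numbers (private range) and the organisation names are all constructed for the example; a real run would replace `FAKE_DNS` with live lookups (e.g. dnspython) and `FAKE_ASN_TABLE` with a RIR or Team Cymru prefix dataset.

```python
"""Attribute an XMPP domain to the network that actually serves it.

Added example, not the thread's scanner. DNS answers and the prefix->AS
table are constructed (RFC 5737 documentation addresses, private ASNs).
"""
import ipaddress
from collections import Counter

# Constructed zone data. example.org's web host (apex A record) and its
# XMPP host (SRV target) sit in different networks on purpose.
FAKE_DNS = {
    ("_xmpp-client._tcp.example.org", "SRV"): [(10, 0, 5222, "xmpp.example.org.")],
    ("xmpp.example.org", "A"): ["203.0.113.17"],
    ("example.org", "A"): ["198.51.100.9"],
    # No SRV at all: RFC 6120 section 3.2.2 falls back to the domain itself.
    ("example.net", "A"): ["192.0.2.44"],
    # A lone "." target means the service is explicitly not offered (RFC 2782).
    ("_xmpp-client._tcp.example.com", "SRV"): [(0, 0, 5222, ".")],
}

# Constructed prefix -> (asn, organisation, kind) table. "kind" separates
# hosting companies from residential ISPs, which get lumped together when
# you group by AS alone (the situation aslmx describes above).
FAKE_ASN_TABLE = [
    ("203.0.113.0/24", 64496, "ExampleHost GmbH", "hosting"),
    ("198.51.100.0/24", 64497, "Example CDN Ltd", "hosting"),
    ("192.0.2.0/24", 64498, "Example Residential ISP", "residential"),
]


def lookup(name, rtype, dns=FAKE_DNS):
    """Return records for (name, rtype); a trailing dot on the name is ignored."""
    return dns.get((name.rstrip("."), rtype), [])


def xmpp_target(domain, dns=FAKE_DNS):
    """Host and port that serve XMPP for `domain`, or None if none is offered.

    Lowest priority wins, then highest weight (weight is treated as a plain
    preference here rather than the weighted random choice RFC 2782 asks for).
    """
    srv = lookup(f"_xmpp-client._tcp.{domain}", "SRV", dns)
    if not srv:
        return (domain, 5222)
    _prio, _weight, port, target = sorted(srv, key=lambda r: (r[0], -r[1]))[0]
    if target == ".":
        return None
    return (target.rstrip("."), port)


def classify(ip, table=FAKE_ASN_TABLE):
    """Longest-prefix match of `ip` -> (asn, org, kind), or None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, org, kind in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn, org, kind)
    return best[1:] if best else None


def attribute(domain, dns=FAKE_DNS, table=FAKE_ASN_TABLE):
    """Follow SRV -> A -> prefix table and report who serves the client port."""
    result = {"domain": domain, "host": None, "ip": None, "asn": None, "org": None}
    target = xmpp_target(domain, dns)
    if target is None:
        return {**result, "kind": "no-service"}
    host, port = target
    ips = lookup(host, "A", dns)
    if not ips:
        return {**result, "host": host, "kind": "unresolved"}
    asn, org, kind = classify(ips[0], table) or (None, None, "unknown")
    return {**result, "host": host, "port": port, "ip": ips[0],
            "asn": asn, "org": org, "kind": kind}


def tally(domains, dns=FAKE_DNS, table=FAKE_ASN_TABLE):
    """Count domains per organisation and per kind (hosting, residential, ...)."""
    by_org, by_kind = Counter(), Counter()
    for domain in domains:
        r = attribute(domain, dns, table)
        by_kind[r["kind"]] += 1
        if r["org"]:
            by_org[r["org"]] += 1
    return by_org, by_kind


if __name__ == "__main__":
    # Attributing by the apex A record (the web host) would blame the wrong
    # company for example.org; following the SRV record does not.
    print("apex A record ->", classify(lookup("example.org", "A")[0]))
    print("SRV target    ->", attribute("example.org"))
    print(tally(["example.org", "example.net", "example.com"]))
```

Two caveats a practitioner would want before trusting the counts. First, the prefix table tells you which network announces the address, not who owns the machine, so a colocated box in a hosting company's address space is still counted under that company (muppeth's objection stands; separating it would need rDNS, whois netnames or banner data the table does not have). Second, counting by apex A record, by registrar, or by the web host mixes in CDNs and registrars that never touch XMPP traffic, which is exactly the mismatch gdr reports; the SRV walk above is what avoids it.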