💾 Archived View for dio9sys.fun › writeups › snikket › index.gmi captured on 2023-05-24 at 17:40:06. Gemini links have been rewritten to link to archived content


Snikket - A guide to setting up your own chat server

Greetings, weary traveller! Today we're going to set up a chat server on Snikket.

I set up a server the other day using the official install guide, but ran into a couple snags that aren't appropriately addressed.

For context: here is the install guide (web URL, sorry)

Snikket server quick start

Intro, specs, etc

Like most of my small projects, I used the cheapest linode I could find. I really like how no-mess linode is, but you can use whatever you like to use.

I went with a 1 GB RAM server, referred to as a "nanode" on linode. Please note that you will *not* need to pay for SSL, as the Snikket server automatically generates keys with Let's Encrypt. More on that later.

Now, I set up a linode running Debian 11 on an amd64 machine. This made things fairly easy, as docker and docker-compose both have very clear instructions for Debian servers.

Issues - SSL

One thing I didn't anticipate was issues with SSL. Let's Encrypt just...would not work for me.

I checked all my ports and whatnot, then looked in the logs when trying to redeploy Let's Encrypt.

The Snikket guide mentions needing groups.* and share.* subdomain records. Somehow I missed that in the beginning ^_^;

Okay, we fixed it.
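A pre-flight check for the DNS snag above, as an added example (not from the original writeup or the Snikket project). It assumes the groups.* and share.* names should resolve to the same IPv4 address as the main chat domain; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: confirm the DNS records Snikket needs exist before
# letting it request Let's Encrypt certificates.
# Assumption: groups.<domain> and share.<domain> must resolve to the same
# IPv4 address as <domain> itself.

# resolve NAME -> prints the first IPv4 address for NAME, or nothing.
# getent ships with glibc, so no extra packages are needed on Debian.
resolve() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# missing_records DOMAIN -> prints one line per name that is absent or
# points somewhere else; returns 0 only when all three names agree.
missing_records() {
    domain=$1
    base_ip=$(resolve "$domain")
    if [ -z "$base_ip" ]; then
        echo "$domain: no A record"
        return 1
    fi
    status=0
    for sub in groups share; do
        name="$sub.$domain"
        ip=$(resolve "$name")
        if [ -z "$ip" ]; then
            echo "$name: no record"
            status=1
        elif [ "$ip" != "$base_ip" ]; then
            echo "$name: points to $ip, expected $base_ip"
            status=1
        fi
    done
    return $status
}

# Run the check when a domain is given on the command line.
if [ -n "${1:-}" ]; then
    missing_records "$1" && echo "DNS looks ready for $1"
fi
```

Run it with your chat domain as the only argument before starting the containers; any line it prints names a record that still needs fixing.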

Now we have it all deployed! I set up a user for myself and started generating invite links.

Pro tip: Once you generate a user for yourself, you can go straight to the link on your phone, browser etc and access an admin panel. This panel includes, among other things, the ability to generate both individual invite links AND generic group invite links, and the ability to assign the group, permissions and time before the link expires in a really easy GUI interface!

Issue - OMEMO fingerprints

For the first couple days, everything was great! Then I ran into a minor snag - A friend of mine joined, and suddenly I couldn't message the group! I got the following error:

There are no usable keys available for this contact.
Could not fetch new keys from the server.  Maybe there is something wrong
with your contact's server?

So, I went to the support chat, asked what I can fix on my server and got told in no uncertain terms that this isn't actually a problem with my server. Weird, since I, you know, got an error message saying it may have been an issue with my server.

Whatever, let's figure it out. I asked what client my friend was using. This friend was using Profanity, an XMPP client for the terminal. Very neat!

I dug through the documentation of Profanity and found the problem:

The default Snikket app automagically accepts the OMEMO fingerprints of all other connected devices.

Profanity on the other hand? Nah, by default you have to manually verify fingerprints.

This makes a TON of sense from a security standpoint, especially for one-on-one conversations, but it meant that there was an issue.

We were all trying to chat. My friend was trying to chat. On the protocol level, though, since my friend's client was not accepting the other people's fingerprints, Snikket just straight up blocked everyone from sending OMEMO encrypted messages, rather than the more graceful failure of the default XMPP "your device is not compatible with OMEMO" message.

A little weird, but by running some commands in Profanity you can set it to trust other devices by default.

UPDATE: turning on carbons simply didn't work. I kicked my friend from the server, had them join again using a client that trusts OMEMO fingerprints by default and... it didn't work. At first.

I had them manually trust my device and for a while I was still getting OMEMO error messages. At some point I guess the fingerprints synced and, like magic, it started to work.

OMEMO is confusing and frustrating.

OMEMO issues - Snikket app

If you choose to send your OMEMO fingerprint to someone to manually trust it, the Snikket app does NOT like that.

It is not documented anywhere, but it turns off a flag to automatically trust OMEMO fingerprints.

This is also not documented anywhere, but you can reverse this by going to:

settings
   |->expert settings
            |->Blind trust Before Verification

Check the box again. If the box is checked it will start doing the OMEMO fingerprints automatically again.

Final thoughts

This guide is very barebones, mostly going over what wasn't covered in the documentation that I found.

Overall, I really like Snikket. Encrypted chat that works across a billion chat clients? Heck yes.

There are of course concerns about hosting your own encrypted chat on your own server, but OMEMO and PGP are included as options by default and, if somebody pops my server, I can always just wipe it since it's a very small server that JUST does this one thing. I'm a big fan of single-use VPSs for exactly this purpose.

Maybe at some point I'll flesh out this guide more but, for now, I'm calling this good.