#Conversations_im has the ability to fetch outage status information from an independent server and display that in case the regular #XMPP server can not be reached.

This is powered by XEP-0455 (https://xmpp.org/extensions/xep-0455.html).
TLDR: Server gives client a URL to a JSON file during normal connects, client will hold on to that URL and fetch the JSON file in case server is unreachable.

Security audits are a funny thing. We lack the (financial) resources for regular, thorough penetration tests. However I’m aware that some of the higher profile users of #Conversations_im occasionally perform audits without my direct involvement and without publishing it afterwards. Those audits aren’t adversarial as indicated by them wanting me to fix what they find.

The funniest instances are when they want to be credited for finding an issue but refuse to make the audit public.

A big thank you to Radically Open Security for performing the audit and to @nlnet for funding it.

Radically Open Security has been a long term partner of #Conversations_im ever since they did the first #OMEMO audit back in 2016!

Recent audit: https://conversations.im/2025_audit_conversations.pdf
OMEMO audit: https://conversations.im/omemo/audit.pdf

A recent security audit of #Conversations_im¹ found that wildcard certificate handling didn’t fully comply with the spec.

Conversations was accepting *.a.example for c.b.a.example, even though wildcards are only meant to match a single label.

This issue has been fixed in version 2.18.0, now live on Google Play.

¹: https://conversations.im/2025_audit_conversations.pdf

I think I’ve found a relatively nice solution for #FediLinks in #Conversations_im.

You can put web+ap URIs into a message (or room description) and ideally a click on those will open your Mastodon client. However if no installed app supports those (the only app that I’m aware of is Fedilab) Conversations will open a browser instead.

Currently no app will create web+ap links but it is fairly easy to handcraft them.

cc @SoniEx2

Today I’m announcing a 45% tariff on #Conversations_im sold in the USA.

For the next #Conversations_im release I’m refactoring how URIs are linked / made clickable. I’m adding a bunch of URI schemes like tel and mailto on top of the existing xmpp, http(s) and geo but removing support for "things that look like web URLs but aren’t actually URIs" (like 'example.com') to avoid some false positives.

Once the 2.18.0-beta comes out tomorrow or so let me know if you see things that isn’t matched and should be matched or vice versa.

@wiktor I understand the concern about bad fallback on the web. I just wish people would be a bit more pragmatic about it and at least add support for reading / opening such URIs. Nobody suggested replace all Follow buttons with web+activitypub: links.

Can we have support for FEP-07d7 in #Tusky and #Fedilab? (cc @Tusky @apps)

It shouldn’t be that hard to implement at least one of the possible URI schemes in #Conversations_im, #Lttrs, #Tusky and #Fedilab. Maybe get @delta on board too?

Is there any #ActivityPub / #Mastodon URI scheme used in the wild that would allow me to open an ActivityPub account directly in my Android app?

I've seen 'acct' and 'web+ap' mentioned but none seem to be implemented.

The goal is that given a text of "Here is my Mastodon profile acct:daniel@gultsch.social" #Conversations_im can link that directly into #Tusky. (Just like mailto and xmpp URIs open my E-Mail or IM app respectively)

Have @apps or @Tusky considered that? If not why not?

Hi @daniel and @xmpp

Why is #conversations_im no longer listed on xmpp.org?

If you're still recommending #Signal, you may have missed the tech oligarchs' takeover of the US government. The best time to recommend European alternatives was 8 years ago; the second best is now.

Absolutely nobody knows what an XMPP address is, so just go ahead and call it a: