[jitsi-dev] Free/open source Viber replacement


#1


Hello,

I would like to see Jitsi on Android become a credible alternative to
Viber. I believe that it could easily do so by automatically creating
the user an XMPP account associated to the user's full mobile number.

I have recently had a play with Viber[1]. In essence, this program
allows users to message and VOIP other Viber users. There is nothing
that I have seen that is possible on Viber that would not be possible
over XMPP and Jingle.

What Viber does very well is that it uses the user's (full) mobile
phone number to identify the user and the user's contacts. This means
that the user need only enter their mobile phone number and they are
fully set up (an automatic txt message is intercepted by the app to
verify the mobile number), with all contacts that also use the app
added to the Viber buddy list (by comparing the mobile phone numbers
in the user's addressbook to the accounts on the Viber server). Viber
works across Android and iPhones, with a Blackberry version apparently
in the works.

I would love to see this user experience recreated with Free and open
source software over open standard protocols, such as XMPP and Jingle.
The easiest way that I can see this working is as follows:

1. Make it work in Jitsi on Android. From the *first release* of Jitsi for
Android, create an XMPP account for the user on the Jitsi XMPP server
(say +61224533343@jit.si), based on verifying the mobile number by
automatic txt message. This would mean that I could, for example, tell
my Mum to install Jitsi and, without more, know that I could VOIP or
message her through the system, without discussing accounts or
networks. There would be a negligible privacy impact, as the database
would only match up mobile numbers that the requester already knows to
special-purpose XMPP accounts. There would of course be nothing
stopping me from also using other networks. (Messages through Jitsi's
own network would also allow Jitsi to use C2DM on Android[2], if this
would offer any battery/data usage benefits.)

2. Make it possible for other Free software to use the same server. I
think it would be ideal if from the beginning the XMPP/Jingle server
was run with branding separate from Jitsi, say "phonelink.com". The
site could recommend Jitsi as a client, but it would be great to
position the site, and distribute tools (e.g. to request and process
the automatic txt message) so that all Free XMPP smartphone apps could
use this server by default. It would be extremely difficult for Jitsi
alone to go head to head with the likes of Viber and Skype, but all
Free apps working together across the different platforms may be
enough to gain momentum/encourage some of the bigger players (eg
Nimbuzz or Google Talk) to use the server. Keeping it separate from
the beginning would allow it to be easily split off into its own Not
For Profit if it did happen to get big. At the point that other
clients are using the server, it would make sense to set a minimum set
of Free codecs that the client must support (eg the WebRTC
VP8/iLBC/iSAC combo[3] or Theora/Speex).

3. Solve the problem properly/Decentralise the information. Keeping
such an index centralised really only moves the
problem. ENUM[4] sounds like a proper solution to the problem, but I
fear that those in control of my number (my mobile network provider)
have no interest in encouraging VOIP. There are third-party ENUM
providers, but these can lead to confusion and complexity[5].
Directories also have the privacy issue that they often publicise
people's contact information, or at least reveal that the same person
owns various accounts (eg that my SIP account is related to my XMPP
account). The best solution that I have been able to come up with so
far would be a database with the following fields:
(a) An index of a hash comprising the protocol and the mobile phone
number (e.g. SHA-256 of "XMPP+61224533343"). This would make it very
difficult to reverse the hash into the mobile number, but would let
any application search the database by combining the protocol with the
number from the phonebook and computing the hash. It would also mean
that only those who knew my mobile number could see that my XMPP
account was related to my SIP account.
(b) The relevant accounts, with priorities if there are more than one
(e.g. "bob@sipprovider.com").
(c) The digital signature of the provider who tested the link between
the mobile number and the account, with the date of that verification
(e.g. PhoneLink/Jitsi testing this by an automatic txt).
These entries could be updated across the network in a manner similar
to keyservers or through DHT or something similar. Each client would
then be able to do lookups itself and maintain a list of trusted
signing authorities.

Those are just my thoughts, but I am really, really hoping that at
least 1 and 2 are possible.

Regards,

Aaron

[1] http://www.viber.com/
[2] https://code.google.com/android/c2dm/
[3] http://www.webrtc.org/faq
[4] https://en.wikipedia.org/wiki/ENUM
[5] https://en.wikipedia.org/wiki/ENUM#Call_forwarding_with_ENUM


#2

It sounds nice, but you are locking out an entire segment of the Jitsi community. Many of us do not use any of the chat, jabber, or XMPP functionality. Jitsi is just a front end for my Asterisk server, or for some third party phone services. What you are talking about would be very nice for some, but please do not make me sign up for yet another service that I do not want and will not use, just to get the software. That kind of behavior just smells like the Google Toolbar to me.

      Lee


On 01/22/2012 01:54 AM, Aaron Whitehouse wrote:

What Viber does very well is that it uses the user's (full) mobile
phone number to identify the user and the user's contacts. This means
that the user need only enter their mobile phone number and they are
fully set up (an automatic txt message is intercepted by the app to
verify the mobile number), with all contacts that also use the app
added to the Viber buddy list (by comparing the mobile phone numbers
in the user's addressbook to the accounts on the Viber server). Viber
works across Android and iPhones, with a Blackberry version apparently
in the works.


#3

With Skype, they know a percentage of their users are not behind NAT,
and they use the bandwidth of those users to relay traffic for other
users: so Skype doesn't need to operate their own central relay servers.

For Viber, as the target is mobile users, virtually all the users suffer
with NAT - and few, if any, can relay for other users.

So the first question is, how does Viber provide relay capacity for all
the users stuck behind NAT?

The second question is this: can the Viber protocol be reverse
engineered so that an open source product can interact with it or use
its SMS verification and relay services?

Please also see my comments inline below

I would like to see Jitsi on Android become a credible alternative to
Viber. I believe that it could easily do so by automatically creating
the user an XMPP account associated to the user's full mobile number.

Why XMPP and not SIP? Many hardphones are out there with SIP only.
Also, Asterisk and other server side apps have better support for SIP
than Jabber.

What Viber does very well is that it uses the user's (full) mobile
phone number to identify the user and the user's contacts. This means

Agreed - the Viber and Skype user experience is the reason for their
success. Open source products are only accessible to technically-minded
users like ourselves right now.

(say +61224533343@jit.si), based on verifying the mobile number by
automatic txt message. This would mean that I could, for example, tell

How to pay for all the text messages? Viber had over 1 million users in
their first month. In some countries, SMS is really expensive - in the
UK, Twitter stopped providing SMS service because the mobile networks
refused to compromise.

3. Solve the problem properly/Decentralise the information. Keeping
such an index centralised really only moves the
problem. ENUM[4] sounds like a proper solution to the problem, but I
fear that those in control of my number (my mobile network provider)
have no interest in encouraging VOIP. There are third-party ENUM
providers, but these can lead to confusion and complexity[5].
Directories also have the privacy issue that they often publicise
people's contact information, or at least reveal that the same person
owns various accounts (eg that my SIP account is related to my XMPP
account). The best solution that I have been able to come up with so
far would be a database with the following fields:
(a) An index of a hash comprising the protocol and the mobile phone
number (e.g. SHA-256 of "XMPP+61224533343"). This would make it very
difficult to reverse the hash into the mobile number, but would let
any application search the database by combining the protocol with the
number from the phonebook and computing the hash. It would also mean
that only those who knew my mobile number could see that my XMPP
account was related to my SIP account.

Not quite... phone companies publish lists of tariffs that include:
- the prefixes of all mobile networks around the globe (e.g. +447[789]
in the UK)
- the lengths of the numbers

In the UK, Ofcom breaks them down into blocks of 10,000 numbers and
allocates them to phone companies, publishing the allocations on a
public web site - so the list of possible phone numbers can be narrowed
very accurately.

From that information, someone can quickly compute all valid, allocated
phone numbers and then compute hashes.

I give the UK examples because I've previously worked with the UK
system, but other countries are similar.

(b) The relevant accounts, with priorities if there are more than one
(e.g. "bob@sipprovider.com").
(c) The digital signature of the provider who tested the link between
the mobile number and the account, with the date of that verification
(e.g. PhoneLink/Jitsi testing this by an automatic txt).

This is a good point


On 22/01/12 08:54, Aaron Whitehouse wrote:

These entries could be updated across the network in a manner similar
to keyservers or through DHT or something similar. Each client would
then be able to do lookups itself and maintain a list of trusted
signing authorities.
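
The directory from fields (a) to (c) and the objection raised in reply #3, as an added example that is not part of any post in this thread: it builds the index key exactly as proposed (SHA-256 of protocol plus number) and then audits a directory against one allocated block of 10,000 numbers. The `Directory` class, the block prefix, the date and the verifier handling are constructed for illustration; the provider signature in field (c) is represented only by the verifier's name and date.

```python
import hashlib

def index_key(protocol: str, e164: str) -> str:
    """Field (a): SHA-256 over protocol + full number, e.g. "XMPP+61224533343"."""
    return hashlib.sha256((protocol + e164).encode("ascii")).hexdigest()

class Directory:
    """Constructed in-memory stand-in for the proposed shared database."""

    def __init__(self):
        self._rows = {}

    def publish(self, protocol, e164, account, priority, verifier, verified_on):
        # Fields (b) and (c); a real entry would carry the verifier's signature.
        row = {"account": account, "priority": priority,
               "verifier": verifier, "verified_on": verified_on}
        self._rows.setdefault(index_key(protocol, e164), []).append(row)

    def lookup(self, protocol, e164, trusted_verifiers):
        """Client-side lookup: hash the phonebook number, keep trusted entries."""
        rows = self._rows.get(index_key(protocol, e164), [])
        trusted = (r for r in rows if r["verifier"] in trusted_verifiers)
        return sorted(trusted, key=lambda r: r["priority"])

    def published_keys(self):
        """What anyone mirroring the database sees: only the hashes."""
        return set(self._rows)

def block_numbers(prefix: str, digits: int):
    """Every number in one allocated block: prefix plus `digits` free digits."""
    for i in range(10 ** digits):
        yield f"{prefix}{i:0{digits}d}"

def exposed_numbers(published_keys, protocol, prefix, digits):
    """Privacy audit: numbers in a known block whose hash is in the directory."""
    table = {index_key(protocol, n): n for n in block_numbers(prefix, digits)}
    return sorted(table[k] for k in published_keys if k in table)

def build_sample():
    """Constructed sample data using the number and accounts quoted in the thread."""
    d = Directory()
    d.publish("XMPP", "+61224533343", "+61224533343@jit.si", 1,
              "PhoneLink", "2012-01-22")
    d.publish("SIP", "+61224533343", "bob@sipprovider.com", 1,
              "PhoneLink", "2012-01-22")
    return d

if __name__ == "__main__":
    d = build_sample()
    # A contact who already has the number finds the account.
    print(d.lookup("XMPP", "+61224533343", {"PhoneLink"}))
    # Someone who only knows the block prefix recovers the number from the hash.
    print(exposed_numbers(d.published_keys(), "XMPP", "+6122453", 4))
```

The audit covers the whole block with 10,000 hash computations, which is why the hash alone does not hide a number drawn from a published allocation.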


#4

Hey all,

It would probably be worth pointing out that Jitsi is a client and all
our efforts are currently invested in making it better and porting it to
android.

We have no resources to launch a proper service at this point least one
that would imply a specific business model, new protocols, handling
online payments and probably a substantial investment for the SMS part.

Still I enjoy the discussion and I suppose others may also be finding it
interesting so this should not be taken as an objection.

Emil
(with my lead hat)


--
Emil Ivov, Ph.D. 67000 Strasbourg,
Project Lead France
Jitsi
emcho@jitsi.org PHONE: +33.1.77.62.43.30
http://jitsi.org FAX: +33.1.77.62.47.31


#5

o Aaron Whitehouse on 01/22/2012 08:54 AM:

3. Solve the problem properly/Decentralise the information. Keeping
such an index centralised really only moves the
problem. ENUM[4] sounds like a proper solution to the problem, but I

...

(a) An index of a hash comprising the protocol and the mobile phone
number (e.g. SHA-256 of "XMPP+61224533343"). This would make it very

+1 for some privacy through hashing the phone number; all those vibers/whatsapps/etc don't really need to know the full social graph including phone numbers

...

These entries could be updated across the network in a manner similar
to keyservers or through DHT or something similar. Each client would
then be able to do lookups itself and maintain a list of trusted
signing authorities.

hm. who asserts the identity, and that you've got the e164 number? or, that the one who does the verification through SMS does it properly?

not sure how feasible this is on mobile, but i believe the first real solution to decentralized identity is bitcoin - google the namecoin project.

Stefan


#6

I would like to see Jitsi on Android become a credible alternative to
Viber. I believe that it could easily do so by automatically creating
the user an XMPP account associated to the user's full mobile number.

In fact, I was already working on this when you sent your email

It is now in the Android market: look for Lumicall

It also works with Kamailio, Jitsi, Asterisk, any other SIP system basically

And it supports TLS, ENUM and DNS SRV records - so it makes the idea of
a world of federated VoIP a reality rather than just a pipe dream -
please let me know your feedback

http://www.lumicall.org has some release notes - and credits to ice4j,
which provides the RFC 5245 ICE implementation for Lumicall


#7

hm. who asserts the identity, and that you've got the e164 number? or,
that the one who does the verification through SMS does it properly?

not sure how feasible this is on mobile, but i believe the first real
solution to decentralized identity is bitcoin - google the namecoin
project.

Another very interesting comment...

I've been mulling over the idea of bitcoin-style phone numbering for
some time (namecoin is more like DNS names)

There are two problems I can see with making it work for phone numbers:

a) integration with the existing international dial plans - if someone
has good financial backing they may be able to convince the ITU to let
them use something like +88[12] XXXX...X (up to 12 Xs)
http://www.itu.int/dms_pub/itu-t/opb/sp/T-SP-E.164D-2009-PDF-E.pdf

b) fair distribution of numbers: for any telephone system to be valid,
it should not be possible for one mischievous user to `landgrab' all the
numbers - every unique and deserving participant should be able to have
at least one number. If all the numbers become exhausted too soon, then
some of your friends won't be able to get numbers, you won't be able to
call those people, and the system becomes redundant.