> but the knowledge that someone spoke to email@example.com isn't - because some Tor endpoint is doing that part for you.
There's a very good chance (I haven't looked) that the recommendation will be to talk to a jabber server via an .onion, which means you won't be using an exit.
That also addresses (in part) your certificate concerns - if you hold the private key for the hidden service, there's a good chance I'm talking to the right server.
If I'm trying to use an XMPP server on the clearnet, then yeah, something is unavoidably going to have to connect for me. Which, if someone else is able to defeat the TLS, is going to reveal some metadata. But it's arguably better than if OTR wasn't in use at all.
> Are we using PFS for this?
Every OTR plugin I've seen lately supports it, so it'd be unforgivable if the answer wasn't yes.
> The OTR over XMPP I've seen (a while back, I admit) is nothing more than a plugin to the server/client that encrypted the messages sent over the (insecure) underlying protocol.
Correct. But the whole security/usability tradeoff comes into play here. XMPP is used all over the place, so you have the ability to use a wide array of servers.
Better alternatives exist but require specific clients/servers. I've got a client installed that I've only used to talk to one person because no one else uses anything that supports the protocol.
> not be a MITM on the OTR and check that the user on the other end of the OTR *was* your friend
IOW you need to do key exchange and verification properly rather than blindly trusting. Most OTR plugins make this easier, though it's still reliant on both ends taking it seriously.
> I'm not at all convinced that this is, or can be made, safe *AND* click-here-simpleton-level software.
I think you're right. Whilst we want the masses to have encryption, the reality is most of them don't care, and the second you mention verifying a key fingerprint they lose what little interest they might have had.
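As an added illustration of the two points the reply above keeps coming back to (a fresh key per session, and the fingerprint check that catches a MITM), here is a toy model written for this page; it is not OTR's code and not part of the original thread. It assumes a small constructed DH group (the Mersenne prime 2^127 - 1, generator 3, far too small for real use), a Schnorr-style signature that binds each ephemeral key to a long-term identity key, and a SHA-256 fingerprint of that identity key in place of OTR's own fingerprint format. The shape is what matters: an attacker who terminates the exchange on both sides must present their own identity key, and the only thing that reveals that is two humans comparing fingerprints out of band.

```python
"""Toy OTR-style session setup: ephemeral DH per session (forward secrecy),
ephemeral keys signed by long-term identity keys, and a fingerprint the
two humans compare. Example code; constructed parameters, not OTR itself."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy group (constructed for this example, far too small for real use).
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1
G = 3                       # generator
Q = P - 1                   # exponents reduce mod P - 1 (Fermat's little theorem)


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen() -> Tuple[int, int]:
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def sign(priv: int, msg: bytes) -> Tuple[int, int]:
    """Schnorr-style signature over the toy group: (e, s)."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h(i2b(r), msg) % Q
    return e, (k - priv * e) % Q


def verify_sig(pub: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P     # g^s * y^e == g^k
    return h(i2b(r), msg) % Q == e


def fingerprint(id_pub: int) -> str:
    """Human-readable fingerprint of a long-term identity key."""
    d = hashlib.sha256(i2b(id_pub)).hexdigest().upper()[:40]
    return " ".join(d[i:i + 8] for i in range(0, 40, 8))


@dataclass
class Party:
    name: str
    id_priv: int
    id_pub: int
    peer_fingerprint: str = ""   # what the client shows after the handshake
    session_key: bytes = b""


def make_party(name: str) -> Party:
    priv, pub = keygen()
    return Party(name, priv, pub)


def handshake_message(party: Party):
    """Fresh ephemeral key for this session only, signed by the identity key.
    Returns (ephemeral private, wire message = (id_pub, eph_pub, signature))."""
    eph_priv, eph_pub = keygen()
    return eph_priv, (party.id_pub, eph_pub, sign(party.id_priv, i2b(eph_pub)))


def complete(party: Party, eph_priv: int, msg) -> bool:
    """Process the peer's message; False if the ephemeral key is not signed
    by the identity key that was presented alongside it."""
    peer_id, peer_eph, sig = msg
    if not verify_sig(peer_id, i2b(peer_eph), sig):
        return False
    shared = pow(peer_eph, eph_priv, P)
    lo, hi = sorted((party.id_pub, peer_id))
    party.session_key = hashlib.sha256(i2b(shared) + i2b(lo) + i2b(hi)).digest()
    party.peer_fingerprint = fingerprint(peer_id)
    return True


def run_session(alice: Party, bob: Party, mitm: Optional[Party] = None) -> bool:
    """One session. A MITM cannot forge signatures under Alice's or Bob's
    identity keys, so it must run the handshake with each side under its own."""
    a_eph, a_msg = handshake_message(alice)
    b_eph, b_msg = handshake_message(bob)
    if mitm is not None:
        _, msg_to_alice = handshake_message(mitm)
        _, msg_to_bob = handshake_message(mitm)
        a_msg, b_msg = msg_to_bob, msg_to_alice
    ok = complete(alice, a_eph, b_msg) and complete(bob, b_eph, a_msg)
    return ok   # a_eph / b_eph go out of scope here: nothing is retained


def fingerprints_match(party: Party, peer: Party) -> bool:
    """The out-of-band check: does my client's display for my peer match
    what the peer reads out of their own client?"""
    return party.peer_fingerprint == fingerprint(peer.id_pub)


if __name__ == "__main__":
    a, b, m = make_party("alice"), make_party("bob"), make_party("mallory")
    run_session(a, b)
    print("honest session, fingerprints match:", fingerprints_match(a, b))
    run_session(a, b, mitm=m)
    print("MITM session, fingerprints match:", fingerprints_match(a, b))
```

Two things to notice when running it: an intercepted session completes without any protocol-level error (both signatures verify, just under the wrong identity), which is exactly why the fingerprint comparison has to be done by the people at each end; and every honest session produces a different key, so a recorded session cannot be decrypted later with a recovered long-term key.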