It will be open source, end to end encrypted using Signal’s double ratchet encryption protocol, and he plans to make it easy for fediverse platforms to integrate it. The beta will release later this month.

He’s also the creator of https://fedidb.org btw

251 points

While I doubt I could get my friends and family on yet ANOTHER messaging app in the year of our lord 2023.

Sup. Is a fucking brilliant name.

59 points

Could be a fantastic way to replace dm, that’s my first thought.

11 points

I remember idly wondering how DMs worked in Lemmy, and I was kinda shocked when I realized they aren’t secure.

8 points

“secure” is relative. They may not be e2e encrypted, but they are still encrypted via TLS, like any HTTPS traffic. It’s the same encryption used for online banking. If you care about your instance admin being able to read your messages, you should use Signal or a Matrix client though.

But remember that only a few years ago, almost nobody used e2e encryption, and it wasn’t much of an issue.

31 points

Double ratchet encryption protocol is also rather dope

20 points

I personally hate the name, but only because I had a roommate in college who would start every conversation with “sup.”

On text messages, IMs, in person, you name it. It really started to get under my skin.

But I hope the software is good.

31 points

sup.

6 points

Yep. That’s what he’d do. So basically he’d always want you to start the conversation.

12 points

So, you’re playing a little Playstation, huh? That’s whack. Playstation is whack. 'Sup with the whack Playstation, 'sup?

4 points

(what’)SUP 🤪

3 points

I might know that guy lol

-5 points

I think it will integrate with the existing fediverse

111 points

I just saw this on Mastodon and was about to post it here. 😄

Pretty cool idea. Though I’m not looking forward to trying to convince my friends to switch to yet another new platform. 😂

93 points

I’m mainly looking forward to it replacing the “DMs” of mastodon and lemmy.

61 points

I’ve not been on either platform long enough to use the DMs, but this is a good point.

After all, DMs aren’t actually private on either platform, as far as I’m aware.

22 points

If they’re not end to end encrypted, your messages are not actually private on any platform.

It’s a bit more obvious in the Fediverse than elsewhere, as direct messages are generally stored on two separate servers (sender and receiver). Furthermore each server tends to be smaller: if Zuckerberg decides to go through people’s DMs it’s unlikely to affect any particular Facebook user, but if the owner of a Mastodon instance does the same it’s small enough that she could actually get an overview. It’s mostly a false sense of security embedded in larger services, but people are all about having a false sense of security.

7 points

> DMs aren’t actually private on either platform, as far as I’m aware.

“Private” is not really a binary concept.

They’re “private” in the sense that no one can see them other than the participants and the server admin (if they really wanted to).

They’re not private in the sense that they can be hacked and leaked, or subpoenaed.

14 points

Yep. That was my first thought - how everyone says to use Matrix rather than Lemmy DMs for anything sensitive. This will be fantastic.

5 points

TIL you can DM on lemmy

1 point

Tell 'em it’s the last one they’ll need to.

1 point

Right now I just think about me and how I’ll use it. I’m eager to try this messaging app to have a way of being reachable by like-minded people.

To put it differently, I don’t want to be a slave of others’ choices. I know the network effect is real and that I’m powerless to break it. So I’ll just change my attitude, and embrace this wave. Who knows what will happen? And in the meanwhile, I’ll have fun using what to me seems right.

58 points

This is good.

37 points

It really is. In the past a new messenger or platform was always annoying as it inevitably meant, how can I get my friends to use this. But with ActivityPub it doesn’t matter anymore. Everybody can use the fediverse software of his taste and we can still all be interconnected. What a relief. So many software solutions can compete against each other without us having always to start from zero. Brave new world.

47 points
Deleted by creator
22 points

He’s a madman

15 points

I wonder if he is friends with the guy who runs calibre and kitty terminal. I read somewhere that he was seriously planning to single-handedly maintain python 2 after it was EOLed because it was so integral to calibre. But was eventually talked into transitioning to python 3. The idea of that is totally nuts; the guy is a machine.

3 points

I’ve been following Daniel since he started working on Pixelfed and dude’s a beast. His code and skill improved astronomically and he just doesn’t stop. Great example of how “doing it” is the best way to learn anything software related.

43 points

I’ve been unhappy with the direction Signal has taken in recent months and Matrix always felt like it was trying to do too many things at once.

Happy to see something that would integrate directly into Fediverse platforms as it will greatly enhance interplatform communication.

Like a better FB messenger.

20 points

personally love the direction Signal is heading but would be happy to not have “all my eggs in one basket”, as well as diversifying the open source E2EE communication options.

31 points

I felt that removing SMS while still having it tied to your phone number, stories, and that weird cryptocurrency were not what I was looking for in a messenger.

9 points

I also don’t like the fact that Signal needs your phone number and that the only way to connect to other people is by their phone number.

7 points

TIL Margot Robbie has strong opinions about encrypted messaging apps. My respect grows by the day.

5 points

I agree. As soon as the update that disabled SMS was pushed to my phone, signal was effectively dead.

Integrating with SMS was so smart. The person who got me into it said “there is literally no reason not to do it” because it was seamless. And I used the same argument to get other people into it. But basically everyone stopped using it as soon as SMS was removed. I don’t have the brain space to remember who is on signal and who is not and go to the appropriate messenger.

I read the whole long thread on their website where the devs were arguing in favor of this and all the reasons were IMHO stupid. I think someone wanted to tank signal. Got tired of funding it probably. It was too good to be true with no obvious business model so always thought the day would come, and it did. Too bad, it was very good at what it did.

7 points

You should try Beeper too.

3 points

Beeper is truly fucking amazing.

3 points

I’d never heard of that until now, looks amazing!

5 points

SimpleX looks intriguing

3 points

It’s great, I’m migrating all my contacts to it. AGPL, no phone number or identifier, decentralized, official lemmy community, fast development pace, …

2 points
Deleted by creator
3 points

I’ve posted this previously, but I’ll repost again because I think it’s important people are aware when making a decision on a secure messenger.

======== Original Post: https://lemmy.ml/comment/1615043

Session’s developers dropped Signal’s Perfect Forward Secrecy (PFS) and deniability [0] security features. Personally I would not trust a product that drops an end-user security feature for the sake of making the developer’s life easier [1].

> Using existing long-term keypairs in place of the Signal protocol massively simplifies 1-1 messaging.

For those unaware, PFS protects your data/messages from future exploits and breaches. With PFS, each message’s encryption is isolated, preventing compromise of current and past interactions [2].

A simple example to illustrate why PFS is beneficial. Let’s assume any 3 letter agency is collecting all Signal/Session messages - on top of the tons of data they’re already capturing. The great thing is that your messages are encrypted, they can’t see anything - YAY - but they’re storing them basically forever.

Two ways they may be able to compromise your privacy and view ALL your messages:

  1. A flaw is discovered that allows them to crack/brute force the encryption in weeks instead of years/decades/eternity. If you were using Session, because you use the same key for every message, they now have access to everything you’ve ever said. If you were using Signal, they have access to that one message and need to spend considerable resources trying to crack every other message.

  2. Your phone is compromised and they take your encryption keys. If you were using Session, this again gives them access to your entire message history. If you were using Signal, because the keys are always rotating (known as ephemeral) they can only use them to unlock the most recent received messages.

It’s important to state that both cases above only really matter if you delete your messages after a certain time. Otherwise, yes, all they have to do is take your phone and get access to your entire message history - which is why ephemeral messaging (i.e. auto deleting messages after a certain time) is crucial if you suspect you may be targeted.

[0] https://getsession.org/blog/session-protocol-explained

[1] https://getsession.org/blog/session-protocol-technical-information

[2] https://www.signal.org/blog/advanced-ratcheting/

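The forward-secrecy argument in the comment above, as an added example that is not part of the original thread and is not Signal's or Session's code: a single long-term key compared with a one-way key chain, using a toy HMAC-based cipher. The key, messages and function names are constructed for illustration, and the real double ratchet additionally mixes in fresh Diffie-Hellman outputs, which this sketch leaves out.

```python
import hashlib
import hmac

# Constructed sample data: not real keys or messages.
KEY = hashlib.sha256(b"constructed demo key").digest()
MESSAGES = [b"meet at 9", b"bring the files", b"delete after reading"]

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step (HMAC-SHA256): easy to go forward, infeasible to reverse."""
    return hmac.new(key, label, hashlib.sha256).digest()

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Illustration-only stream cipher: XOR with an HMAC-derived keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += kdf(key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def send_static(long_term_key, messages):
    """Static scheme: every message is encrypted under the same long-term key."""
    return [toy_cipher(long_term_key, m) for m in messages], long_term_key

def send_ratcheted(chain_key, messages):
    """Chain scheme: per-message keys; the old chain key is overwritten each step."""
    out = []
    for m in messages:
        out.append(toy_cipher(kdf(chain_key, b"msg"), m))
        chain_key = kdf(chain_key, b"chain")
    return out, chain_key  # only the newest chain key is left on the device

def readable(stolen_key, ciphertexts, plaintexts):
    """Count stored ciphertexts that the key taken from the device can open."""
    candidates = [stolen_key, kdf(stolen_key, b"msg")]
    return sum(any(toy_cipher(k, c) == p for k in candidates)
               for c, p in zip(ciphertexts, plaintexts))

def demo():
    static_cts, static_key = send_static(KEY, MESSAGES)
    chain_cts, chain_key = send_ratcheted(KEY, MESSAGES)
    later, _ = send_ratcheted(chain_key, [b"next message"])
    return (readable(static_key, static_cts, MESSAGES),     # whole history opens
            readable(chain_key, chain_cts, MESSAGES),       # past stays sealed
            readable(chain_key, later, [b"next message"]))  # future is exposed

if __name__ == "__main__":
    print(demo())
```

The third value shows that a hash chain alone does not recover from a device compromise: the stolen chain key keeps deriving future message keys until new key material is mixed in.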
