Post 9luYSYWHuA6VXR0GEC by triF5@social.tchncs.de
(DIR) Post #9ltJH0TQp1yF3foNkW by amolith@masto.nixnet.xyz
2019-08-14T22:46:19Z
0 likes, 0 repeats
College is going to kill me. I already have to use two proprietary apps with 7+ in-built trackers each to communicate with the student leaders of my residence hall and now I have to fill out several Google Forms and give them all my personal information. :blobcat0_0:
(DIR) Post #9ltJuo6OErywGu0pTk by ataraxia937@fosstodon.org
2019-08-14T22:53:30Z
0 likes, 0 repeats
@amolith Actual work will be just as bad. In my experience, serious privacy consciousness is incompatible with living a normal life.
(DIR) Post #9ltKCeXaWgu5pXFAQK by alex@phx.social
2019-08-14T22:56:43Z
0 likes, 0 repeats
@amolith Yikes! Are burner laptops a thing?
(DIR) Post #9ltMIDczhTIQ0WYPbs by Xantulon@mastodon.social
2019-08-14T23:20:07Z
0 likes, 0 repeats
@amolith coincidentally (you probably read it) "Getting an education shouldn't cost students their right to privacy." - EFF https://mastodon.social/@eff/102617658470606094
(DIR) Post #9ltNlNHoy8gAJa7JIm by amolith@masto.nixnet.xyz
2019-08-14T23:36:35Z
0 likes, 0 repeats
@alex I wish but that wouldn't really help anyway. I can run the websites in container tabs and obfuscate personal data with addons but it's still a huge pain.
(DIR) Post #9ltO7NSd09mxE5fCW8 by alex@phx.social
2019-08-14T23:40:32Z
0 likes, 0 repeats
@amolith The more I become aware of the infringements on my privacy and try to be more anonymous, the more I realize how inconvenient it is. The path of least resistance is to give up and be an open book.
(DIR) Post #9ltOlIdWME6TqanLc0 by amolith@masto.nixnet.xyz
2019-08-14T23:46:14Z
0 likes, 0 repeats
@alex In most cases, I actually find it more convenient to be private. Running the majority of my own web services *greatly* facilitates that. It's when you start interacting with other people that things start to get annoying. Some of my friends only use Snapchat, Instagram, Facebook, and SMS. I end up using SMS with them and keeping sensitive information to a minimum. If it's particularly important that I interact with them, they'll typically switch to something more secure.
(DIR) Post #9ltOlWLFOxnyLyLx4a by alex@phx.social
2019-08-14T23:47:46Z
0 likes, 0 repeats
@amolith As I convert my friends over to more private alternatives, things do get easier. I've got a decent number of friends on signal now, so that makes me happy. Trying to get more on my mastodon instance!
(DIR) Post #9ltOlsG1v2hgKA55zk by Xantulon@mastodon.social
2019-08-14T23:45:07Z
0 likes, 0 repeats
@amolith it's important to tell people, in no uncertain terms, that this is not OK. And there's plenty of headlines to show what isn't OK. Tell them you're a special needs student and they have to accommodate you. I don't know, but something to get somebody's attention.
(DIR) Post #9ltPGXt5hiUQ7nydIu by amolith@masto.nixnet.xyz
2019-08-14T23:53:26Z
1 likes, 0 repeats
@alex It is fairly easy to get people to use Signal but I stay away from it specifically. I disagree with a *lot* of what they do. Drew has a pretty great article on the subject. https://drewdevault.com/2018/08/08/Signal.html
(DIR) Post #9ltPHTHsIFBO9B0jLc by Xantulon@mastodon.social
2019-08-14T23:46:36Z
0 likes, 0 repeats
@amolith the special need being privacy, and some control over where your data goes.
(DIR) Post #9ltPHizftg8CrMcQCW by amolith@masto.nixnet.xyz
2019-08-14T23:50:20Z
0 likes, 0 repeats
@Xantulon In this situation specifically, it's more a peer pressure thing. It's not *required* that I install and use them but not doing so will make communicating with peers and residence hall administrators much more difficult as well as single me out as an extreme tinfoil-hat-wearing freak. I do enough of that regardless 😂
(DIR) Post #9ltPLtO3CIveFg0X0y by Xantulon@mastodon.social
2019-08-14T23:53:33Z
0 likes, 0 repeats
@amolith I've said it before and I'll say it again. Pick your poisons and protect yourself against them as best as you can (don't tell anyone but I have Amazon Prime...but I only use it when I order things, or watch videos... I don't use the storage space for photos.)
(DIR) Post #9ltPvYN6oCufV1ZV0i by amolith@masto.nixnet.xyz
2019-08-15T00:00:49Z
0 likes, 0 repeats
@Xantulon Picking my poisons is exactly what I'm doing here lol. Not using it for photos is very good 😉 I used to have Prime but cancelled it last year or maybe the year before. I run my own media server and download what I want to watch. For ordering things, I typically use the manufacturer's website directly or from somewhere not Amazon. For example, my really nice headphones were from Walmart.com and I found out something rather interesting. They were the same price as on Amazon but came with a Bluetooth adapter and an additional pair of earbuds *and* free two-day shipping whereas, for *exactly* the same price, Amazon offered nothing extra and it would have taken 5-10 days to get here.
(DIR) Post #9ltPvrbzH76VAfg9L6 by alex@phx.social
2019-08-14T23:59:01Z
0 likes, 0 repeats
@amolith If I'm reading this right, the issues are:
- signal can know when and who you're talking to
- signal can be shut down because it's centralized
- google play store code injection? (not on android myself)
Given these, I still see this as much better than iMessage and SMS. My messages are still encrypted using the signal protocol, and that's substantial.
(DIR) Post #9ltQQduOGzWbeGxmvA by Xantulon@mastodon.social
2019-08-15T00:06:25Z
0 likes, 0 repeats
@amolith believe me, I keep an eye out for alternatives. What I'm still trying to work out, is it better to leave a buying record all over the Internet, or have it all in one place. Since the data's passed around anyway, I guess it just changes my profile. So I go with what's best for me in the moment.
(DIR) Post #9ltQlXNDlV3LShPb9M by amolith@masto.nixnet.xyz
2019-08-15T00:10:12Z
1 likes, 0 repeats
@alex There's also a fundamental disagreement with Moxie and his beliefs. https://github.com/signalapp/Signal-Android/issues/127
I know this is a really long issue thread so I'll try to sum it up concisely. Moxie spent three years going on about how he didn't want to make it available from "insecure" third-party repositories (F-Droid) and how he couldn't live without analytics from Google Play (about users themselves and about the behaviour of the app).
https://github.com/LibreSignal/LibreSignal/issues/37
This is another one where he killed a fully free fork of Signal. He goes on about how XMPP is dead, how federation was never a real option for serious projects, etc.
I understand that, on a technical side, Signal is alright. It's not terrible and it is certainly better than SMS or iMessage. I push different applications because I disagree with a *lot* of what Moxie does.
(DIR) Post #9ltRAhZD0HZCJd1CPw by alex@phx.social
2019-08-15T00:14:00Z
0 likes, 0 repeats
@amolith That sounds like a good summary. What are your preferred alternatives for secure chat on mobile/desktop clients?
(DIR) Post #9ltRrzfNaNHwu0Y1fU by amolith@masto.nixnet.xyz
2019-08-15T00:22:36Z
0 likes, 0 repeats
@alex Ricochet on desktop https://ricochet.im/
Briar on mobile https://briarproject.org/
Wire on both https://wire.com/en/
Telegram on both https://telegram.org/
I know Telegram is proprietary server-side and they rolled their own crypto but they have many nice privacy-respecting features and it's likely the easiest to get people to switch to.
(DIR) Post #9ltRurp7CaqBRkTJYW by alex@phx.social
2019-08-15T00:23:05Z
0 likes, 0 repeats
@amolith Thanks for all the info!
(DIR) Post #9ltv7WGbYdl11ciOzw by triF5@social.tchncs.de
2019-08-15T05:50:20Z
0 likes, 0 repeats
@amolith Sorry but Telegram is much worse than Signal. I don't understand why people use a service which has no e2e encryption by default and no e2e in group chats at all. @alex
(DIR) Post #9lu4N4xhk9MYYsMw8u by njha@fosstodon.org
2019-08-14T23:08:14Z
0 likes, 0 repeats
@ataraxia937 @amolith I basically gave up. Google services all the way! The only thing I haven’t given up on is no Facebook/Instagram.
(DIR) Post #9lu4QIpocZtASKDSc4 by ataraxia937@fosstodon.org
2019-08-14T23:10:23Z
0 likes, 0 repeats
@njha @amolith Me too. Out of GAFAM, I'm avoiding Apple and Facebook. But Google owns me, Amazon has its hooks in, and Microsoft is just brushing me a bit.
(DIR) Post #9lu4QT5mU4bMGjlLt2 by amolith@masto.nixnet.xyz
2019-08-14T23:41:18Z
0 likes, 0 repeats
@ataraxia937 Other than for school, I don't have any direct ties to Google and nothing with Amazon, Apple, Microsoft, or Facebook. It's taken a lot of work but I've been able to whittle down my reliance on these companies to *almost* nothing. I hate that they're going to come back with uni though. I'm dreading work but I may be able to find a job somewhere in tech that doesn't rely on the worst of these. @njha
(DIR) Post #9lu4QcvVv6KYln2IGu by pcrock@fosstodon.org
2019-08-15T07:33:54Z
0 likes, 0 repeats
@amolith I think you can do a fair amount of damage control via compartmentalization. Firefox Containers plugin, for example. Multiple email addresses, one for each area of life. Qubes OS. Etc. Your work and university life may need to be fairly public, but you can make it a little more difficult for companies to correlate that with your personal life. @ataraxia937 @njha
(DIR) Post #9lu6rYQYxJvsXiWiFE by triF5@social.tchncs.de
2019-08-15T08:01:55Z
0 likes, 0 repeats
@amolith To be clear I'm also not happy with #Signal. The bad thing is that I recognized a lot of problems after migrating a lot of my friends and family to Signal. But in my opinion using #Telegram is as bad or even worse than using #Whatsapp @alex
(DIR) Post #9lu79QRFOgpmyhMu8m by triF5@social.tchncs.de
2019-08-15T08:05:07Z
0 likes, 0 repeats
@amolith Is this happening in Germany?
(DIR) Post #9luLt892m8Eg9WTLwe by syme@masto.nixnet.xyz
2019-08-15T10:50:18Z
0 likes, 0 repeats
@amolith Work life isn't private life. I had to accept that too.
(DIR) Post #9luUSHNtDM8QZpghYO by amolith@masto.nixnet.xyz
2019-08-15T12:26:17Z
0 likes, 3 repeats
@triF5 @alex Sorry for the wall of text but here goes. It's not often I get close to my 2k character limit 😂 I understand where you're coming from in the other message (no E2E by default) but I have to disagree COMPLETELY with saying it's as bad as WhatsApp. Neither the client nor the server is open source. At least Telegram's client is. The app was caught reencrypting conversations to new keys without warning. It was triggered by the server so nothing the users could do about it. German authorities have a 0 day for WhatsApp's transport encryption and they can read messages in real time. E2E *cannot* scale. It would be impossible to have it in groups unless it's a few people. A messenger doesn't exist that has E2E in groups. In addition to that, WhatsApp backups aren't encrypted and you have no idea where your contact may be backing up to. Your entire message history could be stored in plaintext in Google Drive. To make things even worse, WhatsApp is now in the process of phasing E2E out so there won't be *any* encryption *anywhere*. It's owned by Facebook. That should be reason enough to distrust every aspect of the application. They lie and covertly do everything they possibly can to track and surveil their users. Multiple researchers have found multiple backdoors into WhatsApp that let Facebook and the government read E2E messages. Yeah they've closed them but that doesn't mean there aren't more. For about a week, Telegram hardly worked for anyone because the Russian government was trying to force Telegram to give them a backdoor. Telegram refused and Russia started blocking their servers en masse. I will trust a company that loses millions protecting my privacy before I trust a company whose sole purpose is compromising and monetising it.
(DIR) Post #9luVYOkaq8Wp79mxk0 by amolith@masto.nixnet.xyz
2019-08-15T12:38:37Z
0 likes, 0 repeats
@one I know a lot of people complain about having to register with their phone number too. To mitigate that, you can use a throwaway XMPP account (my server seems to be popular just for this 😢), connect it to a temporary phone number from Cheogram (https://cheogram.com/), and register with that. You'll get the confirmation code from Telegram in your XMPP client then you can simply remove the account and forget about it. You would have to be careful not to log out of everything at once though. Once you don't have a client online, Telegram will send a text and you won't be able to receive it. A friend of mine is constantly making and completely deleting Telegram accounts for privacy. @triF5 @alex
(DIR) Post #9luWBMrXnDdKYLcd04 by triF5@social.tchncs.de
2019-08-15T12:45:39Z
0 likes, 0 repeats
@amolith
---
Multiple researchers have found multiple backdoors into WhatsApp that lets Facebook and the government read E2E messages. Where did you get this information from? Didn't know about it.
---
German authorities have a 0 day for WhatsApp's transport encryption and they can read messages in real time. Even if they have a 0day for transport enc (which I really did not believe), they could not read the messages because of e2e.
---
@alex
(DIR) Post #9luWnJauOPRDQ8w4FU by jt@povne.vidro.club
2019-08-15T12:42:51.428288Z
0 likes, 0 repeats
@amolith @alex @triF5 I’d rather trust Facebook selling my data, but which is a USA company and made by Americans, than TG, which was “so called blocked” by the Russian government and is solely a Russian project (there is neither freedom nor free speech in Russia; such a type of “blocking” is only a game to gain more “trust” for TG and get opponents/opposition into it to further control their messaging and activities). Don’t get caught up by Russians
(DIR) Post #9luWnJmxfb4y1WZh2G by amolith@masto.nixnet.xyz
2019-08-15T12:52:20Z
0 likes, 0 repeats
@jt Now this is where we're going to disagree in opinions lol. I believe what happened is legitimate. I'm in a lot of international groups and they all experienced the outage including a great many from Russia. The lack of freedom is why they did their best to force Telegram into creating backdoors. I completely understand why you believe otherwise, I'm just explaining my viewpoint 😉 @alex @triF5
(DIR) Post #9luXE7FQP9mgwnfNVQ by triF5@social.tchncs.de
2019-08-15T12:57:22Z
0 likes, 0 repeats
@amolith @one @alex Did #Cheogram really give you throwaway phone numbers?
(DIR) Post #9luXLCTnLr7pCUlYLw by amolith@masto.nixnet.xyz
2019-08-15T12:58:39Z
0 likes, 0 repeats
@triF5 Yep. It's a 30 free trial; you're supposed to want to continue using the number and pay for it but, if all you want it for is a throwaway Telegram account, there's no reason to worry about keeping it. @one @alex
(DIR) Post #9luXZGNDfdzbKcOcAS by amolith@masto.nixnet.xyz
2019-08-15T13:01:12Z
0 likes, 0 repeats
@triF5 I read about the issues a long while ago; it would take me more time than I have right now to find them again. A couple of friends of mine are German and they confirmed the 0day. Yes, that's true, but again . . . WhatsApp isn't going to have *any* E2E soon.
(DIR) Post #9luYSYWHuA6VXR0GEC by triF5@social.tchncs.de
2019-08-15T12:48:14Z
0 likes, 0 repeats
@amolith
---
E2E *cannot* scale. It would be impossible to have it in groups unless it's a few people. A messenger doesn't exist that has E2E in groups. Signal, Whatsapp and other really open messengers have e2e in group chats.
---
And my point about #Telegram is that they have everything by default in plain text on their servers. When they get my plaintext from an #OpenSource app it is as bad as a #ClosedSource app.
Last: Where can I register without phone number in #Telegram? @alex
(DIR) Post #9luYSYqqfiYCZCcgHA by amolith@masto.nixnet.xyz
2019-08-15T13:11:11Z
0 likes, 0 repeats
@triF5 I didn't make my point clear enough; I'm sorry. I meant that one doesn't exist that has it in *large* groups. When I said E2E doesn't scale well, I was talking 500+ people. I don't know about Signal but WhatsApp is limited to only 256 members. Very few of the Telegram groups I'm in are so small. Most of them are 300+. Yes they do have it as plaintext by default *but* there are things you can do to mitigate that. A few months ago, they added a few *seriously* wonderful features for privacy enthusiasts. Not only can you delete your messages from groups, but also from one-on-one chats now at the *server* level. A friend of mine and I both have scripts we run every few days that delete our messages for private conversations and public groups from Telegram's servers. Once that's done, they're irreversibly gone from everyone's device with no chance of recovery. As far as I know, that's impossible with WhatsApp, Signal, Threema, etc.
(DIR) Post #9luYbJ3KmQaKAsdIzA by triF5@social.tchncs.de
2019-08-15T13:12:46Z
0 likes, 0 repeats
@amolith ok, if you trust these promises. (Deleting on server level)
(DIR) Post #9luYyPY0nZzeyi01c8 by triF5@social.tchncs.de
2019-08-15T12:52:49Z
0 likes, 0 repeats
@jt @alex @amolith I don't want anyone selling or reading my data. So I'm taking Signal. Everything #e2e, no phone numbers on server and they don't know where the messages come from. (https://signal.org/blog/sealed-sender/) I don't like some of their decisions but they are the best of the worst ;) (in my opinion).
(DIR) Post #9luYyPq5iMSHsmSSnI by amolith@masto.nixnet.xyz
2019-08-15T13:16:56Z
1 likes, 1 repeats
@triF5 @jt I said it somewhere else I think; Signal isn't a terrible messenger. I just disagree with a lot of what they do. If you want something truly secure (more so than any other messenger I've ever seen), try Briar. You can't add remote contacts *yet* but the testing image has support for it. The feature will be released in the next update. At the moment, you have to be with the person IRL to add them as a contact. The app is completely open source and uses open standards for encryption. The only detriment I've found so far is that it's mobile-only. There's no desktop client because it's a fully P2P messenger. If you're in Bluetooth range, it uses that. If you're on the same LAN, it uses that. If you're not, the messages are sent over Tor. https://briarproject.org
(DIR) Post #9luZALAAvScar4XRCK by amolith@masto.nixnet.xyz
2019-08-15T13:19:05Z
0 likes, 0 repeats
@triF5 There are various ways you can test and verify that messages are deleted at the server level. Telegram has a very open API that you can probe for information like that.
(DIR) Post #9lubyIkwLhHvmFgaKu by amolith@masto.nixnet.xyz
2019-08-15T13:50:32Z
0 likes, 0 repeats
@LouWestin In my opinion, yes and in their opinion, no 😂 It's a rather long thread with a bunch of different replies here and there but it's all public so you can still read everything. @triF5 @alex
(DIR) Post #9lucCfbADbsufwxrIe by alex@phx.social
2019-08-15T13:53:07Z
0 likes, 0 repeats
@amolith @LouWestin @triF5 In my use case, using a phone number identifier is acceptable & convenient (a luxury of freedom). I don't like the encryption off by default of telegram, but I installed it and I'll see how much social capital I have left to get anyone to try it. Everything I've heard about signal isn't enough for me to jump ship because it's still better than what I left, but I'll be checking out the other alternatives: https://masto.nixnet.xyz/@amolith/102618140266504448
(DIR) Post #9lugxtdsDny7et0Tku by alex@phx.social
2019-08-15T14:46:29Z
0 likes, 0 repeats
@amolith Wire looks pretty legit. To a security layman, looks like all guts of the signal protocol are there. https://wire-docs.wire.com/download/Wire+Security+Whitepaper.pdf
(DIR) Post #9luroqOa1RoOTjju1Q by louis@pleroma.gnusocial.club
2019-08-15T13:02:03.955095Z
0 likes, 0 repeats
@amolith @one @triF5 @alex then it is best not to use it if privacy is of concern. Temporary phone numbers will not allow recovery of the account. And they also prove how stupid such a requirement becomes. The only reason for phone numbers is tracking people.
(DIR) Post #9lut45QyUWGdPygw8O by Mikoto@fedi.absturztau.be
2019-08-15T17:02:05.921898Z
0 likes, 0 repeats
@triF5 @amolith @alex
> E2E *cannot* scale
You can easily make E2E scale in groups by sharing a single key with all of the users in said group.
(DIR) Post #9lutLwcxyMcTJjoe12 by Mikoto@fedi.absturztau.be
2019-08-15T17:05:19.558595Z
0 likes, 0 repeats
@alex @amolith As cool as wire is, it is really buggy (stops receiving messages and forgets your whole history permanently on low space situations), offers very few customisation options (no ability to select a proxy, youtube videos load by default, etc), and its authentication is broken (will not warn you at all if your friends just change public key). It is also centralised which is pretty bad.
(DIR) Post #9lutUVT4JxDHgoGjoG by Mikoto@fedi.absturztau.be
2019-08-15T17:06:52.376636Z
0 likes, 0 repeats
@alex @amolith Plus it is electron - and thus it is laggy with high memory usage. Not to mention, it has no option to disable emojis or add new ones.
(DIR) Post #9luvBKEw2eV3GydiZE by amolith@masto.nixnet.xyz
2019-08-15T17:25:47Z
0 likes, 0 repeats
@Mikoto As far as I know, that's exactly how WhatsApp implements it but you're still limited to 256 participants and it's so bad that they're discontinuing E2E. @triF5 @alex
(DIR) Post #9luvmgo76ElXykuVwO by louis@pleroma.gnusocial.club
2019-08-15T17:32:32.075027Z
1 likes, 1 repeats
@alex @amolith XMPP Jabber over secure network like your own hosted XMPP over SSL is well secure chat, no need for anything else for long term.
https://tox.chat is well secure and encrypted chat, you can install right away and transfer information. It allows speaking and video conferencing.
GNU Jami is secure chat with speech and video conferences https://jami.net/
(DIR) Post #9luvxFWirt2oYUoNGq by alex@phx.social
2019-08-15T17:34:26Z
0 likes, 0 repeats
@amolith @Mikoto @triF5 It’s my understanding that a single shared secret leaves backdoor vulnerabilities. Some protocols require the triple diffie hellman key exchange with each user in the group. I believe this has a factorial growth effect on the computational work to connect.
(DIR) Post #9luw5TFfisRFRIkxV2 by Mikoto@fedi.absturztau.be
2019-08-15T17:35:57.810639Z
0 likes, 0 repeats
@alex @amolith @triF5
> It’s my understanding that a single shared secret leaves backdoor vulnerabilities
How so?
(DIR) Post #9luwf42WwCHrfea7vM by alex@phx.social
2019-08-15T17:38:29Z
0 likes, 0 repeats
@Mikoto @amolith That electron argument is becoming less and less true or significant. But it does still highly depend on who’s building the app. Some apps stay up to date with electron releases and use good architecture, some most definitely do not.
(DIR) Post #9luwf4I80ClQS1saEi by Mikoto@fedi.absturztau.be
2019-08-15T17:42:23.224390Z
0 likes, 0 repeats
@alex @amolith
> That electron argument is becoming less and less true or significant
Does it? I have a haswell and 8GB of ram yet I still have issues when running electron stuff. In addition to that wire takes ages (can be more than an hour) to decrypt the messages if you are gone for say a week from your group.
(DIR) Post #9luwrw3rudW0gtLSng by alex@phx.social
2019-08-15T17:37:05Z
0 likes, 0 repeats
@Mikoto @triF5 @amolith I believe a shared secret has to pass through the central server, which is a complete fail for e2e.
(DIR) Post #9luwrxhboMtjmQwiNk by Mikoto@fedi.absturztau.be
2019-08-15T17:44:41.673207Z
0 likes, 0 repeats
@alex @triF5 @amolith This is not necessary.
(DIR) Post #9lux351Gwl1DewReBk by louis@pleroma.gnusocial.club
2019-08-15T17:46:43.481150Z
0 likes, 0 repeats
@amolith make proper complaint with arguments, and provide replacement suggestions
(DIR) Post #9luxZaIICiuXvEuByC by alex@phx.social
2019-08-15T17:49:50Z
0 likes, 0 repeats
@Mikoto @amolith They might be a poorly implemented electron app then haha. Your constraints sound like you do need more native solutions. Good crypto will be slow since it has to be computationally intense enough to be strong against today’s powerful systems. And wire uses double ratchet (like signal), which means it has to decrypt messages in order to derive the key that unlocks the next message in the sequence.
(DIR) Post #9luxZaVlOdgcb1Cwy0 by Mikoto@fedi.absturztau.be
2019-08-15T17:52:36.486609Z
0 likes, 0 repeats
@alex @amolith
> Good crypto will be slow
Chacha20 is one of the fastest yet one of the strongest ciphers in the world. Good crypto does not need to be slow. Only attempting to crack it/bruteforce it should be computationally expensive. No matter how fast a cipher is you will not be able to bruteforce 2^255 keys.
(DIR) Post #9luxeGQpTm3Jlh86XQ by alex@phx.social
2019-08-15T17:50:58Z
0 likes, 0 repeats
@Mikoto @triF5 @amolith The server becomes the vulnerability and has a privileged view into the secret.
(DIR) Post #9luxeGcAnb7uKsRADg by Mikoto@fedi.absturztau.be
2019-08-15T17:53:26.778105Z
0 likes, 0 repeats
@alex @triF5 @amolith Sorry if I was not clear. My point was that the server does not need to know the secret.
(DIR) Post #9luxncfQB6LnKuPwo4 by Mikoto@fedi.absturztau.be
2019-08-15T17:55:07.963755Z
0 likes, 0 repeats
@alex @amolith Although I admit that I did not know that the double ratchet implementation in wire did a key exchange every message. I thought that it would do it every few messages.
(DIR) Post #9luyHsvaHlxwSIPLSC by alex@phx.social
2019-08-15T17:57:25Z
0 likes, 0 repeats
@Mikoto @triF5 @amolith Ah, I misunderstood. Are you thinking of peer to peer exchange? Otherwise it's back to diffie hellman and maybe there's a way to do that without doing it for each group member.
(DIR) Post #9luyHtPiTk4JxkVPQ8 by Mikoto@fedi.absturztau.be
2019-08-15T18:00:35.809255Z
0 likes, 0 repeats
@alex @triF5 @amolith Yeah, my idea was that each member that invited a new one into the group would give them the group identifier + the key via the existing e2e mechanism. Key exchange would need to happen only once per user.
(DIR) Post #9luyN72BGXl1eZzBia by alex@phx.social
2019-08-15T17:59:07Z
1 likes, 0 repeats
@Mikoto @amolith You know, I got that from signal. I didn't read the wire white paper close enough to know for sure they do the same.
(DIR) Post #9luyR8I4XLQ8hyKtYe by alex@phx.social
2019-08-15T18:01:34Z
1 likes, 0 repeats
@Mikoto @triF5 @amolith I think one point here might be that there isn't group consensus to add a member, but that's getting into the weeds.
(DIR) Post #9luzZwc3QJrj3DRqBk by alex@phx.social
2019-08-15T18:08:10Z
1 likes, 0 repeats
@Mikoto @amolith I'm stretching a bit here (not a crypto dev), but it looks like double ratchet is what dictates the new key for each R/W.
(DIR) Post #9ly2mFpFwhz2kShOSm by codeforchaos@cybre.space
2019-08-17T05:35:00Z
0 likes, 0 repeats
@amolith What’s the source for the discontinuation? It’s not obvious from a web search... @Mikoto @triF5 @alex