Post ADXJWUkkqMH3N8ST6O by wago@zap.dog
(DIR) Post #ACzwOwFJOQEkrco5wm by FediFollows@mastodon.online
2021-11-02T17:52:27Z
4 likes, 19 repeats
Centralised messenger Signal has just announced that they are making part of their server software closed source. They claim it is to fight spam, but by using closed source they make it impossible for outsiders to verify the truth. This is worrying. We really, really need a fully open, decentralised alternative to Signal. There are several alternatives being developed, please support them: ➡️ @snikket_im ➡️ @xmpp ➡️ @matrix ➡️ @delta ➡️ @briar ➡️ @Jami #Signal #Alternatives #Privacy
(DIR) Post #ACzybvGMYiTBUJcMD2 by Trimble_tech@mstdn.social
2021-11-02T18:12:55Z
2 likes, 0 repeats
@FediFollows @snikket_im @xmpp @matrix @delta @briar @Jami It is unfortunate to see this occur, but I am optimistic that a more decentralized model with several different clients may be a good idea. Youtuber 'Mental Outlaw' has a good video discussing Signal's encounter with the FBI, as well as how Signal forks could help.
(DIR) Post #AD1AnXxYQ3bjIT5asq by selea@social.linux.pizza
2021-11-03T08:15:29Z
0 likes, 0 repeats
@FediFollows You forgot @session :)
(DIR) Post #AD1PKW41t1p0KfjWHw by Trimble_tech@mstdn.social
2021-11-02T18:17:20Z
0 likes, 0 repeats
@FediFollows @snikket_im @xmpp @matrix @delta @briar @Jami I see an ideal future in using unified standards with multiple decentralized clients. Matrix seems like a good framework for this, with independent servers able to talk to each other in a way that can federate them the same way Mastodon does. I would hope that Signal reconsiders, but we can't be too reliant on only one service.
(DIR) Post #AD1PKWd7mXtW5W9XzU by FediFollows@mastodon.online
2021-11-02T18:23:24Z
1 likes, 0 repeats
@Trimble_tech All of the alternatives listed are decentralised, none of them lock you into a single network like Signal does.
(DIR) Post #AD1PKX7FyVztayFbxQ by z428@social.tchncs.de
2021-11-03T09:02:44Z
1 likes, 0 repeats
@FediFollows Personally, I think for future implementations we should focus on approaches such as Briar, Jami, maybe SSB, Matrix P2P or Tox (that do not depend on particular servers). Jane Doe will not be able to run a server of their own or know someone trustworthy, so there will always be the need to trust a server hosted by "someone else". For this setup, FLOSS doesn't make things better at all because, open or not, you never know whether the code ... @Trimble_tech
(DIR) Post #AD1PKXc67qfR8cgF1s by FediFollows@mastodon.online
2021-11-03T09:40:55Z
1 likes, 0 repeats
@z428 @Trimble_tech You're able to talk to me on ActivityPub because Mastodon made it more user-friendly to sign up, with consistently branded instances, and a good on-boarding site that gets widespread media coverage. @snikket_im aims to do the same for XMPP. XMPP at the moment has a working system but a really messy and inconsistent public appearance. There's no proper onboarding, signing up is scary, instances look scary, no recommended servers etc.
(DIR) Post #AD1PKY5WMSCebsRjtI by z428@social.tchncs.de
2021-11-03T09:52:44Z
1 likes, 0 repeats
@FediFollows Did by chance we ever consider that maybe Signal, Threema, ... are operating on a threat model completely different to what XMPP or federated services try to address? XMPP for example is pretty much *not* zero-knowledge, hasn't avoidance of metadata baked in, ... . Last time I checked, even XMPP with OMEMO had unencrypted sender and recipient information in its messages. Compare that to Signal and sealed-sender. And so on ... 😶 @Trimble_tech @snikket_im
(DIR) Post #AD1PKYXsf0t81piO5w by FediFollows@mastodon.online
2021-11-03T10:01:07Z
1 likes, 0 repeats
@z428 @Trimble_tech @snikket_im Signal being centralised is a major problem. Popular centralised services are a magnet for acquisitions by bad actors, because the network effect traps users on the network. This is what happened to Whatsapp, it used to have better privacy but then it was sold to Facebook by its two creators, including Brian Acton who became a billionaire. Brian Acton is the guy who bankrolled Signal's development, and is head of the Signal Foundation which owns Signal.
(DIR) Post #AD1PKZ34n1qFaaJIie by FediFollows@mastodon.online
2021-11-03T10:09:14Z
1 likes, 0 repeats
@z428 @Trimble_tech @snikket_im I am not saying Acton is acting in bad faith, it's impossible for me to know. But by setting up Signal like this, it's making it more difficult for outsiders to verify his intentions, and making it more difficult for Signal's users to leave should something go wrong.
(DIR) Post #AD1PKZVR5aWj0XZwvI by z428@social.tchncs.de
2021-11-03T10:51:18Z
0 likes, 0 repeats
@FediFollows ... my contacts losing contact with me without even noticing. I don't really see this possible or implemented in any of the "federated" messengers at the moment, even in Mastodon (which isn't a messenger and rather good at "user-friendly federation") user accounts are tightly coupled with particular instances and essentially "lost" if an instance, say, goes down overnight or is taken over by some undesirable actor. @Trimble_tech @snikket_im
(DIR) Post #AD1PKa4B0QJekHph4a by snikket_im@fosstodon.org
2021-11-03T10:58:18Z
0 likes, 0 repeats
@z428 We've been working on (b) at https://docs.modernxmpp.org/projects/portability/ There's still some work to do, but by the end of the year we aim to complete the majority of the remaining tasks to make migration trivial for users. Based on our findings, almost all servers shut down with some advance notice. However using the tools and data formats we've been working on, you can also pre-emptively back up your data. @FediFollows @Trimble_tech
(DIR) Post #AD1PnSIEz99X2GBCVc by z428@social.tchncs.de
2021-11-03T10:49:57Z
0 likes, 0 repeats
@FediFollows ... talking to, which kind of message content I'm transferring, which groups I'm part of and so forth. So far, I see both Matrix and XMPP doing rather bad at this (see https://web.archive.org/web/20200905183322/https://infosec-handbook.eu/blog/xmpp-aitm/ for example). And (b) switching instances, in case my admin or its organization decides to behave shady, is sold out, ... , needs to be much cheaper than it is now - without me losing contacts, groups, communication history, ..., and much more important, without ... @Trimble_tech @snikket_im
(DIR) Post #AD1PnT8hq57Veyj6Ho by z428@social.tchncs.de
2021-11-03T10:58:15Z
0 likes, 0 repeats
@FediFollows (Ah, updated version here: https://infosec-handbook.eu/articles/xmpp-aitm/ ; hope they'll do something similar for Matrix at some point.) @Trimble_tech @snikket_im
(DIR) Post #AD1PnTgjnYLHMWeHKa by snikket_im@fosstodon.org
2021-11-03T11:03:34Z
0 likes, 0 repeats
@z428 As for the issues you raise around trust in server operators, there are a few paths to take: 1) the Snikket way: encourage smaller servers, run by people the users know and trust in a specific social context (e.g. family member) 2) Use a pseudonymous account on a public server via Tor/I2P/etc. 3) Use something "serverless" like Briar, and accept the limitations of such a design. Which of these is best depends strongly on your specific use and threat model. @FediFollows @Trimble_tech
(DIR) Post #AD1R9vWV5bIE1282JU by z428@social.tchncs.de
2021-11-03T11:18:49Z
0 likes, 0 repeats
@snikket_im Glad to see account portability is becoming a thing in this world. From where I stand, (1) and (2) are okay but not (yet?) able to cater to a reasonably large group of users, a group of users large enough to really make a difference compared to the proprietary silos. Most folks in my environment don't know someone who could handle running a trustworthy smaller server, and I personally would be capable of doing so yet stay away from it because in ... @FediFollows @Trimble_tech
(DIR) Post #AD1RQCRPxLl17SViyW by z428@social.tchncs.de
2021-11-03T11:21:43Z
0 likes, 0 repeats
@snikket_im ... order to replace WhatsApp or Signal this would require a considerable amount of continued work and still bear the risk of, say, being target of an attack, of surveillance targeting my infrastructure at a lower level, or of being blocked by other instances for whichever reasons. But that's just a personal view, more important indeed is what I see about specific use and threat model, that's why pretty often I feel very bad seeing XMPP as a ... @FediFollows @Trimble_tech
(DIR) Post #AD1RT9Y9AAsL1K4BN2 by z428@social.tchncs.de
2021-11-03T11:22:14Z
0 likes, 0 repeats
@snikket_im ... suggestion to replace Signal or Threema. It's a good tool for some purposes, but it tries to solve a totally different problem in my opinion. 😉 @FediFollows @Trimble_tech
(DIR) Post #AD1UPWumeMP8BqcPxY by z428@social.tchncs.de
2021-11-03T10:46:19Z
1 likes, 0 repeats
@FediFollows But "it's impossible to know" nails it for virtually everyone operating any service: You never _know_ whether all actors act in good faith. You always either have to trust them, or you can opt for solutions that don't require that kind of trust and dependency. I'd prefer the latter, which would boil down to servers being "just" dumb transports meeting two requirements: (a) The server and/or any of its operators mustn't know who I am, who I am ... @Trimble_tech @snikket_im
(DIR) Post #AD1UPXYUGkACAzC7qS by FediFollows@mastodon.online
2021-11-03T11:50:17Z
2 likes, 0 repeats
@z428 @Trimble_tech @snikket_im Yes, but with popular decentralised services like email or telephones, if bad faith actors are exposed people can migrate to other instances. They may (or may not) have to let their contacts know about their new address/number, but it's do-able. With popular centralised services, the person running them could say they're removing all encryption, and most people would still have to use that centralised service due to the network effect.
(DIR) Post #AD1UVtdP5kCiOKWcD2 by FediFollows@mastodon.online
2021-11-03T11:56:09Z
3 likes, 4 repeats
The main issue with Signal is what is its end game? Let's say they want to become a mainstream messenger service, like a privacy-friendly alternative to Whatsapp. Let's say they got hundreds of millions or even billions of users. At that point, the network effect would be VERY strong and Signal users would be pretty locked into using it, come what may. And then... Signal would be a very tempting target for acquisition by Facebook/Google/Amazon etc. (1/X)
(DIR) Post #AD1VTQ7nw93UFB7ztY by FediFollows@mastodon.online
2021-11-03T12:04:50Z
2 likes, 4 repeats
Signal is owned by a non-profit, the Signal Foundation, which is headed by Whatsapp creator Brian Acton. If Facebook/Google/Amazon offers Signal Foundation, for example, $20 billion to Signal either as a purchase or a "donation" or some kind of partnership agreement, what happens next? We don't know. What we do know is most Signal users would be stuck the same way most Whatsapp users were when its privacy was degraded. Centralisation is dangerous. (2/2)
(DIR) Post #AD1VkRVM3lkvRjGCZc by adam@social.librem.one
2021-11-03T12:10:32Z
0 likes, 0 repeats
@FediFollows I guess I predicted that and it happened sooner than I expected. https://pocketnow.com/stop-being-naive-when-it-comes-to-things-like-whatsapp-telegram-signal-etc
(DIR) Post #AD1WgK1g1VXN2zyg5o by boilingsteam@mastodon.cloud
2021-11-03T12:20:59Z
0 likes, 0 repeats
@FediFollows Signal can't be trusted in the first place because they had the opportunity to decentralize but chose not to. On paper they are open source but as close as it can get. Matrix is a better alternative right now.
(DIR) Post #AD1WjP8hT7dzm5jU3c by boilingsteam@mastodon.cloud
2021-11-03T12:21:33Z
0 likes, 0 repeats
@FediFollows Signal can't be trusted in the first place because they had the opportunity to decentralize but chose not to. On paper they are open source but as close as it can get. Matrix is a better alternative right now.
(DIR) Post #AD1XGCCCc5Q1Bg0UGe by PublicNuisance@fosstodon.org
2021-11-03T12:27:28Z
0 likes, 0 repeats
@boilingsteam Matrix; XMPP; Session; all better options than Signal.
(DIR) Post #AD1XLUc5Z517kwdn9c by boilingsteam@mastodon.cloud
2021-11-03T12:28:25Z
0 likes, 0 repeats
@PublicNuisance Yup. Just mentioning Matrix as it's definitely getting more popular, but there are several alternatives indeed.
(DIR) Post #AD1egqeNWhoDrYqGJ6 by ozoned@mastodon.technology
2021-11-03T13:50:40Z
0 likes, 0 repeats
@PublicNuisance @boilingsteam I have Matrix, it's not for the less technical savvy, imo. It's confusing and not great. I love the idea, but it seems like they're having a focus issue. Do you have a recommendation for a Matrix client that is easier to use? Everyone says XMPP, but you need a XMPP server yourself don't you? That's an impossible ask for majority of folks. I remember hearing Session a long ago, and I just installed it, and this seems pretty impressive and probably the lowest bar to entry.
(DIR) Post #AD1fsCqhQs0TqnaJvs by PublicNuisance@fosstodon.org
2021-11-03T14:03:58Z
0 likes, 0 repeats
@ozoned I prefer Nheko and FluffyChat for Matrix. You can use a variety of XMPP servers with no effort on your part. https://list.jabber.at/ I use 5022.de currently. What I find surprising is most people I talk to find Session the hardest to get going. Just goes to show people are all different. Personally I find XMPP; Session and Matrix all pretty easy to use.
(DIR) Post #AD24tw65BTpNKRhZI0 by mvgorcum@mastodon.technology
2021-11-03T18:43:57Z
0 likes, 0 repeats
@selea @FediFollows @session session isn't actually decentralized or federated, it's just centralized with extra steps. At least it was last time I looked at it.
(DIR) Post #AD4aWfDLNF5N9kxs00 by datenschutzratgeber@mastodon.social
2021-11-02T19:21:23Z
1 likes, 0 repeats
@FediFollows I don't think so. I mean, it doesn't affect E2EE and it's not like they made any existing software proprietary. Also, their explanation is quite understandable. All in all it's not such a big deal in my opinion.
(DIR) Post #AD4bsZRNcXFbZhXX60 by juleLe@social.tchncs.de
2021-11-03T12:06:44Z
0 likes, 0 repeats
@FediFollows #Quicksy also tries to make it easier to sign up to xmpp. @z428 @Trimble_tech @snikket_im
(DIR) Post #AD4bsZzPa0TNHFSi8m by z428@social.tchncs.de
2021-11-03T12:26:15Z
0 likes, 0 repeats
@juleLe Yeah, quicksy is pretty good at what it does. My problem with these tools, however: Neither XMPP nor e-mail (deltachat) have been built with security in mind as a first-class citizen. In both cases, server-sided metadata, unencrypted transport metadata, ... are issues. We too often seem to fall back to these old tools because techies like them and are comfortable using these, rather than focussing on crafting up-to-date tools to fix these flaws. @FediFollows @Trimble_tech @snikket_im
(DIR) Post #AD4bsaVJfNzesCOBs0 by Hyolobrika@counter.fedi.live
2021-11-05T00:02:08.449165Z
0 likes, 0 repeats
@z428 @juleLe @FediFollows @Trimble_tech @snikket_im https://cwtch.im/ (federated) and @session (P2P) are being built with privacy in mind
(DIR) Post #AD4c0YEO09ye8kGe48 by icedquinn@blob.cat
2021-11-05T00:04:47.925516Z
0 likes, 0 repeats
@Hyolobrika @z428 meta-data protection is a hard problem. the solutions are very onerous. @FediFollows @Trimble_tech @juleLe @session @snikket_im
(DIR) Post #ADGALtW2mzN7gijyJU by nitrokey@social.nitrokey.com
2021-11-10T13:51:24Z
0 likes, 0 repeats
@M33 @FediFollows For reference, the statement refers to https://nitro.chat
(DIR) Post #ADGPxznlMjZFV2ee4e by nodq@fosstodon.org
2021-11-10T16:30:45Z
0 likes, 0 repeats
@FediFollows @snikket_im @xmpp @matrix @delta @briar @Jami this is kinda nonsense shittalk. If the client has proper E2EE and is open source then it doesn't matter what the server does or not. That is the whole point of E2EE at the end of the day... because you can not trust other parties than yourself and those you talk to. -> the server. Just check the client source and if there is anything wrong with it, then you can make an uproar.
(DIR) Post #ADGPy0Ql1kl9Rytmr2 by FediFollows@mastodon.online
2021-11-10T16:43:20Z
1 likes, 0 repeats
@nodq What happens if Signal changes its mind about e2ee? What will people do then? Users can't switch instances because Signal is centralised. If Signal grows popular enough to be an alternative to Whatsapp, it would also be impossible to leave due to network effect. The main backer and head of the Signal Foundation is Brian Acton, the co-founder of Whatsapp. Acton became a billionaire because he sold Whatsapp to Facebook. What happens if history repeats itself in some way?
(DIR) Post #ADVlzJtS85RpV8J0BE by thatonecalculator@voring.me
2021-11-18T02:33:51Z
0 likes, 0 repeats
@FediFollows As a Matrix + Jami user, I can happily say "fuck signal". :tuxagony:
(DIR) Post #ADXJWUkkqMH3N8ST6O by wago@zap.dog
2021-11-18T19:24:23Z
0 likes, 0 repeats
So snikket is Prosody and some other projects mash-up? Like 'snicket cert manager' is a rebranded lets encrypt certbot probably. I don't see where it's pulling all these packages from, there's no mention of XMPP or Prosody, etc. No licenses like the prosody MIT license, but maybe that gets pulled from somewhere? Stuff like 'just do docker install' that downloads a bunch of random software doesn't work for me. Feedback.. hope it helps.
(DIR) Post #ADXJWVGevjnKy5Nwpc by snikket_im@fosstodon.org
2021-11-18T20:24:02Z
0 likes, 0 repeats
@wago Hi! Thanks for the feedback. All the source code for Snikket (server components and apps) is available at https://github.com/snikket-im/ Happy to answer any other questions you may have!