Post AJyJAJSkaislodQIls by cy@mstdn.io
(DIR) Post #AJcClH3M8X3AfLUWoa by Hyolobrika@mstdn.io
2022-05-19T16:14:40Z
0 likes, 2 repeats
More people need to have secure messaging details in their bios because fedi doesn't have E2EE DMs (yet).
(DIR) Post #AJcE327wTBx1XYfW08 by aspie4K@aspiechattr.me
2022-05-19T16:29:03Z
0 likes, 0 repeats
@Hyolobrika I wonder which platform will get it first, Mastodon or Twitter? 🤔
(DIR) Post #AJcEP7HVzE2ntgfzUG by Hyolobrika@mstdn.io
2022-05-19T16:32:44Z
0 likes, 0 repeats
@aspie4K @lain was considering adding it to #Pleroma once
(DIR) Post #AJcER8TCXSfIA86aYa by Hyolobrika@mstdn.io
2022-05-19T16:33:28Z
1 likes, 0 repeats
@aspie4K https://blog.soykaf.com/post/encryption/
(DIR) Post #AJcEoNChvMgkWGTGPQ by Hyolobrika@mstdn.io
2022-05-19T16:37:16Z
0 likes, 0 repeats
@aspie4K Wow. That was two years ago.
(DIR) Post #AJcGI6yAwom4oLPyS0 by aspie4K@aspiechattr.me
2022-05-19T16:54:13Z
1 likes, 1 repeats
@Hyolobrika This is what I'm saying haha, there's many good things about fedi but development moves slowwww because backwards compatibility is important in a decentralised interoperable system.
(DIR) Post #AJcGPW3M5OeCdKN5kW by Hyolobrika@mstdn.io
2022-05-19T16:55:32Z
0 likes, 0 repeats
@aspie4K If you meant fedi as a whole incl Pleroma why did you say "Mastodon" not "fediverse"?
(DIR) Post #AJcGgTLRPObH9lusM4 by aspie4K@aspiechattr.me
2022-05-19T16:58:38Z
0 likes, 1 repeats
@Hyolobrika Oh just because I use Mastodon myself, and saying fediverse would be kinda vague in this context anyway. As in the fediverse is made up of different software written by different people. It'd be silly to demand a feature from all of fedi. Same as demanding a feature from "the internet" or something.
(DIR) Post #AJcHFKSESH3piciJSi by Hyolobrika@mstdn.io
2022-05-19T17:04:57Z
0 likes, 0 repeats
@roboneko @aspie4K what about a browser extension that encrypted the text fields automatically? would that work with something like a double ratchet algorithm (or whatever it was @lain mentioned in the post, I forgot)?
(DIR) Post #AJcHOe3OxCdV6zXe0O by dhfir@expired.mentality.rip
2022-05-19T17:06:38.189648Z
0 likes, 0 repeats
@roboneko @aspie4K @lain @Hyolobrika I believe it's possible to password-encrypt stuff? might be kind of a mess to deal with, but it could work.
(DIR) Post #AJcHTgXf8AE8HC6DUO by aspie4K@aspiechattr.me
2022-05-19T17:07:31Z
1 likes, 1 repeats
@Hyolobrika @roboneko @lain We could already do that right now using PGP strictly speaking. Only downside is no PFS. But if you create a modern Curve25519/X25519 keypair and rotate your keys often enough, that's decent security.
(DIR) Post #AJcINkHYPaii5pIQyG by aspie4K@aspiechattr.me
2022-05-19T17:04:54Z
0 likes, 0 repeats
@roboneko @lain @Hyolobrika Yeah you need an open source app to trust E2EE. Twitter could do this. Open source the mobile apps, integrate the Signal Protocol. More complex for fedi simply due to different platforms and versions between instances.
(DIR) Post #AJcIiby8W03mOKACMC by Hyolobrika@mstdn.io
2022-05-19T17:21:25Z
0 likes, 0 repeats
@aspie4K Might it not have to involve changes in ActivityPub though? If a change involved changes in IP or TCP wouldn't it be a feature of the internet?
(DIR) Post #AJcJBZ12ZdwNd8KMam by aspie4K@aspiechattr.me
2022-05-19T17:09:42Z
0 likes, 0 repeats
@dhfir @roboneko @lain @Hyolobrika Yeah PGP is platform agnostic and based around public key cryptography so that's the obvious solution. Main issue is lack of PFS as you'd get from the Signal Protocol.
(DIR) Post #AJcJl4wZrGlCmxAtLk by aspie4K@aspiechattr.me
2022-05-19T17:33:05Z
0 likes, 0 repeats
@Hyolobrika Sure but ActivityPub is an agnostic protocol that simply dictates message formats. And even if you did change it to include encryption, you'd still face backwards compatibility and differing implementation issues. Encryption is super complex, not a switch you can just flip on.
(DIR) Post #AJcK79yLqIcCktX8gC by aspie4K@aspiechattr.me
2022-05-19T17:29:28Z
0 likes, 0 repeats
@roboneko @lain @Hyolobrika Correct. But what if we're using different apps, especially if I'm on Android and the recipient has an iPhone for example? Every app would need to agree on a uniform encryption standard and implementation. Which is just as unrealistic as expecting all of fedi to do the same natively.
(DIR) Post #AJcKNXNyYnCw0IKR2O by Hyolobrika@mstdn.io
2022-05-19T17:40:02Z
1 likes, 0 repeats
@roboneko @aspie4K @lain lots of different clients support XMPP+OMEMO and Matrix
(DIR) Post #AJcLD4wrXCWiriDuUa by aspie4K@aspiechattr.me
2022-05-19T17:49:15Z
0 likes, 0 repeats
@Hyolobrika @roboneko @lain XMPP is a perfect example of what I'm talking about though. While OMEMO is the standard today, multiple competing encryption standards were used for XMPP beforehand. Different clients supported different ones. It's actually only very recently that OMEMO support became standard for XMPP.
(DIR) Post #AJcOA7sgTTYsxEYK7E by aspie4K@aspiechattr.me
2022-05-19T17:46:41Z
0 likes, 0 repeats
@roboneko @Hyolobrika Of course, but verifying cryptographic hashes is entirely different to a full implementation of an E2EE messaging standard. That is a lot more complex. There's a reason even huge companies implement the Signal Protocol and anyone who understands cryptography will warn you to never "roll your own crypto." Stuff is super complex. Read the documentation for the Signal Protocol for example.
(DIR) Post #AJcRelrig3qjVvPDRQ by oklomsy@social.linux.pizza
2022-05-19T19:01:35Z
0 likes, 0 repeats
@Hyolobrika Does link to website count? I have more secure communication methods there.
(DIR) Post #AJcT1APeBxkdyFWBhw by lucifer@evil.social
2022-05-19T19:02:29.876Z
0 likes, 0 repeats
@oklomsy@social.linux.pizza @Hyolobrika@mstdn.io I think that's exactly what he meant.
(DIR) Post #AJcT1AsiRt0HQP7P16 by Hyolobrika@mstdn.io
2022-05-19T19:16:50Z
0 likes, 0 repeats
@lucifer @oklomsy I wasn't thinking it but that might work. Unless the website doesn't use SSL/TLS. Or uses an untrustworthy CA?
(DIR) Post #AJcT5dOqMQhH1yGxPc by oklomsy@social.linux.pizza
2022-05-19T19:17:37Z
0 likes, 0 repeats
@Hyolobrika @lucifer I use SSL from Let's Encrypt so that's not a big issue.
(DIR) Post #AJcTCuXz0Oz4Ev17lw by Hyolobrika@mstdn.io
2022-05-19T19:18:59Z
0 likes, 0 repeats
@oklomsy @lucifer It's best not to trust people though.
(DIR) Post #AJcdSlOVnmrg1mminI by oklomsy@social.linux.pizza
2022-05-19T19:03:15Z
0 likes, 0 repeats
@lucifer @Hyolobrika Oh in that case, I am all good then.
(DIR) Post #AJcdSloOFZZ5K2tO88 by Hyolobrika@mstdn.io
2022-05-19T21:13:53Z
0 likes, 0 repeats
@oklomsy @lucifer OMEMO is more secure as it uses a double ratchet
(DIR) Post #AJcdYS7iMcAtzudn7Y by cy@mstdn.io
2022-05-19T20:50:26Z
0 likes, 1 repeats
@inference @Hyolobrika One thing I also like to do is include my key fingerprint in my profile. mstdn.io could spoof it of course, but then they have to conspire with DNS authorities, SSL authorities etc, it's just one more chance for the correct fingerprint to slip through.
(DIR) Post #AJcddTifrBWuObKCPI by Hyolobrika@mstdn.io
2022-05-19T21:15:49Z
0 likes, 0 repeats
@cy @inference You have OpenPGP. OMEMO is more secure because it uses a double ratchet (https://blog.soykaf.com/post/encryption/)
(DIR) Post #AJclBwZjmFPbPpWgQy by cy@mstdn.io
2022-05-19T22:40:28Z
0 likes, 0 repeats
@Hyolobrika OMEMO only works for real time chat apps though, which makes it vulnerable to timing analysis. If I could use OMEMO over a high latency protocol like email, that'd be pretty sweet.
(DIR) Post #AJclsAqb6YT5qFY7BQ by Hyolobrika@mstdn.io
2022-05-19T22:48:07Z
0 likes, 0 repeats
@cy Didn't know that. Anyway, you could use it with XMPP (probably should). Please do, I'd like to chat with you!
(DIR) Post #AJcm0ZFkFVYhqpJXZg by Hyolobrika@mstdn.io
2022-05-19T22:49:38Z
0 likes, 0 repeats
@cy Did you get a notification that I added you or is adding someone a local thing?
(DIR) Post #AJcmXfwaOR5e9v8jEu by Hyolobrika@mstdn.io
2022-05-19T22:55:37Z
0 likes, 0 repeats
@aspie4K you should probably hear this too
(DIR) Post #AJcmehcoXcL1OrF5xA by cy@mstdn.io
2022-05-19T22:56:53Z
0 likes, 0 repeats
@Hyolobrika Oh, right I just didn't notice it! Authorized.
(DIR) Post #AJcnA62Hpezc5O7upU by cy@mstdn.io
2022-05-19T23:02:33Z
0 likes, 0 repeats
@Hyolobrika No, it won't show fingerprints. I can't disable OMEMO either. You might as well trust my fingerprint over XMPP though. If I post it here, then mstdn.io has a chance to spoof it, while with XMPP only your XMPP server could spoof it.
(DIR) Post #AJcnxiXrRbxFi4YZ6G by cy@mstdn.io
2022-05-19T23:11:31Z
0 likes, 0 repeats
@Hyolobrika Oh there it is. /lurch fp show This device's fingerprint is 057004f3 05c40380 b49d1113 3e40a990 2fbfc3ea 0805a27c 98a97631 fbe2d46c.
(DIR) Post #AJyIzQenVERgwWrtKq by cy@mstdn.io
2022-05-20T16:19:58Z
1 likes, 0 repeats
@inference Yeah, your article gives some alternatives. I just bristle at the idea of taking even more encryption away from people, on the claim that the newer method is more new. SSL forcibly converted the entire Internet into a bunch of helpless consumers living under mafia authority. I would definitely like a better solution for encrypting files, and just encrypting any generic data. Until then, PGP is... all I got.
(DIR) Post #AJyJ2M6isHKXhYKFUW by cy@mstdn.io
2022-05-20T20:54:15Z
1 likes, 0 repeats
@inference Data miners collect statistics on when you're asleep, when you're doing something other than work for your employer, and who you're interacting with when. Where were you on the night of the 25th? And if you're chatting from multiple locations, they can combine that with the timing analysis to identify what was going on at that location at that time. Perhaps at some sort of political rally? Union meeting? So I take timing analysis pretty seriously.
(DIR) Post #AJyJ4VXwkd8JYV5MtE by cy@mstdn.io
2022-05-20T21:02:59Z
1 likes, 0 repeats
@inference The threat level is forming a union. It's not exactly a super obscure and niche activity. I guess attending a rally isn't something people do often. I'd never attend one of those big protests, because I know the cops are taking down names. I really don't see how this is equivalent to 16 layers of blackout curtains. It's just a way to make it harder to predict and manipulate the system overall, no curtains necessary.
(DIR) Post #AJyJ4XMK0p1TB1f732 by cy@mstdn.io
2022-05-20T21:05:44Z
0 likes, 0 repeats
@inference tbh I'm tired of all these engineered recessions, a parade of "times are tough right now, so buckle up," bosses, when times never stop being tough anymore. I just want to do something without finding them there waiting for me, targeting nice things to maximize their success and ensure we can't have nice things.
(DIR) Post #AJyJAJ02JTuiNZzN0y by aspie4K@aspiechattr.me
2022-05-19T17:42:28Z
0 likes, 0 repeats
@roboneko @lain @Hyolobrika This is exactly the type of thing that takes years and years to standardise though. Everyone coming up with their own standard and users having to wait for a de facto standard to finally emerge. I agree it's the logical conclusion but it's extremely inefficient. Meanwhile a centralised platform "just works." This is why mainstream adoption is difficult for fedi.
(DIR) Post #AJyJAJSkaislodQIls by cy@mstdn.io
2022-05-20T00:37:01Z
1 likes, 0 repeats
@aspie4K The reason that comic is a rotten lie is that companies make a lot of money by locking you into their products. They're avoiding standardizing on purpose. It's the same with A/C adapters as with automobiles, where the company gets a monopoly on parts, since no other parts will work, despite our technology that can fabricate things with molecular precision. The existence of USB is a friggin miracle.
(DIR) Post #AJyJKgf3C9mSez7hiK by aspie4K@aspiechattr.me
2022-05-30T07:50:14Z
0 likes, 0 repeats
@cy They're not mutually exclusive. Yes vendor lock-in is a very real thing. But if you have multiple open source clients that are supposed to be interoperable but each choose different standards for, say, encryption, the same issue is created organically too.
(DIR) Post #AJyJO9M0yJIqWCs2OO by aspie4K@aspiechattr.me
2022-05-30T07:58:43Z
0 likes, 0 repeats
@roboneko @Hyolobrika I am 100% in favour of E2EE I'm just pointing out the inherent added complexes of implementing it in a federated system. I think you can't downplay the difficulty just because libraries exist for standards. Yes this means you don't need to reinvent the wheel (nor should you) but most attacks against E2EE are side channel attacks for this exact reason. The encryption is strong but a flawed implementation is easily exploitable.
(DIR) Post #AJyfZ1Drk65bTaeAFM by Hyolobrika@mstdn.io
2022-05-30T12:21:04Z
1 likes, 0 repeats
@roboneko @aspie4K false sense of security maybe?
(DIR) Post #AJzNx7zQd7UlOhCTlQ by colinsmatt11@gleasonator.com
2022-05-30T16:47:55.350256Z
1 likes, 0 repeats
I'm putting my money on Zot because I think it's the best solution in terms of federation, I would certainly like to see more applications supporting Zot or eventually I start making them myself.
(DIR) Post #AJzNy2Kz8A0q9liU8e by cy@mstdn.io
2022-05-30T17:02:11Z
1 likes, 0 repeats
@colinsmatt11 @aspie4K @roboneko The instance still gets your private key with Zot, and you have to send your private key to multiple instances unencrypted if you want a "nomadic" identity.