Post AVZg06oLbGrf9aC31s by reto@mstdn.digital
Post #AVZYW2VOLRsnQu2dvc by rene_mobile@infosec.exchange
       2023-05-06T19:29:50Z
       
       0 likes, 2 repeats
       
       #WhatsApp implementing #KeyTransparency is pretty nice, and definitely an excellent step in the right direction against shadow accounts and the service provider trust problem. However, without the client being #OpenSource, it is not that meaningful. Yes, of course somebody could implement an independent monitor for the transparency log to check keys registered for an identity, but what percentage of the user base will actually do that when the only realistic way to use the service is to rely on the #proprietary client, which can still be used to maliciously target (groups of) users to break #E2EE? Secure messenger clients should both use identity security protections like #KeyTransparency and have a *default* implementation that is #OpenSource and, ideally, be distributed with #BinaryTransparency and verified through #ReproducibleBuilds. Oh, and allow other identifiers than just phone numbers (still looking at you, @signalapp - which is otherwise ticking a lot of the right checkboxes).
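
The post above mentions that an independent monitor could check which keys a transparency log has registered for an identity. The following is an added illustration, not code from the post, from WhatsApp or from any real key transparency deployment: a toy append-only Merkle log of (identity, key) bindings, with inclusion proofs, and a monitor that knows the key its own device holds and raises a finding when the log publishes a different key for its identity or when the provider rewrites earlier log history. All names, hash layouts and sample keys are constructed for the example; a real deployment uses signed tree heads, consistency proofs between tree sizes and a versioned key-to-identity map rather than a flat list.

```python
"""Toy key-transparency log with an independent monitor (constructed example)."""
import hashlib
from typing import List, Optional, Tuple

Entry = Tuple[str, bytes]          # (identity, public key bytes)
Proof = List[Tuple[bytes, bool]]   # (sibling hash, sibling is on the left)


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(identity: str, key: bytes) -> bytes:
    # Domain-separated so a leaf can never be confused with an inner node.
    return _sha256(b"\x00" + identity.encode() + b"\x00" + key)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]   # duplicate the last node on odd levels
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return _sha256(b"")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves: List[bytes], index: int) -> Proof:
    """Sibling hashes from leaf `index` up to the root."""
    proof: Proof = []
    level = list(leaves)
    i = index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = i ^ 1
        proof.append((level[sibling], sibling < i))
        level = _next_level(level)
        i //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: Proof, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


class KeyTransparencyLog:
    """Append-only list of (identity, key) bindings published by the provider."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, identity: str, key: bytes) -> None:
        self.entries.append((identity, key))

    def leaves(self) -> List[bytes]:
        return [leaf_hash(i, k) for i, k in self.entries]

    def root(self) -> bytes:
        return merkle_root(self.leaves())

    def latest_for(self, identity: str) -> Optional[Tuple[int, bytes, Proof]]:
        """(index, key, proof) for the newest binding of `identity`, or None."""
        for idx in range(len(self.entries) - 1, -1, -1):
            ident, key = self.entries[idx]
            if ident == identity:
                return idx, key, inclusion_proof(self.leaves(), idx)
        return None


class Monitor:
    """Independent monitor for one identity; it knows the device's real key."""

    def __init__(self, identity: str, own_key: bytes) -> None:
        self.identity, self.own_key = identity, own_key
        self.seen_size, self.seen_root = 0, merkle_root([])

    def check(self, log: KeyTransparencyLog) -> List[str]:
        findings: List[str] = []
        leaves = log.leaves()
        # 1. Append-only: the prefix seen last time must still hash to the old root.
        if len(leaves) < self.seen_size or merkle_root(leaves[:self.seen_size]) != self.seen_root:
            findings.append("log history rewritten")
        # 2. The newest binding for our identity must carry a valid inclusion proof...
        found = log.latest_for(self.identity)
        if found is None:
            findings.append("identity missing from log")
        else:
            idx, key, proof = found
            if not verify_inclusion(leaves[idx], proof, log.root()):
                findings.append("bad inclusion proof")
            # 3. ...and must be the key this device actually holds (shadow-key check).
            if key != self.own_key:
                findings.append("unexpected key published for identity")
        self.seen_size, self.seen_root = len(leaves), log.root()
        return findings


if __name__ == "__main__":
    log = KeyTransparencyLog()
    log.append("alice", b"alice-key-1")
    log.append("bob", b"bob-key-1")
    monitor = Monitor("alice", b"alice-key-1")
    print(monitor.check(log))            # []
    log.append("alice", b"rogue-key")    # provider registers a key Alice never made
    print(monitor.check(log))            # ['unexpected key published for identity']
```

The monitor only catches the shadow key because it runs outside the provider's client and compares against the key the device really holds; if the only code that ever consults the log is the provider's own client, the provider can simply ship a client that skips the comparison, which is the gap the post is pointing at.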
       
Post #AVZg06oLbGrf9aC31s by reto@mstdn.digital
       2023-05-06T21:02:07Z
       
       0 likes, 0 repeats
       
       @rene_mobile @signalapp Well, if one cares about #privacy and #transparency one shouldn't use #WhatsApp in the first place, period. They're still uploading your complete address book and collecting every bit of metadata of the communication. No, no and no.
       
Post #AVZg07z1F4zkmyC5Im by rene_mobile@infosec.exchange
       2023-05-06T21:14:07Z
       
       0 likes, 0 repeats
       
       @reto @signalapp Yeah, that's still the main reason why I'm not using it and it's unlikely this will change. I was mostly commenting on the recent announcement on #KeyTransparency.
       
Post #AVZg08hgZ0ix1V5kvI by eighthave@social.librem.one
       2023-05-12T09:23:22Z
       
       0 likes, 0 repeats
       
       @rene_mobile @reto @signalapp Your post is a nice breakdown. There is a tricky balance here: of course more systems implementing trusted E2EE methods is a good thing, but it's turned into a marketing bullet point, like "fully private because E2EE". As for #Signal, last I've seen, they don't really do Reproducible Builds. Their process uses the binaries for their own native code, and just reproduces the Java and Android resources part. And Signal releases still include proprietary libraries.