Post AXeaTjp7nNXEeiC3N2 by atoponce@fosstodon.org
Post #AXeaTiu3DZshnhUTPU by JoergSorge@social.bau-ha.us
2023-07-11T17:18:37Z
0 likes, 0 repeats
@Mer__edith Is it possible to use #Signal without a #Phone number?
Post #AXeaTjp7nNXEeiC3N2 by atoponce@fosstodon.org
2023-07-11T17:19:43Z
0 likes, 0 repeats
@JoergSorge @Mer__edith Nope. Supposedly, username support is being developed, but that's been the case for at least 2-3 years.
Post #AXeaTkXR8cyqs8vRRI by nomain@kanoa.de
2023-07-11T17:31:21Z
0 likes, 0 repeats
@atoponce @JoergSorge @Mer__edith #threema is the solution. http://threema.ch
Post #AXeaTlb1CnRK9Xbof2 by atoponce@fosstodon.org
2023-07-11T17:44:28Z
0 likes, 0 repeats
@nomain @JoergSorge @Mer__edith Threema ships a web interface that can link with your phone. Hard pass.
Post #AXeaTmKOU5jgQGq3O4 by CyberSentry@mastodon.social
2023-07-11T22:59:19Z
0 likes, 0 repeats
@atoponce @nomain @JoergSorge @Mer__edith I actually don't see your point. Could you explain this to me?
Post #AXeaTnGsycWXLgClYe by atoponce@fosstodon.org
2023-07-11T23:03:41Z
0 likes, 0 repeats
@CyberSentry @nomain @JoergSorge @Mer__edith Browser JavaScript cryptography is flawed. You assume that when you refresh the browser, the JavaScript you expect to secure your communication is the JavaScript that was delivered. But unless you're inspecting the source code on *every page refresh*, you can't be certain. This argument holds for any software, not just webpages, but consider how often you refresh a page versus update software. The opportunity for compromise is lower for the desktop.
Post #AXeaTo365N5XlClGhk by atoponce@fosstodon.org
2023-07-11T23:08:44Z
0 likes, 0 repeats
@CyberSentry @nomain @JoergSorge @Mer__edith Basically, because you're loading code from the web server, the admin has full control over what code is loaded when you pull up the page and can change it any time. As long as you trust the provider to not be malicious in this manner (disgruntled employees, government duress, etc.), JavaScript cryptography can be quite useful. But if I don't trust it, and use mobile/desktop software, I can't prevent chatting with someone using the web interface.
Post #AXeaTp4uG886x6cEAC by Jamilla@swiss.social
2023-07-12T07:09:12Z
0 likes, 0 repeats
@atoponce @CyberSentry @nomain @JoergSorge 1. Threema is the admin of web.threema.ch 2. The source code is available for everybody: https://github.com/threema-ch/threema-web
Post #AXeaTpqlOCPXLX0Rl2 by atoponce@fosstodon.org
2023-07-12T11:50:52Z
0 likes, 0 repeats
@Jamilla @CyberSentry @nomain @JoergSorge 1. I don't trust the Threema employees. For all I know, one with administrative rights on the web server is changing the JavaScript that is loaded when the page pulls up. 2. How can I prove that the source code in the repo is the source code I'm using? Or more importantly, how can I prove it's the source code that the person I'm chatting with is using? With web pages, remember, this can change on any page refresh due to #1.
Post #AXeaTrlWGfP9HqZHrU by Jamilla@swiss.social
2023-07-13T06:17:25Z
0 likes, 0 repeats
@atoponce @CyberSentry @nomain @JoergSorge Grab web.threema.ch and compare it with the source code provided = very easy! Or run the SC on your own Server!
Post #AXeaTtKISqok7zqZhw by atoponce@fosstodon.org
2023-07-13T12:27:49Z
0 likes, 0 repeats
@Jamilla @CyberSentry @nomain @JoergSorge Again, you have to do this on every page refresh, and I can't verify the loaded JavaScript of the person I'm chatting with. Browser JavaScript cryptography is very dangerous.
https://gist.github.com/atoponce/e90089cb5a13ef38a7a07f8e64370dab
https://tonyarcieri.com/whats-wrong-with-webcrypto
https://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/
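What the "grab the page and compare it with the source" check looks like in practice, as an added example that is not code from this thread or from the Threema project: pin the SHA-256 of every script in a build you have reviewed, then hash whatever the server actually delivers on a given page load and report anything that differs or was not in the audited build. The HTML, script bodies, file names and manifest below are constructed sample data, not Threema's real assets. Running it on two simulated loads shows the limit both sides are arguing about: the check only says something about the one load it ran on, in your own browser, so it has to be repeated on every refresh and says nothing about what the person you are chatting with was served.

```python
"""Compare the JavaScript a page serves against a build you audited.

Added example, not code from the thread or the Threema project. All
asset names, bodies and the pinned manifest are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page, in page order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(build_tree: dict) -> dict:
    """Pin hashes for a build you have reviewed: script name -> sha256 hex."""
    return {name: sha256_hex(body) for name, body in build_tree.items()}


def verify_page(html: str, fetch_asset, manifest: dict) -> list:
    """Check one page load. Returns a list of (src, reason) findings.

    fetch_asset(src) -> bytes stands in for the HTTP fetch of each script.
    An empty list means every script the page names matched the pinned build.
    The result is valid only for this load; a later refresh needs a new check.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        if src not in manifest:
            findings.append((src, "script not present in the audited build"))
            continue
        actual = sha256_hex(fetch_asset(src))
        if actual != manifest[src]:
            findings.append((src, "hash mismatch: served code differs from the audited build"))
    return findings


# --- constructed sample data (hypothetical file names and contents) ---
AUDITED_BUILD = {
    "app.js": b"console.log('audited client');\n",
    "crypto.js": b"// audited crypto bundle\n",
}
PINNED = build_manifest(AUDITED_BUILD)

PAGE_HTML = ('<html><body><script src="app.js"></script>'
             '<script src="crypto.js"></script></body></html>')

# First load: the server delivers exactly the audited files.
GOOD_SERVE = dict(AUDITED_BUILD)

# Second load: the same page now references an altered crypto bundle plus an
# extra script that was never part of the audited build.
TAMPERED_SERVE = {
    "app.js": AUDITED_BUILD["app.js"],
    "crypto.js": b"// altered crypto bundle\n",
    "extra.js": b"// not in the audited build\n",
}
TAMPERED_HTML = PAGE_HTML.replace("</body>", '<script src="extra.js"></script></body>')


def check_load(html: str, served: dict) -> list:
    """Verify one simulated page load against the pinned manifest."""
    return verify_page(html, lambda src: served[src], PINNED)


if __name__ == "__main__":
    for label, html, served in (("first load", PAGE_HTML, GOOD_SERVE),
                                ("second load", TAMPERED_HTML, TAMPERED_SERVE)):
        findings = check_load(html, served)
        print(label + ":", "OK" if not findings else findings)
```

To use it against a live site you would replace the `served` dictionary with real HTTP fetches of the page and each script it names, and regenerate the manifest from a checkout of the repository built the same way the server builds it. The design keeps the manifest separate from the fetch so that the pinned hashes come from something you inspected, never from the server being checked.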
Post #AXeaTu8zQNMofDZ3iq by Jamilla@swiss.social
2023-07-13T12:37:01Z
0 likes, 0 repeats
@atoponce @CyberSentry @nomain @JoergSorge If you are permanently suspicious of everything, then you should better go to a psychiatrist.
Post #AXeaTurekJ60tkSjLM by bonifartius@qoto.org
2023-07-13T13:59:13Z
0 likes, 0 repeats
@Jamilla i assume you base this recommendation for medical treatment on the accumulated knowledge working for big brain opsec? @atoponce @CyberSentry @nomain @JoergSorge