Technology

71717 readers

4239 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

[email protected]

836

Signal – an ethical replacement for WhatsApp (greenstarsproject.org)

submitted 1 day ago by [email protected] to c/[email protected]

149 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 4 points 19 hours ago (2 children)

Tell me you don't know anything about security without telling me you don't know anything about security.

[–] [email protected] 1 points 13 hours ago (1 children)

Could you explain a bit? I see main issue with Signal (though I'm not an expert, and they're not strictly related to security): it's centralized (and the server isn't even open-source).

The question is also a lot about your threat model right?

[–] [email protected] 1 points 10 hours ago* (last edited 10 hours ago) (1 children)

The encryption being crap really does not depend on the threat model. Sure, in some threat models you may not need e2ee at all but in that case, what's wrong with WhatsApp?

The issue with XMPP is that security really was an afterthought. Not only is e2ee an optional extension, but there are actually 2 incompatible extensions, each with multiple versions. Then you have some clients not implementing either, some clients implementing the older, less secure one. Some implement the newer one but older version of the spec with known issues. And of course, the few clients that implement it well become incompatible with other clients that don't if you enable e2ee, so it is disabled by default.

That is all before you start looking into security audits or metadata harvesting.

[–] [email protected] 1 points 1 hour ago* (last edited 1 hour ago)

Your reasoning would hold up if 80% of xmpp wasn't running on Conversations or forks of it, that all support OMEMO and OpenPGP.

Your criticisms are too broad with few serious negatives. What makes extensions powerful is that they can easily change the rules without breaking the underlying system. If your client sucks, get another?

You have choices, but if your problem is metadata, whoooo boy.

https://news.ycombinator.com/item?id=32780665

https://github.com/matrix-org/synapse/issues/9133

https://www.reddit.com/r/PrivacyGuides/comments/q7qsty/is_matrix_still_a_metadata_disaster/

[–] [email protected] -2 points 16 hours ago

I guess that sucks because I make a living working in cyber security. What do I know, amirite? 🤷