Lol Signal is linking to a copy of the #36c3 talk Moxie held and what they officially wanted to be taken down... seems really like they just did it for publicity 🤦‍♀️
@jr Well, fuck Signal even more then. The people behind it suck as much as the software itself 👎
I guess, now, since the talk is recorded and on the web anyway, Moxie accepted its existence and there's no good reason not to link to it.
@fluxx @jr No, maybe, no and no. It's not the only one, have a look at Threema or Session. Encryption may be strong but with servers at AWS in the United States I still don't trust that infrastructure. And the code is open source but it's not free as in freedom: If you change anything, you're not allowed to connect to the server anymore. And other solutions aren't harder to use. Signal isn't a solution, it's part of the problem.
With good e2ee it can use any infrastructure without any privacy concerns. There might be ethical problems with using services like AWS though, I agree.
And if they'd open up for every client, a potentially malicious client could gain popularity and they couldn't do shit about it. If you see a viable way of keeping everything as secure as possible AND go the way of decentralization, then you should give them a call.
Since when is Threema's e2ee open source?
Okay, I see your point.
But imagine there was a Matrix client with a backdoor. What could anybody do about it, when many people (average non-IT people) would start using it due to very good marketing? The users would feel secure but weren't safe. What would you recommend? I would really love to know. That keeps me from using Matrix. Who would've time to check all the clients for flaws (even if they'd all be open)?
@eutektoid @fluxx @jr The big advantage of decentralized software is that nobody has control over everything. In that case it means nobody can block this client for everyone. But server admins can block clients connecting to their servers. But what should a malicious client do? It doesn't have a phone number or email address, only your user name and the messages. Sure, it could abuse that data but you always have this risk. Signal and Whatsapp could decrypt and spy on your messages, too. And I don't doubt that they do. Your operating system can also have a keylogger. Or the keyboard app you use. I don't see why anyone should use a manipulated Matrix client for that. In the end, you're never 100% safe if you don't use 100% open source software on both ends of the conversation.
»But server admins can block clients connecting to their servers.«
I see, but first you were complaining that the Signal network was not open for everyone. If I can't choose my client in the end to connect to the whole network, there is no advantage. First, server admins would have to check the client's source code, and second, they shouldn't be able to block anyone 'cause that would be oppression. It's like blocking a party from parliament, 'cause you don't like it.
»Sure, it could abuse that data but you always have this risk.«
The risk is at minimum when everybody has to check just one client and one piece of server code. And the secure communication is MY priority and I would rank decentralization below more safety. Don't get me wrong: decentralization is nice in some ways, but data safety is more important for me in private conversations. So I always have a risk, but it has not the same size in every scenario.
And as far as I understood this, that is one of the Signal project's priorities too: more safety above decentralization.
»Signal and Whatsapp could decrypt and spy on your messages, too. And I don't doubt that they do.«
WhatsApp maybe, but Signal is open source and the e2ee is working. So, no, they can't read your messages and decrypt them, or what am I missing here?
btw: really nice conversation! thank you!
@eutektoid @jr @fluxx Whatsapp's end-to-end encryption is working, too, and that's proven. The thing is that you can't exactly know what the client does. The client has to decrypt the data to present it to you and after doing so, it could theoretically send the cleartext data back to its company. Whatsapp is closed source and Signal doesn't allow modified clients, so you have to trust the builds in the app store. Everyone can build their own Riot from source and make sure that this can't happen, therefore I think Matrix is the safer way. And if that's too much work, you can download the safe build from F-Droid which has been reviewed by the F-Droid team. Whatsapp and Signal both aren't available in the F-Droid store. Yes, the different clients *could* mean a low risk of manipulated clients, but I see a large choice as an advantage. You should also think about upcoming systems like the new Linux phones which will likely never receive official builds of Whatsapp or Signal but everyone can write their own Matrix client for it. A walled garden can harm the adoption of new platforms as long as their market share isn't relevant enough, therefore I think we do absolutely need decentralization.
Okay yeah, not per se, but there IS a possibility, exactly!
Some attackers (states) will do what they can and what saves time in mass surveillance. Hacking every device might be feasible as well, but seems harder to me than attacking the communication's infrastructure at the weakest point.
Don't you think?