Big news for the #Fediverse!
General Discussion
25
Posts
8
Posters
0
Views
-
RE: https://socialwebfoundation.org/2025/12/19/implementing-encrypted-messaging-over-activitypub/
Big news for the #Fediverse! End-to-end encryption is coming to #ActivityPub.
@swf with support from @sovtechfund is coordinating two interoperable implementations.
Bonfire is proud to be one of these first two projects, alongside #Emissary by @benpate
We think #E2EE should simply be the default for any private communications, and we’re especially thrilled to bring private, trusted collaboration to the fediverse.
-
Keys will be encrypted on the browser, locked with a separate password that’s not shared with the server.
There are some other synchronization issues we’re going to work out, but not before our first sets of code are due.
There’s more here than I can cover in 500char toots. But I’d be happy to chat some time to hear your thoughts
@benpate @bonfire @swf @sovtechfund Another thought before I'll catch up on sleep:
If the code that handles the key material comes from the webserver, that does not stop a government that's hostile from ordering the website owner to run malicious code that'll also encrypt messages for their people... That's what I worry mainly about in terms of security.
-
I am woefully ignorant here. Spare a link for this poor lad?
-
@benpate @bonfire @swf @sovtechfund Another thought before I'll catch up on sleep:
If the code that handles the key material comes from the webserver, that does not stop a government that's hostile from ordering the website owner to run malicious code that'll also encrypt messages for their people... That's what I worry mainly about in terms of security.
Yes. There has to be trust somewhere along the path.
You could host your own server, but you’d still have to trust the developers to not install a back door. Or a supply chain hack. Or…
-
@benpate @bonfire @swf @sovtechfund Another thought before I'll catch up on sleep:
If the code that handles the key material comes from the webserver, that does not stop a government that's hostile from ordering the website owner to run malicious code that'll also encrypt messages for their people... That's what I worry mainly about in terms of security.
One goal is to make this an interoperable standard, so that you could make your own client app, then use your ActivityPub server as only a dumb pipe.
I think that would instill trust.
More in the AM.
-
undefined oblomov@sociale.network shared this topic
undefined notizie@poliverso.org shared this topic
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
-
-
@joshix based on what's popular today: JSON.
(I'm joking, my assumption is that they chose what was the best alternative at the time. As far as I know JSON hadn't been described by Crockford at Jabber's inception)
-
@wolf480pl yes I think that is a huge part of the problem. It is very easy to completely underestimate the complexity of Instant Messaging. Sending a message from A to B seems like something every software developer can write before lunch and people don’t see how it can and will rapidly escalate from there.
But I don’t know how do communicate that to other people.
-
@mariusor @daniel what would've been a better alternative?
https://www.process-one.net/blog/stop-telling-us-xmpp-should-use-json/
-
I consider this a failure on our part but I don’t really know what to do about it. Most arguments against #XMPP don’t hold if you’re building from scratch anyway:
• #Conversations_im looks very outdated: OK, but you are developing your own clients anyway.
• XMPP doesn’t have an SDK: Neither does your #ActivityPub or email stack
• OMEMO is insecure and I would prefer #MLS: Yes, let’s work on that together and you’ll still benefit from XMPP’s 100+ solved IM problems.
-
@daniel I think people have never truly forgiven XMPP for being an XML based protocol.
-
@daniel
I'm guessing there are complex problems in IM space that they don't realize they'll have to solve from scratch, which XMPP already solved for them.What are these problems?
