Have you seen this news?
-
Signal also has 50 employees and money in the bank to pay the lawyers.
I'm certainly not a lawyer or expert on this, and I'm sure it varies between legal jurisdictions... but I thought that US law has (some?) liability protections for "common carriers" who pass data but are unable to read it.
Your ISP isn't liable for stuff you download over a secure HTTPS/SSL connection. In theory, the same *should* apply here. But still, someone may try to test it in court.
-
It's fully backwards compatible. If you don't support encrypted messages, you can still send/receive regular ones.
Here's a *very* short version:
Your device makes two encryption keys: one is public and one is private
The private key never leaves your device
The public key is published in your ActivityPub profile
If I want to send you a message, I check your profile to see if you've published encryption keys.
Have keys? send encrypted messages
No keys? send plaintext messages -
@benpate @bluewinds @GroupNebula563 I think you're confused.
The public keys that are rotated frequently are encryption public keys.
The thing I've proposed are for identity public keys.
Using your identity secret key to sign each encryption public key, and having your recipient verify them, is basically a one-liner:
https://github.com/swicg/activitypub-e2ee/issues/35#issuecomment-3738855995
Thank you, and yes. Syncing key packages to a public server might get tedious for everyone.
BTW: We had a video conference today, and you came up (along with the issue you linked)
We were running out of time (because W3C meetings) but want to keep open the possibility of implementing this in the future.
We're meeting again in two weeks. Wanna come?
-
Thank you, and yes. Syncing key packages to a public server might get tedious for everyone.
BTW: We had a video conference today, and you came up (along with the issue you linked)
We were running out of time (because W3C meetings) but want to keep open the possibility of implementing this in the future.
We're meeting again in two weeks. Wanna come?
@benpate @bluewinds @GroupNebula563 Sure! My signal is
soatok.45if you'd like to coordinate -
I'm certainly not a lawyer or expert on this, and I'm sure it varies between legal jurisdictions... but I thought that US law has (some?) liability protections for "common carriers" who pass data but are unable to read it.
Your ISP isn't liable for stuff you download over a secure HTTPS/SSL connection. In theory, the same *should* apply here. But still, someone may try to test it in court.
US law is certainly one jurisdiction, one which routinely compels the sharing of metadata of E2EE users and their conversations, and one which is trying very hard to remove a number of protections currently enjoyed by US-based service providers through legislation such as KOSA and EARN-IT.
Also, social media companies are not common carriers. That's a very different thing (like ISPs, telcos, and railroads.)
Also...
https://umap.openstreetmap.fr/en/map/fediverse-near-me_828094#3/25.799891/29.794922
-
@rapsneezy2 Ha! None that I know of 😅
We're (Mastodon, Bonfire, and Emissary) not doing this from scratch. It's building on MLS, which is an open standard for end-to-end encrypted messages that is used by many big players in tech.
Plus, all of this is open source (mine is here: https://github.com/EmissarySocial/conversations-mls) so hopefully any theoretical back doors would be found by interested parties.
If you're interesting in auditing some code, I'd *love* for you to participate!
sadly i'm not qualified to audit cryptogrpahic function enforcing code
but I do recall RSA being open source and being promoted by NIST and the US gov
whilst having known vulnerabilities
https://grahamcluley.com/nsa-bribe-rsa-encryption/
https://www.cnet.com/news/privacy/security-firm-rsa-took-millions-from-nsa-report/
-
US law is certainly one jurisdiction, one which routinely compels the sharing of metadata of E2EE users and their conversations, and one which is trying very hard to remove a number of protections currently enjoyed by US-based service providers through legislation such as KOSA and EARN-IT.
Also, social media companies are not common carriers. That's a very different thing (like ISPs, telcos, and railroads.)
Also...
https://umap.openstreetmap.fr/en/map/fediverse-near-me_828094#3/25.799891/29.794922
Also, even if I enjoyed all the protections in the world, I am not in the E2EE business.
I am not in the patio installation business.
I am not in the porn business.
I am not in the banana peel recycling business.
I operate a public-facing social networking service for charitable purposes, with various liabilities I have chosen to take on, and various regulatory requirements I have chosen to comply with.
E2EE is not in my mission, nor in my wheelhouse, nor in my business plan.
-
Also, even if I enjoyed all the protections in the world, I am not in the E2EE business.
I am not in the patio installation business.
I am not in the porn business.
I am not in the banana peel recycling business.
I operate a public-facing social networking service for charitable purposes, with various liabilities I have chosen to take on, and various regulatory requirements I have chosen to comply with.
E2EE is not in my mission, nor in my wheelhouse, nor in my business plan.
-
sadly i'm not qualified to audit cryptogrpahic function enforcing code
but I do recall RSA being open source and being promoted by NIST and the US gov
whilst having known vulnerabilities
https://grahamcluley.com/nsa-bribe-rsa-encryption/
https://www.cnet.com/news/privacy/security-firm-rsa-took-millions-from-nsa-report/
@rapsneezy2 Yup. And, most vulnerabilities have nothing to do with the encryption, but all of the architecture around it that leaks, injects, or lets adversaries circumvent your encryption.
I'm gonna share this image *so many times* today :)
At the end of the day, I don't think we're building something to keep out the NSA or the Mossad. I think we're thwarting nosy admins, data harvesters, and the same. And that's a good step forward.
Use Signal to do illegal stuff.
-
Also, even if I enjoyed all the protections in the world, I am not in the E2EE business.
I am not in the patio installation business.
I am not in the porn business.
I am not in the banana peel recycling business.
I operate a public-facing social networking service for charitable purposes, with various liabilities I have chosen to take on, and various regulatory requirements I have chosen to comply with.
E2EE is not in my mission, nor in my wheelhouse, nor in my business plan.
To be clear, I am very happy E2EE services, patio installers, porn services, and banana peel recyclers exist.
I simply do not want to operate one of these businesses.
-
Also, even if I enjoyed all the protections in the world, I am not in the E2EE business.
I am not in the patio installation business.
I am not in the porn business.
I am not in the banana peel recycling business.
I operate a public-facing social networking service for charitable purposes, with various liabilities I have chosen to take on, and various regulatory requirements I have chosen to comply with.
E2EE is not in my mission, nor in my wheelhouse, nor in my business plan.
@jaz I can only say "yes" so many times before I dig up the Meg Ryan gif.
Do you want me to dig up the Meg Ryan gif?
-
I don’t have all the answers, but I believe there’s a network effect at work.
Signal is fantastic. I use it for lots of things. But it’s “yet another” place to go.
But the Fediverse is my primary place to talk with people (like you)
If you and I could have a truly private follow-on discussion without switching networks, it would be a win for the Fediverse.
I'd say watch @delta too!
-
Also, even if I enjoyed all the protections in the world, I am not in the E2EE business.
I am not in the patio installation business.
I am not in the porn business.
I am not in the banana peel recycling business.
I operate a public-facing social networking service for charitable purposes, with various liabilities I have chosen to take on, and various regulatory requirements I have chosen to comply with.
E2EE is not in my mission, nor in my wheelhouse, nor in my business plan.
-
Yup. I've heard some discussion about allowing users to "Flag" content to admins. But then there's the question of how to prove that the message is authentic (and I didn't just use a screenshot maker to frame someone)
Right now, I don't know how that'll play out. But I'm glad Mastodon is going to be asking those questions.
-
@rapsneezy2 Yup. And, most vulnerabilities have nothing to do with the encryption, but all of the architecture around it that leaks, injects, or lets adversaries circumvent your encryption.
I'm gonna share this image *so many times* today :)
At the end of the day, I don't think we're building something to keep out the NSA or the Mossad. I think we're thwarting nosy admins, data harvesters, and the same. And that's a good step forward.
Use Signal to do illegal stuff.
I may be wrong but I understood the RSA issue to be a deliberately chosen random number generator which wasn't quote so random - so algorithmic.
(but i'm no expert)
-
@jaz I can only say "yes" so many times before I dig up the Meg Ryan gif.
Do you want me to dig up the Meg Ryan gif?
@benpate I'd appreciate the gesture 😜
-
@rapsneezy2 Yup. And, most vulnerabilities have nothing to do with the encryption, but all of the architecture around it that leaks, injects, or lets adversaries circumvent your encryption.
I'm gonna share this image *so many times* today :)
At the end of the day, I don't think we're building something to keep out the NSA or the Mossad. I think we're thwarting nosy admins, data harvesters, and the same. And that's a good step forward.
Use Signal to do illegal stuff.
@benpate I would also say
use Signal (or other) to do good stuff which western governments like Germany don't want you to do
not just illegal stuff
good stuff on the right side of history
-
-
Yup. I've heard some discussion about allowing users to "Flag" content to admins. But then there's the question of how to prove that the message is authentic (and I didn't just use a screenshot maker to frame someone)
Right now, I don't know how that'll play out. But I'm glad Mastodon is going to be asking those questions.
-
@jaz @benpate I should also say that the interviews I've done about having more people bring their personal connections, family and friends, to the Fediverse, they repeated again and again that they needed to have private messaging to do that, and this warning keeps them from doing it. If people don't connect with real-world relationships here, they aren't going to stay. This is existential.
Ciao! Sembra che tu sia interessato a questa conversazione, ma non hai ancora un account.
Stanco di dover scorrere gli stessi post a ogni visita? Quando registri un account, tornerai sempre esattamente dove eri rimasto e potrai scegliere di essere avvisato delle nuove risposte (tramite email o notifica push). Potrai anche salvare segnalibri e votare i post per mostrare il tuo apprezzamento agli altri membri della comunità.
Con il tuo contributo, questo post potrebbe essere ancora migliore 💗
Registrati Accedi