FBXL Social

cryptography people: do NOT use telegram. do NOT use matrix. i have identified flaws in the encryption protocols that may allow an adversarial nation-state with sufficient resources to spy on your messages

me using discord for basically all my DMs: hey im at the store, do we still need more flour

i am subsequently destroyed by a very small tactical missile aimed at aisle 5

also to be fair telegram does have an incredibly bad case of techbro happening atm. which is also why i ended up mostly talking to people via discord

@eevee Yeah, the one thing that really bugs me about cryptography people is that they only, ONLY focus on the cryptography, and act like everything that doesn't satisfy their expectations is a complete objective failure, without any consideration to any other potential exposure vectors that users might actually be concerned about (see also: Signal's still-extant requirement of a phone number to register)

@dragonarchitect @eevee
Not to mention the fact that half of these problems don't exist on Signal simply because there is no federation at all — there is no home server to be compromised as there are no other home servers 😂

@m0xee @dragonarchitect @eevee Wdym? Couldn't the main Signal servers still be compromised?

@eevee me as well, expect I send messages about flour with super secure Signal with people I have verified safety numbers with

@m0xee @dragonarchitect @eevee I guess that's less likely than servers run by amateurs being compromised.
replies
1
announces
0
likes
0

@Hyolobrika
That's the point, there can be no compromised servers: either everyone is safe or the whole system gets compromised — which as you rightly noted, isn't out of the question, because at present you might have the strongest cryptography behind your system, but vulnerabilities, including those in algorithms, get discovered all the time and black hat hackers might not even be interested in disclosing them, it might take time to realise the system got compromised.
@eevee @dragonarchitect

@Hyolobrika
As users don't usually audit the cryptographic algorithms themselves and we don't know much about what's happening with these servers, for the most it's "Just trust me, bro!"
Centalised systems are a sweet spot for attacks: you break into one system — you own all the users, but no one might ever get interested in hacking into your server for a dozen users. Centralisation is always weak from security POV — no amount of strong cryptography can change that.

@eevee @dragonarchitect