-
msavoritias
kurisu: The only bridge that you can easily connect and is not proprietary and paid is irc as far as i know. And that one is hated by a lot of people in irc and will get you blocked because the matrix team hasnt integrated it well. Never mind that the signal and whatsapp bridge they have is basically a hacky man in the middle solution that was called out the minute it was announced and people were outraged.
-
kurisu
Are xmpp bridges well integrated into irc? How can a bridge not be a man in the middle? Isn't it pretty much by definition a man in the middle?
-
moparisthebest
biboumi for example so perfectly integrates into IRC that IRC users can't tell I'm using XMPP
-
kurisu
what do matrix-irc bridges do that lets others tell you're using matrix?
-
moparisthebest
it doesn't put a [m] by my name and spam pastebin links and such to IRC channels
-
kurisu
> spam pastebin links
wait wut
-
moparisthebest
here's a brief example of how bad the experience is for IRC users https://drewdevault.com/2019/07/01/Absence-of-features-in-IRC.html
-
kurisu
the experience for IRC users is always bad regardless of gateways because irc is a poor protocol 🙂 jokes aside, isn't that a matter of configuration in the matrix bridge?
-
kurisu
when I forget I'm on an irc channel and send a multiline message irc users either receive it without multilines or as multiple messages. Never bothered to check
-
moparisthebest
Is it?
-
kurisu
Why do people ever pick irc over xmpp ever? That poor thingy doesn't even offer chat history. For me it's a total killer. What if the channel is slow and I might expect to receive a message overnight, am I then to leave my computer on the entire night? What the kek, I wouldn't expect that expectation from an old protocol especially, given that in the past internet connections were sometimes charged by the hour. Today it still is inconvenient and laughable. What if I don't have internet access 24/7? What if the connection or power is lost while I sleep? That's not even speaking about how repelling it is to non "pro" users. I mean I personally have a server running 24/7 and I run a client there and connect thru ssh, but come on I shouldn't have to. Actually the only thing I use that for are i2p irc servers unreachable by xmpp gateways
-
wgreenhouse
kurisu: the bad experience with the matrix bridge is by default, and nearly everyone uses the matrix.org bridges
-
wgreenhouse
which don't tell you, the matrix user, as they turn your long messages into opaque links
-
kurisu
well I'd still take that over no obvious integration at all
-
Menel
https://biboumi.louiz.org splits multiliners nicely into multiple one-liners. The only thing I've to remember is not to use too many emoticons, since most users dont have a font to support them. (but some do)
-
msavoritias
kurisu: Irc has its uses. Personally i love the ephemeral "open space" it has. Also it is one of the lightest protocols to self host. Its the best for its use case. Also why not actually be respectful towards irc people and not use bridges that destroy the readability of the chat? We need to be better neighbours. As for the bridge of course it is a man in the middle. You wont see the matrix folks saying that though when you rent the bridge. And when they were asked about it they said: "If you are not a journalist or an activist you dont have to worry about encryption".
-
kurisu
not like it makes sense to care about encryption in this case even if you're an activist. By definition a bridge translates your protocol to another protocol, it's impossible to translate encrypted data
-
Menel
at least nearly impossible. ort could work if both sides support it.
-
kurisu
So it's like you're asking for a translator's services and then syncing about how you can conceal the conversation's contents from him. You can't as long as you need his services. You can only learn the language of the interlocutor yourself
-
msavoritias
Sure. But when its marketed to normal people you have a responsibility to inform them. Plus in the case for the signal bridge it breaks the security of signal. Because now i will have to check with every person if im talking to them or matrix + them. It essentially makes the whole signal uses encryption not so sure anymore
-
kurisu
imho security of a centralised "app" that requires your phone number can never be trusted anyway so screw that
-
kurisu
As for informing I agree however
-
msavoritias
And thats the core of the issue for me. With irc its all unencrypted i dont care. But with signal i have some encryption some basic privacy assumptions. And now a company i dont know is basically offering to mim that without a way for me to opt out.
-
kurisu
signal is much more of a "company". It's centralised and violates your privacy by requiring a phone number.
-
dwd
msavoritias, I'm not sure that you can make any assertion, on any system, about whether the messages you send to someone else remain encrypted or not. I mean, you know for a fact they're decrypted at some point, of course, but you can't really be sure when.
-
msavoritias
dwd: Thats reductive. When i am using conversations i dont have a wish for omemo to be used. I expect it to be used. Likewise when i use signal i expect stuff to be encrypted. Matrix breaks that expectation in a way that is not configurable by me. I wouldnt even know its happening. Both of them im talking about e2e encryption btw. Nothing gets leaked between my phone and the other persons phone.
-
dwd
msavoritias, Sure, I get what you mean. I'm just saying that is, broadly, an unsafe expectation without further verification, and even then it's probably bogus thanks to cleartext backups of messaging history.
-
dwd
msavoritias, Of course, in all these cases, the encryption isn't there to protect you, anyway. It's there to protect WhatsApp, or Signal, or whoever.
-
msavoritias
dwd: what do you mean?
-
dwd
By the latter? I mean that WhatsApp (for example) enforces encryption to avoid having to deal with "phone tapping" orders. Both for the cost of handling them and the reputational damage.
-
dwd
Their internal implementation isn't defined by practical security, or indeed whether they could intercept, it's based on what they could be forced to disclose via a court order. So they'll keep your private keys, for example, unencrypted in their server's volatile memory as that's exempt from seizure based on court precedents.
-
dwd
Now, I don't know if WhatsApp do keep a copy of your private key in such a way, to be clear. But I've heard engineers from multiple "encrypted" messaging services discuss doing so.
-
msavoritias
dwd: Look i hate whatsapp as much as anyone but as far as i know it was implemented securely. Also assuming that apps only put encryption for court orders is pretty cynical with no evidence. At least for signal no matter how misguided they are they dont want to sell data.
-
dwd
I'm just telling you what I've heard discussed by engineering teams from multiple encrypted text chat providers in the same room as me.
-
dwd
I mean, I'm still cynical, for sure. But I have the evidence. :-)
-
msavoritias
Sure sure
-
dwd
Meanwhile I can *also* tell you that militaries *don't* use e2ee, and they don't use it because they can build more secure systems. Ah, the irony.
-
msavoritias
I agree with that. It could be less needed. The problem is i havent heard of one. If you want actual security you may as well burn your computer and go be a farmer.
-
moparisthebest
"as far as i know it was implemented securely"
-
dwd
Haven't heard of what, sorry?
-
moparisthebest
right, since no one knows anything about how it's been implemented, it's secure, as far as anyone knows :)
-
msavoritias
dwd: of a secure system
-
moparisthebest
terrible to make those kind of assumptions if you *need* security though
-
Ge0rG
everybody needs security, but it's not the same security for everybody.
-
msavoritias
moparisthebest: I am going with what the signal folks have said plus that i havent heard anything related to it being broken.
-
moparisthebest
sure, don't trust code, just trust whatever anyone tells you, that sounds secure
-
dwd
msavoritias, In fairness, I've no reason not to trust the aims of Signal itself.
-
dwd
moparisthebest, At some point, you have to trust someone else unless you've a solid background in number theory etc.
-
moparisthebest
msavoritias, sorry for the sarcasm, but the point is *actual* secure systems come from a standard being documented publicly, reviewed, and multiple compatible implementations being able to be created from it, for example TLS
-
moparisthebest
not from facebook saying "trust us guys, it's secure"
-
Ge0rG
dwd: given the number of abstraction layers below a typical e2ee app that are all required to run it, number theory alone won't save you
-
moparisthebest
or from signal saying "trust us, it's secure, but we aren't going to document anything and compatible implementations are forbidden"
-
msavoritias
moparisthebest: Who said facebook? Plus nobody can audit all the millions of lines of code and the hardware semantics. You have to trust someone at some point
-
dwd
Ge0rG, True, but at least you can count the ways you're screwed.
-
moparisthebest
msavoritias, you were talking about whatsapp right? that's facebook
-
Zash
I'm sure number theory is very useful for counting potatoes
-
msavoritias
moparisthebest: Yes but nobody said to trust facebook.
-
moparisthebest
> <msavoritias> Look i hate whatsapp as much as anyone but as far as i know it was implemented securely.
you said it ¯\_(ツ)_/¯
-
msavoritias
> I wrote:
> moparisthebest:
> I am going with what the signal folks have said plus that i havent heard anything related to it being broken.
Did you miss the next message? At least read the whole conversation.
-
moparisthebest
so to clarify, you trust facebook because the signal folks said to trust them ? :/
-
moparisthebest
for the sake of argument, let's say the signal folks are trustworthy, and facebook's impl was trustworthy when the signal folks last looked at it, why should anyone trust that they didn't change it immediately ?
-
moparisthebest
I trust open source code implementing open standards, and nothing else
-
dwd
moparisthebest, You're very trusting. :-)
-
moparisthebest
not all of it mind you :) but "open source code implementing open standards" is a pre-requisite to be able to ever trust anything
-
msavoritias
moparisthebest: I trust that the encryption was implemented correctly. Whatsapp doesnt need to break the encryption to get your messages
-
moparisthebest
ok, just seems like an insane thing to trust
-
Guus
How many OS'es are out there that are open-standard based that have multiple open source implementations?
-
dwd
Guus, POSIX, I suppose?
-
Guus
isn't that shell-oriented?
-
msavoritias
moparisthebest: Standard encryption is not always good though mind you.
-
Guus
"loads of wiggle room"
-
dwd
Guus, No, POSIX covers the whole UNIX thing, not just the shell. Linux aims at POSIX, but so do the *BSDs.
-
moparisthebest
msavoritias, what is "standard encryption"
-
dwd
moparisthebest, Double ROT-13.
-
atomicwatch
Lmao, true
-
dwd
moparisthebest, By the way, there have been cases of attackers subverting the entire standards process before. Linux, rather famously, did not use the standard PRNG, and it turned out that the NSA had (perhaps) injected weaknesses into the definition. So even standards cannot be a priori trusted. And Open Source can be subverted as well, with subtle bugs which defy examination. Ultimately you do have to trust people, and that generally means understanding their motives.
-
dwd
moparisthebest, Paradoxically, this means I do trust WhatsApp security, despite their motives differing from mine by rather a lot...
-
moparisthebest
right, open standards + open source alone is not sufficient for trust, but it's a pre-requisite for trust
-
dwd
moparisthebest, No, I think understanding motives is the prerequisite. Open standards and open source both provide a lot of visibility into people's motives, I think.
-
moparisthebest
take signal for example, they publish their client code, and have published some specs, but are you allowed to use any of those to connect to the service? nope, you have to use *their* binary; cannot be trusted period
-
moparisthebest
motives don't interest me, and can change
-
Daniel
I think technically it's a reproducible build
-
Daniel
Not that I ever actually tried
-
emus
Daniel: did you receive my PM?
-
moparisthebest
actually google is a famous example for motives, their motto used to be "don't be evil" and got cut down to "be evil" :D
-
Link Mauve
guus.der.kinderen, even Windows implemented POSIX at some point.
-
Link Mauve
It was woefully useless, as it didn’t integrate with their other subsystem, and they implemented it just to win a contract IIRC.
-
mathieui
Daniel: it is notoriously hard to get it to reproduce, from what I have heard