A quick note of something that may be important for people to know: I already noted that DMs here are a bit sketchy security wise, but (THIS IS THE IMPORTANT BIT): if you mention someone else's account in a DM, Mastodon yoinks them into the conversation.

So, you know, if you think you're talking about someone behind their back, you might be doing it to their face.

@mmasnick uh, that seems like an amazingly dumb design decision
@meditativezebra
@mmasnick

It's because they're not *really* DMs. What they are are statuses with a privacy level set to "only those mentioned" (and mentioning causes a notification to show up).

When sending a status to an outgoing instance you should also be aware that an instance can just ignore your request for privacy. There was one instance that was modified to do this in 2016, none others since to my knowledge, but yeah. The status is otherwise not encrypted or anything.
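The visibility model the post above describes, written out as a small added example (not code from the thread, Mastodon or Pleroma). The four visibility names are Mastodon's; the handle pattern is a simplified assumption, and the sample post, author and follower set are constructed. The point it makes concrete is that for a "direct" status the audience is exactly the set of mentioned handles, so a pre-send check can list every account the author did not intend to reach:

```python
"""Who receives a Mastodon-style status, given its visibility and the handles it mentions.

Added illustration, not Mastodon's implementation. Visibility levels follow Mastodon's
four names; the handle regex is a simplified assumption (ASCII local part, optional
@domain); all sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Simplified handle pattern: "@user" or "@user@domain". The lookbehind keeps
# e-mail-like "foo@bar.com" (preceded by a word character) from counting as a mention.
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9_]+(?:@[A-Za-z0-9.-]+)?)")

VISIBILITIES = ("public", "unlisted", "private", "direct")


@dataclass(frozen=True)
class Status:
    author: str
    text: str
    visibility: str  # one of VISIBILITIES


def extract_mentions(text: str) -> Set[str]:
    """Return every handle mentioned in the text, without the leading '@'."""
    return set(MENTION_RE.findall(text))


def recipients(status: Status, followers: Set[str]) -> Optional[Set[str]]:
    """Accounts whose inbox the status is delivered to.

    Returns None when there is no bounded audience (public / unlisted can be read by
    anyone). For "private" the audience is followers plus mentioned accounts; for
    "direct" it is mentioned accounts only, which is exactly what the thread is
    warning about: every @handle in the body becomes a recipient.
    """
    if status.visibility not in VISIBILITIES:
        raise ValueError(f"unknown visibility {status.visibility!r}")
    mentioned = extract_mentions(status.text) - {status.author}
    if status.visibility in ("public", "unlisted"):
        return None
    if status.visibility == "private":
        return set(followers) | mentioned
    return mentioned  # "direct"


def unintended_recipients(
    status: Status, intended: Set[str], followers: FrozenSet[str] = frozenset()
) -> Set[str]:
    """Pre-send check: which accounts will receive this post that the author did not list?

    Returns {"<anyone>"} for public/unlisted posts, since no recipient list bounds them.
    """
    reach = recipients(status, set(followers))
    if reach is None:
        return {"<anyone>"}
    return reach - set(intended) - {status.author}


if __name__ == "__main__":
    # Constructed sample: alice means to DM bob, but mentions carol in the body.
    dm = Status("alice", "@bob did you see what @carol@example.social posted?", "direct")
    print("delivered to:", sorted(recipients(dm, set())))
    print("not on alice's intended list:", sorted(unintended_recipients(dm, {"bob"})))
```

Running it on the constructed sample shows `carol@example.social` in both lists: the mention alone put her in the audience. The same function over a "private" status shows the other half of the model, followers plus mentions, which is why "only mentioned people" is the tighter of the two and why the label "direct message" over-promises.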

@techpriest @mmasnick

i appreciate the explanation

but i still see it as very misleading that something which is labelled a "direct message" will actually go to other people if you mention them

guess all of us twitter refugees are gonna need a while to recalibrate

@techpriest @meditativezebra @mmasnick IMO none of that justifies how it works. It is terrible that you can’t mention someone without sending the message to them. And it’s terrible that the UI doesn’t provide a more clear indication of who is going to receive the message. These are different, unrelated, and bigger problems than lacking e2e encryption.
@graue @techpriest @meditativezebra @mmasnick it's unfortunate that they copied the wording "direct message" into the UI when there are no DMs on Mastodon -- there is only "Mentioned People Only" visibility.
@graue
@meditativezebra @mmasnick
To be clear, it is very much a UI issue. I'm posting this from Pleroma, which does make it clear that the "envelope" privacy is "anyone you mention in the post".

Actual secure chat (not this hacky privacy thing) on the fediverse *does* exist... just not on Mastodon, it's on Pleroma.
@graue
@meditativezebra @mmasnick

https://docs-develop.pleroma.social/backend/development/API/chats/

Realize that posting the spec for that might be useful too. Secure here means "doesn't actually leak out to other people on accident" to be clear. Everything I said about external server trust still applies.

@techpriest @meditativezebra @mmasnick Well... there's another opportunity for someone to come in and fix.
@techpriest @meditativezebra @mmasnick Perhaps it would be better to use the Mastodon identity for email?