I THINK THE MATRIX CHAT PROTOCOL SUCKS
@esm indeed it does - especially compared to #XMPP & #Zulip!
@kkarhan xmpp has almost no good clients and yet the ux is still better with it compared to element or any other matrix client
Cinny

A Matrix client where you can enjoy the conversation using simple, elegant and secure interface protected by e2ee with the power of open source.

@hexaheximal @kkarhan i already use cinny
@esm @kkarhan meanwhile, good luck finding a good web xmpp client. I tried. didn't go well.

@hexaheximal @esm Why would anyone want that anyway?

There are native #XMPP+#OMEMO clients for literally any relevant platform!
https://mstdn.social/@kkarhan/111404942780525408

Kevin Karhan :verified: (@[email protected])

@[email protected] I digress: There are many good #XMPP-Clients like #Profanity (#CLI), #monoclesChat (#Android) and #Gajim (#Desktop-#GUI)... And in terms of #Organizations that require #Auditability, the only good option I found is #Zulip, which has excellent #Clients for #Desktop and #Terminal as well - tho sadly the latter one is written in #Python and not like a static binary... https://github.com/zulip/zulip-terminal


@kkarhan @esm Most people (including me) prefer using those kinds of things in a web browser.

Also, obvious counter-argument for the any platform thing: chromeos

@hexaheximal @esm

Any #E2EE #Messenger with #SelfCustody of all Keys should be considered security-sensitive and thus should not be used as a #WebApp.

Also #ChromeOS supports #Android-Apps and if you don't have administrative privileges on a machine then consider it insecure and not trustworthy for yourself as a user!

#ArgumentInvalid

@kkarhan @esm Not all chromeos devices do. (e.g. ones where apps are restricted by management), and there are still other scenarios where a web app is the best/only way to do it. #ArgumentValid
@hexaheximal @kkarhan @esm I also forgot about the most obvious thing...

Back in the 90s, Bill Gates infamously decided to kill Netscape. He did it because he knew that web apps would make the operating system irrelevant.

While his solution was wrong, he correctly predicted that web apps were going to take over.

Look at all of the desktop apps which are just Electron wrappers now too. It's very common. (and before you say that electron is bad and discard it, which is likely, https://github.com/nukeop/nuclear/blob/master/docs/electron.md)

> Any #E2EE #Messenger with #SelfCustody of all Keys should be considered security-sensitive and thus should not be used as a #WebApp.

This is irrelevant too. Browsers have really good sandboxing nowadays, and on chromium you can even create multiple profiles within the UI. The reality is that, as long as the client-side code can be trusted (reminder that you can self-host element and/or cinny if you don't trust it - I've done that before) as well as the browser itself, it's about the same in terms of security.

You are fighting against reality.

@[email protected] @esm @hexaheximal
You may call me a #minimalism evangelist but

every time something that could've been barely Megabytes as an #AppImage, #FlatPak, #Snap or Kilobytes as a #CLI tool instead shoves yet another entire half gig copy of the #Bloatware-#Browser that is #Chromium onto the Desktop despite using not even 0,1% of its feature set

I call this a systemic failure in Software Architecture.

Browsers are the most attacked applications on #Linux beyond CMSes and Webservers...

@[email protected] @esm @hexaheximal ...and even if we think local #WebApps are a legitimate way to handle sensitive comms - they ain't but let's just assume they are for the sake of argument - WHY would you do anything beyond a .desktop file that includes startup parameters for #Firefox (or even #Chrome if you're that kind of Cyber-Masochist!) that specify the browser, and the file to load.

Because any good #WebApp should be reducible to #HTML5 + #JS6 + #CSS3 and measured in kB or maybe a few MB.

@[email protected] @esm @hexaheximal Shit like #Discord is an abomination and #Microsoft only won because regulators are systematically dysfunctional, corrupt and staffed with #TechIlliterates, otherwise all the #GAFAMs, #Adobe and #Autodesk among others would've been forcibly disbanded the same way #StandardOil was.

Microsoft feared #Linux but nowadays they basically gave up on #Desktop and #Server OSes since #Xbox, #Office365 & #Azure make the real profits & margins!

https://blob.cat/objects/29e2ce65-026f-4fb6-aa2a-2de2c1ebe4c5

@[email protected] @esm @hexaheximal Like #Atlassian & #Adobe & #Autodesk before them, #Microsoft is working hard to forcibly #Subscription-ize & #Cloud-ify (aka. #Enshittify) their products and subsequently cancel any #OneTimePurchase, #OnPremise / #SelfHosting and #LocalInstall options until there's only #Microsoft365 / #Office365 as a #WebApp with no control over anything whatsoever...

And OFC that'll be weaponized against anyone and everyone!
https://twitter.com/frank_rieger/status/999319383917957121

#Enshittification

Frank Rieger (@frank_rieger) on X

The number of network connections required to @Microsoft and @Skype servers, to get Word just to start, is now 31. You can no longer say "I don't want to send diagnostic data", then Word just quits silently. (Please spare me the Open/LibreOffice gospel, it does not apply here.)

@[email protected] @esm @hexaheximal

So yeah, don't trust any #WebApp where it's trivial to siphon away credentials.

And don't trust any #Service, because they WILL LIE TO YOU just like the #Honeypots of #ANØM and @protonmail did/still do.

Keep your keys in self-custody and encryption as well as decryption locally or don't even bother at all!

And I'd certainly not do critical comms from an insecure device where I don't have full control!

http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/547af5650b3853a3b24e

@[email protected] @esm @hexaheximal @protonmail I do work on getting that part fixed...
https://github.com/KBtechnologies/PocketCrypto

In the meantime, learn #OpenPGP / #GnuPG (#PGP/MIME) and/or #XMPP+#OMEMO...

Tools like #enc make it even easier to do so...
https://github.com/life4/enc

Just like #gpa and #Kleopatra on #GUI Desktops or #OpenKeychain on #Android...

GitHub - KBtechnologies/PocketCrypto: An airgapped encryption/decryption device for off-grid communication

@kkarhan Wait, what did ProtonMail do wrong?
@kkarhan @esm @hexaheximal @protonmail

1. ProtonMail is not a honeypot. No idea where you got that from.
2. Dead onion link. I actually went out of my way to try it but it led to nowhere.
3. I already told you that you can simply self-host Element and Cinny.
4. Now, consider, what if a native app does something malicious that's not possible in a browser sandbox. ;)

@[email protected] @protonmail @esm @hexaheximal

1. People said the same about #CryptoAG...
And sadly my gut feeling and the Intel I get is way more reliable than marketing lies.

Let's just say if I was wrong I'd already be dead a dozen times...

2. It's not dead, because I can just open it, even on Mobile.

@kkarhan @protonmail @esm @hexaheximal the fact that you avoided responding to points 3 and 4 really says a lot.

@kkarhan @[email protected] @esm @hexaheximal

There is no comparison between Crypto AG and us. Our encryption occurs client-side, our cryptographic code is open source ( https://proton.me/community/open-source ), and our tech can and has been independently verified. More about this here: https://proton.me/blog/is-protonmail-trustworthy.

@protonmail @kkarhan @esm @hexaheximal based

I've even looked at the network requests while using protonmail, and the messages are indeed encrypted. However, the subject and other metadata is not. Unfortunate, but understandable considering it's PGP, which does not encrypt metadata afaik.
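The point about PGP leaving the subject in the clear, shown concretely. This is an added example, not code from the thread or from Proton: it builds an RFC 3156 PGP/MIME envelope around a constructed placeholder ciphertext and lists what a relay or provider can read without the recipient's key, with and without the "protected headers" convention (real Subject carried inside the encrypted part, outer Subject replaced by "...").

```python
"""Which fields of a PGP/MIME (RFC 3156) mail stay in cleartext for a
mail server, and the 'protected headers' mitigation for the Subject.
The ciphertext below is a constructed placeholder, not OpenPGP output."""
from email import message_from_string
from email.encoders import encode_noop
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed stand-in for an ASCII-armoured OpenPGP message.
FAKE_CIPHERTEXT = ("-----BEGIN PGP MESSAGE-----\n"
                   "placeholder-not-real-ciphertext\n"
                   "-----END PGP MESSAGE-----\n")


def build_pgp_mime(sender, recipient, subject, ciphertext, protect_subject=False):
    """Wrap ciphertext in an RFC 3156 multipart/encrypted envelope.

    With protect_subject=True the real Subject is assumed to travel inside
    the encrypted body (the 'protected headers' convention used by mail
    clients such as Thunderbird) and the outer Subject becomes '...'."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = "..." if protect_subject else subject
    # Part 1: control information. Part 2: the opaque ciphertext.
    outer.attach(MIMEApplication("Version: 1\n", "pgp-encrypted", encode_noop))
    outer.attach(MIMEApplication(ciphertext, "octet-stream", encode_noop,
                                 name="encrypted.asc"))
    return outer.as_string()


def cleartext_view(raw_mail):
    """What a relay or provider can read without the recipient's key:
    the outer headers and the MIME structure, never the message text."""
    msg = message_from_string(raw_mail)
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "parts": [p.get_content_type() for p in msg.walk()],
    }


if __name__ == "__main__":
    for protect in (False, True):
        raw = build_pgp_mime("alice@example.org", "bob@example.org",
                             "Q3 board minutes", FAKE_CIPHERTEXT, protect)
        print(cleartext_view(raw))
```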
@hexaheximal Yes, PGP has its limitations. However, PGP allows for interoperability and, being open source, it has security advantages. We are working on improving it too: https://proton.me/blog/openpgp-crypto-refresh