When I said that your discord clone doesn’t need e2ee, I got a lot of comments along the lines of “then how would I use it to organize the revolution!” The answer is: you don’t. If you have more users than can comfortably share a Signal chat and hence want to use discord or something like it, you cannot POSSIBLY be vetting all of them to a high standard of trust. Your logs ARE leaking. End-to-end encryption between more people than can fit around a dinner table is pointless.

This article confirms what I already assumed, that “open source [information sense, not code sense] intelligence gathering on social media” includes, for the US government, asking for links to join groups that may *feel* private. My own discord has literally like a thousand idlers. It would be very *lucky* if none of them were logging for potentially nefarious purposes! And I remind the active users of this occasionally.

https://www.kenklippenstein.com/p/exclusive-ice-masks-up-in-more-ways

Exclusive: ICE Masks Up in More Ways Than One

Feds could be in your group chat

Ken Klippenstein

@0xabad1dea I do think there's a point to E2EE that isn't about trying to thwart nation state adversaries. honestly you should probably not talk about your illegal actions on Signal either.

@0xabad1dea but yeah anything that for all practical purposes is basically open to the public anyway doesn't need encryption. I just don't know that that contains all likely use cases.
though I do see the risk of encryption giving folks a false sense of security.

example: we're in a signal group with several hundred local folks where people share about events, ask recommendations for doctors and the like. at that point the encryption is basically pointless. this is just the chat app everyone happens to have.

@elexia my conversations with my mother-in-law about dogs, horses and babies are e2ee. because e2ee with one other party that a rando couldn't successfully impersonate long-term to you is a pretty solved problem.

many-to-many e2ee does not work. it simply, absolutely does not work, in either a technical or social sense, and accomplishes nothing while introducing significant problems.

@0xabad1dea yeah the thing is just, people use discord for (relatively) small groups too. some of those would honestly be fine as a signal group (had one of those before), but for some having something with a bit more functionality would be good and your threat model there probably isn't being targeted by a nation state adversary, but surveillance dragnets and not wanting everything to sit in plaintext on a server in case someone who shouldn't gains access.

@0xabad1dea of course you can argue about whether those different use cases are best handled by the same software

@0xabad1dea @elexia I don't know if you're really understanding what E2EE is giving you.

With E2EE that actually does what it says, the logs of your group chats that the hosting provider keeps can't expose what you said to each other. If you become interesting enough to go try to join they can't just go ask your provider for their logs to see what you've already said before they got in. They actually have to go infiltrate your group.

@0xabad1dea @elexia "many-to-many e2ee does not work." - it's a highly valid insight. It's a notoriously hard problem to solve perfectly, for all use cases and scenarios. There have been several valiant attempts in the #OpenSource world, but some sort of technical problem or other seems to keep "bursting out the seams". The devil keeps being in the details.