Something vexing:

I've got a lot of ideas for improving things, but they're mostly infrastructure / ecosystem projects.

It's very difficult to connect any of them directly to the things people insist they need today.

For example:

  • Key Transparency for the Fediverse
    • E2EE for ActivityPub can leverage this
    • AuxData is useful for other protocols

It's difficult to get most people to know or care about this!

But if you want a federated Discord replacement that can be easily self-hosted without making the host a juicy target for privacy invasions, and you don't want to require users to manually verify keys, this work is essential.

@soatok there's another part of the problem I've been mulling in the background for a couple of years now: what the hell to do for the long-term storage aspect

the challenges in at-rest encryption, longterm archival, page-out, abuse management, etc.... makes it pretty hard for distributed operation. if you know of any references (or people working on it), I'd be keen to find 'em and do some reading and thinking

(all the bigger "prior" attempts, ipfs etc, are .... not fit for purpose)

IMHO, long-term storage is a bad bedfellow for secure comms.

PFS (Perfect Forward Secrecy) is antipode to "message persistence" (what some folks call "scroll back" support I guess or more common parlance: "message history").

You can basically choose one or the other, not both.

Many popular messaging systems, choose message persistence. It's really convenient!

It's really, not secure.

If anything, even if you implement PFS, or are blessed to be using a system which defaults to such things, you're always being bitten at the heels and ankles by folks screen shotting plaintext on an end point or logging plaintext on a "trusted" client (the reference SILC client was derived from irssi and /log %filename is right there not stubbed out) or some other adversary trying to undermine your attempts at PFS, it is not easy.

I do concur that IPFS, etc. are not fit for purpose, but tbh, I do not think that there are any systems which are.

A lot of huge (think: FB/Meta/WhatsApp) companies will store their users' messages indefinitely. This is sketchy a.f. and opens users up to so-called "offline attacks" where evil "big brother" entities will store ciphertext, until perhaps a weakness can be found.

Take for example, this screenshot from 2010: https://www.flickr.com/photos/artkiver/4369339644/ (also attaching to this reply) wherein I and focalintent (RIP, Daniel) used OTR over what was, at the time, Facebook's XMPP. Notice how Facebook explicitly flagged that OTRed messaging as: "[encrypted message]"? Kind of a red flag! Very untrustworthy! Doubtlessly, in 2026, Facebook probably still has that chat, logged, flagged/tagged as encrypted, maybe throwing things at it to see if they can break it.

Headlines such as: "US authorities have reportedly investigated claims that Meta can read users' encrypted chats on the WhatsApp messaging platform, which it owns" as related to ongoing litigation, seem to further that speculation.

SILC (Secure Internet Live Conferencing previously: silcnet.org, these days code is archived here: https://github.com/silc/silc) attempted to offer end-to-end encrypted communication, decades ago (IIRC, Pekka began work on SILC in the 1990s, before Facebook existed at all, certainly source code was available and it was in use before Twitter/X existed too). It offered PFS (Perfect Forward Secrecy) by default. It encrypted messages from server operators by default too!

At the time, I don't think that threat model was widely acknowledged? In 2026, it's hard to ignore. Back in the day, when BBS SysOps would break into chat, and might be constrained to a LATA and have in person meet ups with some intermittent frequency, you could cultivate some level of trust for your SysOp/SysAdmin sorts.

In 2026, when Mark Zuckerberg and Jeff Bezos and the like are making billions of dollars off of their users? It's kind of hard to trust anyone on their payroll, or affiliate systems.

Truthfully, that shark got jumped with MySpace Tom.

Could every BBS operator prior to MySpace Tom, force themselves onto their users as a "friend"? I mean, sure, probably. Were they narcissistic assholes who would do such a thing? NO! Clearly, they weren't.

MySpace Tom, sold MySpace (and his users' data) for $580 Million in 2005! They lost a dozen years worth of data! The last time MySpace changed hands? It was sold for $35 million. You may be able to experience some faint fondness for MySpace via SpaceHey these days, and scene girl styles and uhh, Invader Zim "custom" page templates and such. Not compelling? Yeah, it isn't. The world moved on, not necessarily for the better mind you.

Circa 2014, I released a proof of concept "Merry Cryptmas" release demonstrating OTR messages over SILC in an encrypted VM running OpenBSD and included some other things such as Tor for folks who might want to torify it as well. That was mostly a proof of concept to give folks who were clamoring for "privacy focused, encrypted communications, open source" type desires, a demonstration, they could have that already using existing tools, without writing a single line of code! Though, me being me, I made sure everything was configured to be UTF-8/Unicode clean because 2014 is still more than two decades after @[email protected] made UTF-8 a thing, and since Japanese is my second language, I find it offensive when I encounter ASCII only encoding in the 21st century.

But to echo @[email protected]

"It's difficult to get most people to know or care about this!"

I can't think of a single person who ever told me they used the OTR over SILC proof of concept Merry Cryptmas release. ;(

As it was, focalintent (again, RIP Daniel Garcia), was probably the only one I knew who kept trying to use SILC with me. I would estimate at its apogee, SILC had around 300 daily active users, globally; I was joined to no fewer than five or six spectacular, if very underground SILC networks. I seem to recall one of the CCC (Chaos Communication Congress) events used SILC as well and during that week or so maybe it peaked at several thousand simultaneous users? Alas, CCC seemed to devolve to XMPP/jabberd in later years, quite the downgrade for hackers.

To me at least: "long term archival"? Seems adversarial in nature, I think: "NSA" or other TLAs, wanting to store vast swaths of ciphertext as being enemies to those who may wish to maintain a shred of privacy online.

Federated? IRC was already that. Same with SILC.

Distributed, a little more challenging. PSYC2 (https://about.psyc.eu/PSYC) is attempting to address such things, and points out some of the pitfalls with federation e.g. : https://about.psyc.eu/Federation

The lead dev behind PSYC2 is a pretty rad individual. Albeit, I have not crossed paths with them in person since 2014.

Yet again, I know a lot of other folks in this field, on a personal level. Some of them are scheisty a.f. some are merely sketchy mc sketch sketch. The world of infosec is not as small as it once was, but it is still too small for most folks to care about at the end of the day.

At the end of the day?

Most folks, using computers, or pocket computers, or whatever, don't even program anymore!

I do not even understand why I would want to own a device I cannot program.

I strive, to avoid accumulating such thneeds.

Meanwhile, Tim Crook's Apple, convicted monopoly Alphabet Inc./Google who had co-founders who think they can retire with billions made off their users, MySpace Toms, Mark Zuckerbergs? Are going to learn a lesson the hard way apparently, about karma and how they have already made the world a worse place for everyone.

People who actually care about users and users' privacy?

They exist!

But ask yourself: why wasn't Pekka Riikonen (lead SILC dev) getting millions of dollars?

Heck, how much grant money do you think Ian Goldberg and the OTR development team received? You know of billionaire academics?

I don't.

Especially not in such realms, and friends and I were working on military postdoc computers in our teens, so I know too many PhDs on a first name basis at this point in my existence.

Last I checked, teachers in San Francisco were on strike again recently and probably still not getting livable wages in return.

So, "abuse management" I think, from my vantage?

You may have an incorrect perception of "abuse"?

From where I sit? I see a couple of thousand billionaires, abusing billions of humans, and many more non human species on planet Earth.

Encrypted comms aren't going to solve that kind of abuse.

Good luck with that. Seriously, the human species needs precisely:

ZERO MySpace Tom types. No more Larry Page and Sergey Brin sorts! Which came first: Linus Torvalds and Linux, or Jeff Bezos and Amazon?

@[email protected], isn't a billionaire either last I checked.

Wake t.f. up, please!

It's not OK to pretend that the handful of folks who actually care about real user privacy and security, or even the good of a community at large are the causes of significant abuses.

They've been sharing, freely for decades and fixing bugs when reported too!

Everyone else is ignoring their hard work, apparently: willfully.

Worse: some rich broligarch billionaire technocrat robber barons, are taking the good of the commons, and profiting from it, personally rather than sharing the wealth, which was already being shared freely.

It's Bill Gatesonomics!

Just go back and listen to the words which Thomas E. Kurtz had to say about "B.G. [Before Gates]" as he wryly phrased it in overly polite academic condescension probably lost on those who never cultivated an ear for it, with reference to his co-invention of BASIC with John G. Kemeny. BASIC had over 5 MILLION users, before Micro$oft decided to start charging money for a port of it to the MITS Altair. Bill Gates, set a bad example, that too many, continue to follow.

John G. Kemeny and Thomas E. Kurtz were academics, they didn't become billionaires off of inventing BASIC, they shared it with the world, for the benefit of all.

How's the joke go: "A rising tide lifts all boats, not just yachts."

We've got a couple thousand too many yacht morons, today, abusing the rest of us. Can't solve that with protocol paradigms, pretty sure you're going to need something more revolutionary.

And, if the revolution will not be televised?

I would posit, Uwe Schmidt also claims: it won't be online:

https://raster-raster.bandcamp.com/track/r3v

But how many folks are even hip to Gil Scott-Heron's "the revolution will not be televised"?

Because they're still sending manned moon missions, so they clearly were never cultured enough to understand Gil Scott-Heron's "Whitey on the Moon" from 1970!? (e.g. https://www.youtube.com/watch?v=otwkXZ0SmTs)

Get with the times, the billionaires are stuck in the last century, apparently!

@soatok I wish this was easier. Man if getting people to care even just a little bit about privacy isn't one of the hardest things I've ever done in my entire life.
I hope you find a way, it's been like trying to move a mountain with a tea spoon. The sheer volume of apathy that needs to be negated to do this is staggering.

@soatok Perhaps mean-spirited of me but partly I'm legitimately curious, what would you suggest for those poor users stuck in the UK with its key-disclosure laws?

@soatok I think your Key Transparency project is great and we need more things like this.

I had an aside question though, what made you want to work on this infrastructure project from first principles rather than working within an already existing identity project from the digital identity space?

I'm thinking of similarities between your design and things like did:indy or KERI that I'm familiar with although there are others that I'm most likely forgetting.

@daidoji I refuse to prop up RSA or PGP.

@soatok sure, but I'm not sure if that entirely answers my question.

@daidoji It does! The incumbent designs were unavoidably tethered to risky legacies: RSA keys, PGP software, and even JSON Web Tokens. I do not want to make even more stuff depend on bad crypto.

@soatok hmm, the two projects I mentioned don't use any of those things.

I'm with you that all of those things you listed are not good.