Okay, I'm going to say something, may not be very popular but oh well. It's regarding Thrive messenger. I've seen so many comments about it, please, bear in mind this is a new application. Things will be corrected/fixed in time and some of the wording in these comments has been rude at best. Developers work damn hard to make sure something is right, give them some damn respect. #ThriveMessenger
@ChocolatePie I am giving them respect.
@TomGrant91 @ChocolatePie Yup, and that's good dude.
@alexchapman @TomGrant91 @ChocolatePie I also respect what the devs are trying to do. however, I also expect the developers to have a solid roadmap and set of legal and security policies
@freya @TomGrant91 @ChocolatePie You're forgetting, this is not a company, but a couple of people working on this in their spare time, so yeah, expecting all that to be in place right out of the gate is expecting a lot.
@alexchapman @TomGrant91 @ChocolatePie I do not care that this is a company or not dude. you are running, a public service. you are running a service, where people may communicate sensitive data, including personally identifiable information (PII). you are responsible, at that point, for ensuring the security of that data and the media over which it is communicated. whether you're a single developer, a group of 5 people, or a 20000 employee company, it doesn't matter, the same legal and policy requirements apply. I want to see thrive messenger, well, thrive. but it's going to be the source of a massive data breach if yous aren't careful and I don't wanna see yall go through that
@freya @TomGrant91 @ChocolatePie OK, well people know what they are getting into when the phrase, public alpha, or just, alpha, is right there in the releases. It's a proof of concept stage, and all this is being worked on, but it's not gonna be there within a click of a finger.
@alexchapman @TomGrant91 @ChocolatePie you are running it as a public service with insufficient security. shut it down, add security, then relaunch. you shouldn't be offering this right now, in its current state, it's not safe
@freya @TomGrant91 @ChocolatePie It doesn't need to be shut down, but the security is being added.
@alexchapman @TomGrant91 @ChocolatePie I'd like to see proof of that. Who's your designated security lead?
@alexchapman @TomGrant91 @ChocolatePie based on what I've heard from you, you don't know much about security. I then ask: what do you think is required to make a truly secure messenger? and how aware are you of the current threat models? what *is* your threat model in fact?
@freya @TomGrant91 @ChocolatePie OK this conversation is getting nowhere. I am not continuing this.
@alexchapman @TomGrant91 @ChocolatePie I suspect you wouldn't, no, because you don't know how to answer my questions, do you? it's ok to admit you're in over your head here, but you need to admit that and back out
@freya It's being implemented in stages, and I'm not wasting my time explaining shit to the likes of you. Either you stop wasting my time or you're getting blocked.
@alexchapman "not explaining shit to the likes of you". Holy fuck dude, that's... I am asking earnest, honest questions. if your messenger was so safe, you wouldn't find the need to lash out at me like this, would you?
@freya Because even if I bother you're gonna give me shit still, I know what you're like
@alexchapman you know what I'm like? we've never met before, so no, no you don't "know what I'm like". Please be honest here and admit that either (A) you don't care about security and you don't care about your users' data, so I can go ahead and assume that or (B) ask for help. I am willing, more than willing, to provide help.
@freya No but people who do this shit usually still act like this even if I've given the info. You wanna know what makes a secure messenger, well, I just made a dedicated post, so go and look for it if you really are that bothered.
@alexchapman did you? and where is that exactly, the thing a day ago where you demonstrate you don't know the difference between the thrive messenger protocol and XMPP?
@freya OK that's what you think
@alexchapman you will gain E2EE with your switch to XMPP. ok, sure. but you currently have a protocol that could be vulnerable to TLS downgrade attacks, to self-signed certs, to a whole pile of issues. what happens if the cops get your server? what is your GDPR policy? you could get fined massively for violating the GDPR dude
@freya The current protocol is just standard Python implementation, that's why once all the user facing stuff is fixed and all the UI jank is gone, then it's a case of working out the XMPP implementation, but it's gonna take more than a few minutes, in fact, more than a few hours.
@alexchapman standard Python implementation of what? standard Python implementation doesn't tell me what the protocol architecture actually is, nor does it tell me how it's secured. dude, I have to ask. how much of this is AI coded. because right now, you're giving me the very strong vibe of someone who doesn't actually understand their code at the network level
@freya There's no particular architecture, it's literally just messages being sent from the client, then the server coordinates the message to the recipient and then the client receives it. Literally like how MSN used to do it. But oh no, people don't want such a simple system, that's why it's gonna be improved with XMPP.
@alexchapman there is always an architecture. how are the messages encapsulated. how are they verified on the wire? hashes? how are replay attacks and impersonation prevented?
@freya It's literally just messages from the sending client go to the receiving client and the server just acts as the coordination to make sure the right person gets the message.
@alexchapman yes, and how does that work. how does the server verify the identity of the sending client? how do you avoid impersonation? how do you avoid replays? you aren't, actually, answering any of my questions
@freya Username checks, and obviously because passwords are hashed that's also a way for ensuring that people's shit can't be accessed unauthorised.
@alexchapman the fact the server can run in unencrypted mode at all is fucking horrifying
@freya It's not even unencrypted, the only reason the actual server can do that is for local testing, because no one wants to mess around with SSL shit on their dev environment.
@alexchapman wrong! everything should be encrypted, always, no exceptions
@freya That's bullshit, the dev environment doesn't need to be encrypted, because it's only the developers that would be using that, not everyone else. So don't gimme that bullshit!
@alexchapman you, sir, clearly do not understand the threat model, nor do you understand modern development practices. I will be warning any and all entities away from using thrive messenger until they have a dedicated, trained security officer