OK, if anyone sees anything from this person: Ra (Freyja) (it/its)𒀭𒈹𒍠𒊩 (@[email protected]) regarding #ThriveMessenger, he is just trying to find excuses to discredit me and my fellow devs' work. He is just a guy who thinks that he knows it all and thinks that we should go overboard with our local dev environment, AKA our own computers that we are git pulling and doing the coding on, not just the server the application is hosted on. Like dude, no one goes out of their way to do TLS shit on their home computers.
@alexchapman Uh... This is most definitely wrong. Lmfao. Yes, people do TLS on their dev computers. It's called having a dev certificate. It's self-signed; you should perhaps learn about what you're talking about before you criticise it.
@draeand But I don't open ports like a lot of others do, and this Freyja person was acting like not doing that is the worst thing. Like, literally, if I had ports open then yeah, but when editing code locally and then git pushing, it's not needed.
@alexchapman So what? TLS is always something you should be testing locally, especially if you're using a protocol which makes TLS a requirement. I know at least one protocol that requires TLS as a part of the protocol; it isn't an optional thing you can turn off.
@draeand Yeah, when you're running shit on a server, but if you're just running tests before pushing changes to the VPS and stuff, then yeah, this guy was basically trying to discredit me all because my Windows machine, which doesn't have ports open and doesn't host any shit that is supposed to be on a VPS or other machine, doesn't have the SSL shit set up. I'm not the only one that doesn't go that far; a lot of people don't bother, because it's not a requirement to write code and run tests.
@alexchapman Do you have any evidence that so many people just don't do that? Because I would say that's very specific to what it is you're developing.
@draeand Well, I wouldn't be surprised, because doing that on Windows means messing with extra stuff instead of developing.
@alexchapman Also, development velocity is not a metric you should use to judge how well you're doing, because the metric is so vaguely defined as to be useless to begin with.
@draeand Yeah, well, I've never known anyone to do that shit on their own machines. They just crack on, and if something needs testing with SSL they set it up on their VPS, and if they're not ready to push it out to the main application they set up a test version on a subdomain and have it as a fresh instance, database and all; that way only the dev, or devs, can get on to that version.
@alexchapman Also, "lots of people don't bother" is an appeal to mediocrity and isn't the flex you think it is. Lots of people don't write tests, too. So by your own logic, we shouldn't test our software.
@draeand No, I was just stating what I've seen, not logic.
@alexchapman Okay, so then what is your threat model? What do you think E2EE is? Because security should never be something you just bolt on after the fact. That will leave your messenger a scandal behind, all the time, and your users will be the threat model. And you really, really don't want your users to be the threat model, because most users do not appreciate being used as guinea pigs. Consider that users will (not may, will) transmit sensitive information via your app, because they reasonably believe, based on your statements, that security is really something you care about. You telling me "we'll figure it out later" is you hand-waving away genuinely hard problems, and tells me that security is something you don't really care all that much about, because security needs to be baked in from the start, not something you do as some kind of afterthought.
@alexchapman I would be happy to help you out with this stuff (as, I'm sure, would many, many others), but the last thing you want to do is go delaying critical features like this. Security is something that will make or break your app. If you don't take it seriously from the very beginning, your app is going to be DOA.
@draeand I've heard of things being, quote unquote, DOA, then time goes by, problems get fixed, and then boom, it blows back up in popularity. But I get it, and that's why E2EE is gonna be sorted soon. But before we go doing that, there are still some weird bugs people are having where the client randomly disconnects, or sometimes it'll fail to send a message, or whatever. I've got the messages and replies people have been sending in, so there's that.