1. 49

  2. 20

    the author is transitioning to whatsapp and signal as an alternative. Personally I hate these systems where you use a phone number as an ID. You can’t throw that around the internet like you can a GPG key hash or a username.

    On a related note. Matrix got end-to-end encryption recently. Lobsters post here: https://lobste.rs/s/1i3d9a/unifying_chat_platform_matrix_org

    A friend and I have been using this for a while, but as it stands there are a few issues with the way crypto works. This issue for example: https://github.com/vector-im/riot-web/issues/2313

    1. 7

      I also hate the signal/whatsapp model of phone number as ID.

      Encrypted email at 3 am local time won’t wake me up but an encrypted signal call or someone using my published number would be annoying to say the least.

      1. 5

        There’s also services that DOS phone numbers. Harder to do for signed messages that can come from anywhere on the net to anywhere on the net.

    2. 7

      From what I could gather

      • Key Exchange is difficult
      • Can’t Generate random keys for every interaction
      • Key maintenance is difficult

      I agree.

      1. 4
      2. 7

        I was never able to convince the vast majority of the people I communicate with to use any form of deliberate, manual encryption. While these hosted services are far from perfect, depending on who you are hiding information from (boss? spouse? middle-manager?) they are certainly more effective than plaintext. Danger would come from convincing yourself they protect you from governments or teenagers.

        1. 5

          I couldn’t help but notice I have 3 open tabs talking about PGP key management. I have an org doc outlining my plan for migrating to a yubikey/paper based policy.

          Guess I will just go outside! Computers are stupid anyway!

          1. 4

            If you are in an oppressive regime, where Whatsapp deciding to just give up your chat log could mean you are going to prison indefinitely, then I don’t think it’s an option if you value your freedom.

            Let’s be serious here, as much as people in the western world like to lament the intrusion of their government upon their lives, the chance of them getting bagged and vanned then having their nails pulled out is non-existent. The same can’t be said for people in many other parts of the world.

            It’s just not worth it to go through all the hoops to use something like GPG when you are not up against a serious threat.

            1. [Comment removed by author]

              1. 2

                How sure can we be Whatsapp doesn’t sneak their key in there?

                But even if WA is legit, metadata can be enough to get you in trouble.

                1. 1

                  How sure can we be Whatsapp doesn’t sneak their key in there?

                  Assuming that Whatsapp implemented E2E just so they could subvert it (and risk getting caught subverting it), which is a pretty roundabout way of getting access to messages that they already had access to, and also assuming that if Whatsapp did this they would hand chatlogs of dissidents to an oppressive regime even though they didn’t (or couldn’t) give the chatlogs of suspected drug traffickers to the Brazilian government.

                  You can decompile the app and see how the crypto is implemented, I’d expect some people have already done this hoping to find a smoking gun and write a blog post about it. You can also monitor the traffic leaving the device and use an alternative axolotl implementation to see if matches what you expect (like these folks did, albeit before it was fully deployed).

                  But even if WA is legit, metadata can be enough to get you in trouble.

                  Then GPG is not the answer either.

                  1. 2

                    You are correct, of course, but an ongoing reverse-engineering effort is important, even if it breaks the terms of use. Also comparing data where possible.

                    Personally my main grudge is with feeding Facebook, but that’s just me.