watching people explain E2EE threat models at @0xabad1dea has been a major source of facepalming these past 24h
-
@gsuberland yeah, it could well be that having just a client that can display things the right way is plenty enough, but idk about load
even irc *is* „federated“ in a sense, right? *relay* chat. but also i guess computers are very fast now so maybe it is not needed
but that’s what I meant by „getting into details“
-
@halcy IRC just operates with multiple servers for technical reasons, you can't talk from freenode to ircnet for example.
-
@halcy (I'm pretty sure this was originally for reasons relating to paying for international phonecalls)
-
@jpm @gsuberland Some people will launch themselves into LEO for the express purpose of missing the point.
-
@gsuberland my assumption was latency and having to manage user sessions, but

-
@gsuberland @halcy Fun fact: the original splitting of the monolithic major IRC network was actually due to a late good friend of mine (RIP), back then a high level ircop, pissing off some of his US counterparts.
Later there were other reasons such as forks with additional features creating incompatibility, etc.
-
also very funny* how the majority of seasoned infosec professionals I know (including actual cryptographers working on E2EE systems) fully agree with her point, and she herself is a well-qualified security professional, yet the thread is lousy with far less qualified people yelling security-maximalist positions
(*not in a ha-ha sense)
@gsuberland I tend to agree that most people don't need encryption for everything themselves. But that's also missing part of the problem. If only leakers and dissidents use encryption, it's VERY easy to pinpoint those messages. You need to encrypt everything to _also_ protect those very few people.
In that way it's a little bit like a vaccination. You really need almost everyone to do it, so that you gain herd-immunity.
We're all talking private or nobody is talking private.
-
@claudius @gsuberland but it is absolutely not the case that only dissidents and leakers use encryption; we already solved that. When my MIL texts her aunts and cousins about birthday party arrangements, it is e2ee. And they all know each other personally and would notice very quickly if one of them were not actually them, whether there’s a meaningless “key error” or not. Hundreds upon hundreds of millions of DMs and small-group chats are e2ee’d like this every day.
It is, *very specifically,* many-to-many e2ee in chat rooms full of hundreds of people who don’t know each other like that which is self-defeating.
-
@0xabad1dea @gsuberland thanks, I'm aware. This is a hypothetical, because right now, a "discord alternative" is widely being discussed, and people are also debating if encryption is even necessary.
This is why I'm bringing it up.
(this is also very much an oversimplification of that whole debate, of course, but I had 500 chars minus this disclaimer).