There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

Wilzax ,

Your options are RCS, Signal, or Lemmy mentions. Or losing contact with me I guess but I’m irresistible

AVincentInSpace ,

So… proprietary data collecting thing owned by Google, service that requires phone number to sign up, or service that does not even pretend to be E2EE and (worse) routes chat traffic through multiple potentially-adversary-controlled servers on its way to you?

crmsnbleyd ,
@crmsnbleyd@sopuli.xyz avatar

You know RCS is not proprietary, right

AVincentInSpace ,

it might as well be with how much control google has over who gets to implement it and how

TheGrandNagus ,

But like saying Android isn’t proprietary.

Like yeah, technically true, but in reality everybody uses a proprietary version of it controlled by Google.

Wilzax ,
  1. RCS is licensed GSMA, not owned by Google
  2. Signal requiring a phone number is a REALLY minor drawback
  3. Obviously lemmy mentions would not be for messages intended to be private, but for anyone to see, just like this one here.
TheAnonymouseJoker ,
@TheAnonymouseJoker@lemmy.ml avatar

Reality check: nobody cares about you if you do not comply with societal “common denominator” norms.

As unfortunate and bullshit as that sounds, it will always hold true. This is the reason I have Whatsapp and Discord work profile sandboxed and highly restricted running through custom HOSTS ruleset + NetGuard. I concluded these are the 2 platforms needed to minmax information “freedom” and social compliance.

banneryear1868 ,

“I only talk to other nerds” basically

Wilzax ,

Nah everyone has RCS these days except people with old phones and iPhones, and even the iPhones are going to be rcs compatible soon

banneryear1868 ,

The average person just has no idea about RCS or protocols in general and are incidental adopters of it just like SMS. Sometimes these nerd debates about platforms and protocols emphasize technology features over actually connecting with people or doing something productive on said technology.

southernbrewer ,

I’m a nerd. I know vaguely what RCS is because I had a discussion in 2019 with a friend about it. Do I have it? Do I use it? I have no idea. Is it an app or just a protocol that happens behind the scenes? I would assume the latter. My phone’s a few years old, isn’t everyone’s? Probably that means I don’t have it. No way to tell and I’m not going to bother trying to find out.

I’m so much more technical than most people btw

Kornblumenratte ,

What is RCS?

owen ,

It’s a messaging standard, it’s pretty much SMS + Internet features. Developed like a decade ago and apple he been trying to dumpster it since then.

shapis ,
@shapis@lemmy.ml avatar

RCS, Signal, or Lemmy

I wish. But I don’t know a single person that uses any of those.

communism ,
@communism@lemmy.ml avatar

Most of my friends use Signal. Honestly hadn’t heard of RCS till now. Either my phone only supports SMS or I’m too technologically incompetent to enable RCS.

OldWoodFrame ,

Spoken like a real android user. All my iPhone friends (and especially family) refuse to download any other app, they just complain that I physically can’t download iChat.

hector ,

As an iPhone user, iChat is mid. I think it’s only in the Us that it is widely used.

Embrace the beauty of Signal now

JohnDoe ,

I use signal as well, might be worth looking into these two links to better manage expectations.

First here and second here.

Related post by Matrix here

aidan ,

I don’t have time to respond to everything, so I’ll just respond to the first one- which is that it’s tankie copium. I don’t deny the Signal Foundation might be taking money from government groups- I believe it is. But looking at the groups its pretty clear what it is, Radio Free Asia, as in the Asia branch of Radio Free Europe. Aka, their goal is to make people living in US adversaries rebel. The US does not censor private communication, it would be very quickly found out if I sent a text to my friend and they couldn’t receive it, or I was sent to jail for the content of that speech.(That’s not to say its not spied on though.) However, in many(most?) US adversaries there is active censorship of opposition communication, the US generally(although not always) supports the opposition by nature of them being the opposition- this is why(if you believe the narrative that everything is a cabal of the powerful) US tech companies supported the Arab Spring. This is why Radio Free Europe broadcast in support of Dubček and the Prague Spring, why they also supported the 1956 Hungarian Revolution. All that is just to say the US can follow the narrative of being 100% power seeking while still supporting open communication platforms. (After all, the US government also either directly created or contributed to SHA-2, Tor, and Ghidra too) And, Signal is open source, read the code and network traffic yourself, they won’t remove encryption for US allies.

That doesn’t mean they’re immune to criticism, they may be able to explain it, but I personally probably wouldn’t donate to an organization that has the money to pay part time developers $450,000 according to their Form 990, but its not my money so not my place to judge how its spent.

JohnDoe , (edited )

I think most of your criticism makes sense.

The part about “not reading private messages” I think is mistaken, or rather, maybe amiss. I mean I don’t have evidence, so this is all conjecture. The sophistication of data surveillance and data gathering makes the content of the message rather meaningless in my view.

EDIT: Oh, I don’t think any adversaries of US, even if working together, make any meaningful threat towards it. It’s really hard to imagine, esp. considering the US has a bunch of successful coups & stuff under their belt.

aidan ,

I wasn’t saying the US doesn’t spy on private messages, I was saying Signal is open source so it would be hard to hide a back door. So I don’t see how any other E2E encrypted messages could be more secret then Signal. I guess obfuscating the messaging servers.

The sophistication of data surveillance and data gathering makes the content of the message rather meaningless in my view.

That’s a fair point but I don’t know if there’s any other good solution to that.

JohnDoe ,

yeah i’m rethinking some stuff too, even in some utopia i think some information related to me might make life inconvenient, so the best way to protect that (e.g. not disclosing it digitally) maybe needs outta the box solutions.

related, does anyone even bother to look at physical mail for stuff? like if i put a cipher in a letter with no return address, using that pen ink that you can erase (which comes back if you put it in a freezer) and only i and my contact have the key to the cipher which we exchanged in-person; could anyone reasonably know it?

it seems digital stuff might be a carrot for surveillance people, maybe it can be made into a honeypot and physical or analog means can make a return.

aidan ,

I think finding novel ways to communicate with a specific person and not be monitored is easy. The difficulty is opening a new line of communication on an already monitored one, communicating to new people, and one of those new people not blabbing.

After all, if you play on a private Minecraft server and spell out text with dirt blocks, I don’t think anyone’s going to bother writing code to analyze your Minecraft network traffic.

LWD ,

Kind of ironic considering that with Matrix…

  • Forward secrecy is kinda hosed
  • they store metadata permanently on their servers by design
  • A ton of stuff that would otherwise be invisible and signal is visible in your Matrix homeserver, including permanent history of all group membership
  • Your data does not belong to you, and that’s how the server is built to treat it, e.g.
  • GDPR deletion is nonexistent (it won’t delete your username or your messages, making it less effective than on Discord, let alone Signal)

… Etc.

Ironically, older federated messaging systems like XMPP might be better by coincidence. Message archiving was an optional addition and some servers, such as the popular Riseup one, do not implement it.

JohnDoe ,

Yeah, fair. It can’t delete your messages to the extent a centralized system, and that’s an indication of the lack of centralized control? It’s a different threat model I think many find satisfying (though perhaps not most).

LWD ,

All those points are about how one server communicates with itself. Federation doesn’t factor into it

JohnDoe ,

huh, yeah that’s fair i did not actually notice that :/

toastal ,

Meanwhile Matrix was built & funded by Israeli Intelligence (to which I’m sure there are anonymous donors today). It’s expensive replication model means only those with the deepest of pockets can run a server leading many to flock to the mother instance of Matrix.org centralizing, replicating the data to a single node (being decentralized in theory, not so much is practice). It’s funny to see them call out Signal, but luckily there are private, free alternatives to both.

JohnDoe , (edited )

Huh, would it be possible to provide a source? I might be bad at searching, I’m not finding anything…

EDIT: Ok I found one with some search operators. I can provide links, most were less trustworthy, I’d reserve judgement.

  1. An organization which was initially responsible for Matrix, AMDOCS, is allegedly (I say allegedly since I didn’t confirm it to a reasonable extent) an organization based in Israel which appears to have products related to surveillance
  2. By association, Matrix is tainted, perhaps it has sophisticated backdoors along with the other myriad of issues mentioned by other commenters

To give an alternative explanation with plausible hypotheses

  1. An organization linked to intelligence surveillance, created and discarded software, which occurs with most software, and I would imagine occurs with software developed at an organization linked with surveillance as well (if it’s publicly funded, i.e. by a government, I’d lean into this)
  2. Though suspect in origin, the amount of time the software has been independent, and with its open codebase, means any backdoors or other nefarious artifacts can be reasonably said not to exist
  3. An organization linked to an intelligence agency would perhaps be the one to expect to have a secure messaging platform, one could imagine said organization would develop a solution in-house as even with software audits, they may not be certain of any external software which may itself be compromised by an antagonist or have vulnerabilities which they could not control

Some food for thought. I’m not one to jump to conclusions, I think claims require proportional evidence, and obviously my judgement isn’t the same as a security researcher or clandestine operator, so settling on what ‘appears’ to be true without proper investigation isn’t something I do.

Thanks for the info though!!

Dustwin ,

Yeah, there was a nice period when Pidgin could easily handle all the chats. Then providers siloed their apps 🫤

bennypr0fane ,

That was the time when all the apps were standard XMPP. It didn’t have proper encryption back then. WhatsApp is still XMPP nowadays, but excluding federation and non-standard implementation on Meta servers and so on

wildbus8979 ,

It didn’t have proper encryption back then.

OTR predates all the commercial platforms adopting XMPP, so that’s not exactly true.

SapphironZA ,

Was OTR a protocol where the server had zero knowledge of the unencrypted content? Or was it basically like SSL?

wildbus8979 ,

OTR is E2E, it’s the direct predecessor of OMEMO/Signal on which they are both based.

bennypr0fane ,

Sure, but now you show me all the clients that supported OTR back then 😜 - or now, for that matter. Besides, OTR doesn’t work in multi user chats. OMEMO does, and support for it is still not exactly widespread…

wildbus8979 , (edited )

Most popular clients supported OTR back then… Pidgin, Gajim, Adium, bitlbee, Psi, you name it.

And that’s at a time where absolutely no one did E2E, even SSL wasn’t a given.

Yes OTR* doesn’t do group chat, but now you’re just moving the goalpost.

*There has been a proposal in the works for years and years, but OMEMO stole a lot of it’s traction, and the last nail in the coffin was the arrest of Ola Bini in Ecuador as he was one of the main contributors.

You seem to not get that OMEMO is directly based on OTR.

wildbus8979 ,

Fun fact, iMessage is also XMPP based!

lars ,

My brother in Christ do you know what fun means

wildbus8979 ,

Federated XMPP is fun yes, defederated XMPP is, indeed, not fun.

Also I’m no Christ’s brother, thanks. Beelzebub maybe.

toastal ,

So is WhatsApp, Zoom, Jitsi

wildbus8979 ,

Had no idea about Zoom!

It’s kind of crazy that all these services use it, and on the federated side of things, Signal killed it.

toastal ,

It also powers the communications / presence on many gaming avenues as well like Fortnite, League of Legends, & whatever Nintendo is using for notifications + online status (assuredly a lot more games).

XMPP is old, stable, & massively scalable for industrial applications – while maintaining decentralization + efficiency & allowing for extensibility like OMEMO encryption which is covering most folk’s chat use cases. Since the XMPP foundation don’t put budget into marketing & hype, a lot of folks weirdly assume it’s dead or not being used. It’s strange to me how folks seem more interested in RCS & Matrix despite their histories/ownership/flaws rather than embracing what is already good.

wildbus8979 ,

Well said! I really miss having a huge roster on XMPP

toastal ,

We can start it up again. Time to nudge in the next Lemmy AMA to allow XMPP addresses alongside Matrix. You’d be surprised how little things like that can nudge adoption & pique curiosity.

wildbus8979 ,

While that’s true, I think the people who care have inherent issues with the lack of social network graph anonimity sadly

bennypr0fane ,

Yeah, XMPP is great and all, but the client side is a big old mess, everything is full of friction and missing support for feature xyz. Have you tried using XMPP on iOS?

toastal ,

Conversations compliance test has brought most clients into an acceptable base to where most basic chat/audio/video needs are met, so if you are comparing older legacy clients then the experience will be different. The XEP system means everything is optional & can be pitched by making a spec & seeing who uptakes the idea. It also means the bar to create your own server is absoluetly minimal since everything is an extension which means you could build one in a weekend which is great for those learning to code since the barrier to entry is extremely low if Conversations isn’t the goal.

IDGAF about Apple since you have to have a wad just to publish an application on their proprietary store & the EU didn’t do a good enough job so it’s expensive to open alternative stores like F-Droid while also being antagonistic towards sideloading as well as PWAs (not to mention needing to buy their overpriced hardware to build/release applications). Heck, you can’t even publish a GPL-or-similar-licensed app on their store. This is a giant slap in the face to free/ethical software developers & probably why the clients aren’t in a good state; if you aren’t trying to make money, why would you develop in an ecosystem that is entirely hostile for you to develop in?

angleangel ,

You can bridge to all of the apps in the image from Matrix

toastal ,

Or Slidge

kadotux ,
@kadotux@lemmings.world avatar

I actually tried pidgin maybe 6 months ago just for kicks if it could handle whatsapp, signal and telegram, and whaddaya know, it could. It was ugly as hell, but it could be done.

ICastFist ,
@ICastFist@programming.dev avatar

For whatsapp, my experience with Pidgin was terrible. Stickers had to be downloaded as photos, group chats would only show up once someone sent a message, contacts would only show as the full international phone number, all existing chats were horizontal tabs, like a browser.

kadotux ,
@kadotux@lemmings.world avatar

Yup indeed, it wasn’t a pleasant experience. Self-hosting Matrix with all its bridges is kinda nice tho (although a bit lacking).

clot27 ,
@clot27@lemm.ee avatar

I use telegram mostly because it have great features and its certainly better than any meta apps in privacy and private enough imo. It was easy to get my friends and family on telegram because they loved those features, signal is just… boring.

strahlemann ,

interestingly it’s worse than whatsapp regarding privacy

clot27 , (edited )
@clot27@lemm.ee avatar

and how? dont send me a decade old audit on the protocol which telegram abandoned around the same time.

strahlemann ,

chats are not e2e encrypted by default and group chats are never e2e encrypted. even whatsapp is e2ee for every chat.

banneryear1868 ,

They hated him, for he spoke the truth.

clot27 ,
@clot27@lemm.ee avatar

And how does being e2ee by default guarantee you are secure? whatsapp doesnt even encrypt metadata.

SmilingSolaris ,

It’s fun watching people argue about things I don’t care about. Like, y’all haven’t already abandoned your sense of privacy to this world? Lol

banneryear1868 ,

These nerds will debate platforms way more than use them productively.

SmilingSolaris ,

It’s fun though. I’m glad they keep an eye on this stuff because I don’t and someone definitely should. But it really is just a hobby. It’s fun how serious they take it. Super serious hobby lol. Love them to death though. Greatful too!

strahlemann ,

I don’t like whatsapp either but my claim still holds. e2ee by default for all chats is arguably more privacy respecting than opt-in e2ee for 1-1 chats only. and what metadata exactly does telegram encrypt but whatsapp does not?

clot27 ,
@clot27@lemm.ee avatar

e2ee by default only for your data to be used when you back it up. Atleast there have been no data breaches reported in telegram so far

strahlemann ,

you can encrypt backups in whatsapp but we might agree on whatsapp and telegram being equally bad then

no data breaches reported in telegram so far

yes they hand it out voluntarily, search term: telegram german authorities

clot27 ,
@clot27@lemm.ee avatar

only if you are terrorist or do some CP stuff. Besides there are ton of reasons why I should use telegram. Its a lot more featureful, its easy for people to move their and its secure enough for me because I am not a terrorist and I dont sell drugs, thanks.

strahlemann ,

i have nothing to hide

okay buddy

clot27 ,
@clot27@lemm.ee avatar

nitpicking by avg signal fanboi.

strahlemann ,

average telegram fanboi cope

guts ,

Telegram is more akin to Discord with secret chats, I wouldn’t trust ZuCKs Whatsapp.

Zacryon ,

And yet no one was able to crack it.

strahlemann ,

it’s not about cracking anything it’s about the telegram owners being able to read your messages???

Zacryon , (edited )

You can use E2E??? !!!

strahlemann ,

not in group chats and most people don’t care about it for 1-1 chats as well.

neutron ,

Sometimes boring is better, sticking to the fundamentals. I didn’t like when signal tried to mix crypto into it.

preasket ,

Wdym “boring”, what do you want a messenger app to do? It does what it’s there for and it does it well.

clot27 ,
@clot27@lemm.ee avatar

Sure, but we have to consider what other people wants too, and if they are getting alot of feature in a single app without any big compromise, they would prefer that and thats perfectly logical.

preasket ,

From my experience of getting other people on Signal, the main issue is that not everyone is already on it. People generally want to use only one app and it attracts them to the most popular one because they don’t need to switch as much.

Secondary issues are:

  • No automatic phone transfer (no cloud backups, has to be done manually)
  • No large public channels

I might add another one, but it applies to WhatsApp too - it’s crazy that there’s still no easy way to move between iOS and Android…

clot27 , (edited )
@clot27@lemm.ee avatar

OTOH telegram gives you option to export your whatsapp chats there making migration a bit more convenient. For the last point, yeah it sucks a lot and fuck whoever is responsible for that…

myusernameis ,

Random hot take, I’m at least grateful that my wife and I use an app that none of our friends use. Removes the “oh shit did I send that to the wrong person” panic.

GregorTacTac ,
@GregorTacTac@lemm.ee avatar

Which app?

zovits ,

xkcd.com/1810/

DragonTypeWyvern ,

Friends don’t make friends install chat apps (besides Signal)

SundryTornAsunder ,

Not sure why you were downvoted. I’ve successfully made most of my friends, and my mom for that matter, talk to me on Signal.

toastal ,

The comment implies Signal is peak chat when it’s flawed & other than maybe onboarding, isn’t superior to alternatives—with the phone number being a pro for onboarding is a con for privacy. It still requires you have an Android or iOS primary device (fueling that duopoly). They don’t want you installing it from a safer space like F-Droid. They still by default send notification metadata to Google & Apple (websocket support exists but drains a fair amount of battery & they refuse to support UnifiedPush). They still ship/use Apple emoji on Android & Linux. It’s still a centralized system you can’t self-host. They still have that missing part of the source code (where I would assume the feds planted something). It still isn’t a good space large chats. And the Electron desktop apps are far too bloated.

SundryTornAsunder ,

And the Electron desktop apps are far too bloated.

No argument. Electron is categorically silly in its own right, lol.

They don’t want you installing it from a safer space like F-Droid.

F-Droid is by no means safe; use Droidify.

They still by default send notification metadata to Google & Apple (websocket support exists but drains a fair amount of battery & they refuse to support UnifiedPush).

Easy: use the FOSS version of Molly instead of the default Signal app.

JohnDoe ,

Hi, could you touch on why F-Droid is less safe? Is it because they package (I think that’s the term?) stuff themselves?

SundryTornAsunder , (edited )

Certainly.

To answer your question: yeah, pretty much.

I got all of this information, originally, through this guy’s channel (Side Of Burritos on YouTube):

  1. www.youtube.com/watch?v=IzpVI4zaso0
  2. www.youtube.com/watch?v=lAbgeJau3eE
  3. www.youtube.com/watch?v=FFz57zNR_M0

It’s also worth mentioning that part three of that series ended up directly inspiring another project called Obtanium, which he then did a video on here:

www.youtube.com/watch?v=JiN37bn0OE8

flubba86 ,

Signal is the best, but no way I’m going to be able to get my wife, my friends, my parents and in-laws to use it.

DragonTypeWyvern ,

Have you considered emotional blackmail?

flubba86 ,

No, I haven’t reached that point yet.

Colour_me_triggered ,

Do yo need a wife, friends, parents, or in-laws?

Pixel ,

Can’t even get your wife on it? Damn…

KillingTimeItself ,

i really fucking hate discord.

Why does EVERYTHING have to be proprietary. Fucking capitalism.

MxM111 ,

Don’t like it - don’t use it. It’s a free (capitalist) country.

KillingTimeItself ,

that’s the cool thing, i dont, but you know who does? You, and you know how i would need to contact you? Through discord! Uh oh!

MxM111 ,

I don’t use discord

KillingTimeItself ,

damn didn’t know you weren’t all of my other friends.

JohnDoe ,

I think they wanted to be, they were advertising themselves!

someguy3 ,

I don’t get why people like it either. It’s a mess of chats.

Jarix ,

Gamers using it for gaming. In game Voice communication is trash

deathbird ,

And that’s fine, but why do gamers use it over any other VoIP option? And why the infinity chat channels over infinity servers?

Resonosity ,

Content creator branding, and “community”

ZoeyBear ,

Because it’s the standard for gaming. I use it and would drop it in a heartbeat if it wasn’t standard for every mmo out there.

Jarix ,

Its pretty amazing for voice communication in gaming.

As a messenging app? Meh

KillingTimeItself ,

dude discord has been one of the worst experiences for voip in gaming IME. I started using mumble SOLELY because discord was actually just disappointing. Though tbf maybe if i paid out the ass for nitro it’s better? I ain’t paying for that though.

Though yeah, for messaging, it’s dogshit, It’s a mess.

TheAnonymouseJoker ,
@TheAnonymouseJoker@lemmy.ml avatar

A funny advice I will give is recommending you and your friends use noise cancelling audio gear. It will help regardless of the platform.

KillingTimeItself ,

this is honestly the only good thing about discord, the krisp noise reduction is actually kind of good. It only took them like 3 years to implement it on the linux client. And we’ve only had system wide noise filtering since the dawn of time.

Although since we’re on the topic, discord manages input/output in the single most inconceivably stupid manner possible.

kate ,

On Linux I use an app called NoiseTorch that creates a virtual mic to cut out background noise in any application

KillingTimeItself ,

i messed with noisetorch for a bit, it seemed interesting, and worked pretty well. Nothing beats push to talk though tbh.

0x2d ,

i get much better call quality in telegram

Xttweaponttx ,

I really wanted to keep faith in it after the ui overhaul recently - VoIP performance was SO much better on Xbox, latency specifically. But good GOD the mobile app is just a pile of garbage nowdays. I have so many friends stuck on that platform, I still end up sharing links there to Lemmy memes and like 60% of the time when I share to the app it permenantly sticks on the splash screen??? 🙄 notifications are fucked these days too, myself & my friend group regularly miss messages entirely, even with direct @ mentions?!

Worse, I dropped a crap review and complained that function has dropped horribly since the update and the devs INSTANTLY replied like “Have you tried pretending you’re a beta tester for us? Do you mind doing a buncha troubleshooting you definitely haven’t already done?” (They wanted me to reinstall the app… Smh)

Anyway - fuck discord. I’m planning to shift to Revolt, but if anyone has better suggestions I’d be happy to try some!

KillingTimeItself ,

im genuinely surprised discord even tries testing things on the two test branches they have. Yes, you heard me correctly, they have TWO separate testing branches. Bugs literally should not exist on the stable branch.

also when it comes to voip, i’ve enjoyed mumble, it’s pretty solid, minimal, configurable (highly integrated into games already, it’s old af though so maybe not new games) and works pretty well. Revolt seems alright, but it’s plagued with bugs, and weird issues, plus it’s self hosting is just, jank.

We could use a self hosted discord replacement tbh.

TheDarksteel94 ,

Reject Discord, go back to Teamspeak

KillingTimeItself ,

i would fuck with ts if they would release ts5 and have an actual feature release, until then mumble it is. Shit slaps, and is minimal.

Roccobot ,
@Roccobot@lemmy.world avatar

What’s the app in the middle? Never seen that logo

r0bi ,

Thats the app Element for the Matrix network

Roccobot ,
@Roccobot@lemmy.world avatar

Thanks. Today I learned: a network called Matrix exists IRL

koncertejo ,

Element, one of the few (only?) entirely open source, encrypted, and federated chat platforms out there.

Pantherina ,

Add SimpleX and Converations-i2p

CubitOom ,

Yep SimpleX works great. Although every time I read the name I think of herpes.

Pantherina ,

Hahaha, SimpleX on Android is fine, the Desktop client is kinda incompatible with anything (no flatpak, the ubuntu version is kinda broken, no repo, their sync requires a random firewall port to be open)

CubitOom ,

Interesting. For my desktop, I just installed a binary from the AUR and it works wonderfully.

Pantherina ,

Yeah I avoid installing stuff to my system but I looked into RPM .spec files and that should be possible too. Flatpak would be the way to go though.

CubitOom ,

Personally, I do the opposite. I try to avoid flatpaks and the like. And the AUR enables that really well

Pantherina ,

Welcome to security I guess

CubitOom ,

Security is a compromise between convenience and safety.

However, simply using flatpaks isn’t inherently more secure than using a binary or compiling from source. But it can make it easier to be secure for people that don’t want to manage their own sandboxes.

It’s also easier for devs so they only have to make one version of their app which in theory should work on all systems. But in practice I find it doesn’t always work that way

Pantherina ,

The AUR is not verified or audited at all, isnt it? So you need to check every release if that script was modified to download something malicious. For sure this works somehow, but idk how.

And sandboxing… flatpak has GUI tooling unlike anything else. Bubblejail is usable.

CubitOom ,

From a maximum security perspective, you should be checking all the code you install on your computer. No matter if it is foss, audited by some group, or proprietary (if possible). What would stop a bad actor from auditing malicious code and approving it?

As for sandboxing, there’s multiple options, not the least of which is containerization.

Again, security is a compromise. More security normally comes at some cost just as less security does.

But back to the topic of the post. You are complaining that SimpleX doesn’t work when installed though a flatpak (because one doesn’t exist). So perhaps it’s not a good software to rely on flatpaks for. Unless you choose to only install software via flatpaks, to which I’d say that’s admirable but also perhaps needlessly limiting. Either way it’s your choice, but I would suggest some open mindedness of options that may let you use the software you want.

Pantherina ,

Yeah I tried the ubuntu version through Distrobox, which is way more secure. But they have no repo, and it broke apt lol.

Appimages are completely insecure, there are literally no updates. Its a random bundle of libraries, as old as possible to work on every old kernel, and they are just broken by design (see an old post of mine).

There is flatpak packaging work done and I want to learn that and help, as Flatpak is just the best.

hperrin ,

Everybody’s got email. Just saying.

anarchrist ,

Everyone can read your emails, just saying.

hperrin ,

Well, I run my own email service.

Samsy ,

Np, they read your mails on the destination, anyway.

garbagebagel ,

Maybe they can but I never do

wildbus8979 ,

GPG S/MIME are still a thing…

Tetsuo ,

I work on email systems everyday.

Please don’t let this protocol survive.

Forget emails that is functionally a terrible communication tool.

You never know if it will be received by the recipient. There is always false positive false negative classification in spam.

SMTP is an outdated protocol that needs to die.

hperrin ,

It sounds like your problem is with the way providers handle email and not email itself. Email is actually a really nice protocol. It’s got so much fault tolerance built into it. I could take my servers down for 24 hours, and none of my customers would miss an email.

Yes, there is definitely a spam problem, but overzealous spam filters are not the fault of email, they are the fault of email providers.

As much as I hate Gmail, at least they are pushing for everyone being required to use SPF and DKIM. That alone will eliminate a huge portion of the spam problem.

Also, email isn’t the only protocol with a spam problem. I get so many spam messages on SMS, Facebook (back when I used it), Telegram, etc. Basically anything that allows someone to send a message without two-party consent first (like scanning each other’s QR codes) is going to have a spam problem if it’s popular enough.

Tetsuo ,

It sounds like your problem is with the way providers handle email and not email itself.

No. Providers handle mail this way because they have no choice to do so.

You are stuck between two major Issues.

On one hand you can have your anti-spam very lenient and receive pretty much everything. But if you do you will get more phishing and malware ridden mails. So the users will be exposed to one of the most dangerous vector of infection.

On the other hand you can have a super aggressive spam filter but some mail will be dropped. Whether an email notifications or the contract of the year for a business. It’s no matter. It might never be delivered.

And since we have to block millions of spam mail everyday we have to block them silently because if you respond to certain malicious SMTP server online they will just spam you.

In reality businesses are used to email so that’s what is commonly used.

But it’s far too unreliable to communicate with clients of that business. You can’t just have an important contract sent as an attachment by mail with some chance that it will be silently dropped at some point.

The simple fact that you can send an information to someone by email and it might be silently dropped without you ever being aware of it should IMO have led to the conclusion that it should never be used for anything remotely critical.

If it’s important it shouldn’t be an email. The reality is millions of dollars worth of business conducted solely through email conversations. And also a very lucrative business of spam.

Even businesses are often spammers or as they may call it “gray mail”.

No email providers will guarantee you a 0% fault spam filtering.

Not Gmail either.

As much as I hate Gmail, at least they are pushing for everyone being required to use SPF and DKIM. That alone will eliminate a huge portion of the spam problem.

It’s a good thing Gmail does that but it helps only their users right now (since February’s changes). If your business communicates with thousands of small domains on small providers it will take another decade for every SMTP server to fix their s***. And even then there will still be spam.

What’s the difference between a spammer going through all the hoops of creating a mail domain and a new business ?

Not much. Both mynewlegitEmailDomain.com and SpammerWho UnderstandsDNS.com are essentially the same for a spam filter.

They both would have “legit DNS records” but would both have trouble sending mail to Gmail at first.

Because Gmail cannot know if you are a spammer that setup a new disposable domain or a serious actor in email that just wants to communicate with you.

Truthfully Email is a terrible protocol that cannot be fixed with yet another layer of duct tape. You will never have any guarantee your mail is delivered. There is plenty of communication systems that’s will tell you it’s delivered or not.

hperrin ,

Again, your problem is with the way providers handle email. It would be perfectly possible to deny email that’s flagged as spam, then the sender would get a bounce notification. “Dropping them silently” (which actually means accepting them and delivering them to a spam folder in this context) is a choice that providers make. It’s already general practice to deny email from an IP address that’s been blocklisted.

Also, spammers aren’t going to spend the money to buy and set up domains if each one is blocklisted before it makes a profit. My own email service will mark something as spam if it fails FCrDNS, SPF, and DKIM. Gmail went one step further and doesn’t even consider FCrDNS.

And again, any communication method will have a spam problem if it is popular enough and it allows non-two party consent messaging. Email’s popularity is the reason it has a spam problem, not its protocol design. And any distributed system cannot guarantee delivery. If my server tells your server it’s delivered, you just have to trust it, no matter what protocol you’re using.

Tetsuo ,

By dropping silently I meant really litteraly. If you answer to SMTP commands, you are not silent. You essentially say a spammer server that you are a valid target and that they can go on.

It’s not even a question if spammer buy domains to spam. It’s well known and the reason why commercial products provides a feature to filter too fresh domains.

There are procedures to “warm-up” an IP if you are a large provider and if you don’t do it and attempt to send a lot of mails to Gmail this will not work. It’s not just about DNS records. You could have donne everything perfectly DNS wise and still be blocked by Gmail servers.

You should take a look at the requirements of Gmail for large providers. As far as I recall Gmail does check FcrDNS since last month. On top of more requirements for authentication.

Still you can’t just buy an IP, a server, set MX, SPF, DKIM, DMARC, ARC?, FcrDNS and expect large amounts of mail to go through right away.

And again, any communication method will have a spam problem

The major issue here is that anybody can send any email to whoever. Most communication apps won’t let you do that certainly not like emails.

You can’t open WhatsApp and start spamming the whole world. You basically can only do that with phone calls and emails ?

So no, SMTP/IMF has rotten foundations. No matter how many (optional) protocol you add on top, it will always be such an hassle to maintain and there will be always people who can’t afford that much effort.

Small businesses having to set that up just to reach Gmail is a big problem that they usually externalize with Outlook365 and so on.

Again, Gmail calls the shots because they are the leader. But on paper my fully unauthenticated mail from Barack.obama is perfectly RFC compliant and legit. These protocols that are essential are optional at the end of the day. They became virtually mandatory because of the spam issue and Gmail pushing in the (right) direction because they have leverage.

SMTP on its own is trash.

hperrin ,

I don’t see your issue with dropping a connection before issuing any SMTP commands. Your problem is with not being able to determine delivery status, right? If your server never even gets to send the message, then you know with 100% certainty that the message wasn’t delivered. And if it’s denied, you know with near certainty that it wasn’t delivered. (I don’t know of any servers that will issue a hard deny after receiving the message and then still deliver it, but that’s technically possible.)

I have read Gmail’s requirements, and I’m familiar with IP reputation. I didn’t mean that they don’t check FCrDNS, I meant that only having that is not enough. They now require both SPF and DKIM. Whereas my service will still accept your messages and not automatically mark them as spam if you only pass FCrDNS.

Generally if you’re getting your emails denied right off the bat, it’s because your IP or the block your IP comes from already has a bad reputation (basically any IP a cloud provider will give you). But yeah, you don’t want to spin up a server on a brand new IP and start firing off 10,000 emails a day, just like you said you don’t want to fire off 10,000 messages a day on WhatsApp. That’s a bad idea for any platform.

WhatsApp is not distributed, nor is it an open protocol, so that’s right out. It will never be the standard.

Gmail only calls the shots for Gmail users. If you never interact with Gmail users, you don’t have to obey any of their requirements. Like imagine a system that you’ve set up to receive notification emails from your own servers. You don’t have to obey anyone’s rules.

Your spoof mail may be perfectly valid for the base ESMTP spec, but there is not one single email provider on the planet that only considers that spec. Email isn’t just one spec. It’s a system that’s made of many specs and common practices, some required, some de facto required, and some optional.

nick ,

Just stop using the spyware ones?

mac ,
@mac@infosec.pub avatar

That leaves you with element, signal and telegram?

LWD ,

Oh, where to begin. Telegram is wild. It may not be spyware in the traditional sense, but they’ve already handed over data to the Indian government, left a telephone number scraping vulnerability open for the Iranian government, and gotten caught with “the most backdoor looking bug” with their unwisely handmade encryption algorithm.

mac ,
@mac@infosec.pub avatar

Okay just element and signal then?

LWD ,

In the meme, yeah. There are others though:

www.privacyguides.org/…/real-time-communication/

JohnDoe ,

SimpleX looks neat.

Zacryon ,

And yet no one was able to crack it.

nick ,

Telegram’s backend is proprietary software and they (very similarly to Discord for example) can just decide to read your chats whenever they want. It’s even worse then WhatsApp in this sense (at least as long as you trust Facebook that they actually encrypt your chats, again, there is no way to know if it’s proprietary software).

TarantulaFudge ,

Telegram and signal are both central points of failure. Signal can be used with other servers, but the server address is hard coded in the app, so you have to deploy your own app. Matrix servers can keep a channel going even if the channel’s home server goes down. The more home servers there are, the more mirrors of public channels there will be.

hoya ,

You can just use Matrix with bridges

Mubelotix ,
@Mubelotix@jlai.lu avatar

You got a guide? I have not been able to setup the thing

TarantulaFudge ,

Easiest way to get going: github.com/…/matrix-docker-ansible-deploy

dejected_warp_core ,

What frustrates me the most about this is that if we promote one commercial solution to the top of the heap, destroying all others, we still lose.

Draedron ,

So glad everyone here just uses whatsapp. Yeah yeah, meta sucks and privacy is bad. I prefer the ease of use and being able to communicate though.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •