Can the fucking government please quit trying to kill our privacy? A #backdoor for just the “good guys” (a questionable thing to call them at best) isn’t possible, has massive potential for abuse, and has been repeatedly proven so.
Yet, they keep trying to enact this shit. It’s utterly mind-boggling to me that any of these lawmakers think this will do anything.
#privacy #E2EE
From: @hn_discussions
https://mastodon.social/@hn_discussions/110770792625199040
@meowski @lanodan It does seem more serious than that, he linked to this thread:
https://github.com/matrix-org/matrix-public-archive/issues/47
Although like it's also mentioned in the thread, much of this could be mitigated by enabling #E2EE
@artaxadepressedhorse @ZeroEcks #RevoltChat isn't distributed, it's centralized, but it does have #E2EE and you are allowed to self-host it as well.
A no-brainer step tech platforms can take to protect abortion seekers and providers is implementing default end-to-end encryption for all messaging, so that tech companies can’t be forced to turn over people’s private messages. #MakeDMsSafe #E2EE
https://www.axios.com/2023/03/14/encrypted-messaging-texas-abortion-suit
Elephant help me, I'm actually releasing this thing! :toot: Folks, I present to you:
✨ End-to-end Encryption for Mastodon DMs ✨
https://codeberg.org/cuchazinteractive/Mastodon/src/branch/e2ee-4.0.2-dev/doc/e2ee
It's far from perfect (Far), but it's a start. I have no idea how people release mods for Mastodon because I've never seen one before. Forks, sure, but not mods. So I made something up. You can read all about it at the link above.
For now, I'm supporting Mastodon v4.0.2 and the Firefox browser. There's a browser extension in there, so browser support is tricky. It's a whole thing. I'm starting simple at first. Walk before you can run and all that, right?
Anyway, try it out. If you want. Or not, no judgement. But if you do, tell me how it went, will ya? I'm curious.
Maybe try it on a testing instance first though. I should probably set one of those up actually.
And if you try it out and run into trouble, send toots! :blobcatboophappy: I'll help out.
Progress on #E2EE for #Mastodon DMs:
Uhhh... maybe it's ready for testing? :rblobcatpeek:
Here's a question though. This is very unofficial work. Think of it as a mod for Mastodon. How do people distribute Mastodon mods these days?
I have a git branch based on the 4.0 official release (4.1 rebase is forthcoming) with all the changes in there.
https://codeberg.org/cuchazinteractive/Mastodon/src/branch/e2ee
Is it enough to point server admins at this branch and they'll know what to do? Should I do a squash-commit and point to that? Should I distribute an actual patch file, like it's the 90s? Is there some slick mod loader out there like this is Minecraft or something? Do I need to distribute an entire E2EE branded fork of Mastodon?
I'm new here, what do people usually do?
Work on my #E2EE DMs mod for #Mastodon is getting close to being finished! :blobcatcheer:
In preparation for an upcoming release of that, I've updated the Burger Identity Manager browser extension (used to handle the DM encryption securely in the browser) to fix all the issues I found while working on Mastodon DMs.
The new v0.2 of Burger Identity Manager is available for download in the Mozilla addons for Firefox.
https://addons.mozilla.org/en-US/firefox/addon/burger-identity-manager/
Only Firefox on desktop/laptop is supported for now. Other browsers/platforms will come later. If you want to vote for your favorite browser to get supported next, leave a comment.
Status update for #E2EE #Mastodon DMs:
✨ Holy crap it actually works!! ✨
Like, even across different instances. It federates and everything!
I still need to sand down some rough edges, and make sure the edits federate too, but I might actually be almost done with this. :blobcatcheer:
Oh, and I need to rebase against the new 4.1 release of Mastodon. But I'm trying not to think about that yet.
End to end encryption is essential to keep all of us safe online.
Discussions that block or discourage #E2EE are downright dangerous and totally unacceptable—privacy is a basic human right for a reason.
Update on #E2EE for Mastodon DMs: I finally got two instances running out of the same source tree on my dev machine so I can actually test federation. But wow, was that a pain to set up!
I'll have to say, I didn't start this project of adapting my portable/nomadic identity system to Mastodon because it would be easy. I started it because I *thought* it would be easy. Why, oh why, does that always turn out to be so wrong?
@deancommasteven I’d be pretty surprised if upstream were interested in my code, but they’re certainly welcome to use it if they want. Last I heard, they had their own plans for #E2EE, so they probably don’t want what I did. No hard feelings.
That being said, I definitely plan to make a patch of some kind available so anyone can add my flavor of E2EE to their instance if they want.
More progress on #E2EE DMs on #Mastodon:
Editing encrypted DMs works now. Including viewing the edit history of an encrypted DM.
I'm still getting some concurrency issues with the website-to-browser-extension comms channel though. That's a tricky piece of tech to get right since browsers don't make that kind of comms easy. And of course concurrency continues to be hard.
Still working on #E2EE DMs for Mastodon using my Burger identity system, but progress is slow. Now I think I know why:
I just don't like working in Ruby. Or Ruby on Rails. Or both. I don't actually know the difference. I've never seen one without the other.
The code itself tells you so little about what's going on. There's so much behind-the-scenes magic. You have to keep this huge ruleset of Other Stuff in your head for the code to even make sense. My head just isn't good at that kind of work. My memory is terrible.
It's probably the same reason I vastly prefer GUIs over CLIs. I just can't keep the vast lexicon of commands that CLIs need all in my head at once, so I prefer UXs where you don't need to do that.
Fascinating. The Financial Times tried to stand up a Mastodon Instance and promptly gave up saying basically: it’s not worth it.
Among the reasons cited: “Mastodon administrators have access to everyone’s direct messages by default. FTAV has no interest in sliding uninvited into anyone’s DMs and the best way to prove it is to remove all opportunity.”
We really need #E2EE DMs.
Not because we’re really missing out by the shuttering of FT’s instance (we’re probably not), but because this simply shouldn’t be one of the risks of being an instance admin.
We don’t want to see your DMs.
Always fun to see #BigTech copying features #FOSS already had
Here's #FaceBook's #Messenger adding emoji reactions to encrypted chats:
#bigtech #foss #facebook #messenger #matrix #E2EE
@atoponce Really? Why would some rando's fork of a browser project be more trustable than the browser itself? I mean sure, Electron isn't just some rando, but there are other desktop embeddings of browser apps too. Tauri comes to mind. Do you mean specifically Electron is better than a browser extension, or the idea of customized browser forks is better than extensions generally?
I ask as someone who's building an #E2EE web app. Staying in the regular already-installed browser is a hard requirement. An extension/add-on feels like a viable option here, so I want to make sure I'm not entirely mistaken.