• 2 Posts
  • 24 Comments
Joined 3Y ago
Cake day: Jun 28, 2021


As someone who’s been wanting to test (and maybe move to Podman) in the future but hasn’t really spent any time on it, what features have Red hat removed from Podman?



For anyone considering Session messenger:


The Session developers dropped Perfect Forward Secrecy because it would be hard to work around it.

First things first, let’s talk about what we’re leaving behind: Perfect Forward Secrecy (PFS) and deniability.

Source: https://getsession.org/session-protocol-explained

In plain English, they dropped a security feature for their convenience to the detriment of their users’ security.

For anyone unsure what PFS provides:

The value of forward secrecy is that it protects past communication.

Source: https://en.wikipedia.org/wiki/Forward_secrecy

The Session devs also claim:

Session provides protections against these types of threats in other ways — through fully anonymous account creation, onion routing, and metadata minimisation, for example.

Reading between the lines, we can interpret that as introducing security through obscurity, which is generally considered bad practice - https://cwe.mitre.org/data/definitions/656.html
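To make the "protects past communication" property concrete, here is an added example (not code from Session, Signal, or the original comment) that simulates two key-agreement designs in pure Python. It uses a deliberately toy DH group (the Mersenne prime 2^127-1 with generator 3) and a toy SHA-256 XOR stream cipher, both constructed for illustration and not secure; the message and the scenario names are also constructed. It shows what a passive recorder who later steals a long-term private key can and cannot read: with static-static DH the old session key is recomputable, with per-session ephemeral DH whose private halves were erased it is not. Real protocols such as X3DH combine the two (long-term keys for authentication, ephemeral keys for forward secrecy); only the forward-secrecy half is modelled here.

```python
"""Toy forward-secrecy demonstration: static DH vs ephemeral DH.

Constructed example. The group and the cipher are NOT secure; they only
illustrate which private keys an attacker needs to read recorded traffic.
"""
import hashlib
import secrets

P = 2**127 - 1  # toy group: Mersenne prime (assumption: fine for illustration only)
G = 3           # toy generator


def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a 32-byte key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_stream(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


MESSAGE = b"meet at the usual place, 9pm"  # constructed sample plaintext


def static_dh_scenario():
    """No forward secrecy: the session key depends only on long-term keys.

    Returns what an attacker decrypts from the recording after stealing
    Alice's long-term private key.
    """
    alice_lt_priv, alice_lt_pub = dh_keypair()
    bob_lt_priv, bob_lt_pub = dh_keypair()
    nonce = secrets.token_bytes(8)
    key = session_key(alice_lt_priv, bob_lt_pub)
    assert key == session_key(bob_lt_priv, alice_lt_pub)
    # Everything a passive observer can capture on the wire.
    recording = {"nonce": nonce, "ct": xor_stream(key, nonce, MESSAGE),
                 "alice_pub": alice_lt_pub, "bob_pub": bob_lt_pub}
    # Later: Alice's long-term key leaks. Public values + stolen key = old session key.
    stolen = alice_lt_priv
    recovered = session_key(stolen, recording["bob_pub"])
    return xor_stream(recovered, recording["nonce"], recording["ct"])


def ephemeral_dh_scenario():
    """Forward secrecy: per-session ephemeral keys, erased after the session.

    Returns the list of decryption attempts the attacker can make with the
    stolen long-term key and the recorded public values; none yields MESSAGE.
    """
    alice_lt_priv, alice_lt_pub = dh_keypair()
    bob_lt_priv, bob_lt_pub = dh_keypair()
    a_eph_priv, a_eph_pub = dh_keypair()
    b_eph_priv, b_eph_pub = dh_keypair()
    nonce = secrets.token_bytes(8)
    key = session_key(a_eph_priv, b_eph_pub)
    assert key == session_key(b_eph_priv, a_eph_pub)
    recording = {"nonce": nonce, "ct": xor_stream(key, nonce, MESSAGE),
                 "alice_pub": alice_lt_pub, "bob_pub": bob_lt_pub,
                 "alice_eph_pub": a_eph_pub, "bob_eph_pub": b_eph_pub}
    # Both parties erase the ephemeral private keys when the session ends.
    del a_eph_priv, b_eph_priv, key
    # Later: Alice's long-term key leaks. It can be combined only with public
    # values from the recording, and none of those combinations is the session key.
    stolen = alice_lt_priv
    attempts = [session_key(stolen, recording[k])
                for k in ("bob_pub", "bob_eph_pub", "alice_eph_pub")]
    return [xor_stream(k, recording["nonce"], recording["ct"]) for k in attempts]


if __name__ == "__main__":
    print("static DH, attacker reads:   ", static_dh_scenario())
    print("ephemeral DH, attacker reads:", ephemeral_dh_scenario())
```

The point of the simulation is the line `del a_eph_priv, b_eph_priv`: once the per-session private halves are gone, the recorded transcript plus any long-term key is not enough to rebuild the key, which is exactly what a design without PFS gives up.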


What’s wrong with Briar? https://briarproject.org/

Censorship-resistant peer-to-peer messaging that bypasses centralized servers. Connect via Bluetooth, Wi-Fi or Tor, with privacy built-in.

I think the reason these apps don’t take off is the compromises they make in order to work the way they do. When you do need them, you best hope you’re able to get them and get others to use them as well.


I’m able to play the Italian plumber game, can’t remember the name, on my spare six year old OnePlus 6T Android phone with a Bluetooth 8BitDo controller. My new Google Pixel crashes when I hit the jump button. It really depends on the hardware. Also runs great on my desktop.





Check out the live demo at https://demo.usememos.com/

If you’re on Firefox on desktop/laptop, check out Bypass Paywall [0]. It was removed from the Firefox add-on store due to a DMCA claim [1], but can be manually installed (and auto-updates) from GitLab. The dev even provides instructions on how to add custom filters to uBlock Origin [2], so you don’t have to add another extension but still get some benefit.

[0] https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clean

[1] https://winaero.com/mozilla-has-silently-removed-the-bypass-paywalls-clean-add-on-from-amo/

[2] https://gitlab.com/magnolia1234/bypass-paywalls-clean-filters


Because they get your profile picture, name, and email address when you click accept. I went through with it just to test, but they’re definitely getting some data from their users.


You’re right, but security and privacy are about layers, not always 100% effective mitigations, especially not when the mitigation is a function (contact discovery) that requires a private list (your contacts) be compared against another one. For anyone where this is an actual security risk, they don’t have to share their contacts. They will not know which of their friends/family are on Signal, but they can still use the service.

This feature does protect users in that any legal court order for Signal to present who is friends with whom (as almost every other messaging provider has actual access to your list of contacts) is not possible. They’ve been subpoenaed multiple times [0] and all they can show is when an account was created and the last day (not time) a client pinged their servers.

Lastly, I’m not sure if this is even a feature or not, but it wouldn’t be too difficult to introduce rate-limiting to mitigate this issue even more. As an example, it’s very unlikely that most people have thousands (or even tens of thousands) of people in their contacts. Assuming we go just a step beyond the 99th percentile, you can effectively block anyone as soon as they start trying to crawl the entire phone number address space, preventing the issue you’re describing.

[0] https://signal.org/bigbrother/
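The rate-limiting idea in the comment above, written out as an added Python example (not Signal’s code; whether Signal implements anything like this is not stated on this page). The server-side guard counts the distinct hashed numbers each account has submitted to contact discovery within a sliding window and blocks the account once that count passes a budget. The budget of 5000 distinct numbers per 24 hours is an assumption standing in for "a step beyond the 99th-percentile contact-list size"; the account names, phone numbers and request pattern are constructed. A normal user who re-syncs the same contact list repeatedly never approaches the budget, while an account walking the number space sequentially is cut off after learning at most the budget’s worth of numbers.

```python
"""Added example: per-account budget on distinct contact-discovery lookups.

Constructed scenario; thresholds are assumptions, not any real service's values.
"""
import hashlib

WINDOW_SECONDS = 24 * 3600
MAX_DISTINCT_PER_WINDOW = 5000  # assumption: just beyond a plausible 99th-percentile contact list


def hash_number(e164):
    """Clients submit hashed numbers; the guard only ever sees these digests."""
    return hashlib.sha256(e164.encode()).hexdigest()


class ContactDiscoveryGuard:
    """Tracks distinct hashed numbers per account inside a sliding window."""

    def __init__(self, max_distinct=MAX_DISTINCT_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_distinct = max_distinct
        self.window = window
        self.seen = {}        # account -> {hashed_number: last_seen_timestamp}
        self.blocked = set()  # accounts that exceeded the budget

    def _prune(self, account, now):
        """Forget numbers last submitted more than one window ago."""
        seen = self.seen.setdefault(account, {})
        for h in [h for h, t in seen.items() if now - t > self.window]:
            del seen[h]
        return seen

    def submit(self, account, hashed_numbers, now):
        """Process one contact-discovery request.

        Returns ("ok", n) or ("blocked", n), where n is how many numbers were
        actually looked up before the decision; that bounds what a crawler learns.
        """
        if account in self.blocked:
            return "blocked", 0
        seen = self._prune(account, now)
        processed = 0
        for h in hashed_numbers:
            # Re-submitting an already-counted number is free: normal re-syncs
            # of the same contact list never consume budget.
            if h not in seen and len(seen) >= self.max_distinct:
                self.blocked.add(account)
                return "blocked", processed
            seen[h] = now
            processed += 1
        return "ok", processed


def simulate():
    """Constructed traffic: one normal re-syncing user and one sequential crawler."""
    guard = ContactDiscoveryGuard()
    t0 = 1_700_000_000
    # Normal user: the same 800 contacts re-synced every hour for a day.
    contacts = [hash_number(f"+1555{n:07d}") for n in range(800)]
    normal = [guard.submit("alice", contacts, t0 + h * 3600)[0] for h in range(24)]
    # Crawler: 1000 consecutive numbers per request, one request per minute.
    learned, status = 0, "ok"
    for batch in range(100):
        nums = [hash_number(f"+1555{n:07d}") for n in range(batch * 1000, (batch + 1) * 1000)]
        status, n = guard.submit("mallory", nums, t0 + batch * 60)
        learned += n
        if status == "blocked":
            break
    return normal, status, learned


if __name__ == "__main__":
    normal, status, learned = simulate()
    print("normal user decisions:", set(normal))
    print("crawler:", status, "after learning", learned, "numbers")
```

Counting distinct numbers rather than requests is what makes the guard fair to legitimate clients: re-syncing an unchanged address book costs nothing, so the budget only bites on accounts that keep presenting numbers the server has not seen from them before.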


Not necessarily.

Signal has people who are experts in their field. They engineer solutions that don’t exist anywhere else in the market to ensure they have as little information on you as possible while keeping you secure [0]. This in turn means high compensation + benefits. You don’t want to be paying your key developers peanuts as that makes them liable to take bribes from adversaries to “oops” a security vulnerability in the service. In addition, the higher compensation is a great way to mitigate losing talent to private organizations who can afford it.

[0] Signal has engineered the following technologies that all work to ensure your privacy and security:




This is a nice surprise. Didn’t even know this was in development. Can’t wait to test it out!


I plan on making it available inside my own network, not public. This way if someone makes it past my security, I at least have something that might “catch” them in the act and disable my network so I can intervene. Just another security layer.


Was thinking of creating a honeypot
but before I do, I figured I'd ask if anyone's aware of any tools/software that covers my basic needs of setting up something basic that may alert me if there are any intruders in the network? Needs:

1. Fake ssh login that can trigger a script so I can take care of the rest.
2. Fake network share (cifs/samba) that can trigger a script if anything tries to access it.

Would be great if there are any docker images I can just pull, make some minor edits, and run. Thanks!

Fair point, but do note that https://wormhole.app is just a web-client for the wormhole protocol. There’s a reference implementation and there’s - personally - a much better go-based implementation (wormhole-william) that also has a few clients built using its API:




I used Ubuntu for a while and distro-hopped before deciding to land on Debian. I figured major distros used it as their base for a reason. The older I get the more I appreciate the “it’ll release when it’s ready” approach that Debian takes. There’s no economic pressure to release with major bugs hoping the next sprint will fix most issues, like a lot of “enterprise” software. The Debian release cycle is not 100% predictable, but it is reliable. I’ve had a server go through a few major upgrades for nearly a decade before the hardware itself gave out. The OS was rock solid the entire time. Additionally, with flatpak, outdated desktop apps are no longer an issue and I use docker for hosting services.

I will admit that Debian is pretty “bland” from a fresh install, but I don’t mind that at all.


Wow. I’ve struggled using the “traditional” method and this is so much better. Thanks!


I’m only aware of this one. Is there another one you’ve heard of?


Knowing nothing about the Eufy cameras, pros/cons?


What doesn’t work? I was just using it on Android as a PWA without problems. Only issue I could see is the top nav bar (where the notifications show) is gray vs black, which could be an easy fix. On Firefox if that makes a difference.