Conversation

Notices

1. Embed this notice
   Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 19-Feb-2025 00:04:17 JST Soatok Dreamseeker

   Reviewing the Cryptography Used by Signal

   Last year, I urged furries to stop using Telegram because it doesn't actually provide them with any of the privacy guarantees they think it gives them. Instead of improving Telegram's cryptography to be actually secure, the CEO started spreading misleading bullshit about Signal®. Since then, I've been flooded with people asking me about various other encrypted messaging apps…

   http://soatok.blog/2025/02/18/reviewing-the-cryptography-used-by-signal/

   • Alexandre Oliva likes this.
   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 00:17:20 JST Rich Felker

     in reply to

     • nadja

     @dequbed @soatok I so hate the IPsec fandom that keeps trying to revive it. It's like:

     "What if we did encryption at entirely the wrong layer and forced everyone to rework their system configurations, network configurations, and applications all at once, rather than just putting the encryption at the right layers? Yes I am smart!!!111"

   • Embed this notice
     nadja (dequbed@mastodon.chaosfield.at)'s status on Wednesday, 19-Feb-2025 00:17:21 JST nadja

     in reply to

     @soatok I am still disappointed that the cannon-sized footgun that is IPsec is … a cannon-sized footgun. I would so love for it to be decent but even at its best it's basically just as good as wireguard :blobcatcomftears:

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 03:18:46 JST Rich Felker

     in reply to

     • nadja

     @dequbed @soatok Unless you're just using IPsec as a tunnel encapsulating layer, the reason it's "the wrong layer" is that applications have to know about it to use it, but they can only use it if they're on a system & network configuration that supports it. This is stupid, because applications don't want encryption at the network layer, they want it at the transport layer and possibly also application layer.

     If you are just using it to encapsulate a tunnel, it's a less compatible, more stateful, more painful to setup version of wireguard.

     Ultimately, encryption at the network layer is not something that benefits application privacy/security. It's just a way to bypass draconian firewalls and metadata harvesting.

   • Embed this notice
     nadja (dequbed@mastodon.chaosfield.at)'s status on Wednesday, 19-Feb-2025 03:18:48 JST nadja

     in reply to

     • Rich Felker

     @dalias @soatok For that point to land you do need to explain why it is "entirely the wrong layer".
     Because if you want to add encryption transparent to all higher layers with the goal to emulate the access safety of a physically secured network — which on the surface is what most VPNs do try to do — then it is entirely the *right* layer. It just turns out most of our problems are not shaped like that.

   • Embed this notice
     Alexandre Oliva (lxo@snac.lx.oliva.nom.br)'s status on Wednesday, 19-Feb-2025 14:19:40 JST Alexandre Oliva

     in reply to
     great stuff! what I most dislike about signal is that you can't even start using it without a device that is already fully compromised (I'm talking about mobile telescreens AKA pocket ankle tracking devices). I hope reading the rest of your review (I like what I'm seeing so far, kudos, but I've still got a long way to go!) will convince me that one can possibly recover privacy after that initial misstep. alas, most people will keep on using it on fully compromised devices, and E2EE is not much use when the attackers can get at the plaintext before it gets encrypted 😞 hopefully you've covered that too. fingers crossed. great stuff!