Redo of instant messenger section (centralized, federated, peer to peer) #1500
Reference: privacyguides/privacytools.io#1500
I needed to add these icons because they did not exist.
The only one I needed to change was the XMPP logo, as it wasn't square (only by a few pixels).
Matrix
I also edited the description for Matrix. Initially in https://github.com/privacytoolsIO/privacytools.io/issues/1377 I was going to mention the privacy sprint. I think this might be a bit complex for new users, and really, unless they understand what those issues were about, it serves little purpose in adding it.
Likewise the confusion between RiotX and regular Riot, I decided not to mention this as users should use what is generally available unless they know otherwise.
I also removed the Experimental E2EE badge as I do not believe that the previous description at all reflects the stability of E2EE in Riot currently which is pretty good, just need to remember to enable it.
XMPP
The original description is too complex so I decided to simplify that also. We won't talk about the bad XMPP clients just the ones we've handpicked.
Netlify preview: https://deploy-preview-1500--privacytools-io.netlify.com/software/real-time-communication/
Deploy preview for privacytools-io ready!
Built with commit
b0e178f4d1
https://deploy-preview-1500--privacytools-io.netlify.com
https://github.com/dngray/ptio-edited-logos I put up the logos here, they got edited with a border.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I have to pause reviewing to have dinner, but I will continue from P2P as soon as I can.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I think the actual Matrix logo should be used here instead of the Riot one. The [m] one, I mean.
Why is Matrix section advertising bridging capabilities to other platforms, while XMPP had transporting to other platforms since always? :)
I also think that this introduction is looking a lot more complicated.
This may be controversial though as it's still in early development, while being the most modern. It's also horribly outdated in some repos.
More praised client on iOS, but I am missing personal experience.
Oh, Gajim doesn't have OMEMO by default and needs a plugin for that.
Should this mention that it's based on XMPP?
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Would it make sense to link to self-contained networks here?
I think something like this may make this seem like a bit less bad option.
I am not entirely sure, but I think there is also something else than TLS.
I think they are moving domains and used to have a warning about updating links.
Should it be noted that Wi-Fi/Bluetooth only works when the contact is in close proximity and that messages won't start jumping from one user to another? I don't know if this has changed recently though.
Should https://theintercept.com/2019/08/04/whistleblowers-surveillance-fbi-trump/ come here via #1134 ?
Should Wire's APK being available at https://wire.com/en/download/ be noted?
Some nitpicks and general comments.
Another nit: There's also a lot of text that says what E2EE stands for ("E2EE (end-to-end encryption)"), so it might feel better and less redundant if we just wrote out "end-to-end encryption". The Signal and Wire cards don't use "E2EE", for example.
This is not true. On Android, there is an option to send unencrypted SMS when you use Signal as the SMS app.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
We should probably get a dark theme version of this logo (using image-dark= variable to include it), since black text on dark background isn't optimal.
I think stating "Warning" here is redundant (and the other warnings such as "Experimental E2EE" don't have it either)
While we're at it, we should add the (?) icon using <i class="far fa-question-circle"></i> for all warning badges with tooltips and move warning badges to the end.
This might be misinterpreted as always-on E2EE as a general advantage of peer-to-peer communications, rather than an advantage of the recommendations we make for peer-to-peer chat apps.
I don't think being peer-to-peer alone implies that E2EE is always on or even present; it depends entirely on who is implementing E2EE.
We should move badges to the end like the main recommendations.
Jami also uses RSA (https://jami.net/help/#answer1) for encrypting messages.
I think mentioning Signal's apk here is redundant since the main card already has the apk download link.
The apk for Wire can be added under the Wire card in the same manner.
Some other audits to include:
For perspective, maybe in Related Information we should include Signal's (centralized) article on their view on federation: https://signal.org/blog/the-ecosystem-is-moving/
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I saw this done on the previous version of the article for the cards. Do we not need to escape the " anymore?
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I guess this is a good point. I borrowed that from the team description, maybe we should get rid of that part as some of the feature set is unavailable, i.e. E2EE, VoIP, etc., when using bridges.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I do like the look of Dino, so I would be keen to approve that; however, there don't appear to be any recently tagged releases: https://github.com/dino/dino/releases. This may be why it's horribly outdated in some repositories.
Also nobody brought this up in https://github.com/privacytoolsIO/privacytools.io/issues/1377
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Hmm, Siskin is by Tigase Inc., which if I recall correctly is an official XSF sponsor, which might mean they have more time to dedicate to it.
Commit wise, they're newer however I guess we would need someone with an iOS device to test (I don't have any).
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Done
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Done.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I don't believe so:
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Resolved, https://github.com/privacytoolsIO/privacytools.io/pull/1500#discussion_r347158073
See 71cced9631
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Fixed 43da09e142
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Not sure about this one. I think a comma is more appropriate, however avoided with a2d3eb7df0
Resolved in a4803c5783
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Fixed: eaed3a9013
As it happens it's already in the wire card.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
It's mentioned in the second paragraph for peer to peer https://github.com/privacytoolsIO/privacytools.io/pull/1500/files#diff-48937a8bcda8d20aaa9a12766c6a29ddR145
Do we really need to mention it again?
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I think that article is a bit out of date to be honest and does seem like an excuse for doing things properly.
I also think Drew DeVault sums it up pretty well: https://drewdevault.com/2018/08/08/Signal.html in particular under the "Trust, federation, and peer-to-peer chat" section. In particular this comment: Truly secure systems don’t require trust.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Yes good point.
fd7c1a5dee
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I am wondering about this, where would it go? I am also keen to remove:
https://firstlook.org/theintercept/2015/07/14/communicating-secret-watched which was linked at the bottom. While it does hold true, I think we have distilled what information we need from it in our own blog article maybe.
The stuff about Adium/Pidgin really is very outdated and hence I am keen to remove that link.
Thanks for that I wrote it when I was rather 💤
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Done
704683e818
We should probably do one for qtox too
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
What was the suggestion here?
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
@nitrohorse @JonahAragon I guess you can take up this part? :)
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Fixed in c8ed76f8c3
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
No, sorry, I think it's just my English and not understanding the word "direct", except that isn't so correct in case of P2P over the internet as there are routers on the way.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Wrong, Keybase gave up on OpenPGP in 2015, switching to NaCl-based device keys, and it doesn't even require having a PGP key anymore.
https://keybase.io/blog/keybase-new-key-model
We explain what E2EE is, so I've opted to use that throughout after explaining what the acronym means in the first paragraph 4a368f93dd
I figured there's no point in having an acronym if we don't use it to make things shorter.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I did put it in its own bullet point fce382f042 what do you think about that?
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I don't actually know of any P2P instant messengers that don't have encryption.
By definition if an instant messenger that is peer to peer has encryption it is going to be E2EE as there's no server is it not?
I suppose there was winpopup at one point in time... maybe we can reword this.
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Ah thanks for that, fixed
699d9cb815
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Fixed in b7cdadafa8
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
Okay then I'll mark this one as resolved. Issues like this should get resolved when we have i18n support https://github.com/privacytoolsIO/privacytools.io/issues/1106
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
I think this sounds okay
48cdab7a39
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
GitHub didn't highlight the diff, but "Distributed hash table" in the parentheses should be lowercase
@ -31,0 +63,4 @@
mac="https://keybase.io/docs/the_app/install_macos"
linux="https://keybase.io/docs/the_app/install_linux"
freebsd="https://www.freshports.org/security/keybase/"
googleplay="https://play.google.com/store/apps/details?id=io.keybase.ossifrage"
thanks for spotting that.
I wonder if it's worth linking to the protocol audit? Taken from https://threatpost.com/signal-audit-reveals-protocol-cryptographically-sound/121892/
We link to Keybase's protocol audit btw.
I wonder if we could also hyperlink "identity proofs" for further reading/reference.
Maybe https://keybase.io/docs/server_security ?
Also worth noting we'll need to create Discourse forum links for any new suggestions.
I think we can do
I think I remember @danarel mention to remove this for now since it's undergoing construction.
I'm thinking for Signal and Keybase, we could just link to this subsection instead (since it already contains links to the audits and more)?
Maybe https://en.wikipedia.org/wiki/Keybase#Identity_proofs might be easier to digest?
Some suggestions, nice work so far!
I think this is a bit too big for me at the moment, but I will get back to this at a better time. I should be able to especially next week.
I agree looks good for consistency.
Yes, I had a note on my list to do this; I don't think I have permission to do that.
XMPP: https://forum.privacytools.io/t/discussion-xmpp/2112
Briar: https://forum.privacytools.io/t/discussion-briar/2114
Jami: https://forum.privacytools.io/t/discussion-jami/2116
(q)Tox (is there point in making it client specific?): https://forum.privacytools.io/t/discussion-tox/2115
Regarding disadvantages of federated servers:
We oftentimes observe that small servers run by private people don't serve privacy policies, or there are some indications that the server admins aren't security "professionals" but set up their server by implementing some guides on the internet.
Due to this, it can be 1) hard to reclaim any privacy rights, 2) hard to identify the party actually running the server, and 3) hard to check the actual level of security of the federated server (also including that federated networks don't come with a homogenous level of security).
Furthermore (not directly connected to points mentioned above), a federated server can still block federation to other servers. So depending on your server, it can be impossible to talk to some other server in the federated network.
These are merely suggestions, do as you wish.
What I wonder is, is this an advantage for the user? We can restate it in a way that more clearly is.
I can't do multi-line suggestions but I would make the following changes (which I can't do in multiple suggestions because I want to reorder everything — I think the order is important in terms of what people care about the most).
see above
moving this to disadvantages.
@ -53,1 +161,4 @@
fdroid="https://f-droid.org/packages/org.briarproject.briar.android/"
googleplay="https://play.google.com/store/apps/details?id=org.briarproject.briar.android"
%}
I am inclined to agree with you.
We need to reword that part if we go with this
I am approving this, but request the typo "or or " to be fixed before merging. I have some other questions, but that is the biggest one I can spot at the moment.
I wish for a better link for XMPP, but I am fine with this one.
Any idea how?
I am not sure Matrix.org team is correct, isn't it New Vector?
Double or looks wrong to me.
Their peers? Would contacts be more clear or could this be reworded?
@ -31,0 +87,4 @@
<h3>Disadvantages</h3>
<ul>
<li>Adding new features is more complex, because these features need to be standardized and tested to ensure they work with all servers on the network.</li>
<li>Some metadata may be available. Information like "who is talking to whom," but not actual message content if E2EE is used.</li>
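Review bot: The second item under Disadvantages, "Some metadata may be available. Information like ...", is a sentence followed by a fragment, and it never says who the metadata is available to. Name the party that can see it and fold the two into one sentence, for example: Some metadata, such as "who is talking to whom," may be available to that party, but not the actual message content if E2EE is used.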
I am not entirely certain on the reasoning.
@ -31,0 +88,4 @@
<ul>
<li>Adding new features is more complex, because these features need to be standardized and tested to ensure they work with all servers on the network.</li>
<li>Some metadata may be available. Information like "who is talking to whom," but not actual message content if E2EE is used.</li>
<li>Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is utilized.</li>
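Review bot: The last item says federated servers "require trusting your server's administrator" without saying what the administrator is trusted with, while the item directly above says message content is not exposed when E2EE is used. State the scope of that trust in this item so the two do not read as contradictory. "utilized" at the end of the same item can simply be "used".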
Was there a comment on file names?
Nevermind it's in the XMPP warning.
@ -31,2 +132,4 @@
<p>Peer-to-Peer instant messengers connect directly to each other without requiring third-party servers. Clients (peers) usually find each other through the use of a <a href="https://en.wikipedia.org/wiki/Distributed_computing">distributed computing</a> network. Examples of this include <a href="https://en.wikipedia.org/wiki/Distributed_hash_table">DHT (distributed hash table)</a> (used with technologies like <a href="https://en.wikipedia.org/wiki/BitTorrent_(protocol)">torrents</a> and <a href="https://en.wikipedia.org/wiki/InterPlanetary_File_System">IPFS</a>, for example), or <a href="https://en.wikipedia.org/wiki/Ethereum">Ethereum</a>'s <a href="https://github.com/ethereum/wiki/wiki/Whisper">Whisper</a> protocol (used with some newer DApps). Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the <a href="https://www.scuttlebutt.nz">Scuttlebutt</a> social networking protocol). Once a peer has found a route to its contact via any of these methods, a direct connection between them is made.</p>
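Review bot: The closing sentence, "a direct connection between them is made," stops short of the consequence a reader of a privacy guide needs: with a direct connection each peer learns the other's network address. Either say so here or make sure the disadvantages list for this section covers it. Smaller points in the same paragraph: "proximity based networks" should be hyphenated, and the DHT sentence stacks two parentheticals, "(distributed hash table)" followed by "(used with technologies like ... for example)", which would read better split into its own sentence.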
Should IPFS and torrents also be links by the way?
@ -31,0 +87,4 @@
<h3>Disadvantages</h3>
<ul>
<li>Adding new features is more complex, because these features need to be standardized and tested to ensure they work with all servers on the network.</li>
<li>Some metadata may be available. Information like "who is talking to whom," but not actual message content if E2EE is used.</li>
The reasoning is that documentation needs to be available so a consistent integration can occur.
Kind of like with Matrix, when a new room upgrade is available, they have to write about it first rather than just merge a change.
Riot itself is released by New Vector, although it's a thin skin on top of the reference client SDKs (matrix-{react,ios,android}-sdk) released by the Matrix.org Foundation.
Sorry @dngray, more things to address were given to me in private at Matrix
On Matrix I am asked what does this actually mean?
I tried to explain transport encryption and that there are also other E2EE protocols, but that OMEMO is the best/easiest and that there is a comparison on https://conversations.im/omemo
I was also asked what does this mean. My answer was:
Is there anything about transport encryption currently?
Assigning myself, so I maybe will remember to use the fine suggest changes button or may be sending PRs to your branch
@ -31,0 +55,4 @@
image="/assets/img/tools/keybase.png"
description='Keybase provides a hosted team chat with E2EE. Its protocol has also been <a href="https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf">indepedently audited (PDF)</a>. Keybase can help you prove you own social media accounts though the use of cryptographic signing of "<a href="https://en.wikipedia.org/wiki/Keybase#Identity_proofs">identity proofs</a>".'
labels="warning:<a href=//github.com/keybase/client/issues/6374>Warning</a>:This software relies on a closed-source central server."
website="https://keybase.io/"
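Review bot: Two typos in the description line will ship to the live card: "indepedently audited" should be "independently audited" and "though the use of" should be "through the use of". In the labels line, the href is unquoted and scheme-relative (href=//github.com/keybase/client/issues/6374); if that is deliberate to keep quotes and ":" out of the colon-separated labels value, a short template comment saying so would help the next editor, otherwise quote the attribute value.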
Another link: https://github.com/keybase/keybase-issues/issues/162
@ -31,2 +132,4 @@
<p>Peer-to-Peer instant messengers connect directly to each other without requiring third-party servers. Clients (peers) usually find each other through the use of a <a href="https://en.wikipedia.org/wiki/Distributed_computing">distributed computing</a> network. Examples of this include <a href="https://en.wikipedia.org/wiki/Distributed_hash_table">DHT (distributed hash table)</a> (used with technologies like <a href="https://en.wikipedia.org/wiki/BitTorrent_(protocol)">torrents</a> and <a href="https://en.wikipedia.org/wiki/InterPlanetary_File_System">IPFS</a>, for example), or <a href="https://en.wikipedia.org/wiki/Ethereum">Ethereum</a>'s <a href="https://github.com/ethereum/wiki/wiki/Whisper">Whisper</a> protocol (used with some newer DApps). Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the <a href="https://www.scuttlebutt.nz">Scuttlebutt</a> social networking protocol). Once a peer has found a route to its contact via any of these methods, a direct connection between them is made.</p>
Done.
I think I have resolved this in 1a20f3acbb
That table does say that file transfer with OMEMO is encrypted however there are two XEPs for file transfer (3 if you include the retracted one).
Looking at XEP-0384: OMEMO Encryption it says:
Note that it says could and can; that does not mean that it does. Maybe Conversations does?
This is of course assuming that the client is using XEP-0234: Jingle File Transfer and not the older XEP-0096: SI File Transfer.
Looking at XEP-xxxx: OMEMO Encrypted Jingle File Transfer I don't think file transfers or voice/video do get encrypted E2EE. (This one is also written by the developer of Conversations).
Looking at XEP-0234: Jingle File Transfer it says:
Now if we dig into XEP-0260: Jingle SOCKS5 Bytestreams Transport Method we see:
XEP-0261: Jingle In-Band Bytestreams Transport Method says:
Should also note that sharing files is a peer-to-peer operation that will expose your IP address to the other participant. Unless the client supports XEP-0363: HTTP File Upload, yet another way to share files.
So in conclusion my observation is voip/video is not encrypted, they are peer to peer transfers that occur exposing your IP to the remote user.
File transfers can be encrypted transparently but might not be. It's not very clear on that.
I think I've made it clearer d1487f7a3c
@danarel and I had a look around, and couldn't find anything.
I've decided to remove this as it's very much an advanced feature, which actually means no E2EE on Matrix so we probably shouldn't recommend it.
What point specifically are you talking about?
How can I verify that the server software running on a random server somewhere matches the public source code?
@ -31,0 +55,4 @@
image="/assets/img/tools/keybase.png"
description='Keybase provides a hosted team chat with E2EE. Its protocol has also been <a href="https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf">indepedently audited (PDF)</a>. Keybase can help you prove you own social media accounts though the use of cryptographic signing of "<a href="https://en.wikipedia.org/wiki/Keybase#Identity_proofs">identity proofs</a>".'
labels="warning:<a href=//github.com/keybase/client/issues/6374>Warning</a>:This software relies on a closed-source central server."
website="https://keybase.io/"
As far as this is concerned, no. They've not said they are going to do federation, and I like to avoid linking to github issues on the main page.
Sure, you can only do that if you're running it yourself, or you trust your system administrator, i.e. if it was a family member that set it up.
I added the netlify link to the original comment and I am not sure if the bridge/transport part was removed, but could it be noted that bridges/transports/relays turn federation/P2P into a single point of failure? And is the dependency on your server explained or do we consider that as too obvious?
Looks great!
Emergency approval before I leave from home as requested on the team chat, however I disagree with demoting XMPP.
(And my other change requests will probably need a new PR?)
https://github.com/matrix-org/synapse/issues/1263
Another emergency approval while I still disagree with the direction this PR took overnight.
Was this even something previously discussed? It was never full-recommended in the first place, this keeps it in the same position.
duawdhuawhdawudh
Clarification on my previous comments:
I woke up at 07.23, which is earlier than usual, and left for psykofyysinen kuntoutus at 8.23 (where I arrived late). During this time I did my morning tasks and checked the PrivacyTools team chat where I learned that a blog post has been posted and this needs emergency merging immediately and that we have delisted XMPP.
After I left from home, I was unable to reach other team members than @nitrohorse on XMPP and Wire (and we also established a Signal connection) who apologised for not understanding that I didn't have time for reviewing and clarified to me that we have not delisted XMPP and XMPP is still a worth mentioning app, which I can agree with).
I also learned that as a backup to the teamchat on Matrix, we are having a backup chat on Keybase. However neither works on my main phone (and I was too di/stressed about everything to remember I have a powered off spare phone that Riot works on) as they are too heavy.
I am not sure if RiotX has an issue about not performing well on Nokia 1, but at first it was showing me that everything is an encrypted message, then I maybe got two or three lines sent and read and as it then threw me to ancient history in the scrollback I attempted the clear cache and reload trick, which RiotX never continued further. I am aware that RiotX is an experimental app, but even with its malfunctioning, it works better and seems lighter than Riot.
On Keybase, I have been complaining about it not working on my main phone for almost a year https://github.com/keybase/client/issues/15115 and it's also one of the most heavy apps I run on my desktop (that has 8 GB RAM) alongside Riot, Signal and Wire.
PS. I haven't still reviewed what has happened to this PR since my previous full review yesterday or earlier and I don't see much point doing that seeing that it has been merged already.
PPS. I have no access to either team chat until around 14 UTC as the app is too heavy for my work try-out practice device with 4 GB of RAM that is efficiently eaten by Firefox, RocketChat, Riot and Telegram.