@Aaron@boringpeople.org 😂😂😂😂😂 the irony burns

@jerry @Aaron what we really need is a way to securely send e-mail.

People will continue to send e-mail. There is no way this goes away anytime soon. People will send sensitive stuff via e-mail.

We can spend time discussing just how exactly people should not use e-mail, or we can build a system that works.

I like the ideas behind PEP and AutoCrypt. I'd like to see them implemented in more clients.


@rysiek @Aaron@boringpeople.org I’m all for something that works and is usable. I can’t help but think that we need to take a step back and put some focus on designing the successor to smtp mail, rather than continuing to try to keep adding parts to Frankenstein.

@rysiek @Aaron@boringpeople.org otherwise, we keep having these issues and the nihilists say “see, it wasn’t made for that use case!”
And the optimists say “it just needs a bit more duct tape on the top and it’s good to go again! Stop being so negative”

@jerry @rysiek @Aaron
I have a feeling that right now, SMTP has the biggest adoption of all federated messaging protocols, and the second place is far far behind. Of all the new communication protocols I've seen recently, they're either popular, or federated, not both. And trying to get your new protocol adopted not just by people for their private communications, but also by companies, govts, and orgs for their internal and external communication is going to be extremely hard.

@Wolf480pl @jerry @Aaron there is some hope in the p2p world.

BitTorrent is not exactly a "messaging" protocol, but got immensely popular.

FireChat, a p2p messaging app, got very popular during protests in Romania. Sadly it's proprietary, so I'd stay far away from it.

Briar doesn't need any introduction in this group, methinks, but is not popular at all... yet.

But, messaging and e-mail are two different things. It's not just about sending the message. It's about the infra around it.

@Wolf480pl @jerry @Aaron what I mean by infra around it is: pretty much every single other on-line service and their dog will communicate with you via e-mail.

If we get a system that can plug-into this seamlessly, it might work.

@rysiek @jerry @Aaron
Maybe we mean different things by messaging.
IMO email is a messaging protocol, but one with certain interesting properties:
- allows you to send very long messages, with attachments, after preparing and proof-reading the whole thing
- is a de-facto standard for official online communication, incl. official documents
- everyone has it

@Wolf480pl @jerry @Aaron exactamente! But we have to be explicit about what we're talking about (incidentally, anyone who heard me talk in private about infosec and internet messaging knows just *how* explicit I get, but I digress).

The last two of your points are what I meant by "infra around it". That's the hard part. The network effect.

But we have a head start since SMTP is an open standard.

@rysiek @jerry @Aaron
so what we need is:
- define a set of email extensions
- define a set of banned email features
- get every client and server to implement the extensions
- get most clients or servers to implement the feature bans
not necessarily in that order?

@Wolf480pl @jerry @Aaron servers need not implement the "feature bans".

And clients blocking HTML in encrypted e-mail is slowly happening already -- with the shining example of Mailpile: github.com/mailpile/Mailpile/i

@rysiek @jerry @Aaron yeah I guess it depends on a particular feature whether it needs to be banned client- or server-side, hence "or". Maybe the set of undesirable server features is empty, I don't know.

@rysiek @Wolf480pl @jerry @Aaron I'd like to add Tox to this list.

It's free software with multiple GUIs, and is quite similar to Briar. Except they do allow adding remote contacts (though sharing the pubkey hashes to do so may not be practical for most), and they've made superficially different protocol decisions.

@alcinnz @Wolf480pl @jerry @Aaron I agree Tox is interesting. Played with it ~3 years ago, even used it quite extensively.

But usability was a problem. And battery drain on mobile. Plus there were some security issues I'm sure they fixed since.

Has Tox undergone an audit?

@rysiek @Wolf480pl @jerry @Aaron I don't know about these security issues, and I haven't heard of any auditing (though I am interested in any).

And I mostly just use my laptop, so I didn't notice those battery issues.

Wish I could be more informative.

@rysiek @Wolf480pl @jerry @Aaron Wow I'm finding it difficult to quite comprehend the conversation there, but I'll be more cautious about recommending it.

At the same time I don't know what I'd recommend instead. I like the free software p2p, but Briar doesn't appear to fit my use case (besides I'd prefer a smaller codebase to audit, it looks quite bloated).

Maybe I'll lean more on Matrix or XMPP? But then I lose the metadata encryption I'd love to play with.

@alcinnz @Wolf480pl @jerry @Aaron I think you could go Matrix. Heard good things about it.

Also RetroShare seems interesting, but also bloated.

I am not concerned about Briar's codebase. People working on it are as solid as they come, and Briar went through an audit already. More problematic is the model of establishing contact, which requires physical presence or a common friend. I like how secure it is, but I understand how annoying it might be at times.

For me personally Briar looks good.

@rysiek @alcinnz @jerry @Aaron
I'm not a fan of Matrix. From what I've heard, they have a terrible server implementation, and nobody else tries to make their own implementation because Matrix changes the s2s protocol too often.

Also, I've heard there's a thing called Secure Scuttlebutt, haven't looked into it, but it may be relevant here.

@Wolf480pl @rysiek @jerry @Aaron I do kind-of have questions about Matrix. From a distance it kind-of looks like they decided to reimplement XMPP with the latest fashion of JSON. And I still have to explore its encryption situation.

As for SSB I'm starting to look into it, particularly with Git-SSB. And from what I've seen, the tech looks very elegant when dealing with group comms or reliability despite the clients. Though again I have to look at the encryption again.

@alcinnz @Wolf480pl @jerry @Aaron I'd love to hear your thoughts on SSB once you dive into it a bit more.

@Wolf480pl @rysiek @jerry @Aaron Practically I'll happily use anything e2e encrypted (and unhappily anything else), but I will explain my ideal messenger.

First off I'm aware that the routing metadata is quite sensitive information, and am keen on seeing ways to encrypt it.

And second while I by no means think everything should be p2p, I do think messaging should be. This comes down to a concern that unless given a practical reason otherwise I worry everyone will use the same server.

@alcinnz @Wolf480pl @jerry @Aaron agreed. e2e, p2p, metadata hidden.

I like the approach of Briar and Ricochet, i.e. going via the Tor network. That's a good start. And the improvements in the speed of hidden services lately potentially make it possible to even have audio/video calls.

@rysiek @Wolf480pl @jerry @Aaron Oooh, Ricochet. From what little I've looked up about it, I'll be sure to check it out!

@alcinnz @Wolf480pl @jerry @Aaron aye, please do!

It's a bit of a dated codebase, no work apparently done for the last 2 years or so. Still, working just fine.

@Wolf480pl @alcinnz @jerry @Aaron ah, SSB, forgot about it. Serverless (like Briar, Tox, RetroShare), so it might be super-interesting.

@rysiek @Wolf480pl @jerry @Aaron I'd by no means discourage others from Briar, it looks like a useful tool. It's just not for any use cases I can foresee myself having.

As for the personal auditing, it's something I like to make a habit of. Not that I seriously trust myself to catch many or any issues, but nor do I trust enough auditing is done. And I by no means trust myself with auditing crypto, the most I really can do is say "yeah, that kinda looks like crypto". I'm glad you trust the devs.

@Wolf480pl @rysiek @Aaron@boringpeople.org you’re right. It would need to be an IETF standard, not some garage project, though. And even then, IPv6 is an IETF standard and most ISPs and consumers would rather suffer from lack of IPs than make the move.

@Wolf480pl @rysiek @Aaron@boringpeople.org having said that, I look at my kids (late teens) and realize that email will likely be relegated to inter and intra corporation communications. I’m not saying this is a good thing, mind you, because I don’t think replacing email with a series of Snapchat pictures is the most ideal solution, either.

@jerry @Wolf480pl @Aaron But that's why I said we have a head start.

We either do this now, however, or we will have to deal with having to do the same thing but for a closed, proprietary, walled garden like Failspook.

@rysiek @Wolf480pl @Aaron@boringpeople.org true. Email itself is becoming rapidly less federated. It’s becoming increasingly more painful to run a mail server (I speak from much experience) and it’s all moving to just a few providers (google, MS, etc). Point is, I think we’re moving to that walled garden even with smtp.

@jerry @rysiek @Wolf480pl @Aaron Interesting discussion! And I recently tooted a thread about a different angle on why so many people are so attracted to these centralised e-mail and other services. It's accessibility for people with disabilities, non-tech users etc. These big companies usually have much better resources to make things usable for a broader audience. See my thread here: toot.cafe/@marcozehe/100032643

@Wolf480pl @jerry @rysiek @Aaron I feel like just one "killer" app would speed the adoption quite a bit. Like if Slack was federated similarly to Matrix.org - people would just use Slack and in the process prop up the new protocol. Like most people don't realize they're using federation when they email someone on a different provider, but they do. Problem is, email's primary incentive wasn't profit, in this VC-funded age it is, so Slack has no incentive to adopt an open, federated protocol.

@MatejLach @Wolf480pl @jerry @Aaron we already have something similar to slack that federates like Matrix.

It's called Matrix.

@rysiek @Wolf480pl @jerry @Aaron On a serious note, the company I work at is very fond of Slack, I'm going to try to convince them to adopt Matrix at our next company meeting and report back. If we all do this, we could make a difference.

In addition to SMTP there's !XMPP and #IRC, but you're right, they don't have mainstream adoption (unless you consider the bastardized versions produced by Cisco and Slack)

@bobjonkman Slack doesn't actually use XMPP. AFAIK they never used XMPP internally, and recently they shut down their XMPP and IRC gateways.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.