this post was submitted on 03 May 2022
9 points (100.0% liked)

[–] X_Cli@lemmy.ml 1 points 2 years ago* (last edited 2 years ago) (1 children)

Can you elaborate on how this is FUD, please?

Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

Using phone numbers as identifiers is a well-known Signal flaw.

And while CBC is indeed less robust than GCM regarding certain types of attacks, it is true that "up-to-date" CBC implementations have no known vulnerability. Yet, would you claim that TLS1.3 is FUDing for dropping CBC support as well?

I am not promoting mesibo, which I never heard about before. I am just trying to understand how this criticism of Signal would be invalid, or FUD.

[–] southerntofu@lemmy.ml 2 points 2 years ago (1 children)

> Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

Oh no it's a pretty good idea, and unfortunately mesibo isn't the first project to implement it... in an entirely new protocol that nobody will ever adopt. Implementing SMP in a widely-used protocol (email/PGP, IRC/OTR, XMPP/OMEMO) would benefit a lot more users.

> Using phone numbers as identifiers is a well-known Signal flaw.

Indeed, but once again we have dozens of protocols providing messaging primitives, whether federated or centralized. Why should we even consider Signal or Mesibo? To be honest, I appreciated Mesibo's criticism of Signal: it's fair and strongly deserved. I would add to this that Signal dropped on-disk database encryption, which is horrible: users set a passphrase expecting some security... only to find out later that the passphrase is purely cosmetic and the local DB is unencrypted.

> I am just trying to understand how this criticism of Signal would be invalid, or FUD.

I don't think it's either FUD or invalid. It just looks like yet another corporation making yet another protocol for yet the same use cases we already have a dozen protocols for. If mesibo is only about cryptographic research, OMEMO/Megolm could use a refresher... but unfortunately they're promoting an entire ecosystem and it's really not clear what the technical/business model is (I found the code for libmesibo but I don't see any server implementation on their GitHub).

I think given the very fragmented ecosystem we already have, the burden is on them to prove that their project is interesting/useful. From my perspective, it looks like some cryptographers wanted to do cool stuff, but need a bullshit business front (like any startup) to operate... like a lot of crypto research, unfortunately...

[–] X_Cli@lemmy.ml 2 points 2 years ago

I agree with all of your points :)