Conversation

Notices

1. lnxw48a1 (lnxw48a1@nu.federati.net)'s status on Monday, 06-Sep-2021 20:28:49 EDT lnxw48a1
   https://thehackernews.com/2021/09/protonmail-shares-activists-ip-address.html
   
   I did not anticipate this, because I figured they’d have learned from Lavabit and designed their systems such that there was no way for them to have any metadata (user’s IP address, user’s ‘user agent’, timestamps of users’ correspondence, pretty much everything except what is required to send and receive messages). Any information your system has, however briefly, can be the subject of a government order.
   
   My issue over the years has been that both Protonmail and Tutunota send you the JavaScript used to “end-to-end encrypt” your message. At any time, they could be ordered to modify that JS to cache the encryption keys for later reuse by government agencies.
   
   Tags: #Protonmail, #surveillance, #government_over_reach, #metadata, #encryption, #JavaScript
   1. simsa04 (simsa04@gnusocial.net)'s status on Monday, 06-Sep-2021 20:50:56 EDT simsa04

      in reply to
      So what's the point of still using this mail provider then? I'm relieved I never used my account there much and didn't fall for the fake promises of purported "security".
      1. GeniusMusing (geniusmusing@nu.federati.net)'s status on Tuesday, 07-Sep-2021 09:34:09 EDT GeniusMusing

         in reply to
         @lnxw48a1 @simsa04
         
         We know many ways to not have secure messaging, how do we do it correctly?
         
         How would it be "future proofed" as if it was done correctly, the laws would probably be changed to try to allow for snooping at some level?
         
         As it is, anything going over the internet is traceable/trackable at some level, even if only your connection and the ip address(s) you are connected to.
         1. Alexandre Oliva (moved to @lxo@gnusocial.jp) (lxo@gnusocial.net)'s status on Tuesday, 07-Sep-2021 10:09:16 EDT Alexandre Oliva (moved to @lxo@gnusocial.jp)

            in reply to
            P2P, E2E-encrypted and onion-routed messaging implemented with fully freedom-respecting software, an active community auditing every change, and reproducible builds
            1. GeniusMusing (geniusmusing@nu.federati.net)'s status on Tuesday, 07-Sep-2021 11:35:33 EDT GeniusMusing

               in reply to
               @lxo @lnxw48a1 @simsa04
               
               The only thing missing on my bingo card for a win is blockchain. :P
               
               This might be a solution for 0.1% of possible users, what about the rest?
               
               Storage (new/old messages and attachments) and retrieval (message syncing on multiple devices) are the two biggest functional issues I can see.
               
               The other big issue is how to make it easy enough to install so that almost anyone can use it on any platform otherwise it becomes just another "geeks only" tool for communicating.
               
               I have been thinking about this messaging 2.0 thing for over five years and I am no closer to something that would work (theoretically, no code tried yet) for the majority.
               1. Alexandre Oliva (moved to @lxo@gnusocial.jp) (lxo@gnusocial.net)'s status on Tuesday, 07-Sep-2021 21:13:26 EDT Alexandre Oliva (moved to @lxo@gnusocial.jp)

                  in reply to
                  consider an email system that uses the P2P storage system suggested in https://www.fsfla.org/blogs/lxo/draft/decent-computing.en.html
                  consider that you can run however many MTAs you wish, that will deliver email to your P2P-stored encrypted and replicated mailbox, and MUAs that will show you the messages in it
                  MTAs could be receiving mail by SSMTP on onion addresses. we could have open proxies tunneling incoming [S]SMTP connections into the onion services. you can throw in blockchain-based domain name registration as a means to register MX entries for your domain, and to associate IP addresses to them. does any of this make sense for you?