@frumble@mehdorn okay, I'll accept the threat model "forgot to lock screen". The other one doesn't work anyway: the UAC screen is specially shielded, no scripts can run there
That said, of course the alternative must be properly maintained etc. But if it is not, people will switch to the original FLOSS implementation. So competition is kinda built into FLOSS… 🤔
Actually, if you have good products also FLOSS competition is good. Because an alternative can still do things differently/better/provide better options etc.
Just see how #bind, that FLOSS monopoly on DNS servers, causes troubles. One vulnerability and everything is gone wrong.
@NHonigdachs@DC7IA AFAIK Wire has a desktop client, so no. (but that is also some web dev thing, so there we have bigger problems than insecure smartphones lol); and Threema, yeah kinda. Although an unofficial desktop implementation exists: https://github.com/blizzard4591/openMittsu/
(though AFAIK they have not yet implemented generating your key pair)
@NHonigdachs@DC7IA 2. that is a workaround. (and maybe they'll block these numbers later, like Google does for their sign-up. AFAIK they want an identity to be a phone number.)
1. I know, yes. But phone number hashes are easily brute-forced (because they cannot contain a salt in our case), so that is not really a protection. And with easy I mean at most some seconds for one number without special setup. The keyspace is just too low. Even Threema devs acknowledged that and calculated it.