← Back to context

Comment by chadsix

1 year ago

> if you have to reason about how the operator will handle legal threats, you shouldn't bother reasoning about the messenger at all.

That's true.

You need to run your own platform people. XMPP is plenty simple, plenty powerful, and plenty safe -- and even your metadata is in your control.

Just self host. There's no excuse in 2024.

Wake up people!

Why should the arrest of someone else affect YOU?

14 comments

chadsix

Reply
nrr  1 year ago

"You need to run your own platform people." What problem does this solve?

I'm someone who's been on the business end of a subpoena for a platform I ran, and narcing on my friends under threat of being held in contempt is perhaps the worst feeling I'm doomed to live with.

"XMPP is ..." not the solution I'd recommend, even with something like OMEMO. Is it on by default? Can you force it to be turned on? The answer to both of those is, as it turns out, "no," which makes it less than useful. (This is notwithstanding several other issues OMEMO has.)

  • immibis  1 year ago

    Note in particular that the Ethernet connection to xmpp.ru/jabber.ru's server was physically intercepted by German law enforcement (or whatever-you-think-they're-actually-enforcing enforcement), allowing them to issue fraudulent certificates through Let's Encrypt and snoop on all traffic. This was only noticed when the enforcement forgot to renew the certificate. https://news.ycombinator.com/item?id=37961166

  • zaik  1 year ago

    > The answer to both of those is, as it turns out, "no"

    This is not true, it depends on the client. Conversations has OMEMO enabled per default.

dylan604  1 year ago

As if it were that simple. Where are you going to host that self-hosted instance? What protections against law enforcement inspections do you have? What protections against curious/nefarious hackers? How are you going to convince every single person you interact with to use it?

Gung-ho evangelists rarely convert like a reasonable take on the subject does

godelski  1 year ago 

  > Just self host. There's no excuse in 2024.

I hate to break it to you, but there's plenty of excuses. We live in a bubble on HN.

May I remind you what the average person is like with this recently famous reddit post:

https://archive.is/hM2Sf

If you want self hosting to happen, with things like Matrix, and so on, the hard truth is that it has to not be easy for someone who can program, but trivial for someone who says "wow, can you hack into <x>" if they see you use a terminal

maqp  1 year ago

You're assuming end-to-end encryption doesn't exist, and that the only way to be safe is to have someone close to you self-hosting.

Self-hosting is terrible in that it gives Mike, the unbeknownst creepy tech guy in the group 100% control over the metadata of their close ones. Who talks to whom, when etc. It's much better to either get rid of that with Tor-only p2p architecture (you'll lose offline-messaging), or to outsource hosting to some organization that doesn't have interest in your metadata.

The privacy concern Green made was confidentiality of messages. There is none for Telegram, and Telegram should have moderated content for illegal stuff because of that. They made a decision to become a social media platform like Facebook, but they also chose not to co-operate with the law. Durov was asked to stop digging his hole deeper back in 2013, and now he's reaping what he sow.