Micah Lee πŸ”‘ is a user on mastodon.social. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.
Micah Lee πŸ”‘ @micahflee

You know instance admins can read your direct messages in the fediverse? Twitter and Facebook also can - and sometimes do - read your private messages, and they have infrastructure to comply with law enforcement requests. I'd love to see some end-to-end encryption built into Mastodon clients.

maloki @maloki

@micahflee Is it anything you could help with on github?

Falkreon πŸ³οΈβ€πŸŒˆ @Falkreon@fern.surgeplay.com

@micahflee I feel like PGP was made to solve exactly this kind of problem. Would we even need to change anything, except maybe relaxing the 500-character limit?

Micah Lee πŸ”‘ @micahflee

@Falkreon the hard problems would be key management, key verification, and multi-device support I think

Falkreon πŸ³οΈβ€πŸŒˆ @Falkreon@fern.surgeplay.com

@micahflee I guess. I feel like associating pubkeys with accounts really needs to be addressed in the scope of OAuth though. Sort of tangential to mastodon.

Micah Lee πŸ”‘ @micahflee

@Falkreon it's not an easy problem to solve -- no one has solved it really well yet anywhere else either.

If it's addressed through OAuth, then do you trust your OAuth service to act as a CA and to not facilitate MITM attacks? Do you try to build in a web of trust like with PGP? Or do you do TOFU with fingerprint verification like Signal (I think this is the best option)?

Β· Web Β· 1 Β· 1
mastodon.social powered by Mastodon