You know instance admins can read your direct messages in the fediverse? Twitter and Facebook also can - and sometimes do - read your private messages, and they have infrastructure to comply with law enforcement requests. I'd love to see some end-to-end encryption built into Mastodon clients.
@micahflee e2ee would be great.
@micahflee How would you envision it happening? An embedded XMPP client + OTR?
About our Hack Day: http://andregarzia.com/en/blog/addons-hack-day
@Falkreon it's not an easy problem to solve -- no one has solved it really well yet anywhere else either.
If it's addressed through OAuth, then do you trust your OAuth service to act as a CA and to not facilitate MITM attacks? Do you try to build in a web of trust like with PGP? Or do you do TOFU with fingerprint verification like Signal (I think this is the best option)?
@pettter @rysiek @micahflee FWIW, I agree with @lambadalambda - it can be argued that private messages are simply a misfeature in OStatus since they cannot be truly private without extra (non-standard) hacks.
Keeping things simple is valuable; using the right tool for the job (some other protocol for private messages) is good engineering.
@lieselotte @pettter @rysiek @micahflee @lambadalambda Well, I'd venture that poor engineering usually leads to a poor user experience sooner or later. The fundamental user expectation is "software that works".
Mastodon and GNU Social and others could all agree to integrate XMPP (or even SMTP) for direct messages. It doesn't need to be in the OStatus protocol.
@lambadalambda @micahflee @rysiek Not completely. Riseup rolled out a system a few weeks ago that encrypts all emails with your login passwords. So if they have to hand out data, it will be encrypted data. https://0xacab.org/riseuplabs/trees
Philosophically: The same thing. Granted.
Practically: Huge difference if you ask me.