Things are heating up. Millions of people are taking to the streets against Trump's rising authoritarianism. Communities around the US are organizing to defend against ICE raids, to protest Israeli genocide, for mutual aid, and for other forms of fighting fascism. Signal can help people safely organize in all of

I am personally not a big fan of using Signal for various reasons, but this seems like a good guide if you have no better options easily available.

  • Lime Buzz (fae/she)@beehaw.orgEnglish
    2·
    5 months ago

    The latest version of that encryption adds features that are beyond what Signal does.

    Do you have a link that explains them in an easy to understand way as I’m very interested in what those are.

    And there is a method to cross-sign keys that makes verification quite easy, but it comes with other trade-offs.

    What are the trade-offs?

    Also, would be nice to have that in all clients.

    Of course if you have many servers there will be a variety of different ones. As I said there are trade-offs. Still better though than having only one single option that is under one of the worst possible jurisdictions.

    I’m still not jurisdiction matters if the encryption is good enough, but maybe. Do you have any recommendations for good servers?

    Edit: you don’t need to do that, there is TOFU for that, and that is entirely sufficient for larger groups where trust is necessarily limited anyways.

    I’m not sure if TOFU is in all clients, but yeah, I’m aware of it, still don’t fully trust TOFU, but it’s good enough, I suppose. Fair about big groups, I tend not to like those anyway, so I guess it doesn’t matter.

    I think the only thing that XMPP is missing, like similar projects is easy to use, well encrypted group calls, or maybe even well encrypted one-to-one calls, I could be incorrect about that though.

    • poVoq@slrpnk.netOPEnglish
      2·
      5 months ago

      Omemo >8.x has some encapsulation of metadata. I am not aware of an easy article about it though. Arguebly this is adding something similar to what Signal partially achives with work-arounds only possible due to their centralized infrastructure and single app only architecture, but doing that in the encryption layer is ultimatly the better approach.

      Cross-signing of keys ultimatly outsources trust to someone else. From a security perspective having to manually verify each key yourself is the best way. Cross-signing is a bit controversial in xmpp developer circles as a result, because many think it adds a lot of internal complexity while being only marginally more secure than TOFU.

      I don’t think I can give you any recommendations for good servers, as it is very context specific. Jurisdiction is IMHO among the most important issues, because even if your encryption is water-tight it doesn’t help you much if the provider can be coerced into tracking you or can be easily shut down and replaced with a honeypot.

      As for calls: the popular xmpp mobile apps do have well encrypted peer to peer calls. Currently most are limited to 1:1 calls, but some others are experimenting with small group calls as well (currently only Dino, Movim and Libervia support these).