It will be open source, end to end encrypted using Signal’s double ratchet encryption protocol, and he plans to make it easy for fediverse platforms to integrate it. The beta will release later this month.
He’s also the creator of https://fedidb.org btw
so this is basically fb messenger but it works with twitter, YouTube and reddit (their federated alternatives mastodon peertube lemmy) and is e2ee!
super cool!
Nice🔥
deleted by creator
Thanks you Daniel superman supernault @dansup@mastodon.social. @dansup@dansup@mastodon.social
I want this at the ActivityPub level, for direct/group messaging at least.
This is good.
It really is. In the past a new messenger or Plattform was always annoying as it inevitable meant, how can I get my friends to use this. But with activity pub it doesn’t matter anymore. Everbody can use the fediverse software of his taste and we can still all be interconnected. What a relieve. So many software solutions can compete against each other without us having always to start from zero. Brave new world.
Your link,
https://mastodon.social/@dansup/110836811082599292%20sup.%20is%20an%20open%20source%20encrypted%20fediverse%20instant%20messenger,%20similar%20to%20whatsapp,%20made%20by%20pixelfed.%20%20The%20beta%20will%20be%20launching%20later%20this%20month,%20and%20btw%20most%20fediverse%20accounts%20will%20work,%20not%20just%20Pixelfed%20%F0%9F%98%89
is broken. I think you accidentally copied the body text as well. Cleaning up the link results in https://mastodon.social/@dansup/110836811082599292, which works fine.deleted by creator
Thanks, fixed.
While I doubt I could get my friends and family on yet ANOTHER messaging app in the year of our lord 2023.
Sup. Is a fucking brilliant name.
Could be a fantastic way to replace dm, that’s my first thought.
I remember idly wondering how DMs worked in Lemmy, and I was kinda shocked when I realized they aren’t secure.
“secure” is relative. They may not be e2e encrypted, but they are still encrypted via TLS, like any HTTPS traffic. It’s the same encryption used for online banking. If you care about your instance admin being able to read your messages, you should use Signal or a Matrix client though.
But remember that only a few years ago, almost nobody used e2e encryption, and it wasn’t much of an issue.
Double rachet encryption protocol is also rather dope
I personally hate the name, but only because I had a roommate in college who would start every conversation with “sup.”
On text messages, IMs, in person, you name it. It really started to get under my skin.
But I hope the software is good.
So, you’re playing a little Playstation, huh? That’s whack. Playstation is whack. 'Sup with the whack Playstation, 'sup?
sup.
Yep. That’s what he’d do. So basically he’d always want you to start the conversation.
No man, you’re just supposed to say “Sup.” back to them and then repeat ad nauseum.
After a few sups, the least dominate of the two has to say “nunmuch chu?”
I might know that guy lol
(what’)SUP 🤪
I think it will integrate with the existing fediverse
-
Will it support MLS? (I still don’t quite know the relationship between Double Ratchet and MLS)
-
Why not Matrix?
I really like the promise of MLS, all IM apps being interoperable is an amazing thing
I’m not sure it means the apps will be interoperable, only that the protocol for sharing keys will be standardized.
I highly doubt that we will see any kind of standardization in the actual messaging protocols in the next 10 years.
-
Another messenger = another target for all who hate it. This is another way - let’s see them target that channel.
I’m not leaving Signal until someone implements keeping data at rest encrypted on both ends and requires multi factor unlock (bio+pin is my choice).
So sick of E2E clients that leave the data in plaintext on the devices and then back it up in plaintext to the cloud.
Does Signal back up in plaintext in the cloud? (If so that doesn’t sound like E2E encryption… unless the ‘ends’ are uh… also constituted as the cloud itself which is… defeating the purpose).
Where do the pub/ private keys live, exactly, tbh. (Assuming it is asymmetric encryption that they use?)
Edit: ah, misread. I thought you said that you were not joining it due to it storing plain text in the cloud.
Signal doesn’t store any of your chats at all. They’re all on-device by design
Hm… If they’re not being stored on the cloud, that means offline users would never receive messages, unless Signal is purely P2P. I haven’t looked at the project, or the source, but I find it hard to believe – you can’t really do user lookups without some sort of middleware in the cloud.
All the data they have on any specific user is the account creation date, and the last online timestamp. They’ve already done loops around this topic in the DOJ.
And I thought it should be obvious that an online service doesn’t work if you’re offline
Yeah, but messengers, such as WhatsApp for instance, will send you missed messages once you’re back online. That’s what I was referring to.
You’re right, Signal is not P2P. The way Signals messaging pipeline works is like this - note I’m oversimplifying it for accessibility.
Sending a message to
Bob
- You press
Send
. - The message is encrypted on your device with a key that can only be unlocked by
Bob
. - The message is then “sealed” so that there’s only a “deliver to” field visible (not a “from”).
- The “deliver to” field is addressed with a hashed/salted label for
Bob
- this means Signal’s server can see its a unique user, but not what their name is. - The message is finally sent to Signal’s servers.
- Your message sits on Signals servers until it can be delivered to the intended recipient.
you can’t really do user lookups without some sort of middleware in the cloud.
See their blog post about Private Contact Discovery, they’ve spent a long time figuring out how to engineer a method to know as little as possible about you.
Thanks for the explanation.
- You press
No, signal does not do cloud backups. The keys live on the end users devices.
I’ve been unhappy with the direction Signal has taken in recent months and Matrix always felt like it was trying to do too many things at once.
Happy to see something that would integrate directly into Fediverse platforms as it will greatly enhance interplatform communication.
Like a better FB messager.
You should try Beeper too.
I’d never heard of that until now, looks amazing!
Beeper is truly fucking amazing.
SimpleX looks intriguing
Session too. Not a big fan of signal since it requires giving them your phone number.
I’ve posted this previously, but I’ll repost again because I think its important people are aware when making a decision on a secure messenger.
======== Original Post: https://lemmy.ml/comment/1615043
Sessions developers dropped Signal’s Perfect Forward Secrecy (PFS) and deniability
[0]
security features. Personally I would not trust a product that drops an end-user security feature for the sake of making the developer’s life easier[1]
.Using existing long-term keypairs in place of the Signal protocol massively simplifies 1-1 messaging.
For those unaware, PFS protects your data/messages from future exploits and breaches. With PFS, each message’s encryption is isolated, preventing compromise of current and past interactions
[2]
.A simple example to illustrate why PFS is beneficial. Lets assume any 3 letter agency is collecting all Signal/Session messages - on top of the tons of data they’re already capturing. The great thing is that your messages are encrypted, they can’t see anything - YAY - but they’re storing them basically forever.
Two ways they may be able to compromise your privacy and view ALL your messages:
-
A flaw is discovered that allows them to crack/brute force the encryption in weeks instead of years/decades/eternity. If you were using Sessions, because you use the same key for every message, they now have access to everything you’ve ever said. If you were using Signal, they have access to that one message and need to spend considerable resources trying to crack every other message.
-
Your phone is compromised and they take your encryption keys. If you were using Sessions, this again gives them access to your entire message history. If you were using Signal, because the keys are always rotating (known as ephemeral) they can only use them to unlock the most recent received messages.
It’s important to state that both cases above only really matter if you delete your messages after a certain time. Otherwise, yes, all they have to do is take your phone and get access to your entire message history - which is why ephemeral messaging (i.e. auto deleting messages after a certain time) is crucial if you suspect you may be targeted.
[0]
https://getsession.org/blog/session-protocol-explained[1]
https://getsession.org/blog/session-protocol-technical-information-
It’s great, I’m migrating all my contacts to it. AGPL, no phone number or identifier, decentralized, official lemmy community, fast development pace, …
personally love the direction Signal is heading but would be happy to not have “all my eggs in one basket”, as well as diversifying the open source E2EE communication options.
I felt that removing SMS while still having it tied to your phone number, stories, and that weird cryptocurrency were not what I was looking for in a messanger.
I agree. As soon as the update that disabled SMS was pushed to my phone, signal was effectively dead.
Integrating with SMS was so smart. The person who got me into it said “there is literally no reason not to do it” because it was seamless. And I used the same argument to get other people into it. But basically everyone stopped using it as soon as SMS was removed. I don’t have the brain space to remember who is on signal and who is not and go to the appropriate messenger.
I read the whole long thread on their website where the devs were arguing in favor of this and all the reasons were IMHO stupid. I think someone wanted to tank signal. Got tired of funding it probably. It was too good to be true with no obvious business model so always thought the day would come, and it did. Too bad, it was very good at what it did.
I think someone wanted to tank signal. Got tired of funding it probably.
This take doesn’t make any sense. Signal is funded by a non-profit and has tons of money that allows them to not worry about funding in the near feature. There is nobody to “get tired of funding” them.
Makes a lot more sense when you realize they hired an ex-Google exec to run Signal.
Meredith Whittaker? Artificial Intelligence researcher
[0]
, not ex-Google exec, Meredith Whittaker who “led global walkouts”[1]
against Google? Meredith Whittaker who “helped lead employee protests at Google over the search giant’s military work, artificial intelligence and policies”[2]
, Meredith Whittaker?If that’s who you’re talking about, they chose the right person to lead a project that goes completely against the silicon valley M.O. of selling your private data to the highest bidder or mining it to sell ads. Her actions have demonstrated she isn’t afraid of speaking up or pushing back against “the hand that feeds you”, even at risk of being retaliated.
[2]
https://finance.yahoo.com/news/google-protest-leader-meredith-whittaker-015305645.htmlI like her politics and activism, I just don’t think Google and ex-Google people know the features people want out of a messenging app.
Yes I’m still very unhappy over Allo.
Yes I’m still very unhappy over Allo.
Same, it had so much potential, but seems to have been poorly managed.
I also don’t like the fact that Signal needs your phone number and that the only way to connect to other people is by their phone number.
And that your phone number inevitably leads to being spammed
TIL Margot Robbie has strong opinions about encrypted messaging apps. My respect grows by the day.
Everybody just want to ask me about my opinion on work, nobody ever ask me about my opinion on tech.
But using an obvious AI generated profile picture and all of a sudden I can just express opinions on things now.
Wait. Is this the actually celebrity and not just someone using the name? Because honestly if this is the actual person it’s always kinda cool to see “famous people” doing normal people things like say having tech related or privacy related interests and hobbies (idk i just listed that because i can relate to it)
lol
Great news that it will work across the fediverse. I’d love to try pixelfed for example, but its got too much of a walled garden thing going on since nobody I know uses it.
I just uninstalled Pixelfed. Mostly because the app is absolutely garbage on Android, and the developer made it look like an iOS app.
The app is just so dead. I’m happy to revisit later, but as for now I’ll stick with posting my stuff on Mastodon and Lemmy.
Sadly it doesn’t look so much like an iOS app, more like a bad Instagram clone 😕
Honestly, I don’t hate that Idea much bcoz I think it will help users switching from IG to PixelFed.
Fedilab works great for me.
Ok but why
Theres reasons to pm stuff. Some used it on reddit for stuff like exchanging adresses for trading tea, sweets, etc.
There are already hundreds of ways to PM stuff. Why do we need another?
I don’t want to give strangers my personal cell, discord, twittter, whatever handle here publicly. If there is a need to exchange secret informatiom, how will you take this convo elsewhere?
How is it that your Matrix handle is “personal” but your Sup. handle is not?
I don’t have matrix?
Anyway: Platform specific handle being “public” is not a problem. What is a problem (to me) is the association with other platforms I am on. No one besides those that actually should know it (hence PM), need to know it.
Do I reuse my username on many platforms? Sure do.
Do I need to tell you? Nope brother!Also: Why should I take my conversation from here to exchange confidential information than just letting it stay here?
I don’t have matrix?
My point, exactly.
Why should I take my conversation from here to exchange confidential information than just letting it stay here?
I’ve already answered that.
Presumably because currently, activitypub doesn’t have a module for secure message exchange that can’t be snooped on by a server admin.
Not but there are 7369543 other “modules” you can already use.
Because fedi is going to take away all Meta/Facebook’s proprietary toys, WhatsApp included.
Not likely
Why the hell not?!?
Because fragmentation of chat apps is bad
You are already on another social media. Just not a centralized one.
…huh? Who is talking about social media?
You are on the wrong platform then
What are you talking about
deleted by creator
Competition is good, especially with regards to privacy and cyber security. Customers benefit when companies don’t have a captured market. A lack of competition only leads to monopolies and stagnation.
If no one offers a secure product, then customers have no choice but to either not use anything or put up with it. Competition means that at any time a newcomer can offer a better product (that is hopefully open source).
Edit to add: Ideally you could message people on different apps with the same account. But I’ll take fragmentation over a monopoly.
Hard disagree. People actually being able to use apps is good. The smallest amount of privacy and security is a thousand times better than WhatsApp or Facebook Messenger or whatever other Meta garbage people are using.
Wickr, Threema, Telegram, blah blah blah there’s too many chat apps already.
If there’s n of something and n+1 breaks it, then it was broken to begin with.
What?
I find it interesting that people who don’t really think about these things much often have a default sentiment that everyone on a single platform is better.
It’s especially true of people who just exploit platforms for attention. It breaks the rules they have built up in their heads about how to be important and have status.
Just kinda thinking out loud here.
I find it interesting that people who don’t really think about these things much often have a default sentiment that everyone on a single platform is better.
No one thinks that. We just think having everyone on a different platform is bad.
Can you clarify the nuance you are pointing out? I really have heard multiple people assume they will be forced to be on every platform if multiple platforms become active/popular. They express they think a single platform is preferable.
I explained this in another comment. I don’t want to have to keep 20 chat apps on my phone just to talk to my friends and family. I don’t want another one. Pretty simple.
This seems highly sexual