It will be open source, end to end encrypted using Signal’s double ratchet encryption protocol, and he plans to make it easy for fediverse platforms to integrate it. The beta will release later this month.

He’s also the creator of https://fedidb.org btw

  • @notenoughbutter@lemmy.ml
    link
    fedilink
    English
    232 years ago

    so this is basically fb messenger but it works with twitter, YouTube and reddit (their federated alternatives mastodon peertube lemmy) and is e2ee!

    super cool!

    • @SamsonSeinfelder@feddit.de
      link
      fedilink
      English
      372 years ago

      It really is. In the past a new messenger or Plattform was always annoying as it inevitable meant, how can I get my friends to use this. But with activity pub it doesn’t matter anymore. Everbody can use the fediverse software of his taste and we can still all be interconnected. What a relieve. So many software solutions can compete against each other without us having always to start from zero. Brave new world.

  • @randint@lemm.ee
    link
    fedilink
    English
    302 years ago

    Your link, https://mastodon.social/@dansup/110836811082599292%20sup.%20is%20an%20open%20source%20encrypted%20fediverse%20instant%20messenger,%20similar%20to%20whatsapp,%20made%20by%20pixelfed.%20%20The%20beta%20will%20be%20launching%20later%20this%20month,%20and%20btw%20most%20fediverse%20accounts%20will%20work,%20not%20just%20Pixelfed%20%F0%9F%98%89 is broken. I think you accidentally copied the body text as well. Cleaning up the link results in https://mastodon.social/@dansup/110836811082599292, which works fine.

  • ren (a they/them)
    link
    fedilink
    English
    2472 years ago

    While I doubt I could get my friends and family on yet ANOTHER messaging app in the year of our lord 2023.

    Sup. Is a fucking brilliant name.

    • Annoyed_🦀
      link
      fedilink
      English
      602 years ago

      Could be a fantastic way to replace dm, that’s my first thought.

      • @Magiwarriorx@lemmy.world
        link
        fedilink
        English
        122 years ago

        I remember idly wondering how DMs worked in Lemmy, and I was kinda shocked when I realized they aren’t secure.

        • Aloso
          link
          fedilink
          English
          82 years ago

          “secure” is relative. They may not be e2e encrypted, but they are still encrypted via TLS, like any HTTPS traffic. It’s the same encryption used for online banking. If you care about your instance admin being able to read your messages, you should use Signal or a Matrix client though.

          But remember that only a few years ago, almost nobody used e2e encryption, and it wasn’t much of an issue.

    • @garretble@lemmy.world
      link
      fedilink
      English
      192 years ago

      I personally hate the name, but only because I had a roommate in college who would start every conversation with “sup.”

      On text messages, IMs, in person, you name it. It really started to get under my skin.

      But I hope the software is good.

    • panCat
      link
      fedilink
      English
      -52 years ago

      I think it will integrate with the existing fediverse

  • @cbarrick@lemmy.world
    link
    fedilink
    English
    162 years ago
    1. Will it support MLS? (I still don’t quite know the relationship between Double Ratchet and MLS)

    2. Why not Matrix?

    • @Im28xwa@lemdro.id
      link
      fedilink
      English
      32 years ago

      I really like the promise of MLS, all IM apps being interoperable is an amazing thing

      • @cbarrick@lemmy.world
        link
        fedilink
        English
        12 years ago

        I’m not sure it means the apps will be interoperable, only that the protocol for sharing keys will be standardized.

        I highly doubt that we will see any kind of standardization in the actual messaging protocols in the next 10 years.

  • @PineapplePartisan@lemmy.world
    link
    fedilink
    English
    342 years ago

    I’m not leaving Signal until someone implements keeping data at rest encrypted on both ends and requires multi factor unlock (bio+pin is my choice).

    So sick of E2E clients that leave the data in plaintext on the devices and then back it up in plaintext to the cloud.

    • @outdated_belated@lemmy.sdf.org
      link
      fedilink
      English
      1
      edit-2
      2 years ago

      Does Signal back up in plaintext in the cloud? (If so that doesn’t sound like E2E encryption… unless the ‘ends’ are uh… also constituted as the cloud itself which is… defeating the purpose).

      Where do the pub/ private keys live, exactly, tbh. (Assuming it is asymmetric encryption that they use?)

      Edit: ah, misread. I thought you said that you were not joining it due to it storing plain text in the cloud.

      • dinckel
        link
        fedilink
        English
        302 years ago

        Signal doesn’t store any of your chats at all. They’re all on-device by design

        • @XaeroDegreaz@lemmy.world
          link
          fedilink
          English
          4
          edit-2
          2 years ago

          Hm… If they’re not being stored on the cloud, that means offline users would never receive messages, unless Signal is purely P2P. I haven’t looked at the project, or the source, but I find it hard to believe – you can’t really do user lookups without some sort of middleware in the cloud.

          • dinckel
            link
            fedilink
            English
            12 years ago

            All the data they have on any specific user is the account creation date, and the last online timestamp. They’ve already done loops around this topic in the DOJ.

            And I thought it should be obvious that an online service doesn’t work if you’re offline

            • @XaeroDegreaz@lemmy.world
              link
              fedilink
              English
              12 years ago

              Yeah, but messengers, such as WhatsApp for instance, will send you missed messages once you’re back online. That’s what I was referring to.

          • ᗪᗩᗰᑎ
            link
            fedilink
            English
            22 years ago

            You’re right, Signal is not P2P. The way Signals messaging pipeline works is like this - note I’m oversimplifying it for accessibility.


            Sending a message to Bob

            1. You press Send.
            2. The message is encrypted on your device with a key that can only be unlocked by Bob.
            3. The message is then “sealed” so that there’s only a “deliver to” field visible (not a “from”).
            4. The “deliver to” field is addressed with a hashed/salted label for Bob - this means Signal’s server can see its a unique user, but not what their name is.
            5. The message is finally sent to Signal’s servers.
            6. Your message sits on Signals servers until it can be delivered to the intended recipient.

            you can’t really do user lookups without some sort of middleware in the cloud.

            See their blog post about Private Contact Discovery, they’ve spent a long time figuring out how to engineer a method to know as little as possible about you.

  • Margot Robbie
    link
    fedilink
    English
    432 years ago

    I’ve been unhappy with the direction Signal has taken in recent months and Matrix always felt like it was trying to do too many things at once.

    Happy to see something that would integrate directly into Fediverse platforms as it will greatly enhance interplatform communication.

    Like a better FB messager.

        • ᗪᗩᗰᑎ
          link
          fedilink
          English
          3
          edit-2
          2 years ago

          I’ve posted this previously, but I’ll repost again because I think its important people are aware when making a decision on a secure messenger.

          ======== Original Post: https://lemmy.ml/comment/1615043

          Sessions developers dropped Signal’s Perfect Forward Secrecy (PFS) and deniability [0] security features. Personally I would not trust a product that drops an end-user security feature for the sake of making the developer’s life easier [1] .

          Using existing long-term keypairs in place of the Signal protocol massively simplifies 1-1 messaging.

          For those unaware, PFS protects your data/messages from future exploits and breaches. With PFS, each message’s encryption is isolated, preventing compromise of current and past interactions [2].

          A simple example to illustrate why PFS is beneficial. Lets assume any 3 letter agency is collecting all Signal/Session messages - on top of the tons of data they’re already capturing. The great thing is that your messages are encrypted, they can’t see anything - YAY - but they’re storing them basically forever.

          Two ways they may be able to compromise your privacy and view ALL your messages:

          1. A flaw is discovered that allows them to crack/brute force the encryption in weeks instead of years/decades/eternity. If you were using Sessions, because you use the same key for every message, they now have access to everything you’ve ever said. If you were using Signal, they have access to that one message and need to spend considerable resources trying to crack every other message.

          2. Your phone is compromised and they take your encryption keys. If you were using Sessions, this again gives them access to your entire message history. If you were using Signal, because the keys are always rotating (known as ephemeral) they can only use them to unlock the most recent received messages.

          It’s important to state that both cases above only really matter if you delete your messages after a certain time. Otherwise, yes, all they have to do is take your phone and get access to your entire message history - which is why ephemeral messaging (i.e. auto deleting messages after a certain time) is crucial if you suspect you may be targeted.

          [0] https://getsession.org/blog/session-protocol-explained

          [1] https://getsession.org/blog/session-protocol-technical-information

          [2] https://www.signal.org/blog/advanced-ratcheting/

      • @jack@monero.town
        link
        fedilink
        English
        32 years ago

        It’s great, I’m migrating all my contacts to it. AGPL, no phone number or identifier, decentralized, official lemmy community, fast development pace, …

    • ᗪᗩᗰᑎ
      link
      fedilink
      English
      202 years ago

      personally love the direction Signal is heading but would be happy to not have “all my eggs in one basket”, as well as diversifying the open source E2EE communication options.

      • Margot Robbie
        link
        fedilink
        English
        312 years ago

        I felt that removing SMS while still having it tied to your phone number, stories, and that weird cryptocurrency were not what I was looking for in a messanger.

        • @imaradio@lemmy.ca
          link
          fedilink
          English
          52 years ago

          I agree. As soon as the update that disabled SMS was pushed to my phone, signal was effectively dead.

          Integrating with SMS was so smart. The person who got me into it said “there is literally no reason not to do it” because it was seamless. And I used the same argument to get other people into it. But basically everyone stopped using it as soon as SMS was removed. I don’t have the brain space to remember who is on signal and who is not and go to the appropriate messenger.

          I read the whole long thread on their website where the devs were arguing in favor of this and all the reasons were IMHO stupid. I think someone wanted to tank signal. Got tired of funding it probably. It was too good to be true with no obvious business model so always thought the day would come, and it did. Too bad, it was very good at what it did.

        • @randint@lemm.ee
          link
          fedilink
          English
          92 years ago

          I also don’t like the fact that Signal needs your phone number and that the only way to connect to other people is by their phone number.

          • Margot Robbie
            link
            fedilink
            English
            92 years ago

            Everybody just want to ask me about my opinion on work, nobody ever ask me about my opinion on tech.

            But using an obvious AI generated profile picture and all of a sudden I can just express opinions on things now.

            • @joshuaacasey@lemmy.world
              link
              fedilink
              English
              -42 years ago

              Wait. Is this the actually celebrity and not just someone using the name? Because honestly if this is the actual person it’s always kinda cool to see “famous people” doing normal people things like say having tech related or privacy related interests and hobbies (idk i just listed that because i can relate to it)

  • @blunderworld@lemmy.ca
    link
    fedilink
    English
    23
    edit-2
    2 years ago

    Great news that it will work across the fediverse. I’d love to try pixelfed for example, but its got too much of a walled garden thing going on since nobody I know uses it.

    • Polar
      link
      fedilink
      English
      112 years ago

      I just uninstalled Pixelfed. Mostly because the app is absolutely garbage on Android, and the developer made it look like an iOS app.

      The app is just so dead. I’m happy to revisit later, but as for now I’ll stick with posting my stuff on Mastodon and Lemmy.

    • @Appoxo@lemmy.dbzer0.com
      link
      fedilink
      English
      142 years ago

      Theres reasons to pm stuff. Some used it on reddit for stuff like exchanging adresses for trading tea, sweets, etc.

        • @Appoxo@lemmy.dbzer0.com
          link
          fedilink
          English
          32 years ago

          I don’t want to give strangers my personal cell, discord, twittter, whatever handle here publicly. If there is a need to exchange secret informatiom, how will you take this convo elsewhere?

            • @Appoxo@lemmy.dbzer0.com
              link
              fedilink
              English
              12 years ago

              I don’t have matrix?

              Anyway: Platform specific handle being “public” is not a problem. What is a problem (to me) is the association with other platforms I am on. No one besides those that actually should know it (hence PM), need to know it.

              Do I reuse my username on many platforms? Sure do.
              Do I need to tell you? Nope brother!

              Also: Why should I take my conversation from here to exchange confidential information than just letting it stay here?

              • @HughJanus@lemmy.ml
                link
                fedilink
                English
                22 years ago

                I don’t have matrix?

                My point, exactly.

                Why should I take my conversation from here to exchange confidential information than just letting it stay here?

                I’ve already answered that.

    • Dran
      link
      fedilink
      English
      382 years ago

      Presumably because currently, activitypub doesn’t have a module for secure message exchange that can’t be snooped on by a server admin.

    • Rob T Firefly
      link
      fedilink
      English
      292 years ago

      Because fedi is going to take away all Meta/Facebook’s proprietary toys, WhatsApp included.

        • @ChewTiger@lemmy.world
          link
          fedilink
          English
          8
          edit-2
          2 years ago

          Competition is good, especially with regards to privacy and cyber security. Customers benefit when companies don’t have a captured market. A lack of competition only leads to monopolies and stagnation.

          If no one offers a secure product, then customers have no choice but to either not use anything or put up with it. Competition means that at any time a newcomer can offer a better product (that is hopefully open source).

          Edit to add: Ideally you could message people on different apps with the same account. But I’ll take fragmentation over a monopoly.

          • @HughJanus@lemmy.ml
            link
            fedilink
            English
            22 years ago

            Hard disagree. People actually being able to use apps is good. The smallest amount of privacy and security is a thousand times better than WhatsApp or Facebook Messenger or whatever other Meta garbage people are using.

            Wickr, Threema, Telegram, blah blah blah there’s too many chat apps already.

          • paraphrand
            link
            fedilink
            English
            5
            edit-2
            2 years ago

            I find it interesting that people who don’t really think about these things much often have a default sentiment that everyone on a single platform is better.

            It’s especially true of people who just exploit platforms for attention. It breaks the rules they have built up in their heads about how to be important and have status.

            Just kinda thinking out loud here.

            • @HughJanus@lemmy.ml
              link
              fedilink
              English
              12 years ago

              I find it interesting that people who don’t really think about these things much often have a default sentiment that everyone on a single platform is better.

              No one thinks that. We just think having everyone on a different platform is bad.

              • paraphrand
                link
                fedilink
                English
                12 years ago

                Can you clarify the nuance you are pointing out? I really have heard multiple people assume they will be forced to be on every platform if multiple platforms become active/popular. They express they think a single platform is preferable.

                • @HughJanus@lemmy.ml
                  link
                  fedilink
                  English
                  12 years ago

                  I explained this in another comment. I don’t want to have to keep 20 chat apps on my phone just to talk to my friends and family. I don’t want another one. Pretty simple.