Just saw someone implementing user authentication for an #E2EE application by taking the user's password, running it through libsodium's crypto_pwhash with a fixed salt derived from the user's email address, before sending the (email, hash) pair to the remote server... and I'm just like "is this secure?"
I'd always thought you'd want a construct like SRP6a for conducting the authentication between client & server (without the server learning the user's password)... #security #cryptography
The #UK #OnlineSafetyBill is a poorly written proposal which would have devastating effects for privacy and availability of online services in the UK, breaking end-to-end encryption. Please sign this petition and boost for visibility.
https://www.privacyguides.org/en/ For LGBTQAI+ people needing privacy and anonymity tools right now, I really like this site for that purpose. It can take time to navigate, though, if it's unfamiliar. And I realize this doesn't solve all the issues, but in terms of people trying to track your identity/location, it can be helpful in that regard.
#Telegram was blocked in my country (#Brazil) yesterday on all ISPs, and soon they will be removed from App Store and Play Store ... that's why decentralized communication apps are so important, apps like #Session and #Matrix are trending here right now.
Client-side scanning is like having a “government-supplied CCTV camera in every room of your house.” It puts faith in “an unknown algorithm to detect bad things, which get reported to a private moderation team provided by the people who built your house” - Matthew Hodgson, CEO of @element
"Open Rights Group warned that what it called “a form of chat surveillance” is being slipped in through “a back door measure” in the legislation. Its paper went on to call for E2EE private messaging services to be put out of scope of the bill entirely."
This week we hit the streets in London to send a message to the UK government: Don’t Scan Me! We’re calling on lawmakers to support Lord Clement-Jones’ amendment to the #OnlineSafetyBill that would remove private messaging platforms from the surveillance measures.
"Few would consent to the state putting CCTV in everyone’s bedroom to crack down on the abuse of children. But that is effectively what a technology notice could mean: a CCTV camera in everyone’s phones."
What Proton AG (products are @protonmail, @protonvpn, Proton Calendar and Proton Drive) has to say about the Online Safety Bill:
“While UK lawmakers have stated they don’t want to ban end-to-end encryption, the only ways an end-to-end encrypted service could comply with the bill are:
"Weakening end-to-end encryption would reduce everyone’s safety online, including the children this bill is trying to protect. Without strong encryption, the sensitive data of millions of people would be at risk."
Proton calls on the government to revise the Online Safety Bill to protect privacy, free speech and encryption.
The relationship with your phone is personal. Everyone's private comms shouldn't be monitored for the government. Once the tech is there, any government could ask companies to scan for an ever-growing list of content.
"Open Rights Group warned that what it called 'a form of chat surveillance' is being slipped in through 'a back door measure' in the [Online Safety Bill]." We "call for E2EE private messaging services to be put out of scope of the bill entirely." #e2ee
Treating an entire population as a suspect whose private messages must be scanned is neither necessary nor proportionate to tackle public policy issues. The spy clause in the Online Safety Bill (UK) must be removed. It's a tool of mass surveillance.
A federated chat service might also be interesting...
I've thought about it a bit, and it might even be doable with #activitypub.
A bit of a "back to the roots" thing, back in the direction of TS3. Though of course the question would be how many people would be willing to host their own server when things like #Discord exist.