[yarg]

> because that's not actually a thing that makes sense.

No for micro-blogging, but Mastodon supports direct messaging, and if you support direct messaging, you should support end-to-end.

> If you don't own the key exchange ...

Sure, but I trust https://letsencrypt.org/ more than I trust some random running a server.

[stormbrew]

> No for micro-blogging, but Mastodon supports direct messaging, and if you support direct messaging, you should support end-to-end.

No other microblogging service with DM support has e2e anything. Because they're websites. To have meaningful e2e you need to have key exchange and device keys, and if you have a website you can look at your DMs on then the website has to have a key. If the website has a key the owner of the website can look at your DMs. This is just fundamental to hosted web services, and it's why if you use icloud messaging with imessage you're no longer guaranteed e2e, and why signal just doesn't even have a website for you to use.

> Sure, but I trust https://letsencrypt.org/ more than I trust some random running a server.

LE has nothing to do with this? The key exchange I'm talking about is the end keys. User keys. LE doesn't provide those. For e2e IM systems a server has to manage user/device:key mappings, and are a central point of trust. They can potentially inject a "listening key" into your recipient list without you knowing and tap you or even impersonate you (but only in a forward way).

E2E is not a panacea, but it's also largely irrelevant to websites.

[palata]

That's wrong. A "website" can do e2ee. You just need to do the encryption/decryption on the client side. Protonmail does that, Mega, etc.

[stormbrew]

Eh, if you don't trust your masto instance admin to not read your DMs do you really trust them to not break the "your password never leaves the client" guarantees that protonmail for eg. promises?

This is the thing about this argument: Either you trust your instance admins or not. If they promise you e2e and you don't trust them, you should rightly look at that as snakeoil.

[ryukafalz]

This is meaningless if you don't trust the site admins, and the reason to use e2ee in the first place is to avoid trusting the site admins. All it takes is for them to serve you different JavaScript one time that exfiltrates your messages, and I guarantee you'll never notice.

[yarg]

> LE has nothing to do with this?

You probably want a CA signing the public keys that you store on the site.

> They can potentially inject a "listening key"

You mean a MITM attack? Isn't that the reason for certificate authorities?

[librexpr]

Sorry, you seem to be confusing HTTPS with E2EE. Mastodon already uses HTTPS for all its traffic, including the traffic between servers.

[yarg]

No, I'm not (I'm not a total fucking idiot).

What I'm suggesting is that the same certificate infrastructure that is used to secure the connection between a server and a client could also be used to secure the connections between users.

There's nothing specific to HTTPS about CAs and trust chains.

[cycomanic]

But for encrypted DMs you need per user keys that are stored on the users computer, otherwise the owner of the server has control over the key and we're back at square one. Or am I somehow misunderstanding you?

[yarg]

You can use client side symmetrical crypto to allow for the private key to be stored on the server.

It means that weak keys are a problem, but that's been the case since the dawn of time.