So having convinced a bunch of my family and friends to set up accounts on Wire and install it, I may have lost the main thing that made it attractive (a #FreeCode desktop client for 32-bit GNU/ Linux where voice calls work properly). At what point do I just give up on trying to be a #SoftwareFreedom purist, and buy a 2nd-hand MacBook for comms (and video editing, and ... and ... and ...) :(
While I'm on a rant, it annoys me that I might have to retire my laptop in a year or two, even though the hardware is still working fine and dandy, just because even #FreeCode software seems to require more and more hardware power over time to do basically the same tasks. When I bought this laptop in 2010, it could run perfectly good voice and video calls over Skype on Windows XP! We must stop treating complex electronics as disposables.
@strypey That's windows for ya, they don't call it fatware for nothing! Linux Mint runs smooth as on the Dell Inspiron I got back in 2009.
@aran It would be nice to think that, but I've been running GNU/Linux on this laptop since about a year after I got it. Sadly, free code OS also bloat up over time, require more hardware power, and often stop supporting devices long before they stop being usable. Dropping 32-bit support being a classic example. Many #RasberryPi devices are 32-bit!
@strypey @aran Okay, it's just about ia32 - https://twitter.com/felixrieseberg/status/1103356589304512519.
That means raspis are safe.
@strypey I'm still running Debian on a 64-bit laptop from 2010 but modern browsers are too big for its 4GB memory, which I didn't bother to upgrade yet.
@strypey Indeed, Moore's law gets completely eaten by the opposite pull in software. And the hardware manufacturers who externalize waste costs and profit from obsolescence seem perfect happy with that.
@strypey the bad choice was Wire... why not Telegram instead?
@alexl see the 2-3 length discussions I've had here over the year about chat apps. TL;DR Wire is #copyleft #FreeCode on both client and server side, and has plans to support #federation between Wire servers. #Electron is a downside, but they are ok with community-created clients without Electron to connect to their server (unlike #Signal, don't know about #Telegram)
@strypey Telegram made a challenge and the best clients became the official ones: a Qt desktop client for Windows, Mac & Linux, two clients for Android, one for iOS, a web client and one specific for Mac, all Open Source, plus community clients including a CLI one. 200 mln of users, 15 bln of messages/day. E2E encrypted chats (optional) and calls.
@alexl @strypey ...but for some obscure reason, the server code is still closed source, even though they said they would open source it years ago. https://telegram.org/faq#q-why-not-open-source-everything
Obscure reasons? https://telegram.org/faq#q-why-not-open-source-everything
Keeping Telegram fast and secure while switching to a federated architecture is a tech challenge. See Matrix, it's the state of the art of decentralized instant messaging and can't deal with Telegram's performance.
"Our architecture does not support federation yet. Telegram is a unified cloud service, so creating forks where two users might end up on two different Telegram clouds is unacceptable. To enable you to run your own Telegram server while retaining both speed and security is a task in itself. At the moment, we are undecided on whether or not Telegram should go in this direction."
@paulfree14 bullshit and fake news, I'm tired of answering people who share that page on GitLab.
@alexl if parts of what is linked are false, the other arguments still stand.
So it remains: telegram is not to be trusted.
@paulfree14 there is not a single argument against Telegram, they took the best decision in every case.
@alexl @stragu no, it isn't. #XMPP is much more advanced than #Matrix when it comes to server performance. But what's key is whether the company recognises that having servers they control at the centre of the entire service is a bad idea (#SinglePointOfFailure) or not. Wire does. Telegram hasn't even released their server code.
@strypey XMPP and Matrix are two totally different things, check Matrix's FAQ section on XMPP
@strypey there is no point in releasing server-side code for an instant messaging platform if there isn't support for server federation. It's just a marketing thing, no benefit from security point of view
@deejoe @alexl the benefit is it allows the whole system to be studied independently, including for security audits. You can stand up your own version of the server, check it for backdoors, and see whether messages are actually secure when you connect clients to it. It also gives the user community the freedom to run their own service for private use, and to fork if the original developer is exposed as a bad actor. So it's quite important.
@strypey zero, there is no value in Facebook/Twitter codebase... Reddit was Open Source, but its federated version, Prismo, is being built from scratch
About Wire, I specified "instant messaging" because using your own server mean you and your contacts need to trust the same server managed by you or one of your contacts that maybe don't know each other... so at that point is better to trust a third-party company like Wire that has low interest in your conversations...
@strypey ...and even if independent developers can audit the code and make it more secure you still need to trust Wire because you have no idea of what they are running on their servers. They could run a branch of the Open Source repo with optimized performance, with additional security holes... so the important part in e2eE systems is just clients being Open Source and secure
@alexl @strypey open-sourcing doesn't necessarily mean switching to a federated architecture, it should be trivial for the Telegram developers to restrict the official clients to the official servers, even if others open new servers based on the original code. What it _would_ allow though, is some public review of the quality of the code, to check for code quality and confirm the privacy claims. And it would allow others to creatively re-puprose, and learn from their valuable work.
@jalcine willdo, sorry. Only just saw this after I sent that last post.
@alexl sure, but all the code #Telegram use on the server-side is proprietary. If you can't audit the server, you can't guarantee the #E2E the client claims to offer. If I was willing to compromise on #SoftwareFreedom to reach more people, I'd use #WhatsApp. Unlike with social media (when used for activist purposes), I don't care about reach. All I want to do is voice chat with people I already know, and we can use email and other tools to agree on which chat app to use.
@alexl @strypey #Telegram client gets Diffie-Hellman configuration from the server via https://core.telegram.org/method/messages.getDhConfig but performs only a probabilistic check of received parameters, see https://github.com/DrKLO/Telegram/blob/e397bd9afdfd9315bf099f78a903f8754d297d7a/TMessagesProj/src/main/java/org/telegram/messenger/voip/VoIPService.java#L283 and https://github.com/DrKLO/Telegram/blob/e397bd9afdfd9315bf099f78a903f8754d297d7a/TMessagesProj/src/main/java/org/telegram/messenger/Utilities.java#L210
Probabilistic check is only enough if *you* have generated the prime. If you receive it from a potentially malicious server, the server can simply generate a lot of insecure parameters and select the one that will pass the check. Telegram is bad, use #Signal protocol
@wire No thanks
@alexl Why not? Just in case, Signal protocol means you can use XMPP+OMEMO or whatever, just something with sane crypto. Telegram simply does not have secure E2E. Bad verification, no warnings on key change, keys regenerated for each call, huge vulnerabilities indistinguishable from backdoors found in the past (in Russian, with comments by Nikolay Durov, @W_K: https://habr.com/en/post/206900/ ), and now this Diffie-Hellman vulnerability exploitable by the server.
@alexl Its Olm protocol is based on the Signal and it was audited https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last/ So it is good enough from the security and FOSS point of view, just need to check if current usability is satisfying for you. My only concern is the lack of self-destructing messages and lack of secure defaults (too easy to create insecure chat etc.) so you should rely on your peers not to accidentally backup the conversation to google disk etc.
Their key management is way worse. You have to manually confirm each device of your contact. It's way harder than scanning one QR-code per contact. So in practice you will see that your contacts have one or two unconfirmed devices. They can verify them for themselves but there is no way propagate this trust.
> OWS even forced them to publish it under GPL license even though they wanted to publish it under permissive license.
Citation please? Given how much pressure had to be put on Signal to release their own source, and the discussions I've had about licensing with folks from Wire on GH issues, I'm sceptical.
OWS wants every open implementation of the Signal protocol to be under the copyleft license (GPL), so they can continue selling their own implementation to WhatsApp under proprietary-friendly license.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!