this post was submitted on 14 Sep 2021
57 points (96.7% liked)

Open Source

31173 readers
459 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
57
This seems solid discord alternative (itsfoss.com)
submitted 3 years ago by Goodstar1084@lemmy.ml to c/opensource@lemmy.ml
52 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] Helix@feddit.de 3 points 3 years ago (1 children)

That blog post is not about Element and doesn't include any of the ways Element stores data and sets up encryption. Basically they're just saying 'there's no sane defaults and websites want to spy on you', which I totally agree to, but which still misses the point. It is doable, it's just not done well. To just send everything in plaintext is definitely not the solution here.

[–] dreeg_ocedam@lemmy.ml 2 points 3 years ago* (last edited 3 years ago) (2 children)

there's no sane default and websites want to spy on you

If you're considering E2EE you're already considering that the server cannot be trusted (AKA it wants to spy on you).

It's not about defaults, it's about the fact that you're doing crypto to protect yourself from the server, using code that the server just sent you.

This is the key point of the post:

Where installation of native code is increasingly restrained through the use of cryptographic signatures and software update systems which check multiple digital signatures to prevent compromise (not to mention the browser extension ecosystems which provide similar features), the web itself just grabs and implicitly trusts whatever files it happens to find on a given server at a given time.

It is doable, it's just not done well. To just send everything in plaintext is definitely not the solution here.

If you're serious about security, the only good way to do it is to not do it at all. It really pisses me off that even password manager don't care.

[–] dreeg_ocedam@lemmy.ml 2 points 3 years ago

By "not doing it at all" I mean redirect people towards full blown apps that can do proper crypto.

[–] Helix@feddit.de 0 points 3 years ago (1 children)

it’s about the fact that you’re doing crypto to protect yourself from the server, using code that the server just sent you

Ah, yes, makes sense. Solutions to this may be to use client applications, local storage in browsers or checksumming.

[–] dreeg_ocedam@lemmy.ml 2 points 3 years ago

There are still many issues with that. This stackoverflow discussion shows that it is not really possible to do. Some of the points are irrelevant, but the general takeway is that local storage, caches and all are not designed for security but for performance.

The thing is that the browser is absolutely not designed for this kinds of uses.