A lot of recent (and upcoming) blog posts I’ve written, and Fediverse discussions I’ve participated in, have been about the security of communication products. My criticism of these pro…
This is a very technology focused view. In any user system, the users themselves have to be a consideration too. I don't use most of them for the fact I don't have a smartphone. So for my use case, any chat application that requires one might as well not exist, so read the rest of this with that in mind.
People fall into a few categories:
The don't cares. They use whatever everyone else uses, because that's what they need to use to talk to who they want to talk to.
The open and defederated. If they can't self host, it fails.
The anti-corporate. If it is run by a big organization, regardless of technology its a no.
The technological illiterate. Basically the same as the first group, but if its not really user friendly they can't figure it out.
I'm sure there are others, but these are what comes to mind first. While signal might be the one that has the best technology for many that doesn't mean, and will never mean it is the "best" because their decision matrix doesn't weigh technology as highly as you, and their knowledge doesn't allow them to understand the nuances you talk about.
Agreed. Interpersonal relationships are stronger bonds then us tech dudes (myself included) tend to appreciate.
People are still on Facebook despite all their unacceptable actions over the years, because the alternative is to completely uproot your whole social circle (everyone all at once, good luck with that) or seriously risk cutting off people you care about.
Almost the same applies to Furs still on Telegram, though afaik TG hasn't ever done anything remotely as bad as Zuck, Elon or Spez
EDIT: sidestepping the uprooting part is what's fantastic about the Fediverse btw; compat and futureproofing between diff websites being a must-have from the start, and that's awesome <3
From a "don't care" position, Elon is probably the only one who has impacted them. For Spez a majority of users probably just use the desktop site, or official app and would be more annoyed with the mods impacting their experience than Spez for making changes. Zuck did a bunch of behind the scenes manipulations, but again the don't cares wouldn't have noticed.
The fediverse itself might be resistant to overall control, but you are still tied to an instance, so a rouge admin, or some spam in activity pub could still cause uprooting.
My whole thing is applied cryptography! When I'm discussing what the bar is to qualify as a real competitor to a private messaging app renowned for its security, I'm ONLY TALKING ABOUT CRYPTOGRAPHIC SECURITY.
This isn't a more broad discussion. This isn't about product or UX decisions, or the Network Effect.
Those are valid discussions to have, but NOT in reply to this specific post, which was very narrowly scoped to outlining the specific minimum technical requirements other products need to have to even deserve a seat at the table.
I understand, but its all about framing. "What does it Mean to be A Signal Competitor", well that is chat apps as that is the space signal occupies. That might not be what space it occupies to you, but that is the space it occupies. "What does it take to compete with Signal's Security" frames the argument to one component, and I would probably have a very different response to that framing. Because of the framing, your argument comes across as "don't talk about use case, its not worth my time." I understand this is because your focus is the cryptographic security, but threat modeling and Human factors has to be a consideration of an overall security posture. Congratulations, you have the best cryptography, but if its not usable, the cryptography doesn't matter, if the users are the weakness, the cryptography doesn't matter, if nobody is willing to use it because its missing a key user feature, the cryptography doesn't matter.
I know enough about cryptography to know to leave it to the experts. I know about hardware power side channels, I know several exploits have been implementation based and not cryptography based, and I know vulnerability does not always mean an exploit