Encrypt. Now. - eviltoast
  • ɐɥO@lemmy.ohaa.xyz
    link
    fedilink
    arrow-up
    51
    arrow-down
    1
    ·
    1 year ago

    This is just plain up stupid.And wont stop any criminals. People who actively want to hide someting will just use smaller/selfhosted services.

    • SitD@feddit.de
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      here’s my prognosis: noticed how phishing is getting more popular recently? yeah that will turn straight into spear phishing. anyone sending messages from a public WiFi will be receiving personalized phishing mails written to perfection by ai. i really don’t understand how politicians cannot think anything to a logical conclusion

  • MrSilkworm@lemmy.world
    link
    fedilink
    arrow-up
    16
    ·
    1 year ago

    I have an idiotic request. Since I’m not familiar with the subject, could we be directed to a kind of wiki or megathread on how to actually encrypt our communications?

    • Monkey With A Shell@lemmy.socdojo.com
      link
      fedilink
      arrow-up
      19
      ·
      1 year ago

      Depends on the application in use. The grail is end2end encryption with asymmetric encryption where no provider has access to the private keys. The difficulty is getting people on a common method where you can just look for your peer and get a public key handed to you without having to fuss around with where it was uploaded.

      Maybe the most common/simple would be looking into things like PGP. You and I would both have a public/private key pair. When I send you messages it’s encrypted with your public key and signed with my private key, and as a result only your private key can decrypt the message and you know it came from me because only my private key could have signed it.

      The ugly mechanics behind it don’t need to be anything you actually learn in detail, but just look for apps that offer end to end encryption where the encryption is set up locally rather than in the service provider’s host, if the host generated the keypair then functionally it’s useless because at that point they have the private key.

    • vector_zero@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      As the other commenter mentioned, your best bet is being selective about which services you use to communicate.

      Unencrypted (plain text) is the worst, since data is easy for a third party to sniff (think of it as a wiretap). For example, HTTP and SMS are unencrypted.

      Encrypted is a good start, since third parties can’t sniff your traffic, but the server handling your communications can usually see everything that passes through it. For example, HTTPS is an SSL-encrypted variant of HTTP, and services like Facebook messenger are encrypted, but Facebook can still see all of your messages, since it’s stored on their servers.

      End to End Encrypted (E2EE) is the golden standard. Only the endpoints (i.e. you and your friend) can see the content of your messages, and all traffic is encrypted in a way that even the server cannot view it. Signal is end to end encrypted, as are many other modern messaging platforms (WhatsApp is E2EE in theory, as is Google Meet, but we can’t verify this ourselves).

      • miss_brainfart@lemmy.ml
        link
        fedilink
        arrow-up
        6
        ·
        edit-2
        1 year ago

        WhatsApp is E2EE in theory

        Didn’t Signal even work together with them, to implement their protocol?

        But anyway, as far as I know, WhatsApp only encrypts message contents, not the associated metadata. So they’re still able to learn a lot about you.

        • vector_zero@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          I believe WhatsApp uses the same protocol (or at least the same crypto algorithms), though I’m not sure if they were involved in its development.

          Good point on the metadata. Signal has the “sealed sender” thing, which (I think) helps with the metadata problem somewhat.

          • Monkey With A Shell@lemmy.socdojo.com
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Metadata and the comm endpoints is one of the hardest parts to deal with. If an intermediary doesn’t have a pointer to a destination then delivering a message becomes problematic, envelopes without an address tend to sit in bins. It would be possible to simply store messages and allow recipients to poll for them but that gets really inefficient at scale. Plus it creates a central repo where messages sit until retrieved which is a liability in itself.

            Things like OTR encryption are interesting as a transient system ad-hoc type encryption for things that don’t need or even want absolute assurance of identity, but if I want to talk to Alice and be sure it’s not Eve then it’s not ideal.

  • soulfirethewolf@lemdro.id
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    This article he just goes:

    We should all use PGP, SSL or equivalent tools; VPNs, Tor and/or SSH tunnelling; IPFS, or other distributed file systems — and ditch proprietary OS’s in favour of Linux or truly free Android distros. We should switch to Protonmail or similar webmail; to Matrix, Signal or similar messaging. Ad-blocking, URL cleansing and third-party cookie rejection should be the default for everyone. Those tools and techniques should cease to be arcane nice-to-haves for nerds: we must get more non-technical people onboard.

    All this is a moral imperative to those of us who have the ability and the means to follow this strategy and to educate others about it.

    He just relies entirely on the “moral obligation” people have to use this stuff, but then doesn’t give any advice on how to convince people to actually use this stuff besides “using our abilities and the means to follow the strategy and educate others about it”. Because I’ve certainly been trying that for ages and it hasn’t worked. Of course a good amount of that stuff I don’t even think I would use. I find Protonmail encryption to be annoying in compatibility since you actually have to pay to get the desktop program to decrypt your email, Signal, and a lot of Matrix clients lack a lot of the nice messaging features that extend beyond the app itself (Like Google Assistant/Siri support). Also not sure if OP has seen the current state of using an adBlocker on the web. I’m not sure if everyday people would want to actually deal with that. I certainly can’t get my mother to use an adblocker, and whenever I try to instate pi hole onto our network, within moments, someone complains about the internet “not working correctly”.

    The argument is almost always “we need to start mandating these really private things onto everyone, don’t give them any choice on it” and never “how can we make good enough things people will want to use with privacy by design?”. I look at apps like Nextcloud and home assistant that have created better experiences than what the market currently offers. And I wish that I could see more of the same with that with apps that are private by design, and can integrate well with just about anything.

    • Oliver Lowe@lemmy.sdf.org
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      I suppose it’s a call to arms - the intended audience is those who are familiar with all those acronyms. It’s meant to ignite a fire in the belly to spur individual action against the proposed Chat Control legislation.

      I know what you mean though. The reality of “resisting” is actually kinda messy. Using all the mentioned tooling is exhausting. Much like I don’t think that consumer recycling is going to save humanity, I don’t think that if everyone “made the little effort required to secure their data and their communications” it would end crazy proposals like Chat Control. TLS is so common now (in HTTPS) and WhatsApp (implementing e2ee) is incredibly popular. Yet here we are.

      The article briefly mentions open-source software. To me this is where I see more private & secure by design stuff like you mention. I’m happy that things like Lemmy exist making countermeasures like 3rd party cookie blocking sand URL cleansing irrelevant.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    22
    ·
    1 year ago

    I don’t live over there…

    If any such bill comes to the US you will get my support to not support it

    • Vik@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      I feel like this comment may have been misunderstood. You’re not saying that you don’t care about this invasion of privacy in the EU, you’re saying that you’re unable to act on this locally since you’re situated in the US.