Am I too harsh in believing that if you claim to have E2EE but I can't verify a) your source code b) my client was built from that source code (i.e. reproducible builds) then you don't have E2EE? The whole point of encrypting my traffic on the client is I don't trust you. Why would I believe you aren't sending the encryption keys off to your server if I didn't trust you before?
this post was submitted on 17 Sep 2024
82 points (89.4% liked)
Privacy
31609 readers
709 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
founded 4 years ago
MODERATORS
Am I too harsh […]?
No. If there's no way to verify anything then all we have to go on is their word.
The word of a company generally isn't worth a whole lot. Same with Telegram.
The clients are source available for telegram though
Which is how we know their self-rolled encryption is shit.
There's a reason why Telegram CEO can be arrested when Signal's can't. Because Telegram has information they can give but refuse to whereas Signal give everything they've got, which is basically nothing.
I mean technically the client is verifiable if you use discord in a browser tab... and verify it every time you load the web page... 🙃
you aren't. to me this is just PR
They just mean you now really have to pay to get private data. 🤣
False, this is a lie.
Discord is anti-libre software. We do not control it.
It bans us from proving its claims. It bans us from fixing its lies.
It fails to include a libre software license text file, like AGPL. Discord is malware, anti-libre.
Interesting. I was able to access the linked whitepaper and repositories without trouble and the 3rd party stuff too. Do you have local config preventing you from downloading the source code to review?
While I can respect your distaste for non-libre software, you’ll need to back up the malware claim. There are real security concerns out there in common non-libre; labeling things that are not libre as malware solely because they are not libre muddies the waters and makes your message much less palatable.
Where's the rest of Discord's source code?
While it bans us from proving its claims and more, i'll never let it infect my devices.
The claim is that audio and video are E2EE. I’m not sure how you’re unable to disprove that using the linked code, audit report, and COTS debugging tools. Can you expand on that? I see a lot of FUD without anything more than “they’re not libre” which, again, doesn’t do a great job of selling your point.
Just reverse engineer me bro
And every update, every other app, all their updates too, across every device... 🚩
Should we just waste our whole lives nothing but knee deep in disassembled binaries?
How stupid and gullable does openly hostile Discord think we are?
Couldn't be me still coping and shilling trash like this.
In another post you’re actively looking at purchasing GPS systems. The satellites you’re sending info to are not available to dissect and I highly doubt the firmware of the devices you’re looking at is publicly available much less libre. Your trolling is not internally consistent so it’s clear you don’t have any clue what you’re on about. Good luck with that.
I don't think you need to send info for a GPS client to work. You are just a receiver, no data sent.
This conflates software with service.
Signal's offical servers, when we don't own them, and we don't run them, we can't see inside them too.
Signal is an end-to-end encrypted libre app, so we don't need to.
here's half the source missing
just reverse me bro
that's not your server
Always the same talking points. Some people never learn.
what the hell are you doing that you keep being banned from discord?
It bans us from modifying its source code, sharing its exact and modified copies, using it for any purpose, etc.
We do not control it, anti-libre software.
Which software license do you think Discord is distributed under?
Why put the effort into such a hostile service?
Replied to the wrong comment?
Responding broadly to the thread of folks talking about userScripts & add-ons. This effort would be better put to getting folks to a different protocol where client modification & alternate clients are the norm.
Yeah, some people never learn.
I've been using a modified client for about 2 and a half years now without being banned.
Where's our legal right to modify and share its source code forever? We don't control it.
Discord provides outdated, bloated Electron. As if I am going to trust them again.
bro, just use firefox or Librewolf or something.
I am content with Matrix and IRC. Discord is a privacy nightmare.
If you believe anything you write or say on discord is private. Or would ever even be encrypted, I want whatever you're smoking please.
Yeah, Discord is not a privacy preserving service in the slightest. Honestly I'm only using it because of the network effect at this point.
That and it has full functionality in the browser. No bullshit "download the app".
Welp, better than nothing, right?
But not for text?
nah, selling messages is way easier
Hey Discord, give us the ability to stream audio when sharing our screen on Linux ffs.
Vencord/Vesktop supports audio streaming on Linux and is just a generally better experience compared against the Discord official app. Free and open source.
+1 for vesktop works great for me
No. 😡
No I'm not.
Huh
How will they comply with the US government?
They can deliver the data that they do have, which will be encrypted. Though I doubt they were ever recording calls anyway.
Their TOS says they don't record but who knows..
How would the US government be able to see the messages? They need to monitor for young people leaking data from the Pentagon. /s
It's interesting that the threat model also includes participants. They take into account that when a user leaves, it should be impossible for them to continue listening.
screams in Matrix
but why?
End to end directly to ccp