Lemmy Support

4651 readers

4 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 5 years ago

MODERATORS

[email protected]

Are dms e2e encrypted between recipients? (lemmy.ml)

submitted 4 years ago by [email protected] to c/[email protected]

8 comments fedilink hide all child comments

Just curious if that is the case. I assume not as Lemmy does not advertise it's encryption at all.

Would this ever be planned for Lemmy?

top 6 comments

sorted by: hot top controversial new old

[–] [email protected] 5 points 4 years ago (1 children)

No, they only have transport encryption with TLS. This is why we recommend Matrix instead. I think Mastodon is working on E2E encryption for ActivityPub, but it seems extremely complicated.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

It would be nice to have them, it's an additional attraction factor for users. It could be done using hybrid approach where one hash derived from user password is used to authenticate in Lemmy and retrieve chat list, second completing hash would decrypt them. Example: https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

[–] [email protected] 4 points 1 year ago (1 children)

Implementing E2E isn't just about the encryption though, it's also about the key exchange/distribution/generation approach.

If you look at what Matrix does, so much of the complexity comes from how they authenticate all the different clients to manage E2E in a distributed way. For proper E2E you've got more than 2 ends (multiple clients) so you need to manage it for all.

[–] [email protected] 1 points 1 year ago (1 children)

I don't get what makes it hard to implement the same stuff using libraries provided, encryption should be optional for servers administrators to enable

[–] [email protected] 2 points 1 year ago (1 children)

Encryption is hard to get right. Which doesn't help when it's essentially useless unless you get it right

https://github.com/soatok/mastodon-e2ee-specification was a thing but it doesn't seem to be updated for months now.

[–] themoonisacheese 1 points 1 year ago

Encryption is also pretty much useless if the thing performing the decryption is served by the people encryption is protecting you against. It would be trivial for a Lemmy instance to serve you backdoored JavaScript as the decryption Algo.

E2e encryption is a legal device used by companies to remove their liability to give your messages to the government. Because united states v Apple (which didn't have a ruling but the case made was pretty strong), code is speech and the US gov cannot compel you to change your code, therefore companies that have e2e encrypted comms can say "we don't know, we have a way of knowing but you can't make us" whenever the US gov comes in with a subpoena.

Bear in mind this is only US jurisprudence, there exist jurisdictions in which the government could legally compel an instance admin to serve you backdoored JavaScript and read your messages.

load more comments