WingNews logo WingNews
top | item 11671646

(no title)

CariadKeigher | 9 years ago

> And I think that email is unbeatable, because it is federated, because it's governed by standards and because in spite of all constraints, it's quite adaptable, being the kind of platform supporting short term proprietary solutions because (and not in spite of) its client/server decoupling.

E-mail's biggest problem is that many, many, many people get it wrong either through configuration snafus or a holier-than-thou approach to how it talks to other servers. It's a miracle that it has managed to function as well as it has; and has done so only only out of sheer necessity.

The problems that e-mail face are the problems that Moxie doesn't want to deal with. If other people want to go for a protocol that has interoperability that's fine, but he wants no part in it. He has no obligation to provide a service to clients he doesn't want connecting and he's right to demand that those who use "Signal" in their name cease its use so to not confuse their attempts with his own.

We already saw a revolt when Signal (when it was known as "TextSecure") went away from its SMS model to a client-server one, leading to a version that still relies on SMS. The point of switching away was to further remove metadata that otherwise would have become exposed. This demonstrates that the type of people who want to go against Moxie's wishes are the type that are to get this implemented incorrectly.

> Is it unencrypted? Sure, but it doesn't matter though. Because we are willingly trading that for a capable search engine and a good web interface. Trade secrets aren't communicated over email anyway.

Your username should be enough to tell you that trade secrets are traded over e-mail routinely.

A multitude of inappropriate material that should not be shared via e-mail is done so on a regular basis. If you work at any company that has credit card numbers being used for either expenses or customer details, you'll quickly find that with a search for 16-digit strings within e-mails will give results.

The problem you're neglecting to acknowledge here is that data at rest can be left unencrypted but overall has no business being unencrypted when in transit. If data from party A is meant for party B (and C, D, E, F, and so on) then any party that is not involved has no business knowing about its contents other than where it is destined to--and even that is questionable.

Those who favour convenience over security are part of a huge problem that faces the Internet.

> I think Moxie is missing the point. He's emulating WhatsApp, but you can't beat WhatsApp at their own game. Did WhatsApp really deliver encryption to 1 billion users? Well, those are 1 billion users that probably won't use Signal or chat with Signal users. Oops.

Moxie isn't trying to beat WhatsApp at its game; he in fact went and improved it by incorporating aspects of Signal into it [1]. Signal is meant to be something else and not something to directly compete with WhatsApp on. Signal and WhatsApp cater to different groups and markets.

[1] https://whispersystems.org/blog/whatsapp-complete/

discuss

order

bad_user|9 years ago

First of all, I really respect Moxie's choices and am very grateful for his work. What he wants to do, it's entirely his choice. Never meant to imply otherwise.

> Those who favour convenience over security are part of a huge problem that faces the Internet.

I'm not necessarily in favor of convenience, the problem is I cannot trust a binary blob communicating with a proprietary server, even if I can trust some of the people that worked on it, at least for now. I cannot trust something like WhatsApp. Signal I can trust, because at least it is open-source and up for review, but Signal will not succeed in being popular. At least not when it makes the same design choices. You say they cater to different markets, but I don't see a difference. For example Signal considers the phone number as being the username, just as WhatsApp.

Hence I end up carrying more about freedom than security. When I changed my email provider from Google Apps to FastMail, nobody noticed and I value that a lot.

> If you work at any company that has credit card numbers being used for either expenses or customer details, you'll quickly find that with a search for 16-digit strings within e-mails will give results

That may happen, but we've got strict policies in place. Nothing over email is communicated that's more important than source code. And given that source code lives in a Git repository provided by a public service, it would be ridiculous to do encrypted email, but not have behind-the-vpn on-premises Git repositories. And I know mistakes are made, etc. I still want federation more than I want end-to-end encryption.