Brilliant debunking of Moxie's bullshit about and lies against decentralized systems at :

Decentralized systems' far better track record than centralized services on these goals must be very frustrating if you run such a centralized service but attacking bizarre straw men is not useful. Imagine if the over 50 million dollars funding Signal had gone towards polishing a distributed messenger....

@jz I'm really not advocating for WhatsApp, but they rolled out encryption basically overnight.
When, exactly, is wide support for OMEMO coming to XMPP?

Sorry, but Moxie *does* have a point.

@jz I also don't get why web would be a good comparison. For one thing, the huge browser vendors basically write their own standards. We're now down to two actually deployed rendering engines. And even with that unhealthy amount of implementations, we still have to check things like "caniuse" regularly if a feature from three years ago can be deployed widely.

@amenthes @jz My point was that even though you may have mostly central development, you don't need central servers. Google doesn't route all your HTTP traffic through itself. Anyone can start up their own servers. Different implementations of HTML5 are a bit messy but haven't stopped or even significantly slowed evolution. Centralized alternatives (Flash in this case) die.

@sj @amenthes @jz funny that you bring up flash, which invented stuff for the web in 3-4 years that took HTML another ten years to catch up to. Vector graphics, Video, 3d-canvas, socket connections, oh and animations in general.
I need a working messenger right now, and signal is just the least shitty trade-off for me. If the rest catches up in a few years I'll happily switch.

@amenthes @jz and I guess I'm changing my own definitions there, flash while centrally developed, still ran on distributed servers. They didn't host all the flash files or see all the metadata.


I don't think you fully appreciate the economic dynamics at play.

(Incidentally, I don't find to be of any significant practical advantage over previous encryption mechanisms. It just seems like a fashionable thing to have right now)


@0 @jz has OTR solved multi-device by now? If not, then this is where OMEMO has its practical advantage. If it has, good for them, when did that happen?


> this is where OMEMO has its practical advantage.

Against ?

, notwithstanding certain technical advantages, is sort of an ad-hoc solution with properties that are not necessarily desirable by everyone, e.g., forward secrecy, a nightmare in a business context.

There was no technical impediment preventing us from using either of the two “standard” encryption approaches for .



Both OMEMO and OTR are solutions to send encrypted content over a dumb pipe. They work with almost every messaging protocol, but they are not a good solution if you have the option to use more advanced features of a protocol than just sending text messages.

- OTR requires one contact before encrypting.
- PGP needs key distribution
- PGP has a lot of overhead
- PGP has no PFS (yes, *I* do want this for my chats).

OMEMO is able to use jabber features to provide that.

@amenthes @jz

Especially OMEMO can store pre-keys like those used by WhatsApp and Signal using PEP. This is a precondition for using double ratchet (Signal encryption).
This is only possible because OMEMO actually knows the protocol and can use its more advanced features.
You are still able to use PGP when you want features like having no PFS or long term keys.

@amenthes @jz


> needs key distribution

This is a problem that we should have solved decades ago.

Still, works well in a business context, though nowhere near as much support as , which is another option if you don't mind the hierarchical model.

Not perfect either, I know, but I'd prefer a few well supported options rather than everybody jumping onto a different bandwagon every five years or so. 🤷

@amenthes @jz

But using PGP in text chats is still something that works, but is kind of a crude workaround.
By using the more advanced features of XMPP, clients could for example send binary PGP data using extensions like Bits of Binary instead of sending armored PGP messages as plain text.

OTR and OMEMO are both authenticated during your chat, they only provide deniability after your session ended. Which is in most use cases seen as a feature and not as a bug.

(We may be off-topic in this thread now)


> instead of sending armored PGP messages as plain text.

What is wrong with that? 🤔

@jz Moxie has also made weird comments (basically FUD) on Lavabit's AMA on Reddit, claiming that Ladar shouldn't be trusted.



I wouldn't lend much credence to anyone pretending to advocate from, err… a website, or using google forms, as they do, etc. They know about privacy as much as I know about moonwalks.

For a few cold facts on , see

I do agree that the guy is remarkably dishonest, possibly psychopathically so.


@0 @jz I wouldn't lend much credence to anyone who disregards cited facts b/c of publication outlet. It's like dismissing the content of Bruce Schneier's "Applied Cryptography" b/c the paper isn't archive quality. BTW, I guess you missed #Github's role in the "prostitution ring diagram".


I guess that is a good analogy. Popularity does not have a causal relationship with academic rigour or quality.

Sadly the ghost in that Microsoft website chose to mix factual statements with his own opinion along with outright speculation, something which is made possible because that privacy tools project is social (in a fashion statement kind of way) rather than technical in nature.

Which is fine, just not my cup of tea.


Thanks for posting the link to that issue, it is a well written list of problems I too have seen with #Signal, and then some.

@jz Thank you very much for this post 👍 Once more a great description why Signal should not be trusted and used. But it's so hard to tell that to the fans. WhatsApp users often know that Facebook is shit or at least listen to your facts and use it only because so many other people are using it. But Signal users do actually think they're really doing anything better, they're even advertising this shit to other people and tell them they're safe. I don't get it. I never will. That's just totally stupid 🙄

@jz The only thing that I've seen that gives Signal points vs something like Jami is that Signal actually gets the message to the recipients. There are times when Jami utterly fails in this regard.

Just an additional data point.


Decentralized systems still fail with push notifications. Not their fault. It's related to Google energy consumption reduction design.

I think Moxie just wanted something that works fast (as Skype did) rather than really solve the problem (as maybe webrtc does)
