Hacker News | fazfq's comments

COVID-19 restrictions, Jesus. What is this, 2020?


This is the appropriate response. It's more about China saving face and their attempt to maintain control than actual Covid-19 prevention, although there is some of that too.

They had a choice to accept Pfizer and Moderna early on and chose not to. Now they're paying for it politically, socially, and epidemiologically.


The l looks taller than the 4 to me, which makes it clear it's not another number


Looks like a one to my bad eyes.


I live in the south and if anything I'm glad that the fucking summer is finally over. I had SAD in spring because of my allergies and because I know that the heat is coming though.


Whoa did you just deny a CIA narrative?


I'm daring like that.


In places of the EU, especially close to the sea, tap water fucking sucks. You end up with kidney stones if you drink it every day. Stop romanticising the EU so much for fuck's sake.


Chill the heck out, I was very obviously talking about the UK, and parts of Europe, not all of it. We don't all have politicised motivations or a desire to 'one up' continents.


What did you expect? Messages have to be stored on the server, and the instance owner has access to the server...


(Hypothetically) wouldn't it be possible for client devices to generate key pairs, and for messages to be stored on the server encrypted in such a way that recipients' client devices could decrypt them? (I think that's what Signal does?)

Not saying that that's what happens on Mastodon instances, I don't know enough about its operation to comment.


Yes, end-to-end encryption is possible. It just needs support in clients, as well as a common protocol if you want it to work between different clients.

Mastodon has actually done some work towards that but I don't think it's useable yet, see https://github.com/mastodon/mastodon/pull/13820


Thanks!


Normal users do not understand what federation is, much less how messages are stored.


This has nothing to do with federation. It's just a fact of life on any hosted internet service.


Chances of a centralized Twitter stealing your sensitive information are quite a bit lower than N number of federated Mastodon instances run by any number and types of actors.


Not if end-to-end encryption is available.


If you don't own the key exchange (and you don't, even on the services most people consider secure), you're still, on some level or another, just relying on trust that this is the case.

At any rate, Mastodon is a web app, not an IM client. No one who's ever raised this has even begun to explain how you could work e2e into something like it. Certainly no other microblogging platform has e2e anything, because that's not actually a thing that makes sense.


> because that's not actually a thing that makes sense.

Not for micro-blogging, but Mastodon supports direct messaging, and if you support direct messaging, you should support end-to-end.

> If you don't own the key exchange ...

Sure, but I trust https://letsencrypt.org/ more than I trust some random running a server.


> Not for micro-blogging, but Mastodon supports direct messaging, and if you support direct messaging, you should support end-to-end.

No other microblogging service with DM support has e2e anything. Because they're websites. To have meaningful e2e you need to have key exchange and device keys, and if you have a website you can look at your DMs on then the website has to have a key. If the website has a key the owner of the website can look at your DMs. This is just fundamental to hosted web services, and it's why if you use iCloud messaging with iMessage you're no longer guaranteed e2e, and why Signal just doesn't even have a website for you to use.

> Sure, but I trust https://letsencrypt.org/ more than I trust some random running a server.

LE has nothing to do with this? The key exchange I'm talking about is the end keys. User keys. LE doesn't provide those. For e2e IM systems a server has to manage user/device:key mappings, and is a central point of trust. They can potentially inject a "listening key" into your recipient list without you knowing and tap you or even impersonate you (but only in a forward way).

E2E is not a panacea, but it's also largely irrelevant to websites.
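The comment above describes a server that manages user/device:key mappings and could add a key to a recipient list unnoticed. As an added example (not part of the thread and not Mastodon's code), here is one client-side check for that case: pin the fingerprints of a contact's device keys locally and encrypt only to pinned keys. The names `checkDeviceList`, `approveDevice`, the device objects and the account name are assumptions made for the illustration.

```javascript
const { createHash } = require('node:crypto');

// Fingerprint of a device public key: hex SHA-256 over the raw key bytes.
function fingerprint(publicKeyBytes) {
  return createHash('sha256').update(publicKeyBytes).digest('hex');
}

// pins: Map<userId, Set<fingerprint>> held in client storage the server cannot write.
// serverList: device keys the server claims belong to userId (untrusted input).
function checkDeviceList(pins, userId, serverList) {
  const offered = new Map(serverList.map((d) => [fingerprint(d.publicKey), d]));
  if (!pins.has(userId)) {
    // First contact is trust-on-first-use: the server could already be lying,
    // so the caller should ask the user to confirm fingerprints out of band.
    pins.set(userId, new Set(offered.keys()));
    return { firstUse: true, encryptTo: [...offered.values()], unverified: [], missing: [] };
  }
  const pinned = pins.get(userId);
  const encryptTo = [];
  const unverified = [];
  for (const [fp, dev] of offered) {
    (pinned.has(fp) ? encryptTo : unverified).push(dev);
  }
  // Pinned keys the server no longer lists (device removed, or key withheld).
  const missing = [...pinned].filter((fp) => !offered.has(fp));
  return { firstUse: false, encryptTo, unverified, missing };
}

// Called only after the user compared the fingerprint with the contact directly.
function approveDevice(pins, userId, device) {
  pins.get(userId).add(fingerprint(device.publicKey));
}

// Constructed sample data: the key bytes are placeholders, not real keys.
function pinningDemo() {
  const user = 'alice@example.social';
  const phone = { deviceId: 'phone', publicKey: Buffer.from('constructed-key-A') };
  const laptop = { deviceId: 'laptop', publicKey: Buffer.from('constructed-key-B') };
  const extra = { deviceId: 'tablet', publicKey: Buffer.from('constructed-key-C') };
  const pins = new Map();
  const first = checkDeviceList(pins, user, [phone, laptop]);
  const later = checkDeviceList(pins, user, [phone, laptop, extra]); // unseen key appears
  approveDevice(pins, user, extra);
  const after = checkDeviceList(pins, user, [phone, laptop, extra]);
  return { first, later, after };
}
```

The check moves trust from every later directory lookup to the first one plus the out-of-band comparison; it does not remove the need for that comparison.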


That's wrong. A "website" can do e2ee. You just need to do the encryption/decryption on the client side. Protonmail does that, Mega, etc.


Eh, if you don't trust your masto instance admin to not read your DMs do you really trust them to not break the "your password never leaves the client" guarantees that Protonmail, e.g., promises?

This is the thing about this argument: Either you trust your instance admins or not. If they promise you e2e and you don't trust them, you should rightly look at that as snake oil.


This is meaningless if you don't trust the site admins, and the reason to use e2ee in the first place is to avoid trusting the site admins. All it takes is for them to serve you different JavaScript one time that exfiltrates your messages, and I guarantee you'll never notice.


> LE has nothing to do with this?

You probably want a CA signing the public keys that you store on the site.

> They can potentially inject a "listening key"

You mean a MITM attack? Isn't that the reason for certificate authorities?


Sorry, you seem to be confusing HTTPS with E2EE. Mastodon already uses HTTPS for all its traffic, including the traffic between servers.


No, I'm not (I'm not a total fucking idiot).

What I'm suggesting is that the same certificate infrastructure that is used to secure the connection between a server and a client could also be used to secure the connections between users.

There's nothing specific to HTTPS about CAs and trust chains.


But for encrypted DMs you need per-user keys that are stored on the user's computer, otherwise the owner of the server has control over the key and we're back at square one. Or am I somehow misunderstanding you?


You can use client side symmetrical crypto to allow for the private key to be stored on the server.

It means that weak keys are a problem, but that's been the case since the dawn of time.
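An added sketch of the scheme this comment describes (not code from the thread or from any project named in it): the client derives a key from the user's password, encrypts the private key with it, and uploads only the resulting blob. The scrypt cost values and the function names are assumptions chosen for the example.

```javascript
const crypto = require('node:crypto');

// Assumed scrypt cost parameters; maxmem is raised so N = 2^15 is accepted.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Runs in the client. Only the returned blob goes to the server.
function wrapPrivateKey(privateKeyDer, password) {
  const salt = crypto.randomBytes(16); // per-user salt, stored next to the ciphertext
  const iv = crypto.randomBytes(12);   // fresh 96-bit GCM nonce for every wrap
  const kek = crypto.scryptSync(password, salt, 32, SCRYPT);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([cipher.update(privateKeyDer), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Runs in the client after downloading the blob. Returns null when the
// password is wrong or the blob was modified (GCM tag check fails).
function unwrapPrivateKey(blob, password) {
  const kek = crypto.scryptSync(password, blob.salt, 32, SCRYPT);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed demo: a throwaway X25519 key and a sample passphrase.
function wrapDemo() {
  const { privateKey } = crypto.generateKeyPairSync('x25519');
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const blob = wrapPrivateKey(der, 'correct horse battery staple');
  const ok = unwrapPrivateKey(blob, 'correct horse battery staple');
  const wrong = unwrapPrivateKey(blob, 'password1');
  // Flip one ciphertext bit, as a server modifying the stored blob could.
  const tampered = { ...blob, ct: Buffer.from(blob.ct) };
  tampered.ct[0] ^= 0x01;
  const modified = unwrapPrivateKey(tampered, 'correct horse battery staple');
  return { roundTrip: ok !== null && ok.equals(der), wrong, modified };
}
```

The server holds the salt, nonce, ciphertext and tag, so the protection of the stored key is bounded by the password's strength; the scrypt cost only raises the price of each guess.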


The foundations for E2EE were merged into Mastodon, there's a merged pull request for it elsewhere in this thread.


Go look at that PR and read the details and ask yourself who you have to trust with a list of device keys you're encrypting your DM for.

You might be surprised to discover that you're still trusting an instance admin.

It does improve some things, potentially, in terms of intermediaries being able to read things, but there are a lot of things that are still reliant on trusting your admin, or are outright unclear how they'll work in practice.

That said, I take back that "no one has begun to explain..." - they've begun. But so far they've kinda just thrown some well established protocols at it but not done much to explain how it really helps the "trust your admin" problem.


Mastodon is an interesting case because it was a splinter of Twitter but it basically had the same moderation policies so it was the same thing and imo had no appeal of its own. Now with Musk it's possible that things will change in Twitter's policies so Mastodon may become useful, but we'll see.


It's not only a verification service, you get more features.


Isn't putting whatever you want next to a popular guy's tweets enough payment?


"empowers" is such a red flag in my book...


Sounds like it's time for a new book, but you don't have to take my word for it...


Or stop using rhetorical buzzwords and the language of demagoguery.

