Y'all who understand crypto and security and stuff

Putting encryption on the browser for e2ee encryption is a really bad idea, right? I feel like it is, but it's too early to say for sure. I've been studying the Matrix documents around libolm.

Just noticed "e2ee encryption" is actually saying "end to end encryption encryption"

In my defense, I'm just so fucking tired lmao

@urso the biggest thing to look for in any encrypted traffic is the certificate chain - do you know what the remote cert is (can you verify it with the other end) to help understand if the communication isn’t decrypted somewhere along the channel. But whenever remote servers get involved, it gets hazy. Signal has probably the best setup I’ve seen. The certificate chains are explicit and you’re expected to verify them. Especially if they change (new phones for example).

@urso others will probably give you a more eloquent response here but typing it out on my phone leads to brevity

@robdaemon that makes sense, thanks! Yeah, whenever I look, it just becomes more clear I shouldn't even try to implement it. Gotta go back to think about the threat model and leave this stuff to people who are experienced with it

And agreed on Signal. I just wish it didn't just rely on phone numbers
