• X_Cli@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    3 years ago

    Can you elaborate on how this is FUD, please?

    Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

    Using phone numbers as identifiers is a well-known Signal flaw.

    And while CBC is indeed less robust that GCM regarding certain types of attacks, it is true that “up-to-date” CBC implementation have no known vulnerability. Yet, would you claim that TLS1.3 is FUDing for dropping CBC support as well?

    I am not promoting mesibo, which I never heard about before. I am just trying to understand how this criticism of Signal would be invalid, or FUD.

    • southerntofu@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      3 years ago

      Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

      Oh no it’s a pretty good idea, and unfortunately mosibo isn’t the first project to implement it… in an entirely new protocol that nobody will ever adopt. Implementing SMP in a widely-used protocol (email/PGP, IRC/OTR, XMPP/OMEMO) would benefit a lot more users.

      Using phone numbers as identifiers is a well-known Signal flaw.

      Indeed, but once again we have dozens of protocols providing messaging primitives, whether federated or centralized. Why should we even consider Signal or Mesibo? To be honest, i appreciated Mosibo’s criticism of Signal: it’s fair and strongly deserved. I would add to this that Signal dropped on-disk database encryption which is horrible: users set a passphrase expecting some security… only to find out later that the passphrase is purely cosmetic and the local DB is unencrypted.

      I am just trying to understand how this criticism of Signal would be invalid, or FUD.

      I don’t think it’s either FUD or invalid. It just looks like yet another corporation making yet another protocol for yet the same usecases we already have a dozen protocols for. If mesibo is only about cryptographic research, OMEMO/MegOLM could use a refresher… but unfortunately they’re promoting an entire ecosystem and it’s really not clear what the technical/business model is (i found the code for libmesibo but i don’t see any server implementation on their github).

      I think given the very fragmented ecosystem we already have, the burden is on them to prove that their project is interesting/useful. From my perspective, it looks like some cryptographers wanted to do cool stuff, but need a bullshit business front (like any startup) to operate… like a lot of crypto research, unfortunately…