• toneverends
    link
    fedilink
    arrow-up
    8
    arrow-down
    1
    ·
    3 years ago

    Yet another IM protocol. Walled garden. Fees to be paid to a central company.

    There’s plenty to criticise about signal, but “mesibo” is not the solution.

    Besodes, the signal-dissing in the article seems mostly a FUD exercise.

    • X_Cli
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      3 years ago

      Can you elaborate on how this is FUD, please?

      Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

      Using phone numbers as identifiers is a well-known Signal flaw.

      And while CBC is indeed less robust that GCM regarding certain types of attacks, it is true that “up-to-date” CBC implementation have no known vulnerability. Yet, would you claim that TLS1.3 is FUDing for dropping CBC support as well?

      I am not promoting mesibo, which I never heard about before. I am just trying to understand how this criticism of Signal would be invalid, or FUD.

      • southerntofu
        link
        fedilink
        arrow-up
        2
        ·
        3 years ago

        Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

        Oh no it’s a pretty good idea, and unfortunately mosibo isn’t the first project to implement it… in an entirely new protocol that nobody will ever adopt. Implementing SMP in a widely-used protocol (email/PGP, IRC/OTR, XMPP/OMEMO) would benefit a lot more users.

        Using phone numbers as identifiers is a well-known Signal flaw.

        Indeed, but once again we have dozens of protocols providing messaging primitives, whether federated or centralized. Why should we even consider Signal or Mesibo? To be honest, i appreciated Mosibo’s criticism of Signal: it’s fair and strongly deserved. I would add to this that Signal dropped on-disk database encryption which is horrible: users set a passphrase expecting some security… only to find out later that the passphrase is purely cosmetic and the local DB is unencrypted.

        I am just trying to understand how this criticism of Signal would be invalid, or FUD.

        I don’t think it’s either FUD or invalid. It just looks like yet another corporation making yet another protocol for yet the same usecases we already have a dozen protocols for. If mesibo is only about cryptographic research, OMEMO/MegOLM could use a refresher… but unfortunately they’re promoting an entire ecosystem and it’s really not clear what the technical/business model is (i found the code for libmesibo but i don’t see any server implementation on their github).

        I think given the very fragmented ecosystem we already have, the burden is on them to prove that their project is interesting/useful. From my perspective, it looks like some cryptographers wanted to do cool stuff, but need a bullshit business front (like any startup) to operate… like a lot of crypto research, unfortunately…

        • X_Cli
          link
          fedilink
          arrow-up
          2
          ·
          3 years ago

          I agree with all of your points :)