It will be open source, end to end encrypted using Signal’s double ratchet encryption protocol, and he plans to make it easy for fediverse platforms to integrate it. The beta will release later this month.

He’s also the creator of https://fedidb.org btw

  • ren (a they/them)@lemmy.world
    link
    fedilink
    English
    arrow-up
    250
    arrow-down
    1
    ·
    1 year ago

    While I doubt I could get my friends and family on yet ANOTHER messaging app in the year of our lord 2023.

    Sup. Is a fucking brilliant name.

      • Magiwarriorx@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        1 year ago

        I remember idly wondering how DMs worked in Lemmy, and I was kinda shocked when I realized they aren’t secure.

        • Aloso@programming.dev
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          1
          ·
          1 year ago

          “secure” is relative. They may not be e2e encrypted, but they are still encrypted via TLS, like any HTTPS traffic. It’s the same encryption used for online banking. If you care about your instance admin being able to read your messages, you should use Signal or a Matrix client though.

          But remember that only a few years ago, almost nobody used e2e encryption, and it wasn’t much of an issue.

    • garretble@lemmy.world
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      4
      ·
      1 year ago

      I personally hate the name, but only because I had a roommate in college who would start every conversation with “sup.”

      On text messages, IMs, in person, you name it. It really started to get under my skin.

      But I hope the software is good.

  • Jackthelad@lemmy.world
    link
    fedilink
    English
    arrow-up
    110
    arrow-down
    1
    ·
    1 year ago

    I just saw this on Mastodon and was about to post it here. 😄

    Pretty cool idea. Though I’m not looking forward to trying to convince my friends to switch to yet another new platform. 😂

    • Nix@merv.newsOP
      link
      fedilink
      English
      arrow-up
      93
      ·
      1 year ago

      Im mainly looking forward to it replacing the “DMs” of mastodon and lemmy.

      • Jackthelad@lemmy.world
        link
        fedilink
        English
        arrow-up
        61
        ·
        1 year ago

        I’ve not been on either platform long enough to use the DMs, but this is a good point.

        After all, DMs aren’t actually private on either platform, as far as I’m aware.

        • sab@kbin.social
          link
          fedilink
          arrow-up
          24
          arrow-down
          2
          ·
          1 year ago

          If they’re not end to end encrypted, your messages are not actually private on any platform.

          It’s a bit more obvious in the Fediverse than elsewhere, as direct messages are generally stored on two separate servers (sender and receiver). Furthermore each server tends to be smaller: if Zuckerberg decides to go through people’s DMs it’s unlikely to affect any particular Facebook user, but if the owner of a Mastodon instance does the same it’s small enough that she could actually get an overview. It’s mostly a false sense of security embedded in larger services, but people are all about having a false sense of security.

          • outdated_belated@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            9
            ·
            edit-2
            1 year ago

            Like anything, depends on the threat model. Private from your little sister? Probably. Private from your boss, at least in the next few months prior to them being leaked? Also probably. Private enough?

            That’s to some extent a question that can only be answered individually, as everyone’s threat models differ. I suppose this fact (everyone having differing threat models) is one of the reasons that so many arguments occur over security.

            • sab@kbin.social
              link
              fedilink
              arrow-up
              5
              ·
              1 year ago

              In the end any successful chat service is going to be used by horny teenagers sharing nudes with each other, which is honestly for me better reason than any state secret why all communications should be end to end encrypted at all times. I don’t trust Zuckerberg or Musk with that, or any other third party for that matter.

        • HughJanus@lemmy.ml
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          DMs aren’t actually private on either platform, as far as I’m aware.

          “Private” is not really a binary concept.

          They’re “private” in the sense that no one can see them other than the participants and the server admin (if they really wanted to).

          They’re not private in the sense that they can be hacked and leaked, or subpoenaed.

      • OverfedRaccoon 🦝@lemmy.world
        link
        fedilink
        English
        arrow-up
        14
        ·
        1 year ago

        Yep. That was my first thought - how everyone says to use Matrix rather than Lemmy DMs for anything sensitive. This will be fantastic.

    • U de Recife@literature.cafe
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Right now I just think about me and how I’ll use it. I’m eager to try this messaging app to have a way of being reachable by like-minded people.

      To put it differently, I don’t want to be a slave of others’ choices. I know the network effect is real and that I’m powerless to break it. So I’ll just change my attitude, and embrace this wave. Who knows what will happen? And in the meanwhile, I’ll have fun using what to me seems right.

    • SamsonSeinfelder@feddit.de
      link
      fedilink
      English
      arrow-up
      37
      ·
      1 year ago

      It really is. In the past a new messenger or Plattform was always annoying as it inevitable meant, how can I get my friends to use this. But with activity pub it doesn’t matter anymore. Everbody can use the fediverse software of his taste and we can still all be interconnected. What a relieve. So many software solutions can compete against each other without us having always to start from zero. Brave new world.

  • joshuaacasey@lemmy.world
    link
    fedilink
    English
    arrow-up
    46
    ·
    1 year ago

    It’s crazy how much the creator of pixelfed does. And it’s literally only 1 person working on all the things he does.

    • imaradio@lemmy.ca
      link
      fedilink
      English
      arrow-up
      15
      ·
      1 year ago

      I wonder if he is friends with the guy who runs calibre and kitty terminal. I read somewhere that he was seriously planning to single-handedly maintain python 2 after it was EOLed because it was so integral to calibre. But was eventually talked into transitioning to python 3. The idea of that is totally nuts; the guy is a machine.

    • Dr. Moose@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I’ve been following Daniel since he started working on Pixelfed and dude’s a beast. His code and skill improved astronomically and he just doesn’t stop. Great example of how “doing it” is best way to learn anything software related.

  • Margot Robbie@lemmy.world
    link
    fedilink
    English
    arrow-up
    46
    arrow-down
    3
    ·
    1 year ago

    I’ve been unhappy with the direction Signal has taken in recent months and Matrix always felt like it was trying to do too many things at once.

    Happy to see something that would integrate directly into Fediverse platforms as it will greatly enhance interplatform communication.

    Like a better FB messager.

    • ᗪᗩᗰᑎ@lemmy.ml
      link
      fedilink
      English
      arrow-up
      22
      arrow-down
      2
      ·
      1 year ago

      personally love the direction Signal is heading but would be happy to not have “all my eggs in one basket”, as well as diversifying the open source E2EE communication options.

      • Margot Robbie@lemmy.world
        link
        fedilink
        English
        arrow-up
        32
        arrow-down
        1
        ·
        1 year ago

        I felt that removing SMS while still having it tied to your phone number, stories, and that weird cryptocurrency were not what I was looking for in a messanger.

        • randint@lemm.ee
          link
          fedilink
          English
          arrow-up
          9
          ·
          1 year ago

          I also don’t like the fact that Signal needs your phone number and that the only way to connect to other people is by their phone number.

          • Margot Robbie@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            Everybody just want to ask me about my opinion on work, nobody ever ask me about my opinion on tech.

            But using an obvious AI generated profile picture and all of a sudden I can just express opinions on things now.

            • joshuaacasey@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              6
              ·
              1 year ago

              Wait. Is this the actually celebrity and not just someone using the name? Because honestly if this is the actual person it’s always kinda cool to see “famous people” doing normal people things like say having tech related or privacy related interests and hobbies (idk i just listed that because i can relate to it)

        • imaradio@lemmy.ca
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          I agree. As soon as the update that disabled SMS was pushed to my phone, signal was effectively dead.

          Integrating with SMS was so smart. The person who got me into it said “there is literally no reason not to do it” because it was seamless. And I used the same argument to get other people into it. But basically everyone stopped using it as soon as SMS was removed. I don’t have the brain space to remember who is on signal and who is not and go to the appropriate messenger.

          I read the whole long thread on their website where the devs were arguing in favor of this and all the reasons were IMHO stupid. I think someone wanted to tank signal. Got tired of funding it probably. It was too good to be true with no obvious business model so always thought the day would come, and it did. Too bad, it was very good at what it did.

      • jack@monero.town
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        It’s great, I’m migrating all my contacts to it. AGPL, no phone number or identifier, decentralized, official lemmy community, fast development pace, …

        • ᗪᗩᗰᑎ@lemmy.ml
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          I’ve posted this previously, but I’ll repost again because I think its important people are aware when making a decision on a secure messenger.

          ======== Original Post: https://lemmy.ml/comment/1615043

          Sessions developers dropped Signal’s Perfect Forward Secrecy (PFS) and deniability [0] security features. Personally I would not trust a product that drops an end-user security feature for the sake of making the developer’s life easier [1] .

          Using existing long-term keypairs in place of the Signal protocol massively simplifies 1-1 messaging.

          For those unaware, PFS protects your data/messages from future exploits and breaches. With PFS, each message’s encryption is isolated, preventing compromise of current and past interactions [2].

          A simple example to illustrate why PFS is beneficial. Lets assume any 3 letter agency is collecting all Signal/Session messages - on top of the tons of data they’re already capturing. The great thing is that your messages are encrypted, they can’t see anything - YAY - but they’re storing them basically forever.

          Two ways they may be able to compromise your privacy and view ALL your messages:

          1. A flaw is discovered that allows them to crack/brute force the encryption in weeks instead of years/decades/eternity. If you were using Sessions, because you use the same key for every message, they now have access to everything you’ve ever said. If you were using Signal, they have access to that one message and need to spend considerable resources trying to crack every other message.

          2. Your phone is compromised and they take your encryption keys. If you were using Sessions, this again gives them access to your entire message history. If you were using Signal, because the keys are always rotating (known as ephemeral) they can only use them to unlock the most recent received messages.

          It’s important to state that both cases above only really matter if you delete your messages after a certain time. Otherwise, yes, all they have to do is take your phone and get access to your entire message history - which is why ephemeral messaging (i.e. auto deleting messages after a certain time) is crucial if you suspect you may be targeted.

          [0] https://getsession.org/blog/session-protocol-explained

          [1] https://getsession.org/blog/session-protocol-technical-information

          [2] https://www.signal.org/blog/advanced-ratcheting/

    • Gnubyte@lemdit.com
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      3
      ·
      1 year ago

      Oh god matrix is such a bitch to handle and deal with, laggy and just in need of so much work. I’ll be so happy to have an alternative.

      I used it and hosted it for months with friends and family and we all got locked out due to bugs and had neighboring federated servers that wouldn’t connect.

      • Nikokin@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        1 year ago

        What year? I’ve run a docker synapse for a couple years with no issues (other than iOS client encryption bugs). I was surprised I could run it without a restart for 6months+

        • Gnubyte@lemdit.com
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 year ago

          This year. I gave it a VPS with plenty of cores and memory too. It’s like once I got it working it would work for awhile right, nbd. But then when I’d join a federated room over on matrix.org it would literally take days to add it. I even smoke tested it with their federation tester.

          The lockout I’m describing is like an auth bug. The moment you sign in in a couple different places it has trouble unencrypting messages and even if you verify the other devices identity it will act like it’s still unrecognized, and delete messages. It happened to my girlfriend, then my friend, then me. Twice in two separate attempts to use it daily. I tried using it as a complete iMessage replacement across all platforms so I’m saying I was using it heavily.

          And yeah I used docker too. It’s a neat concept it just falls apart at scale from what I’ve literally seen twice. Doesn’t matter what client I used either.

        • kopper [they/them]@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          just yesterday element literally gave up on joining the nix matrix space after staying at joining for hours on my selfhosted dendrite instance

          a week or so ago the exact same thing happened with the arch matrix channel

    • fmstrat@lemmy.nowsci.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I’m still trying to figure out why this would be used over Matrix. It seems to be the same without bridges?

  • tev@pawb.social
    link
    fedilink
    English
    arrow-up
    36
    arrow-down
    1
    ·
    1 year ago

    this rocks actually. I’ve kinda wanted this for a while

  • PineapplePartisan@lemmy.world
    link
    fedilink
    English
    arrow-up
    35
    arrow-down
    1
    ·
    1 year ago

    I’m not leaving Signal until someone implements keeping data at rest encrypted on both ends and requires multi factor unlock (bio+pin is my choice).

    So sick of E2E clients that leave the data in plaintext on the devices and then back it up in plaintext to the cloud.

    • outdated_belated@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Does Signal back up in plaintext in the cloud? (If so that doesn’t sound like E2E encryption… unless the ‘ends’ are uh… also constituted as the cloud itself which is… defeating the purpose).

      Where do the pub/ private keys live, exactly, tbh. (Assuming it is asymmetric encryption that they use?)

      Edit: ah, misread. I thought you said that you were not joining it due to it storing plain text in the cloud.

      • dinckel@lemmy.world
        link
        fedilink
        English
        arrow-up
        30
        ·
        1 year ago

        Signal doesn’t store any of your chats at all. They’re all on-device by design

        • XaeroDegreaz@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          edit-2
          1 year ago

          Hm… If they’re not being stored on the cloud, that means offline users would never receive messages, unless Signal is purely P2P. I haven’t looked at the project, or the source, but I find it hard to believe – you can’t really do user lookups without some sort of middleware in the cloud.

          • dinckel@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            All the data they have on any specific user is the account creation date, and the last online timestamp. They’ve already done loops around this topic in the DOJ.

            And I thought it should be obvious that an online service doesn’t work if you’re offline

            • XaeroDegreaz@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              1 year ago

              Yeah, but messengers, such as WhatsApp for instance, will send you missed messages once you’re back online. That’s what I was referring to.

          • ᗪᗩᗰᑎ@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            You’re right, Signal is not P2P. The way Signals messaging pipeline works is like this - note I’m oversimplifying it for accessibility.


            Sending a message to Bob

            1. You press Send.
            2. The message is encrypted on your device with a key that can only be unlocked by Bob.
            3. The message is then “sealed” so that there’s only a “deliver to” field visible (not a “from”).
            4. The “deliver to” field is addressed with a hashed/salted label for Bob - this means Signal’s server can see its a unique user, but not what their name is.
            5. The message is finally sent to Signal’s servers.
            6. Your message sits on Signals servers until it can be delivered to the intended recipient.

            you can’t really do user lookups without some sort of middleware in the cloud.

            See their blog post about Private Contact Discovery, they’ve spent a long time figuring out how to engineer a method to know as little as possible about you.

  • randint@lemm.ee
    link
    fedilink
    English
    arrow-up
    30
    ·
    1 year ago

    Your link, https://mastodon.social/@dansup/110836811082599292%20sup.%20is%20an%20open%20source%20encrypted%20fediverse%20instant%20messenger,%20similar%20to%20whatsapp,%20made%20by%20pixelfed.%20%20The%20beta%20will%20be%20launching%20later%20this%20month,%20and%20btw%20most%20fediverse%20accounts%20will%20work,%20not%20just%20Pixelfed%20%F0%9F%98%89 is broken. I think you accidentally copied the body text as well. Cleaning up the link results in https://mastodon.social/@dansup/110836811082599292, which works fine.

  • vacuumflower@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    2
    ·
    1 year ago

    Desktop fscking client, please. Not electron based would be nice, yes? QT is good.

    ICQ-style or old Skype-style user directory would be wonderful too. VoIP is not something I’d care about, file transfers are.

    This is cool.

    • exapsy@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      4
      ·
      1 year ago

      Chill, you’re not the only one here.

      VoIP in a mainstream messenger is something that most people use nowadays to avoid calling people from their SIM cards which costs them much.

      Video calling too is something I personally use too especially on iMessage or Telegram.

      I’m a software engineer, I appreciate some old school things that work perfectly well like ICQ or Vim or emacs or working only with shortcuts. But you know what’s also a shortcut? Not having to use 50 different messengers just because this one doesn’t have VoIP and I can’t bring my friends or my mom here but I can bring only my nerd friends”.

      This is all business and target audience oriented. You are not the only target audience out there and especially when you don’t demand from a messenger to be able to have VoIP. Even Instagram has VoIP these days. A photo-video-media sharing app. Let alone a messenger.

        • exapsy@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          I talked about various audiences not just myself. The person I replied to talked as if the app was made for him explicitly. “VoIP is not something I’d care about, file transfers are” like this kind of talking is like bruh, the app is not made only for you.

          • mckean@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            1 year ago

            yeah, the app is made for you and him. So doing the math we have a -1 “VoIP is not something I’d care about” and a +1 “Video calling too is something I personally use…” which results in 0% significance. So let’s just talk, voice our opinions, and chill.

            • exapsy@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              2
              ·
              edit-2
              1 year ago

              No, the app is made for everybody who wants to use a messenger. Not just you and him. It’s supposed to be under the standards of the feddiverse.

              The comments here are not a poll. Providing especially personal comments about a nerdy user like me and the guy I replied about “I would like it like ICQ” and such shit, would not help the creator make a good choice. Most people nowadays, especially zoomers, dont even know what ICQ is or how it works or how to even login to it. Most people, proven by ehm … the success of messenger, discord, whatsapp, telegram, viber, signal everything … want a messenger that provides what the mainstream messenger wants with most of the features that everybody provides and are mainstream used while having ease of access.

              We should try to help the creator. Not misguide him. Again, the comments are not a poll, they’re supposed to help to make a constructive conversation. And when you talk as if the app is made only about yourself, you’re not really helping.

        • TWeaK@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          2
          ·
          1 year ago

          We don’t take kindly to people who think they’re the only one here.

  • NeonPayload@infosec.pub
    link
    fedilink
    English
    arrow-up
    25
    ·
    1 year ago

    I’m not a fan of Pixelfed, or instaclones. But the idea of a messenger e2ee that works with all the fedi is such a awesome idea.

  • zitronen@feddit.de
    link
    fedilink
    English
    arrow-up
    25
    ·
    1 year ago

    I wonder, what 'works with the fediverse ’ could mean for a messenger and what could be features not already implemented by different messengers, like elements or the very signal.

    • Rinox@feddit.it
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      From the side of the Messanger, it could implement stories from pixelfed and communities from Lemmy/mastodon/kbin etc.

      I don’t know if anyone is asking for this, but Whatsapp has both, so someone must be using them, right?

      As from the side of every other fediverse app, I think it could be a good way of implementing DM functionality without developing and maintaining it for every single app. Maybe. I don’t know really, depends on how it’s developed/implemented

  • blunderworld@lemmy.ca
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Great news that it will work across the fediverse. I’d love to try pixelfed for example, but its got too much of a walled garden thing going on since nobody I know uses it.

    • Polar@lemmy.ca
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      2
      ·
      1 year ago

      I just uninstalled Pixelfed. Mostly because the app is absolutely garbage on Android, and the developer made it look like an iOS app.

      The app is just so dead. I’m happy to revisit later, but as for now I’ll stick with posting my stuff on Mastodon and Lemmy.

  • notenoughbutter@lemmy.ml
    link
    fedilink
    English
    arrow-up
    23
    ·
    1 year ago

    so this is basically fb messenger but it works with twitter, YouTube and reddit (their federated alternatives mastodon peertube lemmy) and is e2ee!

    super cool!

  • llama_spit@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    How is this different than something like Matrix? I’m probably just not understanding something…

    • NeonWoofGenesis@l.henlo.fi
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      1 year ago

      This is meant to work with the ActivityPub fediverse ie. Mastodon, Lemmy, Kbin, Pixelfed etc. and you would be able to use your current lemmy.world account for messaging.

      • waldyrious@lemm.ee
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        But why is that such a great benefit? We already have a myriad accounts for different services/platforms; would this be merely a marginal improvement over the current situation?

        • besbin@lemmygrad.ml
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          One of the most used feature of Facebook and Instagram is their messenger. It’s much easier for people to use the same account they use for social media to communicate with each other. A direct messaging feature within fediverse would augment the current ecosystem and make more people transition away from big corporations

          • waldyrious@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            I see, makes sense. So if I get it correctly, the idea is to make it easier for new people to join the fediverse, and not so much to improve the experience for those of us already here (although it seems that is also a goal).