What small, easy things can the average person do to start protecting their privacy today?
“Just do what you can without overburdening yourself. So, use #ProtonMail, use #Signal or #Threema, use #DuckDuckGo — these are very good alternatives. And whenever you can, say no to cookies.
@sergeant Solid advice 👍
@ilyess @sergeant When Protonmail sends you a notice that you have a msg waiting, there's apparently no way of knowing if the msg that's waiting is actually just an announcement from Protonmail themselves. So you could be forced through hoops like Protonmail's #CAPTCHA only to find spam waiting. CAPTCHA has ruined #Protonmail as far as I'm concerned. I wouldn't want to lead someone into their CAPTCHA trap.
@sergeant @ilyess #Signal is not a good recommendation either: https://github.com/privacytoolsIO/privacytools.io/issues/779 And #DuckDuckGo is also quite lousy: http://techrights.org/2021/03/15/duckduckgo-in-2021/
@sergeant @resist1984 you’re right. Unfortunately, as it stands today #Signal remains the best #privacy preserving messaging service out there for novice users. I’m thinking of users who just wanna put in their phone number and find all their contacts and start conversations, just like they did on Whatsapp.
We might not all agree with Signal’s move to introduce crypto but we don’t have proof that it makes the messaging service less secure or less private.
@ilyess @sergeant The mobile phone number requirement makes #Signal less secure than #Wire, #Jami, #Briar, & #Snikket. It creates a large & unpredictable attack surface in addition to expanding threat agents from the cryptocurrency. The worst part is it pushes an ultimatum on people: get mobile phone svc (huge can of worms) or be excluded.
@resist1984 That depends on your threat model, right? I don't think requiring a phone number makes #signal less secure, it makes it not anonymous for sure but the cryptographic strength of the underlying Signal protocol remains state-of-the-art.
Wire and Briar are not fair contenders here because the former is not free and the latter solves a different problem than Signal which comes with its set of feature limitations.
1/2
@ilyess It's the other way around. Your threat model depends on the threats. By inviting a new threat (by introducing cryptocurrency), you must expand your threat model. If you don't, your threat model simply suffers from being unfit for purpose. The phone number also makes Signal less secure because that's a needless vector for key recovery.
@ilyess #Wire is not forthcoming about the gratis service. Obviously the corp premium service pays their bills so it makes sense that they would focus on that & downplay the less profitable services. Wire #justWorks, it's usable for normies, and most importantly it's inclusive (unlike #Signal). It works on mac,win,linux,ios,android. The metadata is public but it works over tor automatically
Can you explain your remark
"The metadata is public but it works over tor automatically"
Can you provide your source of that info? I was not aware Wire works over tor. Thanks.
@NatCor @ilyess This differs between the desktop & mobile versions. The mobile version seems Tor-unaware when I look at the settings, but a transparent proxy (#Netguard + #Orbot) will force it over Tor (and it works). The desktop app is based on #Electron. It's broken on the recent #Debian #Bullseye but when I ran it on past OSs I noticed that it detected and utilized Tor automatically.
@resist1984
@ilyess
So Wire does not officially claim their msgr is Tor enabled. As I have not read anywhere on the Wire website their msgr is Tor enabled. I just want to be clear. It's the user's own setup. OK.
@NatCor @ilyess I see nothing written that claims Wireapp auto connects to Tor, only that it is Tor-capable. See https://github.com/wireapp/wire-webapp/issues/1882 and https://support.wire.com/hc/en-us/articles/115005697189-How-I-can-connect-through-a-proxy-server-on-desktop- I think it was a forum or blog that told me Wire connects to Tor automatically, and I confirmed it w/tests.
@ilyess @NatCor But I have to say this statement is a bit alarming: “some features like calling might not work or lower the anonymity of Tor or I2P”. I think what drives that comment is the latency inherent in Tor (which harms voice quality substantially), but I've not had significant issues with that.
@NatCor @ilyess Wire does not require a phone number, but you must give either a phone number OR an email address. If you choose to give a phone number, or you give Wire an email address that is tied to your identity, then that metadata could then perhaps be aggregated with the Tor exit node that you might be using. But OTOH every app gets a different Tor circuit anyway.
What are your thoughts on Session Msgr?
No phone, No email. federated, virtually zero metadata, e2ee, PFS, ephemeral, 3-hop onion routed, data locally stored on device, non profit org, FOSS, voice video onion routed on the horizon.
@NatCor @resist1984 #session is great especially for a one-off exchange with a stranger thanks to the lack of phone number requirement. I also use it with more privacy-conscious contacts that don’t mind the reduced feature set.
@NatCor @resist1984 @ilyess prefer session over wire.
@resist1984 Metadata is public as in details about who’s talking to who, when, and for how long is accessible by Wire?