Sorry for breaking the thread, but I arrived late to the list. Excuse my bluntness, but to my understanding of secure messaging there isn't a single secure messaging tool listed on https://www.eff.org/secure-messaging-scorecard
Everywhere we hear the buzz that metadata is the actual essence of bulk surveillance. It's the stuff that undermines the founding pillars of democracy and occasionally even kills people. How can it be ethically acceptable to call any tool "secure" that does not protect the metadata? Correct me if I am wrong, but I seriously do not see any of the metadata-protecting messaging systems in that list. I know very well that they are all experimental, but it is irresponsible not to openly say: Sorry people, there IS no well established and stable messaging system that will actually protect you as it should. All we can offer are tools that will protect what you talk about, not you as a person.

Whereas tools designed to protect not only the words, but also the person, aren't even known to the EFF it seems. There are several not-so-realtime things such as

- Bitmessage
- Cables (possibly needing an upgrade of its DHT)
- I2P Bote (possibly needing an upgrade of its DHT)
- Pond, if you DON'T use any known public server [1]
- Tor-SMTP, again only if you keep your SMTP server secret

And a few that are actually real-time capable:

- Retroshare over Tor [2]
- various TorChat thingies
- maybe some serverless I2P thing I should be aware of

Not to speak of how surreal it is to even list audits for proprietary software. We know by now that the agencies do anything which is in their power, so they WILL put backdoors into proprietary messaging tools AFTER the audit has been done. Betting on any proprietary tool to be safe is playing Russian roulette. It is therefore NOT OK to put a column for audits next to the column for source code availability, suggesting that those are orthogonal features that equally deserve a column. That is... unintentionally whitewashing PRISM.
It is absolutely inappropriate to list proprietary tools with ANY green ticks and to think it is a step forward to incentivize audits that serve no purpose at all while there are hundreds of GNU projects that deserve maximum attention concerning audits. Focusing on irrelevant audits harms the projects that NEED audits now.

No personal offence at anyone intended, I am just trying to make you change your minds on certain things by saying things the way I see them. Correct me if I'm wrong - correct your own thinking and actions if I am right. What we are doing here is relevant to the long-term future of humanity, so put pride aside and stick to the facts. Only facts can keep us from political manipulation, and it may be happening here.

[1] As Trevor Perrin smartly pointed out in https://moderncrypto.org/mail-archive/messaging/2014/000434.html "Tor Hidden Services in (Cables, SMTorP, Pond)", Sat Jun 14 13:31:19 PDT 2014

[2] Retroshare promised a year ago that it would soon be delivered with out-of-the-box support for Tor hidden services. By default Retroshare does direct F2F, which is the worst thing you could possibly do metadata-wise. Combined with hidden services, one for each person, it will not scale terribly and not be so great for file sharing, but it fulfils Trevor's requirements stated in [1]. And Retroshare, even though ugly and confusing, has better usability than enigmail, simply because there is no SMTP failing underneath.

--
http://youbroketheinternet.org
ircs://psyced.org/youbroketheinternet
