Conversation

Okay so just people don't misuse my experience here: the person I'm talking about here was christel, so good riddance of her. Migrate to Libera Chat, if you're in doubt. Also remember "privmsg" is not private, though. Doesn't matter who's on the staff.

Quote Tweet

Diego Elio Pettenò

@flameeyes

May 19, 2021

In unrelated small world news, what's the chance that there's an overlap between the people involved in today's Freenode shenanigans and the group of people that hated me so much as to Photoshop my face on top of photos of Nazi soldiers back in the Gentoo fights, ay?

Show this thread

Replying to

Re: "privmsg is not private", IRC is a great medium for public discussion of topics where it's fine for anyone to join and listen, & the limitations of the medium help to remind of that. It's not a suitable medium for secrets.

Replying to

and

Public chat rooms act as a starting point for private discussions. It's natural to direct message people in the room as a way of starting a private discussion. Needing to move to another platform for private discussions draws into question the use of IRC for the public channels.

Replying to

and

Yes, this is a client failing though. They could/should just do e2ee for private one on one chats over IRC transport.

Replying to

and

I guess DCC used to be the hotness to solve that stuff back in the days. But yeah, no particular reason, beside standardizing a common way for clients to do it.

Replying to

and

Yep. That was back when ISPs weren't dragnet spy infrastructure. Nowadays there's no need for DCC; the server transport is fine as long as you use e2ee. Not sure how OTR works but Noise handshake over IRC would be low overhead and trivial to implement.

Replying to

and

It can be painful due to lack of persistent state on the server though. The sessions need to keep being re-synchronized, etc. It was always a pain to use IRC OTR. Element's session verification and cross-signing is now smoother than any other E2E encrypted chat apps I've used.

Replying to

and

Does OTR have signing (nonrepudiation)? That would be so awful for IRC. Big advantage of authenticated DH handshake over signing here is that it doesn't provide nonrepudiation.

Replying to

and

OTR avoids this via the forward secrecy approach as does the more modern Signal protocol. Signal protocol was essentially a successor for OTR designed around making it into a proper asynchronous communication protocol. Matrix gives it proper multi-session support.

Replying to

and

Cross-signing in Element means that after you verify your own sessions on the same account from each other, they can bootstrap trust for each other. For example, if you have a desktop and mobile session and verify with someone else from mobile, it verifies the desktop one too.

7:27 PM · May 24, 2021Twitter Web App

Replying to

and

You can use separate accounts when you want them to be separate or multiple sessions on the same account when you want it to be transparent to other people. If you add a session, you verify from an existing one and it ends up being verified by other people through you doing it.

Replying to

and

Everyone can see that you have multiple sessions though, and they can choose if they want to rely on the cross-signing to verify them. It's really nice to have this transparent by default though. Element has the most usable experience that I've seen for non-technical users.