The coming war on end-to-end encryption (qbix.com)
145 points by EGreg on April 21, 2023 | 52 comments



Any dumbing down of end-to-end encryption will hand Russia and China nuclear powered hacking tools for our economy, infrastructure and digital integrity. With near peer wars ongoing, I would relegate this stuff to a noise filter. The US DoD cannot afford encryption to be dumbed down. And they seem to understand that.

These initiatives will always exist because there will always be people that do not understand what encryption is and what it provides. But lots of smart people understand the consequences would be catastrophic, and rapid. We cannot eliminate dumb politically-motivated ideas.


Is the world becoming more and more Orwellian?

Is this a long term trend?

It got pretty much unnoticed on HN, that Europe recently voted to make all crypto payments illegal unless the seller collects the personal data of the buyer. Independent of the amount. So there will be a track record of everything bought via crypto.

Is it only a matter of time until cash is going away globally, and states have access to everything their people buy?

Regarding end-2-end encryption: It does not prevent a government from reading your messages anyhow. They could instruct Meta (or whichever company is in control of the app you use) to send them the messages you write directly from your phone. Or from the phone of the receiver. Or to send them the private key from your phone. They could also ask Apple or Google to do so, since those have access to everything on your phone.


>Regarding end-2-end encryption: It does not prevent a government from reading your messages anyhow

Yes, e2e in principle does. You are arguing that e2e on specific platforms could be wiretapped by government order, which is feasible.

I correct this because it's important to be technically correct when discussing this in public. E2e the technology is not broken.


Everything can already be tracked via crypto, that procedure of attributing a name to it just makes the process easier.

Additionally, everything you do buy is already tracked. Even with cash.

But unlike naysayers, these things already encroaching on our lives gives us even more reason to push for stronger E2E support as a default. Assuming it's done properly, and not "I just need to ask Google for the keys".


> Regarding end-2-end encryption: It does not prevent a government from reading your messages anyhow. They could instruct Meta (or whichever company is in control of the app you use) to send them the messages you write directly from your phone. Or from the phone of the receiver. Or to send them the private key from your phone. They could also ask Apple or Google to do so, since those have access to everything on your phone.

There is a huge difference between "use the encryption key you already have to decrypt this message" and "implement changes in your software that allow attacking this person".

Last I heard, US courts couldn't force companies into doing anything, only to reveal information, or to mandate secrecy. The idea of a warrant canary is 100% based on the idea that the government cannot force the company to publish a statement it does not wish to publish.

https://en.wikipedia.org/wiki/Warrant_canary


Yes, because computers and world leaders are getting more powerful and everyday citizens are becoming less so.


If I buy crypto and possess it in my own wallet afterwards I can use it however. At least with monero.


How will you anonymously collect the groceries you anonymously bought?


Obviously you can't pick up a grocery delivery and remain anonymous.

But in theory if you could pay for groceries with monero (you can't afaik), you could pay from the same wallet you conducted a hack from or purchased a darknet server to host leaked data with. The grocery store wouldn't know the originating wallet or any of its other activity.

Anyone who thinks grocery stores are going to allow monero payments is pretty naive, but Monero at least makes these flows possible.

For example, if Walmart decided to let people pick up orders with monero payments, you'd log in with your walmart account (linked with real name), place your order, pay to the generated wallet address with Monero, and then show ID on pickup. Walmart would have no way of knowing where the money came from.

I don't have any Monero or particularly like it (but mainly because I consider proof of work unsustainable and wasteful). But you have to admit the privacy implications are interesting, and the technology is impressive.


The more dystopian the internet gets, the greater the offline growth in commerce and communication.

And, as Tim Berners-Lee's invention drowns in DeepFakes and ChatGPT dystopia, this hardly seems a bad thing.


[flagged]


I think it would be much more likely that a startup comes along and makes the transaction tracking efficient, like with a trusted payment app, than finding some way around Orwellian government motives.


Sufficiently advanced satire? Or genuine proposal? Either way, I like it.


Eight years ago I took a whack at building a fully open source end-to-end encryption system. This is what I came up with at the time:

https://github.com/Spark-Innovations/SC4

It's a bit dated at this point. It doesn't have a ratchet. I did implement one, but never got around to integrating it:

https://github.com/rongarret/ratchet-js

I also had an MVP iOS app which was never launched.

The reason I gave up on the project was that no one seemed to be interested. I spent several years looking for customers and collaborators and basically found nothing. The conclusion I came to is that a lot of people complain about the impending end of E2EE but very few people are actually willing to do anything about it except whine.


> The conclusion I came to is that a lot of people complain about the impending end of E2EE but very few people are actually willing to do anything about it except whine.

The connection between E2EE and privacy is too ephemeral to make that kind of judgment. If you live in the United States or similar country with a strong rule of law, the idea of paying for or using a specific E2EE app is functionally like asking someone to pay for free speech.

And even if it was more clear, privacy is like free speech in that you can't really measure enthusiasm for it in that way. Free speech and privacy are fundamental values that people don't want to pay for (for good reason!). But that does not mean they don't care.

People really do care about these things. And many many people will change how they vote and how they engage in civic action based on these principles. But asking someone to change how they live/communicate with others requires more than an intellectual "which party / candidate should I vote for?" kind of thing. For most people you need emotional investment for someone to overcome switching costs based on nothing but ethical / political principle.

As long as the harm to losing these core rights remains abstract you won't be able to measure how much they care with metrics like that. It's a value that is too ephemeral and disconnected from day-to-day life to measure with a stick like "who will use this app".

But people can and do donate to groups like the EFF, and vote with their actual votes on this stuff. People really do care. Just like how people really do care about honesty, free speech, candor, trust, and other values of that sort. It's just, you know, hard to measure.


I agree that people generally don't concern themselves too much with how their information is protected. Most people simply assume that it already is or that they can't really do much about it without giving up a lot of convenience. However, I have noticed in specific cases, people do pay attention. In my case, I'm protecting contact information while sharing with others and most people think it is a great use of e2ee.


What is it? Seems like it's an implementation of ecc, but does what? A p2p chat? ::Shrugs:: I'm not sure the failure to adopt your one elusive product speaks for the entire pop.


Like it says right there in the README, in the very first sentence after the NEWS section:

"SC4 is a web application that provides secure encrypted communications and secure digital signatures. It is intended to eventually be a replacement for PGP/GPG."

I honestly don't know how it could possibly have been made any clearer.


Author here. Happy to see this went viral.

I have spent 12 years and 1 million dollars to date (no exaggeration, I worked jobs, architected trained / paid my developer team for years, we are now good friends) on a project to hopefully help people get a viable alternative to the Big Tech, and have choice where to host the infrastructure they typically expect from Facebook, Twitter, Telegram etc. It’s open source and it’s the only way you can make it expensive to backdoor everyone in bulk, or shut down a platform altogether:

https://github.com/Qbix/Platform

If you spend an afternoon playing with it, I think you’ll feel like you’re discovering superpowers (like Batman or Iron man or something). It’s free to use. We’re launching https://qbix.com/ecosystem soon, with courses and certification so anyone who wants to learn, click on my profile and email me.

Here is the philosophy behind why we built it: https://qbix.com/blog/2021/01/15/open-source-communities/

And if you like what we do and you’re thinking of supporting us with $100 or more, feel free to do it here… November 5 we are launching, until then you can voluntarily put a “no-obligation” contribution: https://wefunder.com/Qbix


The thing I don't get is... won't bans on end-to-end encryption ban https?

If I go to a website and ask for a web page over https, isn't the request and response between my device and the web server, an end-to-end encrypted message? Because the endpoints are my device and the web server.

If I can't send my credit card details to a payment provider over an end-to-end encrypted channel, doesn't all commerce on the web just fall apart?

How can a ban on end-to-end encrypted communication even fucking work?


Really short answer: They want back doors to all this stuff, including your cc info. As long as only the "good guys have" this ability, what could go wrong?


No.

To be particular, "bans on e2e" are specifically targeting encryption between individuals on communications platforms.

They won't and can't ban secure comms between a user and a site during a web session. But they want the messaging platforms to be able to reveal the plaintext of conversations to law enforcement.

Of course "they" can't stop coded messages, or me sending encrypted messages via email or media platforms. They're just making it harder for non technical people (some of whom are criminals) to have privacy.


Well, HTTPS is not end-to-end. That latter term is reserved for encryption that encrypts the messages between clients so servers can’t parse them.

When you have a centralized system like ICANN DNS, the governments know which IP addresses the domain points to. They can go and serve them National Security Letters or shake them down to install secret backdoors.

WhatsApp and Facebook can lie to you that they’re end-to-end encrypted. There is nothing stopping them from shipping custom updates. In fact they’ve been caught red-handed spying on both your video and audio. The only way you can be SURE an app isn’t lying to you is with open source software, then you only have to trust the OS and browser (the Trusted Computing Base).

(That is why I am a big fan of blockchain-based smart contracts. But blockchains are slow, so the next best thing is hosting your business logic using open source software on servers you control.)

Why do so many people trust Big Tech? Simple. We have no other choice!

Where are the VIABLE AND USER FRIENDLY open source alternatives to Facebook, Twitter, Telegram backends?

No one seems to have built anything better or more efficient than, say, Mastodon.

Except us. It was a labor of love and cost me a million dollars to date: https://github.com/Qbix/Platform

PS: If you play with it for an afternoon, post your experience or email me. I would be thrilled to hear about your experience, good or bad. And of course use it for anything you want.

I would be very happy to be proven wrong and see some more competitors being mentioned here, but if you do, make an honest assessment of how they compare! People need alternatives to the closed walled gardens, but having all these features working and up-to-date with browser tech is extremely hard: https://qbix.com/features.pdf


> Well, HTTPS is not end-to-end

I'm not well versed in encryption, but isn't this a matter of perspective? If you're downloading a .midi file from a server, the other "end" is that server, isn't it? Will the forces pushing this make any nuanced distinction, outside of this?


The “end” in end-to-end encryption for regular users is never a server.

Servers are online 24/7 listening and can be found and raided and/or hacked by various forces.

Clients are harder to locate. Especially if all you need to authenticate is a public/private keypair you generated.

That is why governments are so frustrated with crypto.


> The “end” in end-to-end encryption for regular users is never a server.

Why not? Are servers not communication endpoints?


I've found our problem. It appears the meaning has (apparently?) changed around 2014. Many search results you can find, including from IBM, and EFF, use the "old" (our) definition.

See: https://en.wikipedia.org/wiki/End-to-end_encryption#Etymolog...

> The term "end-to-end encryption" originally only meant that the communication is never decrypted during its transport from the sender to the receiver.

> ...

> Later, around 2014, the meaning of "end-to-end encryption" started to evolve when WhatsApp encrypted a portion of its network. ...

But, I don't have confidence that the policy makers will make this distinction.


So we're expected to use the layman's definition just because the technology became popular?


With that definition of “end”, “end-to-end encryption” isn’t different from just plain “encryption”. The significance of the phrase is that you don’t leak anything outside the ultimate ends of the communication, including to servers in the middle.


> The significance of the phrase is that you don’t leak anything outside the ultimate ends of the communication, including to servers in the middle.

Correct, but when you're viewing a web page (as opposed to using the web for peer-to-peer communications), that webserver is the ultimate end of the communication.


For the reason I just told you — they can be compromised much more easily, and are typically run by a party which isn’t fully aligned with your interests and those of the other participants in your conversation.


So what if I run my own server with a private guestbook. Is https not end to end encryption in that scenario?

I realize your point, that in most circumstances https is not being used as end to end encryption. But it can be, so wouldn't it also be attacked in this war?


Well, HTTPS with certificate chains without backdoors by a government is already technically illegal in some parts of the world.

But as I said, our definitions need to be useful. If the goal is for individuals to safeguard their conversations from prying eyes, then HTTPS is not the way to do it. Hence the government is likely to start with end to end encryption of the sort I have been emphasizing. With servers, they already have the tools… they can even IMPERSONATE YOU in Australia now and post as you.


>When you have a centralized system like ICANN DNS, the governments know which IP addresses the domain points to. They can go and serve them National Security Letters or shake them down to install secret backdoors.

HN opinions on CloudFlare aside, CloudFlare Tunnels mean DNS records point at CloudFlare servers, and the IP address of the origin server isn't discoverable via DNS. Sure, it's a court order away from being figured out even with dynamic IPs and historical logs with ISPs, but it's an interesting thought.

Qbix certainly looks very interesting. How have you guys been around for ten years and flown under the radar?


I’d like to say it was all part of a secret plan to not draw attention to ourselves until we were ready. But it wasn’t.

The sad truth is, we were always low on money and bootstrapping. We spent a lot of time building, and very little time pitching.

We pitched about 10 VCs total in this whole time. I remember being at an event where Reid Hoffman spoke, he said he pitched 99 VCs before he got investment.

But we spent zero on marketing and PR, and 11 million people in 100 countries downloaded our Groups app. But the app is not that interesting, people don’t understand that most of our users are community leaders.

What people don’t get is that in this space, you need ALL THE FEATURES that Big Tech platforms offer before people will switch. It simply took us 10-12 years to get to this point. I picked a hard problem, but a very rewarding one in the end.

Look, MySQL and NGinX took 10 years before VCs funded them. But to be fair, they grew a lot whereas Qbix didn’t. Maybe I and my team simply suck at making things viral. But I believe this year will change that.

Networking is hard. I’m a guy who came from an immigrant family in Brooklyn. I never moved to the West Coast. We applied to HN with Qbix every other year since 2011. Never even got invited to the interview.

Now, I personally know Noam Chomsky, Tulsi Gabbard, Andrew Yang, Tim Berners-Lee (see the photo at https://wefunder.com/Qbix), the Rohingya Project guys, Queen Diambi of a tribe in the Congo, the head of United Nations Capital Development Fund, the head of CoinDesk, and many more randomly assorted people I met over the years. But it took years.

And I still don’t know very good VCs. And many VCs still look at our open source project as ”too big”. They prefer to invest in small feature companies, which we can now spin off from our accelerator.

If you want to introduce me, I’m very happy to take a meeting and demo on Zoom.

And if you want to support it, just go to https://wefunder.com/Qbix and kick in $100 or something. We are gearing up to launch the 5th of November this year — and you’ll definitely not forget that :)


> Well, HTTPS is not end-to-end.

Sure it is. It's just that the "ends" in this case are your browser and the web server.


The coming war? It's been a protracted war since the 1980's. The NSA and the FBI have been hazing, threatening, infiltrating, and backdooring end-to-end encryption since the early days of PGP.


> backdooring

Name one attempt besides Dual_EC_DRBG. Also could you explain why that one took NIST 8 years to say "don't use it".


There are already legal backdoors not actually referred to as that legally and they are used by corporations to meet their regulatory requirements for things like DLP. Google for example supports this. HTTPS doesn't even matter, their site supports DLP appliances logging in and intercepting all corporate interactions on the platform. The same capabilities exist for non corporate but that is used by law enforcement. This exists on all major platforms. This would play into E2EE if the servers create and manage the client E2EE keys which I believe is the case currently on all platforms that support E2EE. I am told that implementing client side libraries like OTR is too hard or too much friction. So what I am saying is that encryption need not be compromised when all corporations willingly create lawful intercept and DLP APIs.

To get more information on this have your company reach out to each platform for DLP integrations.


What does this have to do with anything?


Nice! I worked on something that seems similar to this (https://redact.ws). Unfortunately there are a lot of challenges with adoption that seem difficult to overcome. One of the big challenges is that most people do not understand the nuances of privacy and encryption, and they aren't willing to jump through hoops to protect their data.


I like the intent of this! My main question is, how do we know redact.ws won't suddenly serve different Javascript one day, to certain clients, which send unencrypted payloads somewhere?


The redact server is an open source application that runs locally on the client.


How does a server run on the client? It runs on localhost! Right?

It can show the user their own info back to them in iframes?


I'm not the creator of redact, but it sounds like you're under the impression that the iframe src is redact.ws in which case I'd understand your concern.

My assumption is that the iframe src would be the local redact server, which would keep things as secure as the package the user installed (though there could be compromises at the network level I suppose)


Exactly. This section on the website should explain it with some more detail: https://redact.ws/how-it-works#client


This is fascinating, I was thinking about doing something in a similar space. Does past tense "worked" mean you're not still working on it?


Not actively. It's open source so feel free to poke around our code and docs, and you can find a contact form on the site as well if you want to chat.


-Delayed personal comms: EMail+GPG

-Realtime chat: Tox. You have it for Android at F-droid and Qtox for PC/Linux/Mac.

-Delayed 1-to-many comms: NNTP+I2PD

-Realtime, 1-to-many comms: IRC+I2PD


How is this coming war on e2e encryption different from similar wars since the 1990s? [1,2]

[1] "Doomed to repeat history? Lessons from the Crypto Wars of the 1990s", https://www.jstor.org/stable/resrep10502

[2] https://en.wikipedia.org/wiki/Crypto_Wars


This would be really great if there were an integration for dart/flutter. The fact that the API is implemented with such elderly stacks is kind of concerning


That’s an interesting point. I’m the chief architect of the company so I can speak to this, and happy to discuss / explore alternatives. But keep in mind we don’t have deep pockets, it took me 10 years of scraping by and paying my developers who have their families to support, just to get this far! (If you like what we do and you’re thinking of supporting us with $100 or more, feel free here: https://wefunder.com/Qbix)

Wordpress powers 40% of all websites in the world. It’s written in PHP. Facebook has chosen PHP as well and has helped PHP to new heights of performance. PHP 8 with Swoole or simply AmPHP now outperforms Node.js for instance, in terms of efficiency. But plain old PHP code through php-fpm with enough instances can approach 50% of that with no custom coding.

PHP is the most widely deployed runtime for Web2 hosting, and EVM is the most widely deployed runtime for Web3 smart contracts. We always strived to target the most widely supported platforms, so people could find many hosts, or set up their own easily.

We will be carefully building out https://qbix.com/ecosystem to support hosting in a variety of environments, including with poor and nonexistent internet on commodity computers and wifi mesh networks. We work with groups that range from the Rohingya Project to the Forward Party. We often need high-speed low-latency multimedia to be available locally, eg for educational purposes or planning a dinner.

So why not go with a rock-solid, tried and true platform, and maintain backward compatibility? We purposely avoid even the latest ECMAScript or PHP 8 syntax, to make sure that Qbix can run anywhere, same as Wordpress.

PS: Just like Discourse (another open source project we have integrated with and whose community we are friends with) our entire platform can be used as a headless REST API, so nothing is stopping you from building a front end for it in Flutter or React Native or the newest kid on the block: MAUI from Microsoft. We bet the company on HTML like Zuckerberg did in 2014 and we stuck with it. You don’t need to even install an app these days — just go to a site like https://intercoin.app or https://yang2020.app and use it. Put it on your home screen to get notifications in iOS 16. Use a ContactPicker to invite friends privately. Having said that, we do support Cordova natively out of the box. Sometimes the old ways are best :)


If anyone is wondering what a solution can look like, which can strike a balance between privacy and social good, the end of the article links to another one: https://community.qbix.com/t/balancing-privacy-and-accountab...



