
[dead]



This looks kinda sus. Why would or should anyone use this, @exfildotcloud?


Good question. All encryption happens in the browser. I may release the code but it's really just Go Age WASM with a KV backend.

What's suspicious?


Closed source, and the HN account just for this purpose/service.


Second the closed source nature. Believing that something closed source is actually encrypting messages is the same as believing in “trust me bro”

Tho, you can be open source without being FOSS if you want to give customers the ability to verify what you’re doing without giving away your IP.


Thank you.

Age encryption is open source. I suppose I could open source it as I am not looking to sell anything with this service. I am mostly looking for feedback.

What would give you the peace of mind to use this with confidence? Considering that Signal, WhatsApp, etc. are all closed source, tied with phone numbers requiring extra identifying info, I put this together as an experiment.

I will start on releasing the code and build.


> I will start on releasing the code and build

Good! This is a great way to get more feedback and potentially more users. I'd encourage you to make it easy for folks to self-host.

You can still maintain control and the ability to make it a paid service, even if you choose an AGPL license.

> Signal, WhatsApp, etc. are all closed source

False. Signal is open source. See https://news.ycombinator.com/item?id=38585458

Except a server-side anti-spam component, apparently? See https://en.wikipedia.org/wiki/Signal_(software)#Licensing

> tied with phone numbers

This is a valid concern about Signal and it comes up often. I believe any privacy risk around your phone number leaking or being tied to your activity on Signal is sufficiently mitigated by the folks who run the Signal servers (the Signal Foundation) since plaintext phone numbers are only used for initial SMS verification. They are then discarded, apparently. Contact discovery/matching is done on the device only with SHA256 hashes of phone numbers.

And now you can discover/connect with others via usernames that can be changed at any time and hide phone numbers altogether.

Hmm, but https://support.signal.org/hc/en-us/articles/360007061452-Do... disagrees with https://en.wikipedia.org/wiki/Signal_(software)#Contact_disc... ... that's not good.


I don’t personally use Signal or WhatsApp, but I also don’t seek out extra secure messaging apps.

Right now, if I was to go extra secure, my go-to would be something built on the Matrix protocol. I would probably spin up my own Synapse node for total control. But I am a programmer, technophile, and FOSS nerd, so I may not be your target audience.

That being said, I think I’d have confidence if I could see the code and a signed build with some way to verify that the code I see published by you is in fact the code on my device.


Signal clients are open source.



