No, that’s like 20% of the blog post. This was a “2025 Retrospective” blog post. I always try to give a fun title to my end-of-year blogs. 2024’s was https://soatok.blog/2024/12/18/the-better-daemons-of-our-profession/

You’re thinking of the wrong admin lol

Until the mods randomly decide to censor you, like they did with my post about tech companies disrespecting user consent.

Oh, fair. I just remember getting a LOT of notifications from both apps. I didn’t check the exact ratio,

why it this separate mechanism needed in the first place?

Because ActivityPub was not designed for E2EE. That’s the simplest answer.

The longer, and more technical answer, is that doing the actual “Encryption” part of E2EE is relatively easy. Key management is much harder.

I initially set out to just do E2EE in 2022, but got roadblocked by the more difficult problem of “which public key does the client trust?”.

Certainly. Thanks <3

The client side is its own beast. See https://github.com/soatok/mastodon-e2ee-specification?tab=readme-ov-file#components from my initial project (the “key transparency” thing from today slots neatly into the “Federated PKI” hole).

No, if you read the post it will make more sense.

Or the specification if you’re more technical.

If you want E2EE for Mastodon, you need key management to be solved first.

This solves a lot of the key management pain. It’s not v1.0 stable yet, but it’s finally implemented. I’ve been working on the spec for nearly 2 years.

It’s a building block to make E2EE possible at Fediverse scale.

I’ve written about this topic pretty extensively: https://soatok.blog/category/technology/open-source/fediverse-e2ee-project/

If you can build in Federated Key Transparency, it’s much easier to reason about “how do I know this public key actually belongs to my friend?” which in turn makes it much easier to get people onboarded with E2EE without major risks.

Correct

Don’t use Commercial VPN services.

Thanks. Happy to help! <3

You’re the one that chose to comment on my post lol

Hell, even Mullvad uses WireGuard. Your argument is the most confidently incorrect I’ve seen on Lemmy ever since that one furry shouted over me to recommend Matrix instead of Signal.

Wireguard is not a vpn, there is no usable vpns built on wireguard,

Tailscale

Oh hell yeah.

TL;DR from oss-security:

At a glance, what I found is the following:

1. Session only uses 128 bits of entropy for Ed25519 keys. This means their ECDLP is at most 64 bits, which is pretty reasonably in the realm of possibility for nation state attackers to exploit.
2. Session has an Ed25519 verification algorithm that verifies a signature for a message against a public key provided by the message. This is amateur hour.
3. Session uses an X25519 public key as the symmetric key for AES-GCM as part of their encryption for onion routing.

Additional gripes about their source code were also included in the blog post.

That’s a reasonable thing to dislike about it.

I dislike that I can’t reply to another message with a sticker.

I also dislike that, despite having admin access, I can’t delete abusive messages left in groups for anyone but myself. That makes it unsuitable for building communities.

How much can you control the conversation if the entity you are discussing only wants their name published?

It’s not about what they want published. It’s about what they don’t want published.

Sure there will be a few GDPR letters and maybe an inquiry by some regulatory body. Satisfyingly annoying to them, but compared to the cost of an advertising campaign; would this not be just a drop in the bucket.

Advertising campaigns generally don’t include OSINT on the people behind it and evidence of their crimes. How does what I published help them increase their revenue or reduce their costs? Everything is ruled by incentives.