On 2012.08.06 18.40, Jacob Appelbaum wrote:
> Eleanor Saitta:
>> It is true that you have to trust the server operator in both cases.
>> However, having a server configuration which does not completely
>> compromise user privacy (vs. the operator) by default, like Facebook
>> does, is still a significant improvement in many use cases, as is the
>> ability to have a diversity of server operators.
>
> That is only true if they play nice.
No, some potentially good server operators, in aggregate, are better for a population of users than a single operator known to leak data under many conditions.

> So this is where a lot of people take issue - you say "will be" without
> the acknowledgement that SSL has major issues and that it is thus,
> broken by many actors, right now. At least with the plugin version, we
> can try to mitigate that harm right now.

Except that with your harm mitigation, you push many potential users back to plaintext, where they are guaranteed to be owned. What percentage of potential cryptocat users would the plugin version have to stop from using the tool for you to accept that there was a place for the non-plugin version? If it's 100%, what you're actually saying is that you would rather those users had no security than even a chance at security through diversity.

>> It has been 21 years since PGP was released. To this day, it remains a
>> niche product at best. Users with real world security concerns rarely
>> if ever use encrypted email. It is exactly this attitude which is to blame.
>
> Right and OTR is the counter example. Will Cryptocat be the middle
> ground, where it's perfectly easy to use cryptography but missing key
> items that make it safe?

OTR in a traditional thick client is an example of a tool which provides good security while being realistically usable for technical users with full access to their machine. Don't get me wrong, it's great, but there are also users who can and will not be able to use it. They need tools too.

> It seems that you're speaking generally here because otherwise, it's
> unbelievably rude and frankly, silly. For better or worse - I've
> contributed countless hours to helping Nadim with Cryptocat.
I am largely speaking generally, but I'm also speaking specifically in the sense that you've actively undermined the utility of a tool here by encouraging Nadim to not make it available to users who cannot install software, which is and was the only reason to use it. Having both versions available is a reasonable compromise, but suggesting that the web version never be used is counterproductive given the userbase in question. I understand and appreciate your contributions in time -- I'm definitely not attempting to minimize that -- but you're still refusing to acknowledge that there exists an underserved userbase.

E.

-- 
Ideas are my favorite toys.