Good day dear Lemmy community!
When I try to use Lemmy’s private messages, I get the following warning:

Warning: Private messages in Lemmy are not secure. Please create an account on Element.io for secure messaging.

It is very good to have this warning! However, can it be improved?
When I first encountered this wording, I was completely unsure whether the DMs would be totally public due to Lemmy’s limitations or its open stance, or whether the messages would have a similar security to e.g. email where your trust relies on TLS and the servers involved.

My proposal would be to change the wording to something like:

Warning: Private messages in Lemmy are not End-to-End encrypted. Please create an account on Element.io for secure messaging.

Or if the team is open to it,

Warning: Private messages in Lemmy are not End-to-End encrypted. Please use a platform with E2E encryption for private messaging.

Or if the team is even more open to it,

Warning: Private messages in Lemmy are not End-to-End encrypted. Please use a platform with E2E encryption for private messaging. Lemmy recommends Element.io and XMPP.

Thoughts? I’m ready to create a PR.

  • vas@lemmy.ml (OP)
    1 day ago

    Based on the comments so far, maybe something like this makes sense:

    Warning: Private messages in Lemmy are not End-to-End encrypted, so the respective instance owners are technically able to read them. Please use a platform with E2E encryption for private messaging. Lemmy recommends Element.io and XMPP.

  • XLE@piefed.social
    1 day ago

    Messages between two people are not exposed via public APIs, but they can be accessed by admins of 1-2 servers (depending on whether you’re sending these messages to someone on a different server).

    Element fixes Lemmy’s message content exposure problem, but none of the metadata problems (who is communicating with whom, when, how often, etc, are all still available to those 1-2 sets of server admins).

    • vas@lemmy.ml (OP)
      1 day ago

      Yes. And I think saying “messages in Lemmy are not End-to-End encrypted” is clearer communication than “messages in Lemmy are not secure”.

      • Drewfro66@lemmygrad.ml
        21 hours ago

        I think both are bad communication. When I hear “messages are not end to end encrypted”, I think that my ISP or a hacker might be able to see them but not, like, ordinary people. In reality, whatever shitheads are administrating either your or the recipient’s instances.

        I think “private messages are visible to both your and the recipient’s instance administrators” would be more clear.

    • Steve@communick.news
      1 day ago

      Yes. Rather than focusing on encryption (most normies don’t know what that really means anyway), point out that admins, not mods, have access to all messages sent.