• @tal@lemmy.today
    36
    3 months ago

    it would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.”

    Mmmhmm. Apparently the Threadiverse is about to become illegal in Florida.

    First, let’s generate a strong public-private GPG keypair for myself and some hypothetical other Threadiverse user, anotheruser@lemmy.today:

    $ gpg --quick-generate-key tal@lemmy.today
    $ gpg --quick-generate-key anotheruser@lemmy.today
    

    And show the tal@lemmy.today public key:

    long keyblock
    $ gpg -a --export tal@lemmy.today
    

    And then show an example of someone else importing it, pretending that they’re anotheruser@lemmy.today (though in my case, I’ve already got the tal@lemmy.today public key in my keyring):

    another long keyblock
    $ gpg -a --import <
    
    • @CosmicTurtle0@lemmy.dbzer0.com
      10
      3 months ago

      Not that I disagree with your point, but Florida law is only relevant within Florida and, to a limited extent, the United States. Admins of US-based instances could likely be subpoenaed and then held in contempt if they refused, assuming they don’t pull a PornHub and just block all of Florida.

      That said, this is very worrying since subpoenas have a MUCH lower threshold of legal bearing than warrants. I suspect that Apple will likely challenge this in court or they stop selling iPhones there.

      • @tal@lemmy.today
        6
        3 months ago

        Oh, yeah, my concern isn’t really that Florida is planning to go after instance admins — I’m just being sardonic — so much as to point out that any practical enforceability of this is going to have a lot of issues.

        I mean, do you mandate that Lemmy disallow third party clients? Try to force them to detect and block encrypted messages? What happens if I start dumping big PGP messages steganographically in images and simply send those? What happens if the image I’m sending is just a link and isn’t even uploaded to pict-rs on a Lemmy instance?

        I don’t need to move a whole lot of bits to send messages, and it’s really hard to block people who can send any data at all from having software send data that cannot be read by intermediaries, use the existing social media channel to agree upon out-of-band communications channels that social media operators have no control over, and so forth. Like, okay. Say I am a child-molesting terrorist drug running money launderer or whatever. I know someone who uses Facebook.

        Let’s even say that Facebook does a fantastic job of detecting and blocking any E2E-encrypted communications like PGP messages of the sort I mentioned in the above comment.

        Okay. Now let’s say that there is some other non-social-media system that uses OTR. I use Facebook to send someone my identity on that OTR system, as well as – which doesn’t need to be in any kind of standardized format — the shared secret OTR uses to bootstrap trust between two parties. That shared secret becomes useless after the initial handshake completes. Is Florida going to figure out everything that I’m saying, manage to break into whatever other channel I’m using, and MITM the thing? Probably not, since even if they subpoena Facebook and Facebook gives them that shared secret, it doesn’t let them later MITM the OTR communications.

        That sounds complicated, but from a user standpoint it’s “Let’s talk on . I’m , and here’s .” The other person fires up their program, pastes string in, and unless Florida have already subpoenaed and MITMed that channel, at that point, the deed is done – out-of-band E2E-encrypted communications are bootstrapped, and Mark Zuckerberg can’t read them or let anyone else read them even if he wants to do so.

      • taco
        1
        3 months ago

        …Florida law is only relevant within Florida and, to a limited extent, the United States.

        And even then only to the extent those with the power to do so choose to enforce it. It might matter if you or I break the law; it will not matter in any meaningful way if Meta does.

    • @tal@lemmy.today
      4
      3 months ago

      Actually, on second thought, maybe the automated in-webpage decryption via the plugin thing I stuck at the end is a bad idea if it just inserts the decrypted stuff right into the page (not sure if this is the case). Like, I bet that a malicious or compromised instance could serve up JavaScript in the webpage it provides to read and send the decrypted content from the web page.

      But not a problem for the approach in general, just decrypting-in-place in a webpage. Would benefit from client support in general, though.

      EDIT: Also would be nice to have user profile bios have enough space to actually fit a PGP public key, if that is to be used to distribute PGP public keys (rather than keyservers or something, though one issue with using Lemmy instances to distribute them is that a compromised instance could list bogus pubkeys for users who haven’t yet obtained a local copy of the pubkey for a given user). Presently, it looks like the character limit is extremely short on lemmy.today, which is presumably using the Lemmy default; 300 characters. I’d think that it could at least be boosted to the comment length limit of 10,000 characters.
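
The comment above notes that a compromised instance could list a bogus public key for a user whose key you have not yet stored locally. As an added example (not part of the thread), the sketch below pins the OpenPGP v4 fingerprint of the first key seen for a user and flags any later change; `check_pin`, the `pins` dictionary and the sample key bytes are hypothetical and constructed for illustration, and v5/v6 keys and five-octet packet lengths are not handled.

```python
import base64, hashlib, struct

def dearmor(armored):
    """Return the binary packets inside an ASCII-armored OpenPGP block."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]        # skip armor headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def first_packet(data):
    """Parse the first packet header (RFC 4880, 4.2); return (tag, body)."""
    hdr, first = data[0], data[1]
    if (hdr & 0x40) and first < 192:            # new format, one-octet length
        tag, n, off = hdr & 0x3F, first, 2
    elif (hdr & 0x40) and first < 224:          # new format, two-octet length
        tag, n, off = hdr & 0x3F, ((first - 192) << 8) + data[2] + 192, 3
    elif not (hdr & 0x40) and (hdr & 0x03) < 3: # old format, 1/2/4-octet length
        size = 1 << (hdr & 0x03)
        tag, n, off = (hdr >> 2) & 0x0F, int.from_bytes(data[1:1 + size], "big"), 1 + size
    else:
        raise ValueError("unsupported packet length encoding")
    return tag, data[off:off + n]

def v4_fingerprint(armored):
    """SHA-1 over 0x99, 2-byte length, key packet body (RFC 4880, 12.2)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def check_pin(pins, user, armored):
    """Trust on first use: pin the first fingerprint seen, flag any later change."""
    fpr = v4_fingerprint(armored)
    if user not in pins:
        pins[user] = fpr
        return "first-use"
    return "match" if pins[user] == fpr else "MISMATCH"

def constructed_key(material):
    """Constructed sample: v4 packet framing around dummy bytes, not a usable key."""
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + material
    pkt = b"\x99" + struct.pack(">H", len(body)) + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(pkt).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----")

if __name__ == "__main__":
    pins = {}
    for blob in (b"A" * 16, b"A" * 16, b"B" * 16):  # third fetch: the bio shows a different key
        print(check_pin(pins, "anotheruser@lemmy.today", constructed_key(blob)))
```

Pinning only detects a key that changes after first contact; the first fetch still has to be checked against a fingerprint obtained over a channel the instance does not control.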