Another statement about #ThriveMessenger
Someone has been saying that its not safe to recommend all because it simply uses SSL/TLS for encryption. They are forgetting that its an early alpha, and once we move into beta it will be using an XMPP protocol most likely. So before anyone starts believing this person in my replies, just know that its safe to use despite what this person is saying.
Edit: Passwords are, not, stored in plain text, so no, the damage is not done.
Discussion
Loading...
@alexchapman Yeah that's not what they said at all. What they said is that it's missing end to end encryption, and to be honest I don't know why you are embarrassing yourself when you clearly aren't a programmer and can't address these technical topics appropriately. Anybody who actually knows how this works will quickly realize that, so you're really just giving this app horrible PR.
@NikJov Not really, but OK, think what you want, there's far more people that are liking this than finding shit to throw around.
@alexchapman Whether I like the app or not is irrelevant to this discussion, and this is the part that's very important to understand. There are no personal feelings involved in "Is this app secure enough for me to use it to chat with my friends?" If you're going to be throwing tantrums each time somebody complains about something, then the app doesn't have a bright future, and I probably won't use it just based on that alone. Being mature is just as important.
@NikJov I'm not, quote unquote, throwing tantrums. I'm saying this is an early alpha, its right there in the releases, alpha, alpha, alpha. Things are not all complete, and people who join on know that when they download the installer, as it is labelled an alpha right there. But end to end encryption will come when we get the XMPP implementation sorted once all the UI stuff is finalised, as there's stuff that's being changed around and improved upon.
@alexchapman That's really cool, an alpha can and should mean things may be buggy, things may crash and not work at all, but for a chatting app, I'm sorry, but an alpha cannot mean we don't care about security right now, because it is open to the public right now, and people are going to be using it for chats right now. One attacker can screw your reputation up forever, no future updates will matter if that happens, so you need to avoid that as best as you can.
@NikJov But it is secure, in the sense that messages aren't stored on server, and passwords are not in plain text. It would take god knows how long to do some end to end encryption shit of our own, that's why we're waiting to get the user facing shit sorted, before we spend time on implementing XMPP. But here's the thing, your attitude honestly raises the question, if you're so bothered about messages not being seen, does that mean you have something to hide? Like literally, you're freaking out all because there's currently no end to end encryption, like that looks so sus dude.
1+ more replies (not shown)
@alexchapman Someone should point out to this person that if they do any online banking, that uses SSL/TLS encryption...
@jaybird110127 @alexchapman But they were, and it should have never been released like that. You can deflect and hollar all you want but yes, the damage was done as soon as someone realized that was happening and pointed it out. Now we know you either didn't know or care enough to check for such a serious and obvious security issue. If you didn't know and now you do, then that's at least something and maybe we can get past this if you survive dealing with the people in this community who have way too much time on their hands so will make running something that requires moderation and legal protections very difficult if not impossible for a team of just a couple people.
@GamingWithEars @jaybird110127 Oh come on, there's no such thing as damage was done, the damage yeah was done at the time, but it has been undone with the commit and subsequent release that then fixed that by autohashing all passwords. So drop it!
@alexchapman @GamingWithEars I see both sides of this. Yes, it's been fixed. But the fact is that storing user passwords as plaintext is something you just don't do in this day and age. Even if no backup copies of older server-side databases with plaintext passwords still exist, there's no way to prove a negative like that to anyone who may be concerned. In my case it doesn't matter, as I used a password I've never used anywhere else.
@jaybird110127 @alexchapman @GamingWithEars ok I will admit, that's fucked up. also Alex, do actually tell me one thing, and I ask this with all respect.
what hashing algorithm is it using?
@adisonverlice @jaybird110127 @GamingWithEars Argon2, its stated in the commits I think.
@alexchapman btw, while we're here, another question. how many argon2 iterations does it use?
1+ more replies (not shown)
@alexchapman @jaybird110127 @GamingWithEars also while, yes, it was fucked up, it has been fixed, which is good. i'd also recommend passkey authentication if possible, it is good at what it does. i'm actually working on a CF implementation using CF workers that uses cloud flare workers, and authenticates based on OIDC
1+ more replies (not shown)
1 more replies (not shown)
@jaybird110127 @GamingWithEars Yeah, and that's why as soon as it came to light it was fixed right away. There's no point in holding that against us now its done.
@alexchapman @jaybird110127 And that's good you fixed it promptly. I may make an account if like I say, it can survive what is going to no-doubt be a huge headache for everyone responsible for the development of this. Not holding it against anyone, but this happened so it does give myself and others pause. But I'm taking the wait-and-see approach.
@GamingWithEars @jaybird110127 OK then. Stu and I are not giving up on this, especially since platforms like Discord are doing stupid stuff, and people are getting sick of the state of WhatsApp on Windows now.
1 more replies (not shown)
@alexchapman @NicksWorld Anything that has stored passwords in plain text is not safe to use, even if that is no longer the case. In my opinion, the damage has already been done. I'm glad this came to light. The person who posted this, originally, did everyone a favor, in my opinion.
@Lynn @NicksWorld Not really, the passwords are not in plain text, so its perfectly safe, people just have to make sure they're on the latest release, and if they are that worried, they can go settings and change password.
@alexchapman I see a lot of crap because it's vibe coded more than that. People love to hate what they can't detect. They know people like me vibe codes because we won't shut up about it, or they look at my code and it's painfully obvious. that's about it. That's what they don't realize.
@serrebi Yeah, well I had to tell this guy to shut up as I'm not spending all day back and forthing about the same shit.
@alexchapman No kidding. Obviously there are limits to vibe coding. I'm realizing this myself. They should give cred where it's due instead of assuming we're all exaggerators.