137
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 17 Sep 2024
137 points (94.2% liked)
Technology
59598 readers
2060 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
That last bit is a little concerning. E2EE is widely understood to mean full end-to-end encryption of communications, not selective encryption of just the audio/video bits while passing the text around in the clear. If Discord starts writing "E2EE" for short when describing their partial solution, it is likely to mislead people into thinking their text chats are protected, or thinking that Discord is comparable to real E2EE systems. They aren't, and it isn't.
Their use of the word "auditable" here is also concerning. What does it mean for a protocol to be auditable? Sure, it's nice that they're publishing their design, but that doesn't allow independent audit of the implementation that actually runs on their servers and (importantly) people's devices. Without publicly auditable code that can be independently, built, run, and used instead of the binaries they provide, there's no practical way to know that it matches the design that was reviewed. And even if code is made available, without a way to verify that the code being run is the code that was inspected, any claim giving the impression that the system was audited is misleading at best.
This sort of thing has historically been ripe for abuse. (See also: downgrade attack.) I hope they are very careful about how they implement it.
Interesting. This makes me wonder if their motivation might be eventual compliance with the European Digital Markets Act. If that is the case, perhaps they also have a plan in the works for protecting text chats?
My early impression, based on what they wrote:
This won't fix Discord's major fundamental flaws. However, if their E2EE A/V design holds up to scrutiny, and if they were to fix their problematic language and provide truly auditable client code, the protection offered for audio & video could at least reduce Discord users' exposure to unwanted harvesting of voice & face samples. A step in the right direction, and a timely one, given that biometric data collection and AI impersonation are on the rise.
Their whole writeup is somewhwere between "trust me bro" and "enough holes you can legally sell it as swiss cheese".
I'm utterly confused as to who the target market for this is since their current userbase clearly does not care if shits encrypted or not, and any even remotely privacy oriented person is going to have the exact same take you did.
The code is very auditable. I have not audited it myself though so I have no idea if it's actually good, but you can absolutely audit it.
EDIT: Just read through the Javascript portion, which seems incredibly anemic. Each file is like 20 to 40 lines of code max. I did notice there is a C++ folder though, I'm guessing that's where the meat and potatoes are.
Is Discord client code available?
kind of
If you download the client, it's just an electron app, so all of the bits written in js/css/etc are sitting right there in the client itself. People have used this to repackage it with customizations, such as webcord (nicer user experience on Linux) and others.
As for the compiled bits... well, every binary executable is open source if you're brave enough