feld@feld@friedcheese.us: @phnt @benpate good question. I think the reality will be more like - flawed implementation, terrible rollout - Mastodon and maybe Pixelfed support it (seems like something dansup would jump on) - all the logic has to be in the client (or frontend) alright. Now we've got an app store with a ton of shady looking fedi clients (we're that popular guys). How long before any of those are modified to exfiltrate your keys? How long before the first incel server admin that wants to spy on some female account so they backdoor the FE to steal their keys next time they login? As soon as one of those events happens, now trust is gone. So Mastodon has to restrict access to this feature to the official Mastodon app and the official Mastodon servers. UHOH SPAGHETTI-O

Home | Notifications | New Note | Local | Federated | Search | Logout

Note Detail

Reply to @feld@friedcheese.us
Phantasm@phnt@fluffytail.org (2026-04-15 00:41:27)
@feld @benpate I wonder what Soatok thinks of this after trying for years to wedge E2EE into ActivityPub. But ultimately, they went the easy route and chose MLS and AP as a dumb transport protocol.

They probably won't bother with proper key management and instead make it device-to-device, or copy the way OMEMO does it. Maybe with only publishing a new public key being possible by approving it from a device with an already published key.

I don't think any of this matters anyway as the whole concept is kinda useless when you already have 10+ secure messaging apps at your disposal.
---Reply---
feld@feld@friedcheese.us (2026-04-15 01:29:09)
@phnt @benpate good question. I think the reality will be more like

- flawed implementation, terrible rollout

- Mastodon and maybe Pixelfed support it (seems like something dansup would jump on)

- all the logic has to be in the client (or frontend)

alright. Now we've got an app store with a ton of shady looking fedi clients (we're that popular guys).

How long before any of those are modified to exfiltrate your keys? How long before the first incel server admin that wants to spy on some female account so they backdoor the FE to steal their keys next time they login?

As soon as one of those events happens, now trust is gone. So Mastodon has to restrict access to this feature to the official Mastodon app and the official Mastodon servers.

UHOH SPAGHETTI-O


---Replies---

silverpill@silverpill@mitra.social (2026-04-15 01:34:54)
@feld @phnt @benpate It doesn't seem to be an issue in the Matrix ecosystem where people often self host web clients.