#mastondon Friends!
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson Thanks for asking! I'm a big fan of Encrypting All The Things, but my impression here is that the dangers of PMs on Mastodon have more to do with the potentially confusing UX, so I think addressing the UX issues would help the most in the short term.
Ultimately, I want users to be able to assume "private" means encrypted, so I'm very glad that's part of the plan. Yes, people can use Signal, but there's still a need to privately transmit one's Signal username at a minimum. Also, private threads can stem from public threads, so it's natural to have some facility for privacy here. Finally, I'm a huge Signal fan, but its centralization means a single point of failure, and makes it a huge target for authoritarian state actors, and I worry about it going down or being compromised.
I would like to see more visual distinction between public and private posts, like different coloring, so fewer people confuse them.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson encryption that still works if one of the parties changes fediverse servers seems like it maybe technically challenging
I also would note that a lot of my interactions on the Fediverse are not very “microblogging” focused. Ie this response isn’t a blog post.
I largely use DMs here for private but non sensitive content (like “hey your url is broken” or “you have a typo on that post”
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson I think making UX improvements to DMs is a great idea.
One of the biggest privacy problems with Mastodon DMs now is that people accidentally make them public.
Separating the private mention UI from the public posting UI will probably avoid a huge percentage of those user errors.
It'd be a big win for privacy.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson Hey Scott! I'm so glad you're tackling this issue. I have lots of trouble with DMs on Mastodon. I think you're addressing, these, but here goes:
The biggest one is how easily they're confused with regular messages. I routinely mess this up, and make private messages public, or vice versa.
The next is how hard it is to visualize threads - especially in the existing notification section. I often lose my place in complex discussions
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson And on encryption, I think you could probably launch with UX improvements only, and leave encryption as a "fast follow". E2EE might not be *critical* but it's a *super-nice-to-have* ~ especially on today's internet.
The fact that we call them "direct messages" isn't enough; people have a natural expectation of privacy when they send DMs, and the Fediverse doesn't really honor that right now.
The more systems we can make "secure by default" the better.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson I rarely use them due to the UX fears, encryption would be a cherry on top
-
@scottjenson And on encryption, I think you could probably launch with UX improvements only, and leave encryption as a "fast follow". E2EE might not be *critical* but it's a *super-nice-to-have* ~ especially on today's internet.
The fact that we call them "direct messages" isn't enough; people have a natural expectation of privacy when they send DMs, and the Fediverse doesn't really honor that right now.
The more systems we can make "secure by default" the better.
And.. you probably know, but just in case:
We have a solid spec for E2EE on the Fediverse now (https://swicg.github.io/activitypub-e2ee/mls) with #Emissary and #Bonfire launching later this year.
As you'd expect with end-to-end-encryption, *most* of the work is on the browser/client. The AP server changes are minimal: a new KeyPackage object to store, a new collection, & other small stuff.
When we have working JS code, it'll be AGPL, and you could use it as a baseline for Mastodon
-
@scottjenson I think making UX improvements to DMs is a great idea.
One of the biggest privacy problems with Mastodon DMs now is that people accidentally make them public.
Separating the private mention UI from the public posting UI will probably avoid a huge percentage of those user errors.
It'd be a big win for privacy.
@evan the already improved UX looks good, to me.
When drafting a reply to a public toot, the word 'Public' is prominent (first screenshot).
When drafting a mention, the separation is clear (second shot).
Without being blasé about privacy: if a person accidentally publishes in either of those contexts, it's human error.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson not at all critical.
Hint: you could re-run this as a poll, for the question.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
I think some people were using PMs for potentially sensitive info (addresses, Venmo, etc.), and having them slightly more secure puts people at ease.
What about standard public-key stuff, dropping a short public key in a metadata field, keeping the private key on the endpoint or in the client?
-
@scottjenson I think making UX improvements to DMs is a great idea.
One of the biggest privacy problems with Mastodon DMs now is that people accidentally make them public.
Separating the private mention UI from the public posting UI will probably avoid a huge percentage of those user errors.
It'd be a big win for privacy.
@evan @scottjenson
phanpy does a great job -
@evan @scottjenson
phanpy does a great job@virtuous_sloth @scottjenson actually, it doesn't separate the composition of private mentions from other types of posts. It's an option on the drop down. If you forget to change the option, your PM goes out with the default visibility -- often public!
-
@virtuous_sloth @scottjenson actually, it doesn't separate the composition of private mentions from other types of posts. It's an option on the drop down. If you forget to change the option, your PM goes out with the default visibility -- often public!
@evan @scottjenson
But if you forget to set it to PM, there are no stripes, which should be a jarring visual clue.I suppose adding a second compose button would make you choose sooner, but ultimately you have to always click on the right buttons in the right order.
They could change the default when you are viewing your PM list. That would make sense.
-
@mray Encryption is being explored by a FEP
Is the FEP public? I’ll love to check it out!
-
I think some people were using PMs for potentially sensitive info (addresses, Venmo, etc.), and having them slightly more secure puts people at ease.
What about standard public-key stuff, dropping a short public key in a metadata field, keeping the private key on the endpoint or in the client?@knapjack
How can the sender validate the public key hasn't been tampered with by the instance or server admin?It is a hard problem. There are solutions but it will be complicated.
-
in 2026, gabe is absolutely right. a few years ago, i would've been the first one debating this position... but it's 2026.
@gabek @scottjenson“It’s 2026” is about to be the final boss of product design:
Dev: Should we do this feature?
Me: It’s 2026, what do you think?
Dev: Say no more… -
@knapjack
How can the sender validate the public key hasn't been tampered with by the instance or server admin?It is a hard problem. There are solutions but it will be complicated.
For sure. Mainly I'm thinking about "Pretty Good Obfuscation" than a good solution. Something better than in the clear.
Really, delivery isn't guaranteed, so there are already potential issues about tampering that encryption won't necessarily fix, just maybe make abusing it harder.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson I would love to see UX improvements. Make it clear the limitations of "Private" Mentions. Make it hard to send a PM publicly. Users are misusing PMs now. The UX doesn't help the user. It would be nice to help them as soon as possible.
E2E would be fantastic, but encryption is going to take a while. And like another reply wrote: I'm not convinced it is possible on a federated system given email and xmpp still have only bad solutions to encrypted messaging.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson without encryption, what is the point of calling it a "private mention" ?
-
@knapjack
How can the sender validate the public key hasn't been tampered with by the instance or server admin?It is a hard problem. There are solutions but it will be complicated.
#TedUnangst seems to be off the Fediverse (and maybe the web) but linking this here for posterity: https://github.com/timkuijsten/honk/blob/fork/encrypt.go
