#mastondon Friends!
-
@mray But now you know why I'm asking. There is lots of energy around encryption but it's a very tricky thing to be done right. My point was simply that we start with some simple UX improvements and not wait for the encryption (given we already have private messages)
@scottjenson I'm pessimistic up to the point where you have to have to assume it will fail completely. Just as XMPP and MAIL failed.
The only encryption implementation with success were the approaches where the UX can be controlled centrally.
For MAIL there is #autocrypt now, it is astonishing how good it is – but email is still not encypted today.
XMPP/Jabber has OMEMO, but stillt struggles with client adoption and it isn't omnipresent.
Where it worked: #DeltaChat and #Signal both using a central library that can make sure encryption reliably lands at peoples fingertips.
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson one huge problem with private mentions is that they actually aren't equivalent to DMs... because if you try to talk about another person and link to their profile, you effectively "mention" them and they can see the message. I don't know of any other DM that works this way and the UX is extremely confusing to users and just wrong IMO.
I think private mentions should be scrapped entirely and reworked as a different AP object type than Note so that they are treated differently.
-
@scottjenson I was actually just thinking about why private mentions are even needed when there are other options like email for private and sensitive discussions between folks. I guess I never truly understand why they are needed in a public social network in the first place? Just leftover from Twitter precedent?
Private replies can be nice if you have something to say in context which you don't want to share super broadly
-
@scottjenson one huge problem with private mentions is that they actually aren't equivalent to DMs... because if you try to talk about another person and link to their profile, you effectively "mention" them and they can see the message. I don't know of any other DM that works this way and the UX is extremely confusing to users and just wrong IMO.
I think private mentions should be scrapped entirely and reworked as a different AP object type than Note so that they are treated differently.
-
@scottjenson I'm pessimistic up to the point where you have to have to assume it will fail completely. Just as XMPP and MAIL failed.
The only encryption implementation with success were the approaches where the UX can be controlled centrally.
For MAIL there is #autocrypt now, it is astonishing how good it is – but email is still not encypted today.
XMPP/Jabber has OMEMO, but stillt struggles with client adoption and it isn't omnipresent.
Where it worked: #DeltaChat and #Signal both using a central library that can make sure encryption reliably lands at peoples fingertips.
@mray I so appreciate your concerns. It's actually why (personally, I'll add) I'm concerned why encryption may take a while (the Mastodon team is very thorough and would not release a rushed version of this) This is why my original post really had nothing to do with "should we add encryption" but was rather "while we're waiting can we at least make some improvements?"
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson I am kind of surprised that no one has mentioned that "oh the admins of the servers shouldnt see my DMs!" Creates a moderation nightmare and a harassment loophole that really shouldnt be considered worth the hassle. I am on team "just use signal" because if you need to have a really private conversation with someone who didnt give you their private contact information, no you dont.
-
@mray But now you know why I'm asking. There is lots of energy around encryption but it's a very tricky thing to be done right. My point was simply that we start with some simple UX improvements and not wait for the encryption (given we already have private messages)
@scottjenson also dealing with encrypted chat inside the browser is extra spicy. I'd love to see people seriously tackling that, but I remain reserved.
-
@phillycodehound @scottjenson I was going to say that I pretty much feel the same, but on the other hand, Bluesky *kind of* has this feature now already?
A startup called Germ becomes the first private messenger that launches directly from Bluesky's app | TechCrunch
Social network Bluesky now offers private messaging by integrating the startup Germ's E2E encrypted messenger natively in its app.
TechCrunch (techcrunch.com)
Maybe something like this would work here as well rather than built-in?
sort of-- bsky is just verifying/confirming a self-attested Germ identifier. and no android yet, so only half of bsky users in the US and far less outside US.
@stefan @phillycodehound @scottjenson -
sort of-- bsky is just verifying/confirming a self-attested Germ identifier. and no android yet, so only half of bsky users in the US and far less outside US.
@stefan @phillycodehound @scottjensonHuge fan of the Germ team btw, and of MLS generally, i think MLS is the only DMs AP should be using and having groupchats with bsky users in them is kinda easy once we get modern/MLS+MIMI groupchat going across AP implementations... @stefan @phillycodehound @scottjenson
-
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
@scottjenson imo that’s totally fine. Just need to make it known straight up that the messages are not encrypted, which is more or less just an alert that hard blocks interaction until acknowledgement…
-
@scottjenson @phillycodehound Maybe there are, but that's where everyone I would want to communicate with are.
sadly signal doesn't make integrating or verifying from within Masto or other AP implementation easy (or debatably even possible)
@asmaloney @scottjenson @phillycodehound -
#mastondon Friends!
There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
* getting them out of the public timeline
* Having a stronger notification tied to the Private Mention tab
* (amount other things)But here is my MAIN question: How critical is it that these message are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)
If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.
Signal makes it easy to create a revocable "message me" link. I have one in my profile. If anyone wants to send me an encrypted message they can click on it and send one pretty easily.
I think reply controls and UX improvements should come first, maybe with, as others suggested, a note that the message is not encrypted (yet)
-
@scottjenson I am kind of surprised that no one has mentioned that "oh the admins of the servers shouldnt see my DMs!" Creates a moderation nightmare and a harassment loophole that really shouldnt be considered worth the hassle. I am on team "just use signal" because if you need to have a really private conversation with someone who didnt give you their private contact information, no you dont.
@Montaagge There is a lot of traffic on this thread and that point has been made by the way. It's a reasonable request. I just appreciate that it's not a simple ask and I'm hoping we can tackle some UX improvements WHILE the background work is going on.
-
@scottjenson I think, given today's climate, encryption should be a priority over UX changes. My thought is not whether microblogging DMs should be encrypted or not, but simply if *any* kind of messaging exists that is not public, on any service, it should be encrypted. It's the sad world we live in now where services can't be trusted. Non-public messaging that isn't encrypted shouldn't exist. Should microblogging services be Signal? Not at all. But DMs already exist, so now it has to be dealt with. Simply telling users "it's not for private discussions" isn't enough.
in 2026, gabe is absolutely right. a few years ago, i would've been the first one debating this position... but it's 2026.
@gabek @scottjenson -
Signal makes it easy to create a revocable "message me" link. I have one in my profile. If anyone wants to send me an encrypted message they can click on it and send one pretty easily.
I think reply controls and UX improvements should come first, maybe with, as others suggested, a note that the message is not encrypted (yet)
@gbargoud makes sense, thank you
-
Because "private" means "private", on whatever platform.
Platforms have different purposes. I'm not seeking for a Signal replacement, I just want the promise of "private" conversations to be kept. Like I'd expect it from any other platform that is speaking of "private" messages.
Like I expect every car to have functional safety belts.
More pointedly, I would accept DMs from (and periodically check my inbox for) Mastodon but i would not give my unique and precious signal identifier to all of mastodon and all who crawl it @katzenberger @scottjenson
-
in 2026, gabe is absolutely right. a few years ago, i would've been the first one debating this position... but it's 2026.
@gabek @scottjenson@by_caballero @gabek We've publicly announced we're working on encryption. It's a TON of backend work. It can proceed in parallel with UX work. It's not one vs the other. Especially as the UX work is FAR less than the encryption work
-
More pointedly, I would accept DMs from (and periodically check my inbox for) Mastodon but i would not give my unique and precious signal identifier to all of mastodon and all who crawl it @katzenberger @scottjenson
@by_caballero @katzenberger This is something that I have to admit a blindspot. There appear to be so many nuanced layers to "sending and encrypted message". For example, some just want to keep the admin from seeing stuff (that seems like the lowest level)
But at the highest level is for example protext organizing. I can't imagine ANYONE wanting to do that from a Mastodon account only because your profile and public posts likely leak a tremendous amount of personal info.
If you had a LOCKED DOWN account, sure it could work. My point is that I'm trying to understand these very different usages as we could naively asume we're good at one when we aren't. For example, I strongly feel that Signal very much still has a role here even if we do implement it correctly.
-
@by_caballero @katzenberger This is something that I have to admit a blindspot. There appear to be so many nuanced layers to "sending and encrypted message". For example, some just want to keep the admin from seeing stuff (that seems like the lowest level)
But at the highest level is for example protext organizing. I can't imagine ANYONE wanting to do that from a Mastodon account only because your profile and public posts likely leak a tremendous amount of personal info.
If you had a LOCKED DOWN account, sure it could work. My point is that I'm trying to understand these very different usages as we could naively asume we're good at one when we aren't. For example, I strongly feel that Signal very much still has a role here even if we do implement it correctly.
You know who's thought a lot about secure messaging? SWF's @mallory .
See also:
https://socialwebfoundation.org/2025/12/19/implementing-encrypted-messaging-over-activitypub/ -
You know who's thought a lot about secure messaging? SWF's @mallory .
See also:
https://socialwebfoundation.org/2025/12/19/implementing-encrypted-messaging-over-activitypub/@by_caballero @mallory @katzenberger Thanks for the intro!
