Abusive clients

[evanp]

"As an ActivityPub user, I want to be confident that the client I’m using is not simply recording the plaintext of my DMs and pushing them online or leaking them in some way, so I can feel safe."

(this may be impossible and we may just have to assume that people choose good, trustworthy clients - this would be a strong area for an SDK to be developed that people can mostly drop into their apps)

[Openmedianetwork]

As you say, this is likely impossible. So we move responsibility from the instance to the app and phone operating syteam?

[nightpool]

In existing, trusted e2ee deployments, clients are verified through several defense in depth mechanisms, many of which are non-technical. We should make sure to understand the constraints and limits of those deployments when designing recommendations for e2ee ActivityPub, since they'll affect the space of possible user stories.

Current e2ee security clients gain trust through several different mechanisms:

• They are cosigned and distributed by a third party, like Google or Apple, who users judge as unlikely to cooperate in coordinated targeted spearphishing campaigns against individual users. That is, users can trust that they are getting the exact same client code / binary as everybody else in the world, which is impossible in a web-based deployment.
• They are audited by security professionals, who are both paid for their services and gain reputation and fame through their public disclosure of security vulnerabilities. This relies on external security professionals having the client code available to decompile, which is reinforced by the previous bullet.
• They are widely used by others who have serious security concerns, and have done their own research and perhaps paid for their own audits of the codebase. They're promulgated by high-reputation organizations that are easy for users to trust (ones with a strong ideological bent and no significant government affiliations, like the Tor Project or the Signal Foundations, or large multinational corporations with a significant amount of reputation on the line that users judge would be compromised if the corporations provided access to third parties or weakened their implementation, like Whatsapp's or Apple's e2ee deployments).

Overall, this means that the baseline for creating a strong, trustable e2ee clients is much, much higher than many organizations in the fediverse today are able to surmount. So we will have to think carefully about what sorts of expectations we'll have for our reference implementations and how we'll find implementors willing to meet those goals.

[evanp]

In existing, trusted e2ee deployments, clients are verified through several defense in depth mechanisms, many of which are non-technical.

I think we can include non-normative language about choosing client apps, and give a non-exhaustive list of the ways client apps can be treacherous.