• LinuxSBC@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Beeper is pretty good with it, as they make it clear that it’s insecure and use an encrypted protocol to get the messages to the server. Still, it’s better to host your own (which Beeper lets you do, as it’s just Matrix) or not use it.

      • Bipta@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Your security is actually worse than a pinky promise in that case because you also have to consider that they could be hacked.

      • Rustmilian@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Due to complexity and limited auditing a number of vulnerabilites have slipped through again & again, like zero-click exploits for example. Take a look at the sear volume of CVEs and more importantly what they entail. While they do eventually get found & patched, its not ideal compared to other messaging apps like signal that are very much security first, features 2nd.
        A lot of people(normies), especially Apple users tend to think it’s super secure virtually impenetrable technology.

        • PlexSheep@feddit.de
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          The sheer volume of cves is not necessarily an indicator for insecurity. The CVE system is pretty bad and rulings are mostly arbitrary. For example, there was a recent curl “CVE”, where an overflow happened in some part of the app which was not relevant to security. I don’t remember the details, but the only solution to this apperent mess was that the main contributor of curl is becoming one of the guys that evaluate CVEs.

          CVE is a measure for the US government, and always assumes the worst in any case.

          That being said, I agree with you.

          • Rustmilian@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            I know what curl CVE you’re referring too.
            Yeah, that was pretty stupid, they marked it high severity when 1 It was already patched like a year prior and 2 it was a complete non-issue in the first place.
            Then some fuckin AI put forth another bogus CVE based on the one you’re referring.
            The curl dev was pissed, and rightfully so.

            And You’re right, it’s more so the details of the CVEs that’s important then the actual CVEs themselves.