I don't get how people consider Stoat an alternative to Matrix/XMPP/etc when: - It does not support E2EE at all. - It does not support Federation at all. - It does not support video calls (but it's in dev tbf)

26 Posts 3 Posters 0 Views
  • Bunch of dergs

    @anthropy My first experience with Matrix was Element very strongly pushing you to "verify" your connection.

    The client fundamentally did not explain that that had to be done out-of-band. I did not, at the time, understand the very concept of verifying an e2ee connection.

    And like... how does an overloaded server prevent a message from being decrypted? If it can't serve up the keys immediately that's fine, I can wait, but like... There's no guarantee in the protocol that it'll happen eventually?

    Anthropy
    wrote last edited by
    #17

    @bunch_of_dergs it will happen eventually if server being overloaded is the reason for it. There are also other reasons for it, like the client not properly fetching older keys for encryption. New messages will load fine in that case. But it just goes to show building a client can be counterintuitive for security reasons.

    Security in general is tough, and while there could be a lot done to improve the UI/UX around it in Matrix and associated clients, the user will always be the weakest link tbh

      Bunch of dergs
      wrote last edited by
      #18

      @anthropy A "reattempt to fetch keys" button would work, then?

      So how does that work? There's an encrypted store on the server that stores the receiving keys for e2ee messages? And the clients sync the keys through there? What the client is missing is it not trying to sync older keys when it should?

      As for security UX, I mean... It could've just said: "If you have another way to reach this user, you may send them this string (of emojis, even?) and ask them to check if it's the same on their side. This way you know you are speaking to the same person. This is most secure if done in-person."

      There. That'd have solved my issue at the time, instead of pushing me to do some mystery thing that doesn't work 😛

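The out-of-band comparison described in the post above, as an added sketch that is not part of the thread and not Matrix's or Element's actual verification code: each device derives a short string from an X25519 key agreement and the two public keys it received, so the strings match only when both sides hold each other's real keys. The function names, the `example-sas-v1` label and the hex output format are assumptions made for this example.

```javascript
const crypto = require('node:crypto');

// Each device has its own X25519 key pair (generated fresh here for the demo).
const newDevice = () => crypto.generateKeyPairSync('x25519');
const pubBytes = (key) => key.export({ type: 'spki', format: 'der' });

// Short string one device shows its user. It depends on the ECDH secret and on
// both public keys exactly as this device received them.
function shortAuthString(me, peerPublicKey, iStarted) {
  const secret = crypto.diffieHellman({
    privateKey: me.privateKey,
    publicKey: peerPublicKey,
  });
  const [first, second] = iStarted
    ? [me.publicKey, peerPublicKey]
    : [peerPublicKey, me.publicKey];
  const info = Buffer.concat([
    Buffer.from('example-sas-v1'), // hypothetical label, not a real protocol id
    pubBytes(first),
    pubBytes(second),
  ]);
  const out = crypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 6);
  return Buffer.from(out).toString('hex').match(/.{4}/g).join('-');
}

// Both devices receive each other's real public key: the strings match.
function honestExchange() {
  const alice = newDevice();
  const bob = newDevice();
  return {
    alice: shortAuthString(alice, bob.publicKey, true),
    bob: shortAuthString(bob, alice.publicKey, false),
  };
}

// The relay hands each side a key it generated itself instead of the peer's.
// Each device still computes a string, but the two strings disagree.
function substitutedKeyExchange() {
  const alice = newDevice();
  const bob = newDevice();
  const relay = newDevice();
  return {
    alice: shortAuthString(alice, relay.publicKey, true),
    bob: shortAuthString(bob, relay.publicKey, false),
  };
}

console.log(honestExchange(), substitutedKeyExchange());
```

The comparison only means something when the two strings travel over a channel the relay does not control, which is why the check is done in person or through another app.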
        Anthropy
        wrote last edited by
        #19

        @bunch_of_dergs I don't know the exact details, but I do know that Matrix rotates the keys both for private and group E2EE chats once in a while, and if you miss a key then you won't be able to decrypt those obviously. Every client implements this differently; Element and derivatives (like Schildichat) seem to handle it fairly well.

        And yea again, I think Element and many other clients could improve their UI/UX by a lot in many ways also beyond this. It won't fix everything, but it will help.

          Bunch of dergs
          wrote last edited by
          #20

          @anthropy It'd have been such a simple fix UI-wise even... Or just ignore e2ee verification entirely for users who won't understand the need or purpose for such a feature. Just go for blind trust and have verification be optional - the chance they actually got MITMd is kinda low anyway.

          So... key syncing is a client-specific thing? There's no main protocol for it? I'll admit, the notion of sending something like decryption keys over the network is a very spicy notion, but I'm also getting the impression it may be unavoidable.

          • Anthropy

            I don't get how people consider Stoat an alternative to Matrix/XMPP/etc when:
            - It does not support E2EE at all.
            - It does not support Federation at all.
            - It does not support video calls (but it's in dev tbf)

            Building such a chat server is extremely easy compared to the challenges Matrix/XMPP/etc face. Anyone can build it with NodeJS and SocketIO tbh.

            It's got a pretty UI I'll give them that, and as far as no-federation no-encryption selfhosted chat it IS neat, but it's not a competitor IMHO.

            Funky Captain 𓆏
            wrote last edited by
            #21

            @anthropy Unfortunately, being basically a discord clone is a much better selling point for the friends I have even a remote chance of convincing to switch off discord than having robust security features. And in comparison to matrix, stoat is more hassle-free I must admit.
            I also don't have a way to host my own matrix server *with enough uptime* for them to consider it a good option, and without having a selfhosted server there's no discord bridging.
            The whole situation kinda stinks, discord shouldn't have become what it is, because now it's just entirely too hard to replace with just *one* other thing, but that's the expectation.

              Anthropy
              wrote last edited by
              #22

              @ItsFunkyCaptain I understand, but my problem is:
              - if hassle free and discord-like are the only expectation then there are better alternatives ( see https://mastodon.derg.nz/@anthropy/116079655246734772 )
              - If you actually care about not repeating the issues that plague Discord, federation is not optional
              - If you actually care about privacy and security, E2EE is not optional, and if you don't care, you can disable that in Matrix/XMPP too and get a more mature and federated alternative.

              People don't seem to think this thru

                Funky Captain 𓆏
                wrote last edited by
                #23

                @anthropy No, in theory you *are* right, yes. But what do I do when I'm met with a "I don't want to set up a million options, and preferably I don't want to install a new app at all, because I'm used to being here, so if yall leave we probably won't talk anymore" kinda response?
                As for my opinion on the alternatives, I've never heard of those except rocketchat. While I'm not against trying out lesser known options, popularity matters a lot to most people, if Stoat or something else gets enough movement it'll be much easier to convince people to switch.

                  Anthropy
                  wrote last edited by
                  #24

                  @ItsFunkyCaptain I have a few options I use, among which even Discord and Telegram because of that exact reason, but I refuse to use them for private matters, and I always offer people better alternatives.

                  I also think it's easy to overestimate Stoat's popularity because it appears popular within the Fedi bubble, but e.g. Mattermost is absolutely far more widely used, and Stoat is already creaking under its popularity gains, wasn't made for this.

                  Also: https://mastodon.derg.nz/@anthropy/115772278536082875

                    Funky Captain 𓆏
                    wrote last edited by
                    #25

                    @anthropy I kinda feel stuck between a rock and a hard place with this whole situation tbh. Either I get scoffed at and called a problem by the privacy community, or I get in verbal fights and ultimately lose my friends trying to force them into using objectively better options. Don't get me wrong, I *know* there are better things, I just can't get through to all the people I need to be able to utilize them.
                    That is to say, I myself don't just use Discord, the only reason I still have it at all *is* because of my tiny private "server" for me and friends.

                      Anthropy
                      wrote last edited by
                      #26

                      @ItsFunkyCaptain I do empathize there, and honestly same especially with my strong opinions on what actually constitutes as a healthy alternative.

                      Personally the workaround for me is to just use multiple things, running them all from my browser as much as possible to still deduplicate things a little.

                      I don't try to force anyone to do anything, but I am quite vocal about what I think makes sense, because otherwise we'll be running around in circles forever, as this isn't exactly the first time
