Marcus Adams

2 years ago

Marcus Adams
2 years ago

Today I learned that when you "edit" or "correct" a message in #XMPP, the original message is still technically stored on the server or device. It's the client side that understands that the new message is an edit of the previous message, and "displays" it as such. But, if you send a password or something sensitive, "editing" the message after it has been sent might not remove the actual contents of the original version of the message, so make sure you use #encryption too.

#privacy #security

A screenshot of an edited message being displayed in the conversation view of the Dino XMPP desktop client. The message reads, "Disregard this message", and on the right the message encryption selection box is opened to read Unencrypted, OMEMO and OpenPGP.

This is a screenshot of the database entries for a message sent via Dino. These messages are stored in plain text by Dino, despite the fact they were encrypted in transit by OpenPGP. Message 2363 was the original message, 2364 was the edit made. Only message 2364 is displayed in the conversation view, but both versions of the message are stored in the database.

This entry was edited (2 years ago)

in reply to Marcus Adams

Nicoco

in reply to Marcus Adams 2 years ago

as a general rule, you should consider everything you send on the internet as non revokable, and yes, e2ee mitigates that.
That said, XEP0424 is starting to see adoption by clients and should make messages erasable from archives. But you'll still have to trust that clients and server are playing fair.

in reply to Nicoco

j.r / Julian

in reply to Nicoco 2 years ago

@nicoco this is also true for the proprietary/centralised messengers. If someone has a modified Signal or WhatsApp client, they could also not delete the message on request. So yeah, if you send a password in a chat I would always recommend changing it!

@Nicoco

⇧

Marcus Adams

Marcus Adams 2 years ago • •

Nicoco

j.r / Julian

Marcus Adams
2 years ago