tinsuke

Love how it highlights that big tech (much to capitalism's fault, TBH) can only drive innovation if the tech has a moat around it, if no one else can, or would, copy it and deploy it at a lower cost.

Which is... the argument that people use to defend capitalism? That capitalism drives innovation and makes it accessible to everyone at the lowest possible price.

I like the frugal tech idea as much as I like degrowth.

From their own response (and due to logical thinking about how the LLM service works): https://fosstodon.org/@notesnook/114927444378333659

Strictly speaking, if you consider Lumo's GPU servers to be one of the "ends", then yeah, it is E2EE (you and the server being the ends).

But Proton own the GPU servers, and therefore have access to their private keys, so they can decrypt your messages as they arrive, before they're deleted, which happens after they're encrypted with your asymetric key (so only you can read it) and stored with zero-access.

I don't consider this safe. In a system where you are only interfacing with a computer (and not other users), E2EE should mean that only you have access to the unencrypted data, at any given time. Which is how Proton Drive works.

Stated can be a long way away from reality. That website statement can be changed at a whim and doesn't have any legal binding.

If you wanna rely on encryption to protect your privacy, you have to be encrypted/protected from the service provider too, that's what E2EE is all about, and what many of Proton's services provide, but Lumo not.

Keywords being "stored" and "history".

The LLM doesn't operate with encryption, so it is served and extrudes unencrypted data.

Proton operates the LLM, meaning Proton has access to your unencrypted data.

Comparatively, Proton Drive doesn't leak your files' contents at any point, even to Proton.

"Private" as in only you and Proton can access the messages' unencrypted contents?

This is a far cry from any other of their products where they can't access the user's data.

https://fosstodon.org/@notesnook/114927444378333659

Damn stupid me! Once again thought this was #goodnews

Sigh, feels bad that my subscription is paying for this kind of crap.

Oh, you're right.

It seems to have been implemented and working on 138, but broken since 140 (my current version), with a fix scheduled to come on 142.

I'm looking forward to that one!

Oh, I meant mutual TLS by "it". Edited.

That's no bug, mTLS just isn't implemented on Firefox (for Android) currently.

There are 2 proposed solutions on that thread:

1. It was possible on old versions of FF, but not the current ones. I believe this to be related to the versions prior to the revamp that happened circa 2020. (the author refers to a version that was already "old" by 2022). So it was something supported on OG Firefox, not not on the new (current, by 5 years already) version.
2. Using the debug menu's secret settings to enable "Use third party CA certificates". This is available on current FF, but that's no mutual TLS. It is about allowing CA certificates that you installed yourself on your device for server TLS auth.

Tried it and it was a breeze to set it up with Caddy!

Problem was... lack of client side support, specially on mobile.

Many (most?) client apps don't support it.

Use the PWA from your browser, you said? I hope you like Google and using Chrome, because Firefox for Android doesn't support it (mTLS) 😭 (for now, see replies)

Probably yes.

And probably due to EU mandating new phones to be supported for longer.

https://energy-efficient-products.ec.europa.eu/product-list/smartphones-and-tablets_en