this post was submitted on 27 Aug 2025
15 points (100.0% liked)

Lemmy Support

4966 readers
3 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 6 years ago
MODERATORS
dessalines@lemmy.ml
15
Private messaging is not "secure" - can this wording be improved? (lemmy.ml)
submitted 4 days ago* (last edited 4 days ago) by vas@lemmy.ml to c/lemmy_support@lemmy.ml
7 comments fedilink hide all child comments
 

Good day dear Lemmy community!
When I try to use lemmy's private messages, I get the following warning:

Warning: Private messages in Lemmy are not secure. Please create an account on Element.io for secure messaging.

It is very good to have this warning! However, can it be improved?
When I first encountered this wording, I was completely unsure whether the DMs would be totally public due to lemmy's limitations or its open stance, or whether the messages would have a similar security to e.g. email where your trust relies on TLS and the servers involved.

My proposal would be to change the wording to something like:

Warning: Private messages in Lemmy are not End-to-End encrypted. Please create an account on Element.io for secure messaging.

Or if the team is open to it,

Warning: Private messages in Lemmy are not End-to-End encrypted. Please use a platform with E2E encryption for private messaging.

Or if the team is even more open to it,

Warning: Private messages in Lemmy are not End-to-End encrypted. Please use a platform with E2E encryption for private messaging. Lemmy recommends Element.io and XMPP.

Thoughts? I'm ready to create a PR.

top 7 comments
sorted by: hot top controversial new old
[–] vas@lemmy.ml 7 points 4 days ago* (last edited 4 days ago)

Based on the comments so far, maybe something like this makes sense:

Warning: Private messages in Lemmy are not End-to-End encrypted, so the respective instance owners are technically able to read them. Please use a platform with E2E encryption for private messaging. Lemmy recommends Element.io and XMPP.

[–] Drewfro66@lemmygrad.ml 5 points 4 days ago (2 children)

I think the larger point is that private messages are visible to instance admins.

[–] vas@lemmy.ml 1 points 4 days ago* (last edited 4 days ago) (1 children)

Yes. And I think saying "messages in Lemmy are not End-to-End encrypted" is clearer communication than "messages in Lemmy are not secure".

[–] Drewfro66@lemmygrad.ml 1 points 4 days ago

I think both are bad communication. When I hear "messages are not end to end encrypted", I think that my ISP or a hacker might be able to see them but not, like, ordinary people. In reality, whatever shitheads are administrating either your or the recipients instances.

I think "private messages are visible to both your and the recipients instance administrators" would be more clear

[–] Steve@communick.news 1 points 4 days ago

Yes. Rather than focusing on encryption, (most normies don't know what that really means anyway) point out that admits not mods have access to all messages sent.

[–] XLE@piefed.social 4 points 4 days ago (1 children)

Messages between two people are not exposed via public APIs, but they can be accessed by admins of 1-2 servers (depending on whether you're sending these messages to someone on a different server).

Element fixes Lemmy's message content exposure problem, but none of the metadata problems (who is communicating with whom, when, how often, etc, are all still available to those 1-2 sets of server admins).

[–] vas@lemmy.ml 2 points 4 days ago

I agree. That's why I propose to clarify the wording.