Revolt
Replies: 2 comments 8 replies
-
|
You forget about everything being hosted on Amazon servers and whats even worse, that Cloudflare is used ontop of that. What is the purpose of using TLS over HTTP if you use Cloudflare, which is able to (and even needs to) decrypt all the traffic that goes through their network, so basically everything you send to revolt, starting with your login credentials and over to every single message (private or not). It's all readable cleartext for those companies, despite telling users that your connection is encrypted, those companies still can see every byte you push through their networks. This gives quite a bitter taste over everything. But to come back to the maintopic a little more, yes it seems that everything runs on more of an trust-based relation. Since everything is stored in cleartext, all u can do is just trusting them at the current point. Federation would help with alot of these issues, but it seems that (at least in the near future) is not going to happen for us sadly :/ |
Beta Was this translation helpful? Give feedback.
-
We don't use AWS, we host on Hetzner.
see https://github.com/orgs/revoltchat/discussions/248, there is no better option than Cloudflare. Even if we did switch to a different software that does similar things it would still have the same issues as what you are having with Cloudflare.
There is no way around this apart from using E2EE, which will be available for DMs and group DMs in the future.
Federation doesn't solve security issues, it only allows for accounts to be imported and for servers to communicate and allow seamless transitioning between instances, each instance still has access to all the messages on that instance, it doesn't increase security in any way. If you don't agree with how we run the official revolt you are able to selfhost it and run it differently to how we run our instance. |
Beta Was this translation helpful? Give feedback.
-
Which brings us to
That post sadly didnt tell me what Cloudflare makes it "THE" service for you guys to use it, nor why you really need to use it in the first place. For just migrating some attacks there should be much simpler solutions that can be build yourselfs for really little money. DDoS protected servers that also could be used for caching static files at the same time arent something new nor hard to set up. And this would ensure that the data of the users would be kept in the right hands.
Seems like you got me a bit wrong there. Despite federation CAN add security in some cases, it would mostly solve alot of the problems that come with actually trusting where the users data goes to, which obviously is a thing people like to care about here, otherwise why mentioning it on the landingpage? :v |
Beta Was this translation helpful? Give feedback.
-
|
Vercel is a static site host which we deploy our frontend on, no user requests are routed though it. We use Cloudflare for multiple of there features, a large part of it we rely on is the DDOS prevention which is near impossible to do our self - if we did it would be very costly to do at scale. That's why its outsourced to a separate service.
As said above, we use Vercel for static file hosting so this isn't an issue for us.
Federation does not solve trust, it merealy shifts the trust from us (Revolt) to whoever is running the instance, you still have to trust that instance as they would still hold your data if you use that instance. |
Beta Was this translation helpful? Give feedback.
-
Exactly. Why should I trust you? This is the entire problem with most services. If they take off they get sold to other larger companies or venture capital firms who have no qualms about using the data to make as much money or let governments sift through it as much as they want. If I trust myself or my buddy or my friends friend to handle my data responsibly than that is my choice. At least I know it's handled by a regular Joe like myself and I have a personal relationship with that person. The chance of it being misused is significantly lower than if some company that has to keep the lights on has it |
Beta Was this translation helpful? Give feedback.
-
"Privacy first" can have lots of meaning, the way we use is in the way that we don't sell, or use your data outside of what's needed for revolt to run, we also allow you to delete all of your data from our platform on request.
Cloudflare is a trusted company and doesn't store any personal information like login information that is sent between the client and revolt. Cloudflare also does other things for us, such as DDOS protection, CMAS, DNS and other features.
We are still in beta and lots of the features we plan on having are not finished yet, do not expect everything to be finished yet.
Revolt is an alternative to other chat platforms, we don't aim to compete or bring down any other chat platform. If you don't agree with how we run the official revolt you are able to selfhost it and run it differently to how we run our instance. |
Beta Was this translation helpful? Give feedback.
-
That's maybe a feel goody corporate marketing version of privacy. I wouldn't call it "privacy first" considering there isn't any real effort to ensure privacy on the platform. At best, you're privacy respecting by adhering to minimum guidelines defined by applicable law. You're still operating on a "just trust me bro" approach like any other company. It isn't just myself that has a problem with your description by the way. Every person I've talked to (each with 10-25+ years experience in the tech industry) and shown the project to that has been working in the sector for years has also taken umbrage with your use of "privacy first". I'd recommend you change it to something more accurate like "privacy respecting" or "GDPR compliant" |
Beta Was this translation helpful? Give feedback.
-
|
Mate, these folks are making something pretty cool. If you need to live in a bomb shelter, fork it & host it yourself. Or you could actually be helpful & make a pull request with some privacy features. |
Beta Was this translation helpful? Give feedback.
-
|
Even if Revolt isn't "privacy first", it's still user-first which is a huge improvement over other services. |
Beta Was this translation helpful? Give feedback.
-
|
Being privacy first is being user first. If you can't be privacy first, you aren't user first |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
On the landing page for revolt the claim that the project is "Privacy first". Generally when a group makes that claim they are attempting to build a platform that is zero trust, federated, and/or zero knowledge. Based on what I've seen, this project does none of that. Chats are currently stored in cleartext on the host server (from what I can tell) operated by Revolt and while there is a plan for E2EE DMs that hasn't been implemented yet. My question is how exactly is this a "privacy first" platform when the operators themselves have knowledge of every bit flowing through their system? So far the only difference I see is this platform is open source and isn't a mid-size company like Discord.
Beta Was this translation helpful? Give feedback.
All reactions