this post was submitted on 27 Aug 2025
1 points (100.0% liked)

Lemmy Support

5065 readers
1 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 7 years ago
MODERATORS
dessalines@lemmy.ml
1
Private messaging is not "secure" - can this wording be improved? (lemmy.ml)
submitted 8 months ago* (last edited 8 months ago) by vas@lemmy.ml to c/lemmy_support@lemmy.ml
5 comments fedilink hide all child comments
 

Good day dear Lemmy community!
When I try to use lemmy's private messages, I get the following warning:

Warning: Private messages in Lemmy are not secure. Please create an account on Element.io for secure messaging.

It is very good to have this warning! However, can it be improved?
When I first encountered this wording, I was completely unsure whether the DMs would be totally public due to lemmy's limitations or its open stance, or whether the messages would have a similar security to e.g. email where your trust relies on TLS and the servers involved.

My proposal would be to change the wording to something like:

Warning: Private messages in Lemmy are not End-to-End encrypted. Please create an account on Element.io for secure messaging.

Or if the team is open to it,

Warning: Private messages in Lemmy are not End-to-End encrypted. Please use a platform with E2E encryption for private messaging.

Or if the team is even more open to it,

Warning: Private messages in Lemmy are not End-to-End encrypted. Please use a platform with E2E encryption for private messaging. Lemmy recommends Element.io and XMPP.

Thoughts? I'm ready to create a PR.

top 5 comments
sorted by: hot top controversial new old
[–] Drewfro66@lemmygrad.ml 0 points 8 months ago (1 children)

I think the larger point is that private messages are visible to instance admins.

[–] vas@lemmy.ml 0 points 8 months ago* (last edited 8 months ago)

Yes. And I think saying "messages in Lemmy are not End-to-End encrypted" is clearer communication than "messages in Lemmy are not secure".

[–] XLE@piefed.social 0 points 8 months ago (1 children)

Messages between two people are not exposed via public APIs, but they can be accessed by admins of 1-2 servers (depending on whether you're sending these messages to someone on a different server).

Element fixes Lemmy's message content exposure problem, but none of the metadata problems (who is communicating with whom, when, how often, etc, are all still available to those 1-2 sets of server admins).

[–] vas@lemmy.ml 0 points 8 months ago

I agree. That's why I propose to clarify the wording.

[–] vas@lemmy.ml 0 points 8 months ago* (last edited 8 months ago)

Based on the comments so far, maybe something like this makes sense:

Warning: Private messages in Lemmy are not End-to-End encrypted, so the respective instance owners are technically able to read them. Please use a platform with E2E encryption for private messaging. Lemmy recommends Element.io and XMPP.