this post was submitted on 20 Aug 2023
666 points (87.4% liked)
Lemmy.world Support
3212 readers
1 users here now
Lemmy.world Support
Welcome to the official Lemmy.world Support community! Post your issues or questions about Lemmy.world here.
This community is for issues related to the Lemmy World instance only. For Lemmy software requests or bug reports, please go to the Lemmy github page.
This community is subject to the rules defined here for lemmy.world.
You can also DM https://lemmy.world/u/lwreport or email report@lemmy.world (PGP Supported) if you need to reach our directly to the admin team.
Follow us for server news ๐
Outages ๐ฅ
https://status.lemmy.world
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Sure, Lemmy does not offer end-to-end encryption by default, which means that your messages could be intercepted by someone who is able to access your ISP's network or the Lemmy server. A red flag for me is the fact that Lemmy stores some user data on their servers, such as your IP address and email address. This data could be used as breadcrumbs.
Lemmy may not sell user data to third parties, but what about the servers? There have been some security vulnerabilities found in Lemmy's code. These exploits could result in servers being hijacked or user accounts compromised.
So, what does all this mean? It means that it is your personal responsibility to take steps to protect your privacy and security when using Lemmy. This includes using the encryption feature, being aware of the risks associated with using Lemmy, and carefully evaluating the privacy policies of any platform before you use it.
I know it's a lot to keep track of, but it's important. Your privacy is your business, and it's up to you to protect it. So take these things seriously, and don't let anyone take your privacy away from you.
About the concerns with Discord:
Creating a post saying, 'everyone else does it' and locking it is funky in my book. I, like you, I am all about transparency and understanding. I fully understand your anxiety, and it is a bit warranted. I am not trying to sound like an alarmist.
On the subject of Discord, it is amazing and disturbing how much data is curated and harvested. Their business model is quite mysterious. No one really knows what their real motives are. Discord shrouds itself and does not provide clear and concise privacy audits or statements on the subject.
You are concerned about your privacy, and rightfully so. Lemmy is designed for privacy from the ground up when used properly and only with encryption functions enabled. Discord, on the other hand, unfortunately has a stranglehold on the instant messaging backbone.
CVE-2021-29465: This vulnerability allowed attackers to overwrite any file on the system with the command results. This could have been used to steal user data, install malware, or take control of Discord servers.
CVE-2021-29466: This vulnerability allowed attackers to read local files from the server. This could have been used to steal user data, such as passwords or chat logs.
CVE-2021-34491: This vulnerability allowed attackers to bypass Discord's rate limit, which could have been used to send spam or DDoS attacks.
CVE-2022-22936: This vulnerability allowed attackers to take control of Discord servers by exploiting a flaw in the Discord Token Generator.
These are just a few examples, but I would be lying if I said they were not patched. That being said there is no telling how many zero-day security risks are out there at this time, so it is important to stay vigilant and ask the hard questions to ensure that your privacy is protected.
Lastly, you could totally start a community here on .world for Discord alternatives. It's a easy breezy lemon squeezy way to find people who are also into privacy and security.
I just wanted to address a single point from your comment:
If the Lemmy server is using HTTPS, nobody at your ISP or anywhere else between you and the Lemmy server should be able to read your messages (they could see that you are exchanging data with a particular host, but not the contents).
Glad someone mentioned this already, not so surprised OP hasn't either updated their comment or replied