Currently transport-layer encryption is implemented but the client/lib blindly accepts the server's certificate.
Update: a basic take on TOFU is in that just throws an error, but realistically there needs to be a way for the user to decide what to do.
The same thing is in the GTK client; nothing is in Android yet.
Reducing the scope of this issue to just be about TOFU existing at all, since #22 exists.
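
A sketch of the TOFU behaviour discussed in this issue, added here as an example and not the project's own code: the SHA-256 of the server certificate is pinned on first use, and a changed certificate is handed to a caller-supplied callback so the user can decide, with refusal as the default. The names `TofuStore`, `PinMismatch`, `fetch_der`, `on_mismatch` and the JSON pin file are assumptions.

```python
import hashlib, hmac, json, socket, ssl
from pathlib import Path

class PinMismatch(Exception):
    """Server presented a certificate different from the pinned one."""

def fetch_der(host, port, timeout=5.0):
    """Return the server's leaf certificate (DER) without CA validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # the TOFU pin replaces CA/hostname checks
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

class TofuStore:
    """Hypothetical pin store: {"host:port": sha256-hex} in a JSON file."""
    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self, key, fingerprint):
        self.pins[key] = fingerprint
        self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host, port, der, on_mismatch=None):
        """Return 'first-use', 'match' or 'replaced'; raise PinMismatch otherwise.

        Call this before any application data is sent over the connection.
        """
        key = f"{host}:{port}"
        seen = hashlib.sha256(der).hexdigest()
        pinned = self.pins.get(key)
        if pinned is None:
            self._save(key, seen)   # first contact: trust and remember
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Certificate changed: ask the user via the callback, refuse by default.
        if on_mismatch is not None and on_mismatch(key, pinned, seen):
            self._save(key, seen)
            return "replaced"
        raise PinMismatch(f"{key}: pinned {pinned[:16]}..., got {seen[:16]}...")
```

A client would pass `fetch_der(host, port)` to `check()` and wire `on_mismatch` to a dialog or prompt that shows both fingerprints.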