Greetings!
A friend of mine wants to be more secure and private in light of recent events in the USA.
They originally told me they were going to use telegram, in which I explained how Telegram is considered compromised, and Signal is far more secure to use.
But they want more detailed explanations then what I provided verbally. Please help me explain things better to them! ✨
I am going to forward this thread to them, so they can see all your responses! And if you can, please cite!
Thank you! ✨
You must log in or register to comment.
In my view, by far the biggest reason to switch is that Telegram doesn’t end-to-end encrypt chats by default.
Yes you can start encrypted chats specifically, but i’ll bet 99% of chats on telegram aren’t encrypted - meaning whoever has access to the telegram servers can read all the messages.
Signal claims to end-to-end encrypt all chats by default, and if you want to be 100% sure you can in theory read the source code and compile the app yourself. this means signal cannot read any of your messages, even if police asks them to or servers get seized. That’s a massive advantage in privacy.
Telegram for random public chatter/file storage(with password lock), talking to strangers without giving them your number. Signal for personal/private conversations.
Spread your data (encrypted or not) around, so a single entity doesn’t own your digital life. Your device can handle 2 apps and don’t give them permissions willy nilly. Geez, every one of these posts just wants to start a flame war.
If you have a safe, but cannot open it, do you own the contents inside? Signal has no way of accessing your data, I would argue they don’t own it.
Telegram rolls their own crypto. That should be the biggest red flag by far. I say this as a telegram user
The encryption method they use was made up by them, and the chats aren’t even end to end encrypted by default. Which I would argue is a larger red flag.
I can’t speak about telegram, but signal is absolutely not secure to use. Its a US-based service (that must adhere to NSLs), and requires phone numbers (meaning your real identity in the US).
Matrix, XMPP, or SimpleX are all decentralized, and don’t require US hosting.
So if I understand it Signal has your phone number but only logs sign up date and last activity date. So yes they can say this person has Signal and last used it on date X. Other than that no information.
Matrix doesn’t require a phone number but has no standard on logging activity so it’s up to the server admin what they log, and they could retain ip address, what users are talking in what, rooms, etc. and E2EE is not required.
I think both have different approaches. I’m just trying to understand. On one hand you have centralized system that has a standard to minimize logs or decentralized system that must be configured to use E2EE and to remove logs.
They have your phone number (meaning your full identity, and even current address), and as the primary identifier, it means they have message timestamps and social graphs.
Its impossible to verify what code their server is running. Or that they delete their logs, because they say they do? You should never rely on someone saying “just trust us”. Truly secure systems have much harder verifiability tests to pass.
This entire article is guessing at hypothetical backdoors. Its like saying that AES is backdoored because the US government chose it as the standard defacto symmetrical encryption.
There is no proof that Signal has done anything nefarious at all.
There was also no proof that a ton of US companies were spying on their users, until the global surveillance disclosures. Crypto AG ran a honeypot that spied on communications between world leaders for > 40 years until it got exposed.
Right but Signal has been audited by various security firms throughout its lifetime, and each time they generally report back that this messenger has encryption locked down properly.
This entire article is guessing at hypothetical backdoors. Its like saying that AES is backdoored because the US government chose it as the standard defacto symmetrical encryption.
There is no proof that Signal has done anything nefarious at all.
As an outsider, I mean isn’t that the same for news coverage for chinese/russian backdoors, but everyone believes it without any proof.
Why is US company being a US honeypot a big surprise, and its government recommending it not a big red flag? but it is when China recommends wechat? Can’t we be critical and suspicious of both authoritarian countries?
Do you have access to Signal servers to verify your claims by any chance? Afaik their servers are running modified codebase, and third party apps cannot use them. So how do you claim anything that goes behind closed doors at all? Genuinel curious.
Being critical is good, and we should always hold them accountable for our security. We can look to third party audits for help with that.
https://community.signalusers.org/t/overview-of-third-party-security-audits/13243
Do you have access to Signal servers to verify your claims by any chance?
That’s not how it works. The signal protocol is designed in a way that the server can’t have access to your message contents if the client encrypts them properly. You’re supposed to assume the server might be compromised at any time. The parts you actually need to verify for safe communication are:
- the code running on your device
- the public key of your intended recipient
Thank you for your post!
I want you to know your effort and knowledge is appreciated, this will help future readers make better decisions.✨
But the situation stands that my friend and their friends are not as technologically literate as we are, and I would rather have them on something easy and secured than unsecured at all, especially from my experience with getting communities to use such decentralized platforms you mentioned.
Matrix is no more difficult to sign up on than signal, and they don’t forward your information to the US government.
I am not uneducated in this matter, I run Matrix instances and have dabbled in development of tools around it.
Perhaps our experience is different, but I have had great difficulty in helping groups on the ground to use Matrix.
Regardless of our agreement that Matrix is better than Signal, it should not cloud our judgement in at least reducing the harm that is Telegram.
In the future we can keep joining hands to work towards a better future, but for now I hope you can understand my perspective and choice.
Matrix is centralized around Matrix.org or servers they run tho. Since the protocol is a big data/metadata sync by design & medium–large-sized servers are expensive to run, almost all of metadata is with Matrix.org—of which was originally funded my Israeli intelligence & I wouldn’t be surprised if they were getting data out of it to this day.
As you say yourself (cryptocraphic nerd here):
Signal’s E2EE protocol means that, most likely, message content between persons is secure.
So a shame there are no free servers, are the server soft not open source, only the signal app itself?
The server is supposedly open source, but they did anger the open source community a few years back, by going a whole year without posting any code updates. Either way that’s not reliable, because signal isn’t self-hostable, so you have no idea what code the server is running. Never rely on someone saying “just trust us.”
I have read that it is self hostable (but I haven’t digged into it) but as it’s not a federating service so not better than other alternative out there.
Also read that the keys are stored locally but also somehow stored in the cloud (??), which makes it all completely worthless if it is true.
That said, the three letter agencies can probably get in any android/apple phones if they want to, like I’m not forgetting the oh so convenient “bug” heartbleed…
Signal is USA government approved. Definitely don’t trust it. Use Matrix.
This is unfortunately completely wrong, since you can learn from the homepage of matrix very own client Element, that its supported an trusted by a whole bunch of NATO Armys, including the US of course…
I don’t mean by that you shouldnt use matrix, but arguing against signal with matrix is, in so many means, hilarious.
The arguable, but professional cryptographer soatok discribes from a mathematical/cryptographical point of view, what it needs to be a Signal competitor, where matrix (and others) dont catch up (unfortunately)
Used by a bunch of NATO armies isn’t the same as promoted by or made by. It just means they trust Element not to share their secrets. And that blog post is without merit. The author discredits Matrix because it has support for unencrypted messaging. That’s not a negative, it’s just a nice feature for when it’s appropriate. Whereas Signal’s major drawback of requiring your government ID and that you only use their servers is actually grounds to discredit a platform. Your post is the crossed arms furry avatar equivalent of “I drew you as the soyjack”. The article has no substance on the cryptographic integrity of Matrix, because there’s nothing to criticise there.
There’s a lot of answers itt but heres a simpler one:
If you want to prevent people in power from having access to communications there are two methods employed, broadly speaking:
The first is to make a very secure, zero knowledge, zero trust, zero log system so that when the authorities come calling you can show them your empty hands and smirk.
Signal doesn’t actually do this, but they’re closer to this model than the second one I’m about to describe. Bear in mind they’re a us company so when the us authorities come to their door or authorities from some nation the us has a treaty with come to their door signal is legally required to comply and provide all the information they have.
The second is to simply not talk to the authorities. Telegram was closer to this model than signal, using a bunch of different servers in nations with wildly different extradition and information sharing mechanisms in order to make forcing them to comply with some order Byzantine to the point of not being worth it.
Eventually the powers that be got their shit together and put hands on telegrams owner so now they’re complying with all lawful orders and a comparison of the tech is how you’d pick one.
The technology behind the two doesn’t matter really but default telegram is less “secure” than default imessage (I was talking with someone about it so it’s on the old noggin’).
I really like this explanation. Not many are aware of how telegram was designed to make it as cumbersome for authorities as possible by splitting their data across different nations.
I’m not an expert but I’ll use this analogy.
Signal is you meeting a person who gives you secure devices. This person then can only ever provide the following information to someone else. From Signal website. “The phone number. the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.” Only your device and your friends device can read the messages. It goes direct from you to them. The only way to read any message is having the device.
Telegram is like you making an agreement with another person. By default messages are encrypted but go to the other person for decryption before going to your friends device. This other person Telegram has and will give the phone number, messages, serverlogs, dates to legal entities by request. Now there is an option to bypass this person by using “secret chats” . This will make it so the message is directly from your device to their device. Telegram can’t read messages but as I understand they can still potentially have metadata, server logs of when messages are sent, how many, what device they are sent from. Bottomline is they have activity logs Signal can only provide the date you signed up and the last time you used the app. Not only that but just being on the Telegram platform which allows bots makes you a target. Bots will contact you like spam. Sending you harmful links, etc.
Almost every security person I’ve ever read says. “I use Signal”. Why wouldn’t you go with the service that by default has end to end encryption? Telegram makes it a option you have to select for each person. Both use your phone number.
These are very basic descriptions. I’m Happy to remove or update if I got anything wrong.
The fact that telegram operates in a country that scores 18/100 on global freedom and 30/100 on internet freedom.
You don’t have to learn Morse code.
