Nothing new here. E2E is only available in one on one chats and is disabled by default. Don’t use Telegram if privacy is your main concern.
At least it has an open-source client. Very few messaging platforms can say that, and fewer have a decent UX.
It’s not perfect, but it’s got a good combination of features and multi-platform availability. None of the other messaging apps support all of my devices except Matrix, and Matrix doesn’t have stickers.
Edit: Signal doesn’t support all my devices but maybe someday! The network effect is also big. None of my family and friends are on Signal, but most have Telegram. A few have Matrix.
Also Signal is a US-based company.
Edit 2: Matrix does have stickers, I guess I’m switching.
It’s a messaging app, it’s useless if there is nobody to message. I don’t have any friends using Signal yet.
Also it doesn’t work on my phone (Ubuntu Touch). There used to be a community app but it’s not currently working.
I sincerely wish them success, but it’s hard to have faith that a US-based company will actually protect your privacy. Not that Telegram does either. I don’t know what information they do even collect.
It’s hard to have faith that a US-based company will actually protect your privacy.
You don’t have to, though? 1) The E2EE Signal protocol is well-audited to be robust. 2) The app itself is FOSS, and there are a lot of eyes on it. 3) The server code is FOSS. Even if they’re lying about what code they use, it doesn’t matter because it’s E2EE. 4) If you think Signal might be bait-and-switching by building from different source code, you’d be provably wrong. They have reproducible builds, so were they to actually try this, it would be like sending up a flare to the entire security community. 5) Literally every single time OWS has been subpoenaed, the only information they’ve been able to provide is extremely basic metadata like server connection times.
You have no idea what you’re talking about, I’m sorry. There’s functionally less “trust” here than any messaging application on the planet. The network effect remark is at least valid and can be debated (although I personally have zero friends who use Telegram and at least several who use Signal). This one is just so, so wrong that it’s not even up for debate.
Not just that, but also it’s small in description. If you read their papers, they are very easy to understand. I suppose that’s intentional, clarity and simplicity are among the main criteria of anything intended for security.
“A lot of eyes” is overvalued. There are a lot of eyes on every nation-state in history too, you tell me how that works.
It doesn’t matter because of protocol design. They’ve solved very complex problems and have not stopped doing that. E2EE is the wrong buzzword, zero-knowledge is the right one. No, I’m not remotely qualified enough to explain what that is.
Still supply chain attack on clients is the most probable, but not much they can do with it. It’s similar to fearing trojans on user devices. Yes, 3-letter agencies and such most likely will do that, not bother with pressuring Signal developers. And no, there’s not much you can do to defend against a targeted attack, if it’s targeted, then you’ve already bothered people you shouldn’t have.
Well, it’s not as if one could avoid that. It all lies in the area of smart contracts and distributed computing then, and see point 1, right now Signal’s protocol can be in general strokes understood by someone like me. If they make something like that, it won’t be. Everything is a compromise.
There’s functionally less “trust” here than any messaging application on the planet.
I think Wire and maybe Session use slightly modified Signal protocol. But Signal itself is the thing, made by people with clear vision of the whole architecture, model, which is not limited to protocols, but also to sociology, human psychology, politics. And they’ve explained literally every architectural decision of theirs in articles.
E2E is only available in one on one chats and is disabled by default.
Considering that there’s no technical problem with enabling it for all one-on-one chats, this tells a lot.
Also no E2EE on desktops.
I hate TG’s UX. It’s atrocious. WhatsApp is the closest to something normal, but imperfect too.
At least it has an open-source client.
Chromium is an open-source browser.
OK, more specifically - what matters is that TG’s protocol is a big ugly target moving fast. So its official client with released sources is in practice the only one. There are things like libpurple plugin and some Python TUI client and an Emacs one, but they are all lagging behind. And I think they are all using official tdlib.
This tells something too, that their talk about possibility of alternative clients is of the same kind as their talk about privacy.
About the network effect - bring your family and friends to Signal one by one. Of course it won’t happen overnight.
A platform that values my privacy? Or stickers? Tough choice, I guess, except Signal has both.
Thanks for the elaboration. I’m not familiar with how Signal works.
Can you elaborate on your last sentence? Is the US more or less trustworthy than alternatives?
Less than some. The US gov has a history of forcing US-based corporations to disclose private data regardless of their policies or the law.
I can’t give you a good alternative though. I’m sure the same thing happens in many countries.