
Lots of people are looking for secure chat platforms and stuff like that. So I thought I'd create a poster.

I excluded Telegram because it's pretty much like WhatsApp. And this iddqd.press/2019/12/11/telegra

I would've included Signal, but I'm being skeptical here and Signal looks a bit suspicious since it requires your phone number etc.

What are your thoughts on this?

For those who couldn't read due to the light font (my bad)

Element - decentralized, cross-platform, end-to-end encrypted, completely open source.

Session - decentralized, cross-platform, end-to-end encrypted. Doesn't require phone number or email to sign up. Similar to Element, but in an earlier stage of development.

Jami - end-to-end encrypted instant messaging and video calling, cross-platform, P2P, open source.

Briar - decentralized, end-to-end encrypted, online sync via Tor. (Phone only)

@paul @selea I wish I could edit the photo, but I can't find the Krita document on my pc 😭

I'll see what I can do

@darksky @selea also, you're right about not including Telegram or Signal, but I would personally treat Signal as a worse option than Telegram, being entirely US based, but that's irrelevant for the poster as neither are great

@paul @selea well honestly Signal isn't the best option either, that's why I didn't include it.

But I did research on Telegram and Signal.

Telegram recently gave out users' data to Germany's authorities. (Check the links I posted)

It also kind of seems like a honeypot (check links). The guy who posted that article had a point.

I'm not supporting Signal tho. It's a bit suspicious if you ask me.

Although, they didn't give any useful data to the FBI once they were asked to.

@darksky @selea yeah, they're both terrible for privacy. Didn't know about Telegram giving data out, they've often said that isn't possible given the way they store the data in chunks in different countries' data centers... Interesting, I'll read about that.
Signal's problem is they are entirely in the US, so even though they say they don't store data, they could be sanctioned to do so by a single government without care or attention to any other countries.

My political and legal understanding may be poor, and I could be wrong, but they're both pretty awful

@paul @darksky @selea AND American NDAs, we know how the American government think about foreigner privacy...

I see Signal as an okay middle ground to get people off WhatsApp and Telegram. Even though we can be suspicious of the Signal Foundation and the people running it, the underlying infrastructure offers way better privacy and security than WhatsApp and Telegram.

Also, unlike Telegram, Signal is okay with opening accounts using VOIP number. Get a number from jmp.chat or MySudo and use that to open a Signal account.

@sotolf @paul @darksky @selea

@murtezayesil @paul @darksky @selea

Their infrastructure is in the US and is therefore by definition way worse than Telegram and WA in that case.

For Signal: worst case it will be shut down spontaneously. Without exposing your messages or information to whoever seizes and gets physical access to the server, thanks to strongly encrypted data at rest.

Telegram and WhatsApp have datacentres in US too, so how come Signal is way worse than others?
docs.pyrogram.org/faq/what-are

datacenterdynamics.com/en/news
datacenters.fb.com/

@sotolf @paul @darksky @selea

@murtezayesil @sotolf @darksky @selea They’re all bad… we’re all agreed there

My only note about Signal is they only have datacentres in the US, this is a massive red flag for me which makes them worse than the others

@murtezayesil @paul @darksky @selea

> For Signal: worst case it will be shut down spontaneously. Without exposing your messages or information to whoever seizes

Have you read the server source to confirm this?

github.com/signalapp/Signal-Se
I didn't read it but it is available for more experienced people to read.

Have you read WhatsApp and Telegram server source codes to confirm that Signal is way worse?
Both WhatsApp and Telegram keep their server software closed source.
telegram.org/faq#q-can-i-get-t
Allegedly WhatsApp is XMPP implemented in Erlang. But this says nothing about how the encryption was implemented.

@sotolf @paul @darksky @selea

@murtezayesil @sotolf @paul @selea yeah that's what my thoughts on Signal are. It's def not something that I could trust, but it's better than Telegram

@murtezayesil @paul @darksky @selea

> Have you read WhatsApp and Telegram server source codes to confirm that Signal is way worse?

Why would I? I'm not making claims, you are.

Have you confirmed that's what's running on their servers?

I'm not advocating for WA nor am I for telegram, so no need for all this shitty pushing blame tactics...

@murtezayesil @paul @darksky @selea

"I didn't read it but I'm sure someone else did" great praise there.. Makes me have a lot of confidence in your claims.

@sotolf @murtezayesil @paul @selea alright calm down guys :blobono:

I appreciate both of your opinions on this :)

@darksky @murtezayesil @paul @selea

You might appreciate the opinions, I do however not appreciate bullying shitty "power tactics" to "win" a discussion when someone doesn't have the knowledge to, it's such a disingenuous and shitty thing to do.

@sotolf @murtezayesil @paul @selea I haven't seen any bullying here. I just see someone being mad over nothing and overreacting for no reason.

@sotolf @murtezayesil @paul @selea

`You might appreciate the opinions, I do however not appreciate bullying shitty "power tactics"`

No clue what you were trying to say here

@darksky @murtezayesil @paul @selea

Moving the goalposts, arguments from authority, strawmen, logical fallacies summed up.

@arh in that case I should've mentioned IRC as well. Kind of left those out :/

@darksky IRC is not very secure though. Old people like me still use XMPP because it has provided us privacy and security in messaging since 20 years ago. But it's your website and I have no right to tell you what to do.

@darksky I feel Matrix should be left out, it's not a good protocol and its encryption is whack, @inference can probably elaborate on this.

Although Signal forces you to use your phone number for registration, that is really all they get from you. It's easy for people who don't know much about tech to use it.

XMPP? For the advanced users it's a solid choice for a private messenger, it's decentralized and it's easy AF to set up your own server (I run my own on Alpine Linux, nothing but a positive experience for me)

I don't use the P2P messengers, although I feel they have a solid use case (Briar is insane)

@itzzenxx @inference

I'm not so sure what you dislike about Matrix tho? You might be right about the encryption itself.

But they're using E2EE, the server and the client sides are open source, and if someone gets into your account, they can't do anything because the decryption keys are on your device. It seems pretty reliable to me.

@darksky @inference Matrix is slow, many public servers are clogged up. I host my own Matrix server w/ Element and it's fast sometimes, but doing other things can cause it to slow to a crawl.

Element is even worse, when I run it on my phone it constantly soft resets it for whatever reason.

@itzzenxx @inference

I haven't had any trouble with Matrix or Element, so I can't really relate.

Maybe it was a bit buggy on my phone, but the desktop version runs perfectly.

The server speeds might be a bit slower than the usual, but it's definitely usable if you ask me.

@darksky @itzzenxx Matrix's key system is *very* broken. The encryption is solid, and it has reasonable privacy, but the key system you're talking about makes it useless because you will always lose your messages when logging into other clients with the same account.

Matrix claims to successfully import keys, then throws an error. Avoid Matrix if your messages mean anything to you.

@darksky @inference Briar for the right use case and threat model can be really nifty, I haven't used it much myself though because I have no use for it.

@itzzenxx @inference I mean yeah it's pretty new, not many people use it. But I've heard great reviews about it, seemed pretty nice for me.

@darksky Here's a maybe-useful exchange I had with @cherti , who makes many thoughtful points, as does @ilyess. I tried to summarize some problems people have with #Signal, both today and as a long-term choice.

freeradical.zone/@spoon/107934

EDIT: Deleted and redrafted, since I failed to make this a reply the first time! Sorry.

@darksky good call on Telegram. It's actually worse than WhatsApp, WhatsApp is end-to-end encrypted by default, Telegram is not, but the way they portray themselves makes users think it is. Also, no way to end-to-end encrypt groups.

Not sure about Session here. They have a cryptocurrency token tie-in that somehow is supposed to make the network "safer" (than Tor), but some small amount of mined tokens is hard-coded to always go to the organization behind Session:
mastodon.social/@rysiek/106542

🤔

@darksky don't get me wrong, FLOSS developers need to be paid for their work. But making a "decentralized" IM and hard-coding the wallet address in the blockchain thingamajig is just extremely sus.

@rysiek @darksky The "Telegram is a honeypot" link is flat out dumb.

1. Telegram is very open that they are not end-to-end encrypted by default and never portray themselves as anything else. Secret chats are e2e and nothing more.
1. Cloud chats are encrypted in transit and in storage. Encryption keys are broken up into pieces and stored in various jurisdictions, making it virtually impossible to legally force giving up data to governments.
1. Whatsapp is never secure. As there have been countless exploits in it where you can gain full access to the remote device. No such exploit, or really any, has ever existed in Telegram.
1. TG accepts 3rd party clients to its open API.
1. TG lets you validate that the mobile client you install on your phone is the same as the source code published in their public repos
1. The backend is closed source but I always thought that was a dumb thing to mention because you have no idea what's actually running on the servers in the end.
1. Signal has suspect funding (read Surveillance Valley)
1. Signal does not allow 3rd party clients to use its open API (suspect!) and also no way to verify your clients
1. Afaik, no government has ever been successful in forcing TG to give up any data.
1. There is a still unclaimed 6 figure bounty for anyone that can break their encryption (for years now)
1. Finally (I could go all day) I think they are the most open about whatever is going on. That comes off as genuine to me.

Yes, obviously I do like to use Telegram but I wouldn't use it, or any similar service, to send anything that was truly sensitive. Also, it does appear to collect more metadata than I'd like, but it's still fairly minimal.

Just my $0.02

@petersanchez @rysiek

I can agree with some points that you made.

But what about Telegram handing out the data to German authorities?

@darksky @rysiek They're very open about cases of terror being specific to work with authorities.

I can see how that can be abused by governments though.

@petersanchez @darksky we can debate this for hours, but the long and short of it is: Telegram makes it *easy* to make a very serious mistake, and think one is communicating in an end-to-end encrypted way, when one isn't.

And I have seen this happen.

There is no good reason to do that.

I think The Grugq put it best:
medium.com/@thegrugq/operation

@rysiek @darksky

> Telegram makes it easy to make a very serious mistake

This is one of my biggest gripes about TG honestly. People should be better educated on how to use the tool within its confines. I mean, all the info is there, but someone has to go looking to read it, which rarely happens. Good point.

@rysiek @darksky

Oh and the Grugq article, there are good points. Especially about metadata. Most of them also apply to Signal and others.

That post was from 2015 and to date the encryption still stands unbroken. Sure, 300K is nothing to worry about for a nation state so if they broke it they surely would never announce it, but that's just us assuming.

And you know what they say when you assume... Makes an Ass out of U and Me ;)

@petersanchez @darksky for any non end-to-end encrypted thing one can (and should) assume nation states have much better ways of getting the data they want, than breaking encryption.

@petersanchez @darksky it's not about "all the info is there", it's about *misleading messaging* around this from Telegram itself. Go to their website, you'll read that "Telegram messages are heavily encrypted".

Making such claims in the context of groups not being end-to-end encrypted at all, and private chats not e2e encrypted by default, is actively harmful.

And sure, they can say "well, on page 20 of our FAQ you can read that you need to enable encrypted private chats". Doesn't fix it.

@petersanchez @darksky and then there's this bit:

> Telegram keeps your messages safe from hacker attacks.

...also from their website. In e2e encrypted systems there are no messages that system operators need to "keep safe from hacker attacks". And that's how IM systems should work in AD 2022.

If Telegram team really cared about people's privacy they would deploy e2ee by default as soon as possible, and in the meantime have *super-clear* messaging about the current shortfalls. They don't.
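The point above, that in an end-to-end encrypted design the operator holds nothing it could "keep safe", can be made concrete with a small model of the two designs being argued about here: "cloud" chats, where the server strips the transport layer, stores the message under its own key and can therefore produce plaintext on request, versus end-to-end encryption, where the server only ever relays an opaque blob. This Python is an added example, not code from this thread or from Telegram, Signal or any other messenger discussed in it; the cipher is a toy HMAC-SHA256 keystream (no authentication, not a real AEAD), and the pair key for the E2EE case is assumed to have been agreed out of band.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce || counter). Illustration only;
    it models who holds a key, not how a production cipher should be built."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class Relay:
    """The operator's server. It terminates the transport layer (the TLS analogue)
    for every client, so it always sees whatever the client put inside the envelope."""

    def __init__(self) -> None:
        self.transport_keys: dict[str, bytes] = {}  # one session key per client
        self.storage_key = secrets.token_bytes(32)  # server-side "encryption at rest"
        self.stored: list[bytes] = []

    def connect(self, user: str) -> bytes:
        self.transport_keys[user] = secrets.token_bytes(32)
        return self.transport_keys[user]

    def deliver(self, sender: str, recipient: str, envelope: bytes) -> bytes:
        inner = decrypt(self.transport_keys[sender], envelope)  # strip transport layer
        self.stored.append(encrypt(self.storage_key, inner))    # "encrypted in storage"
        return encrypt(self.transport_keys[recipient], inner)   # re-wrap for the recipient

    def operator_can_disclose(self) -> list[bytes]:
        """Everything the operator (or whoever compels it, or seizes its keys) can hand over."""
        return [decrypt(self.storage_key, item) for item in self.stored]


def exchange(mode: str, message: bytes = b"meet at 9") -> tuple[list[bytes], bytes]:
    """Alice sends `message` to Bob through the relay in the given mode.
    Returns (what the operator can disclose, what Bob actually reads)."""
    relay = Relay()
    alice_tx = relay.connect("alice")
    bob_tx = relay.connect("bob")
    # Hypothetical pair key known only to Alice and Bob (assumed agreed out of band).
    pair_key = secrets.token_bytes(32)

    if mode == "cloud":
        inner = message                      # plaintext inside the transport envelope
    elif mode == "e2ee":
        inner = encrypt(pair_key, message)   # ciphertext the relay cannot open
    else:
        raise ValueError(f"unknown mode: {mode}")

    to_bob = relay.deliver("alice", "bob", encrypt(alice_tx, inner))
    received = decrypt(bob_tx, to_bob)
    if mode == "e2ee":
        received = decrypt(pair_key, received)
    return relay.operator_can_disclose(), received


def operator_learns_plaintext(mode: str, message: bytes = b"meet at 9") -> bool:
    """True if the operator's disclosable store contains the original message."""
    disclosed, _ = exchange(mode, message)
    return message in disclosed


if __name__ == "__main__":
    for mode in ("cloud", "e2ee"):
        print(mode, "operator can read message:", operator_learns_plaintext(mode))
```

Both modes deliver the same plaintext to Bob, and both use encryption on the wire and at rest; the only difference is which party holds the key to the stored copy, which is exactly the property a "heavily encrypted" marketing claim leaves unstated.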

@petersanchez @darksky and to me that means that they *don't* care about users' privacy. They have some other, more important things to focus on. What those things are is anyone's guess. But that's enough for me to be very wary about all Telegram's claims about how they protect privacy, encrypt stuff, split keys, etc etc.

They are clearly not 100% honest with their users about e2ee, why should we trust them on anything else?

@rysiek @darksky I'm not sure about that.

Remember TG started years before Signal existed and before WA added e2ee to its messaging. Also their target user isn't security-minded hackers/infosec, etc.

I think they're pretty honest about how the tool works. The homepage messaging is definitely marketing drivel but not inaccurate, and I don't think anyone but a small subset of people (like you and I) would read that and think "Ah ok, so everything is e2ee by default".

There's nothing in the homepage messaging that to me means "They are clearly not 100% honest with their users about e2ee" - I think that's you reading it through your specific lens.

I also don't think it means they don't care about user privacy. I think they've overwhelmingly shown the opposite to be true.

Like I said before, I wouldn't use TG (or Signal, or <whatever>) to send truly sensitive information ever. I do still think TG is the best daily driver messaging platform and app that is mostly open about all things and that my messages (as menial as they may be) are protected.

In the end, regardless which of these services we use, there's a level of trust that has to be given by the end users.

@petersanchez @darksky they have been informed, time and again, that the specific way they choose to inform users about how their encryption works is leading users to make assumptions about Telegram's encryption that do not actually hold.

They chose *not* to update and clarify their messaging around this.

In other words, they *know* people misunderstand their messaging around this to mean that e2ee is enabled by default and available for groups, and they *know* this puts people in danger. 🤷‍♀️

@petersanchez @darksky to put it bluntly, it's very hard to not see this as them *willfully* and *knowingly* putting at-risk people (journalists, whistleblowers, etc) in danger.

@petersanchez@honk.petersanchez.com @rysiek@mastodon.technology @darksky@social.linux.pizza

> In the end, regardless which of these services we use, there's a level of trust that has to be given by the end users.

Not with XMPP! Self hosted, federated, true e2e chatting my beloved

@thatonecalculator @petersanchez @darksky ah, I was waiting for the XMPP crowd to butt in.

I've set up and run five XMPP servers. I've been a pretty heavy XMPP user, and used both OpenPGP and OTR encryption on XMPP.

XMPP is unusable for most people, because the matrix of which client/server software implements which XEPs is a kilometer deep and a mile long.

This means I cannot reliably know if the person I will be talking to will have the particular combination of XEPs available.

@thatonecalculator @petersanchez @darksky until XMPP solves this problem, it is effectively useless as a general purpose IM. Projects like @snikket_im are trying, and I do hope they succeed. The sooner, the better.

@rysiek@mastodon.technology @petersanchez@honk.petersanchez.com @darksky@social.linux.pizza

> XMPP is unusable for most people, because the matrix of which client/server software implements which XEPs is a kilometer deep and a mile long.

My mom, dad, boyfriend, and some of my best friends use XMPP. Far from unusable, especially on mobile

@thatonecalculator @petersanchez @darksky good for you.

Meanwhile, I've spent a decade trying to get people to move to XMPP, only to find that the compatibility matrix is what makes it effectively impossible, on a global scale.

Wake me up when the XMPP ecosystem on the whole starts recognizing this as a problem, instead of insisting XMPP is perfect and wondering why more people are not using it.

@rysiek @darksky @thatonecalculator

> only to find that the compatibility matrix is what makes it effectively impossible, on a global scale.

This has always been my issue with XMPP.

@rysiek @thatonecalculator @petersanchez @darksky

> XMPP is unusable for most people, because the matrix of which client/server software implements which XEPs is a kilometer deep and a mile long.

> This means I cannot reliably know if the person I will be talking to will have the particular combination of XEPs available.

Wait what? Why would you need to know? It doesn't matter what XEPs their client or server support, you can still easily communicate with them. That's the entire point of the "eXtensible" in the name.

I've had everyone I know on XMPP since 2013ish and have never once had to know or care about what XEPs their software supported.