Lots of people are looking for secure chat platforms and stuff like that. So I thought I'd create a poster.

I excluded Telegram because it's pretty much like WhatsApp. And this iddqd.press/2019/12/11/telegra

I would've included Signal, but I'm being skeptical here and Signal looks a bit suspicious since it requires your phone number etc.

What are your thoughts on this?




@darksky good call on Telegram. It's actually worse than WhatsApp: WhatsApp is end-to-end encrypted by default, Telegram is not, but the way they portray themselves makes users think it is. Also, no way to end-to-end encrypt groups.

Not sure about Session here. They have a cryptocurrency token tie-in that somehow is supposed to make the network "safer" (than Tor), but some small amount of mined tokens is hard-coded to always go to the organization behind Session:
mastodon.social/@rysiek/106542

🤔

@rysiek @darksky The "Telegram is a honeypot" link is flat-out dumb.

1. Telegram is very open that they are not end-to-end encrypted by default and never portray themselves as anything else. Secret chats are e2e and nothing more.
2. Cloud chats are encrypted in transit and in storage. Encryption keys are broken up into pieces and stored in various jurisdictions, making it virtually impossible to legally force giving up data to governments.
3. WhatsApp is never secure, as there have been countless exploits in it where you can gain full access to the remote device. No such exploit, or really any, has ever existed in Telegram.
4. TG accepts 3rd-party clients to its open API.
5. TG lets you validate that the mobile client you install on your phone is the same as the source code published in their public repos.
6. The backend is closed source, but I always thought that was a dumb thing to mention because you have no idea what's actually running on the servers in the end.
7. Signal has suspect funding (read Surveillance Valley).
8. Signal does not allow 3rd-party clients to use its open API (suspect!) and also no way to verify your clients.
9. Afaik, no government has ever been successful in forcing TG to give up any data.
10. There is a still unclaimed six-figure bounty for anyone that can break their encryption (for years now).
11. Finally (I could go all day) I think they are the most open about whatever is going on. That comes off as genuine to me.

Yes, obviously I do like to use Telegram, but I wouldn't use it, or any similar service, to send anything that was truly sensitive. Also, it does appear to collect more metadata than I'd like, but it's still fairly minimal.

Just my $0.02

@petersanchez @darksky we can debate this for hours, but the long and short of it is: Telegram makes it *easy* to make a very serious mistake, and think one is communicating in an end-to-end encrypted way, when one isn't.

And I have seen this happen.

There is no good reason to do that.

I think The Grugq put it best:
medium.com/@thegrugq/operation

@rysiek @darksky

> Telegram makes it easy to make a very serious mistake

This is one of my biggest gripes about TG honestly. People should be better educated on how to use the tool within its confines. I mean, all the info is there, but someone has to go looking to read it, which rarely happens. Good point.

@petersanchez @darksky it's not about "all the info is there", it's about *misleading messaging* around this from Telegram itself. Go to their website, you'll read that "Telegram messages are heavily encrypted".

Making such claims in the context of groups not being end-to-end encrypted at all, and private chats not e2e encrypted by default, is actively harmful.

And sure, they can say "well, on page 20 of our FAQ you can read that you need to enable encrypted private chats". Doesn't fix it.

@petersanchez @darksky and then there's this bit:

> Telegram keeps your messages safe from hacker attacks.

...also from their website. In e2e encrypted systems there are no messages that system operators need to "keep safe from hacker attacks". And that's how IM systems should work in AD 2022.

If Telegram team really cared about people's privacy they would deploy e2ee by default as soon as possible, and in the meantime have *super-clear* messaging about the current shortfalls. They don't.

@petersanchez @darksky and to me that means that they *don't* care about users' privacy. They have some other, more important things to focus on. What those things are is anyone's guess. But that's enough for me to be very wary about all Telegram's claims about how they protect privacy, encrypt stuff, split keys, etc. etc.

They are clearly not 100% honest with their users about e2ee, why should we trust them on anything else?

@rysiek @darksky I'm not sure about that.

Remember TG started years before Signal existed and before WA added e2ee to its messaging. Also, their target user isn't security-minded hackers/infosec, etc.

I think they're pretty honest about how the tool works. The homepage messaging is definitely marketing drivel but not inaccurate, and I don't think anyone but a small subset of people (like you and me) would read that and think "Ah ok, so everything is e2ee by default".

There's nothing in the homepage messaging that to me means "They are clearly not 100% honest with their users about e2ee" - I think that's you reading it through your specific lens.

I also don't think it means they don't care about user privacy. I think they've overwhelmingly shown the opposite to be true.

Like I said before, I wouldn't use TG (or Signal, or <whatever>) to send truly sensitive information ever. I do still think TG is the best daily-driver messaging platform, one that is mostly open about all things, and that my messages (as menial as they may be) are protected.

In the end, regardless which of these services we use, there's a level of trust that has to be given by the end users.


@petersanchez @rysiek

I'm not sure why we are still discussing Telegram if we all know that they literally gave out the users' data to German authorities.

How can you trust them after that happened??

Signal is suspicious and it's based in the US, I agree. It might be a honeypot, or maybe it isn't. But right now, all we know is that when the FBI asked for the data, Signal only gave one useless thing: the Unix millis when the account of the user was created...

@darksky @rysiek

> I'm not sure why we are still discussing Telegram if we all know that they literally gave out the users' data to German authorities.

As of now it's speculation but if it does fall into the categories where TG openly admits to complying, I wouldn't be surprised.
