> Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones.
Which aren't enabled by default so almost nobody uses them. Telegram users are often surprised to find out their messages aren't end-to-end encrypted at all.
Telegram can be used on multiple devices simultaneously. Syncing the private key for each chat across multiple devices can be an issue. That's why secret chats are only available on the device they were created on, and having encryption on by default would not make sense.
Just fine is a bit of an overstatement for Matrix. I think it got much better now, but the user experience for multi-device key syncing on Element and other clients gives room for improvement. I ended up having to reinstall because I could not figure out the mess I created myself. There were so many keys involved that even having a PhD in computer science I could not easily grasp their meaning and function. I understand at least why key syncing is not easy and I understand why someone would not support it. I however do not understand Telegram's choice of obscure crypto as well as it does not make it easier to support this. But I guess their business model (pushing contextual advertisement into chats) relies on not having crypto.
I agree, but most of these issues stem from not having enough funding, as active as Matrix seems to be, they are struggling to actually fund its development.
WhatsApp being e2e is almost (but not entirely) worthless, it tells me that they are likely not training LLMs on my messages, but I have zero trust of their safety from client-side backdoors.
The security of e2e cannot be higher than the security of the clients.
AFAIK, WhatsApp is still dependent on your mobile being the primary source. It has "link a device" feature, which has some of the features but cannot be used as an independent client. For example if you're using the web version and want to see some old chats, you can't unless you use it from your mobile. WhatsApp's encryption keys are tied to the device, not the account. In Matrix, encryption keys are tied to the user's account, not the device, and thus it won't be an issue.
> AFAIK, WhatsApp is still dependent on your mobile being the primary source. It has "link a device" feature, which has some of the features but cannot be used as an independent client.
"Not all messages and chats are synced to linked devices from your phone. WhatsApp Desktop syncs more message history than WhatsApp Web. To see or search your full history, check your phone."
This is pretty rich coming from the founder of Telegram, which doesn't have any End to End encryption by default, nor are group chats encrypted in any way.
Client devices have many routes of compromise available, it's very possible that the data exfiltration is occurring there rather than server side.
You'd think the backers of Matrix (largely European Governments) or the privacy focused userbase of XMPP would go beyond forklifting in the same double ratchet library that Signal and ilk use, but apparently they all think it's the best available option.
Off the topic, but any updates on EU DMA integration with Messenger et al.?
Also, an unanswered question remaining was whether the integration with Meta viz DMA would apply to Element only or the Matrix ecosystem in general, like would I be able to use FluffyChat or Cinny, for example?
Says the guy when his messenger is not e2ee by default (meaning the same as plain text), groups not encrypted e2e at all and uses some shady encryption mechanism.
Plain text means any intermediary can read the data. Encrypted (without e2ee) means only you, the service provider and the recipient can read the data. e2ee means only you and the recipient can read it.
Do we agree on that?
If so you must agree that "any intermediary" like an ISP, network provider or similar being able to read or modify the data is strictly worse than just "you, the service provider and the recipient", right?
Because Telegram has group chats and channels, which are also accessible cross platform, it doesn't make sense to turn on e2e by default. The secret chat feature is encrypted and thus only available on the device you start it from.
What does being multi platform have to do with E2E? Matrix does the same thing yet supports E2E, WhatsApp allows multi platform access while also having full E2E support.
In WhatsApp, there is a primary source (your phone) and you can "link" other devices with the primary source. This is different from how Telegram handles it. In Telegram you can use SMS login to use the client from multiple clients, within the same smartphone, or different devices. With WhatsApp, you can only have one SMS login device, which would be the primary device. If you use SMS login with another device, you won't be able to use the previous device. To overcome this, it has a feature which can allow you to link your primary client with other clients but it is janky and does not have all the features. For Matrix on the other hand, the encryption keys are tied to the account.
If you want security and a paranoid-like setup just use Tox. If you want a no-brainer chat app with video support, there's GNU Jami. If you want resilience on natural disasters, keep Braid somewhere.
Tox is not secure.
Jason Donenfeld (of WireGuard fame) filed a very alarming issue about how obviously bad the handshake was implemented[1], and lead developer Andre Almeida (iphydf/noavarice) continued to downplay the severity in public, while fashioning exploits based on it inside his "Club Cyberia" Tox group to weaponize said issue.
Apart from Telegram not having any kind of actually used E2E Encryption, they store everything, which means the cost of running their service is crazy high compared to something like WhatsApp which AFAIK only stores stuff up to 3 months when the device isn't online.
So we have an app which has access to everything you send, and has incredibly high hosting costs with no real income, you put 1 and 1 together and you can see it for yourself.
Ironically they claim cloud storage as the reason for not having E2E, yet Matrix seems to be able to do just that.
Every time I've used Telegram it smacks of a data collection tool for an Eastern Bloc nation.
I'll stick with what I know, thanks.
Edit: Also the article linked is just a hit piece on the current Signal leadership by a guy promoting a book about "the radical left". This is just reinforcing my tendency to say "fuck Telegram".
Tucker Carlson interviewed the founder of Telegram, interesting interview. Telegram is based out of UAE to avoid jurisdiction of Russian and Western intelligence agencies.
Tucker Carlson also revealed that he's had the contents of his private Signal messages leaked to media (allegedly by US Intel agencies monitoring his communication).
Want to bet that any messenger service that requires your phone number to register and id you on their network is compromised?
For those interested, watch this interview of the Telegram founder by the US right- media as it offers an interesting insight about the politics and competition behind these messenger / social networks - https://www.youtube.com/watch?v=1Ut6RouSs0w ... (And this is, by the way, the original source of the story - https://www.city-journal.org/article/signals-katherine-maher... - which also seems to be US right- media. Looks like a concerted Republican / Trump followers attempt to have their flock use Telegram now.)
You don't need government backdoors when OS trust isn't user-trustable and you could chain whatever into a sesame backdoor: https://eprint.iacr.org/2021/626.pdf (for the tldr crowd; this explains a fairly glaring failure mode in Signal's post-compromise security when any secondary devices are involved)
Anything that operates in the US, especially telecom, is subject to American law, therefore weak to US intelligence agencies, that's how it is, since 9/11.
Probably the reason is this post was bullshit? I’ve been using Telegram since forever and haven’t found yet any neo-Nazi content. I’ve not tried hard enough probably though.
That is a pretty damning accusation. Can you provide more details? This should be the sort of thing you should be hearing from a disclosure or ideally a vendor advisory - not an HN comment thread on a vaguely related article. Failures of randomness are almost always fatal to a cryptosystem.
Why would I need to spend two decades? You already did it. Congratulations on probably one of the biggest exposés of this decade. Ignore the haters with their "delusions of grandeur" insults. You will soon have global fame. So, when are you publishing your bombastic exposé? Or do you plan to sell it for its minimum $1 billion value? Either way, great job!
I remember Telegram not publishing their Android source code for extended periods of time, which caused Telegram-FOSS to be significantly behind:
https://github.com/Telegram-FOSS-Team/Telegram-FOSS/issues/1...
I'm not up to date on the current state of affairs, but I hope this has improved since then.