both require phone numbers, and both concentrate metadata in a central location (Amazon servers, in the case of signal).
both sort of pretend to be free open source software, and sort of are but with a lot of caveats.
telegram doesn’t even have end-to-end encryption (except for some wacky not-peer-reviewed thing in 1:1 ‘secret chats’ which are rarely used); at least signal has it beat there.
simplex.chat is a new messenger which doesn’t have any of the above problems and seems quite promising imo.
I’m not sure what exactly you mean by “always active desktop sessions” but for any definition I could imagine it is possible to do that while having e2ee. Many e2ee messengers have multi-device support nowadays.
Telegram doesn’t need to have e2ee because they’ve pulled some trick of becoming widely perceived as being privacy friendly despite not actually offering any e2ee in most cases, and offering only some 🤡-protocol in the few cases where they do.
Another reason for them not to implement e2ee is that they’re most likely monetizing their users content data as well as the metadata (and in more ways than just charging some types of police for access to it, which is presumably only a small fraction of their revenue).
They say that they don’t, and I think it is extremely likely that Signal employees are entirely sincere when they say that.
But, even if they truly don’t keep metadata, they can’t actually know what their hosting provider (Amazon) is doing. And, their cryptographic “sealed sender” thing doesn’t really solve the problem. If someone with the right access at Amazon really wants the Signal metadata, they can get it, and if they can, anybody who can coerce, compel, or otherwise compromise those people (or their computers) can get it too.
One can say they’re confident that the kind of adversaries they care to protect against don’t have that kind of capability, but it isn’t reasonable to say that Signal’s no-logging policy protects metadata without adding the caveat that routing all the traffic through Amazon makes the metadata of the protocol’s entire userbase available in a single place for the kind of adversaries that do.
What stops them from being able to? They could actually infer a lot of the metadata just from the encrypted network traffic, without even looking inside the VMs at their execution state. But, they can also see inside, so they can keep the kind of logs (outside the VM) which Signal [says that they] wouldn’t.
It’s hard no one cares. Where I live everyone uses whatsapp, and unfortunately what comes closer, and still without enough users base is signal on my list, and it’s the last. Jami is distributed, which makes it best in class, and there are good efforts trying to make it not to steal the whole battery, as opposed to briar. I which more people were interested on not using centralized stuff, not even what has been called lately decentralized, which means centralized but with several central points (only if everyone self hosts it would be decentralized, which is not the case). Currently I use Jami and signal, though I’ve tried all those, plus briar, plus tox, even telegram…
I’ve been using conversations with a friend for almost a year now, the only thing I find it lacking in is the reply feature, but other than that it works great!
I can generally convince people to use Telegram, but not signal. Telegram is better than SMS, GroupMe, WhatsApp, Discord, Facebook Messenger, SnapChat, etc so its what I use.
If anything, I’ve got hopes that Element/Matrix will get enough polish to become viable.
Like telegram, threema insists on making up their own 🤡-crypto constructions which (unsurprisingly) are not very good: breakingthe3ma.app (see also The Register’s summary, and/or here for some earlier research).
Their response to those findings was to reinvent and replace everything (again). It seems like a pretty safe bet that their new amateur cryptographic constructions will get broken too, just as soon as the next bored researcher gets around to looking closely at it.
Add comment