• rottingleaf
      link
      fedilink
      arrow-up
      17
      arrow-down
      1
      ·
      7 months ago

      Oh, and it’s been potentially backdoored by the FSB (Russia’s CIA) for six years.

      From the very start rather.

      And there’s been a few cases where not FSB, but mundane police was reading suspects’ messages before arresting them.

      Don’t trust Telegram, I use it because, eh, most people use either that or VK DMs in Russia as the default IM. But never trust it for something which should be secret.

      You can even have “opposition”-themed channels there or call for rebellions, but don’t ever expect anything to be secret or even pseudonymous. Even without ill intent regularly flaws are found which allow to get a lot of information, and the code quality is sewer-level.

    • hruzgar@feddit.de
      link
      fedilink
      arrow-up
      3
      arrow-down
      27
      ·
      7 months ago

      non-standard algorithm

      thats exactely the point lol. Why would you use an algorithm designed and proposed by the US government in a “secure” messenger?

      • mox@lemmy.sdf.org
        link
        fedilink
        arrow-up
        42
        ·
        7 months ago

        Which algorithm are you referring to exactly?

        In general, people are wise to use ciphers and protocols that have been examined by the global cryptography community and have held up to that scrutiny.

      • Simon Müller@sopuli.xyz
        link
        fedilink
        arrow-up
        14
        arrow-down
        2
        ·
        7 months ago

        The algorithm was neither proposed nor designed by the US government, it was made by (what is now known as) Signal, a 501c nonprofit.

        The claims of signal being “state-sponsored” come from assuming how money flows through the OTF - Open Tech Fund - which has gotten grants from government programs before. (IIRC)

        It wouldn’t make sense for the US Gov. to make such a grant to make a flawed protocol, as any backdoor they introduce for themselves would work for any outside attacker too - it’s mathematics. It works for everyone or for no one. Would they really wanna make tools that they themselves use, just to have it backdoored by other state actors?

        And again, Durov’s claims are entirely assumptions, and that coming from someone that has had [various](https://mtpsym.github.io// different vulnerabilities and weird bugs on their platform

  • catalog3115@lemmy.world
    link
    fedilink
    arrow-up
    108
    arrow-down
    3
    ·
    edit-2
    7 months ago

    I am going to repeat what I have said for another similar post.

    I still stand for Signal App.

    • Telegram has no default E2EE, Telegram is run by for profit company
    • Multiple flaws were found in Telegram’s encryption algorithm
    • Almost all cleartext messages are stored on telegram server, but signal stores encrypted message temporarily
    • Signal is non-profit & all their source code + finances are public. Even their server codes are publically available
    • rottingleaf
      link
      fedilink
      arrow-up
      24
      arrow-down
      1
      ·
      7 months ago

      Telegram is as safe as just using Facebook DMs (unencrypted), only it’s Russian.

      I suggest you judge for yourself how safe that is.

      • JubilantJaguar@lemmy.world
        link
        fedilink
        arrow-up
        7
        arrow-down
        2
        ·
        7 months ago

        Even if it were encrypted and the backdoor was controlled by the Russian state, logically that would make it safer than Facebook for anyone living in Western jurisdictions. The Russian government cannot get them and is hardly going to exchanging intelligence with its enemies.

        • rottingleaf
          link
          fedilink
          arrow-up
          5
          arrow-down
          3
          ·
          7 months ago

          Even if it were encrypted

          It’s not.

          logically that would make it safer than Facebook for anyone living in Western jurisdictions. The Russian government cannot get them and is hardly going to exchanging intelligence

          No it wouldn’t. You shouldn’t opine on what they’d do. They can negotiate, you know. And they are exchanging intelligence all the time.

          with its enemies.

          If that were true, corporations wouldn’t work with their competitors.

          • JubilantJaguar@lemmy.world
            link
            fedilink
            arrow-up
            6
            arrow-down
            3
            ·
            7 months ago

            You shouldn’t opine

            To “opine” is to have an opinion. Are you suggesting I should refrain from having an opinion? Does this apply to your own opinions too? Odd place to make such an argument.

            Otherwise: interesting point. To me, a state that can obtain personal data by leaning on its owns corporations is, by definition, more threatening than one that has to negotiate for it with a hostile power. But perhaps I underestimate the scale of that practice.

            • rottingleaf
              link
              fedilink
              arrow-up
              4
              arrow-down
              1
              ·
              7 months ago

              On what they would and wouldn’t do - yes, I try not to make opinions.

              But perhaps I underestimate the scale of that practice.

              Considering that the balance of power between US government and, say, Meta is not much different from the same between it and Russian government (Meta doesn’t have a military, but has ways to compensate for that), that should be right.

    • TCB13@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      46
      ·
      edit-2
      7 months ago

      Yes, yet telegram isn’t a piece of shit of an app that runs slowly on every device, can’t sync messages because “something went wrong” and doesn’t depend on electron to run. Also, not funded by the CIA.

      • Linguist@lemmy.world
        link
        fedilink
        arrow-up
        32
        arrow-down
        2
        ·
        7 months ago

        Could you not apply this “funded by the CIA” argument to other things such as… The Tor Network? Which was created by the US Military Naval Research? Also some US government departments have donated to Tor. Does that mean Tor is breached?

        • TCB13@lemmy.world
          link
          fedilink
          arrow-up
          3
          arrow-down
          10
          ·
          7 months ago

          Okay that’s fair, even if remove that and assume they hold zero influence / there are no cleaver backdoors Signal is still not good when it comes to performance and reliability.

      • hruzgar@feddit.de
        link
        fedilink
        arrow-up
        9
        arrow-down
        25
        ·
        7 months ago

        completely agree with you. I can’t believe why you are getting downvoted. Promoting a platform which is funded by the CIA, US gov and Israel. Completely insane really I don’t understand how people are still believing this. They really need to wake up to the truth otherwise things will never change. Privacy will stay an illusion we give ourselves to believe that nobody can read our messages (even if they absolutely can)

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    88
    ·
    edit-2
    7 months ago

    The CEO also claims that users’ Signal messages have popped up in court cases or in the media, and implies that this has happened because the app’s encryption isn’t completely secure. However, Durov cites “important people I’ve spoken to” and doesn’t mention any specific instance of this happening.

    […]

    The Register could not find public reports of Signal messages leaking due to faulty encryption.

    Claims made without evidence can be dismissed without evidence.

    Durov’s entire criticism seems to be based on implications and have no actual evidence of any technical problems with Signal. He’s basically just throwing shade at a competing business, which amounts to whining.

    • EngineerGaming@feddit.nl
      link
      fedilink
      arrow-up
      13
      ·
      edit-2
      7 months ago

      Funny how first association is “end-to-end encryption is broken” and not, you know, that whoever used the message got hold of one of the “ends”.

  • UnfortunateShort@lemmy.world
    link
    fedilink
    arrow-up
    64
    arrow-down
    7
    ·
    edit-2
    7 months ago

    Edward fucking Snowden has recommend Signal and I think if anyone knows whether it’s secure, it’s probably him and the NSA.

    That and he is paranoid to a point where he physically kills all mics and cameras on his devices, so if he claims anything is secure, I will believe him unconditionally.

      • rottingleaf
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        7 months ago

        This is how you know the brain has rotten and become a slick turd.

        Agreed. Making it a contest of “this talking head seems smarter” means exactly that.

        Try explaining that to normies though. They don’t want to understand shit, and they want to think they are safe without understanding shit. That this is impossible they just don’t want to believe, because they don’t understand shit.

          • rottingleaf
            link
            fedilink
            arrow-up
            3
            ·
            7 months ago

            That you can’t do something well or at all without understanding it is philosophy. Philosophy is weak in the sense that it exists on the same level as aesthetics or instincts. So it’s fighting instinct in a system built to make crowd management through instinct convenient, - in disadvantaged position.

            Also NT people like to champion their stupidest ideas as a banner to assemble under. Stupidest exactly to exclude any rational reason, so that only the feeling of community would remain.

            They don’t always say what they mean. They might say “this thing is better”, but what they mean is “I’m with the group which distinguishes itself by support for this thing, don’t be against us”.

    • rottingleaf
      link
      fedilink
      arrow-up
      10
      arrow-down
      6
      ·
      7 months ago

      so if he claims anything is secure, I will believe him unconditionally.

      That’s much more stupid than just using Facebook and unencrypted e-mail with Outlook address for communication, but knowing how safe exactly those are.

  • shortwavesurfer@monero.town
    link
    fedilink
    English
    arrow-up
    54
    arrow-down
    1
    ·
    7 months ago

    Yeah, I’m going to take this with a massive dose of salt. At least, Signal has encryption on by default for people. Where Telegram does not.

    • Clent@lemmy.world
      link
      fedilink
      arrow-up
      23
      arrow-down
      2
      ·
      7 months ago

      Sounds like projection. Probably just got back from meeting with his Russian handlers and posted this to sooth their impotent rage.

    • doona@aussie.zone
      link
      fedilink
      arrow-up
      5
      ·
      6 months ago

      Even Facebook Messenger has E2EE on by default now. Pavel Durov talks a lot of shit considering Telegram still treats encryption as an afterthought.

  • tuckerm@supermeter.social
    link
    fedilink
    arrow-up
    38
    arrow-down
    1
    ·
    7 months ago

    I know that Telegram has a lot of users, so I’m not describing all of them here. But I’ve noticed that it seems especially popular among people who kind of like to “play pretend” as underground hackers. You know, the kind of person who likes to imagine that the government would be after them.

    This mudslinging feels like more of a marketing campaign than anything else. An info op that will work well on the Telegram users who like to imagine that they have outmaneuvered all the info ops.

    • rottingleaf
      link
      fedilink
      arrow-up
      8
      ·
      7 months ago

      Yes. And those pretenders are always people who can’t install Synapse and “delete” their messages thinking that’s very smart.

    • Autonomous User@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      7 months ago

      Because we keeping saying Signal and Telegram instead of Anti-Libre Software, Service as a Software Substitute, and Centralised.

      We should reach them in their spaces, moding, hacking, piracy and beginner programming channels.

  • Citizen@lemmy.ml
    link
    fedilink
    arrow-up
    37
    arrow-down
    4
    ·
    7 months ago

    If one is to compare apple to apples, imho the decision to choose between Signal, Whatsapp and Telegram and other “messengers” is obvious and clear.

    Signal is fully open source! You can run it on-premises, if you know your business!

    Why are we not talking about it?

    I hope my comment will not be discarded/removed as not being in sync with the narative… 😉

    • mox@lemmy.sdf.org
      link
      fedilink
      arrow-up
      8
      ·
      6 months ago

      Signal is fully open source! You can run it on-premises, if you know your business!

      Why are we not talking about it?

      Unless something has drastically changed recently, the official Signal service won’t interoperate with anyone else’s instance. That makes its source code practically useless for general-purpose messaging, which might explain why few are talking about it.

      • Citizen@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        6 months ago

        My point is that you have all the open source software components needed to run secure communications, on your own premises, for your own users/community in case you are not trusting Signal’s infrastructure.

        If you know any other similar alternative with strong encryption open source protocols please let me know! I love learning new things everyday!

        Cheers!

        • mox@lemmy.sdf.org
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          6 months ago

          on your own premises, for your own users/community in case you are not trusting Signal’s infrastructure.

          Yes, that’s an example of data (and infrastructure) sovereignty. It’s good for self-contained groups, but is not general-purpose messaging, since it doesn’t allow communication with anyone outside your group.

          If you know any other similar alternative with strong encryption open source protocols please let me know! I love learning new things everyday!

          Matrix can do this. It also has support for communicating across different server instances worldwide (both public and private), and actively supports interoperability with other messaging networks, both in the short term through bridges and in the long term through the IETF’s More Instant Messaging Interoperability (MIMI) working group.

          XMPP can do on-premise encrypted messaging, too. Technically, it can also support global encrypted messaging with fairly modern features, with the help of carefully selected extensions and server software and clients, although this quickly becomes impractical for general-purpose messaging, mainly because of availability and usability: Managed free servers with the right components are in short supply and often don’t last for long, and the general public doesn’t have the tech skills to do it themselves. (Availability was not a problem when Google and Facebook supported it, but that support ended years ago.) It’s still useful for relatively small groups, though, if you have a skilled admin to maintain the servers and help the users.

    • rottingleaf
      link
      fedilink
      arrow-up
      3
      ·
      7 months ago

      An FSB (or AP, don’t know which, the main thing is it’s Russian) honeypot at that.

    • extant@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      7 months ago

      There’s no oversight for any of these agencies and they have the means and incentive to backdoor cryptography, what would stop them from doing this morality? There’s no possible way that they both aren’t compromised and all we’re seeing now is them firing pot shots at each other trying to convince the reader to join their honeypot because its sweeter.

      • tastysnacks@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        No sure if you mean government agencies but if you do, there’s definitely oversight. Don’t think that your Congress peoples aren’t in on it too.

  • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
    link
    fedilink
    arrow-up
    22
    arrow-down
    13
    ·
    edit-2
    7 months ago

    I’m always amazed how people come out of the woodwork to defend Signal any time any criticism of it comes up. It’s become a sacred cow that cannot be questioned. Whatever you may think of Telegram should bear zero weight on your views of Signal.

    The reality is that developers of Signal have close ties to US security agencies. It’s a centralized app hosted in US and subject to US laws. It’s been forcing people to use their phone numbers to register, and this creates a graph of real world contacts people have. This alone is terrible from security/privacy perspective. It doesn’t have reproducible builds on iOS, which means you have no guarantee regarding what you’re actually running. These are just a handful of things that are publicly known.

    And then we know stuff like this happens. NSA suggested using specific numbers for encryption that it knew how to factor quickly. The algorithm itself was secure, but the specific configuration of how the algorithm was implemented allowed for the exploit https://thehackernews.com/2015/10/nsa-crack-encryption.html

    These kinds of backdoors are very difficult to audit for because if you don’t know what to look for then you won’t have any reason to suspect a particular configuration to be malicious. Given the relationship between people working on Signal and US government, this is a real concern.

    The same kind of scrutiny people apply to Telegram and other messaging apps should absolutely be applied to Signal as well.

    • devraza@lemmy.ml
      link
      fedilink
      arrow-up
      6
      ·
      7 months ago

      I’d just like to add that you can use a temporary phone number service to sign up to Signal as you only need a phone number to register, not to actually use Signal.

    • The_Dark_Knight@lemmy.sdf.org
      link
      fedilink
      arrow-up
      3
      arrow-down
      5
      ·
      edit-2
      7 months ago

      Matrix is shit atm mate stop recommending it maybe one day it will become good but that day is not today also they are said to be scattering metadata and bashes XMPP for no real reason . Briar and SimpleX is the gold standard for now only if they had more users .

      • Autonomous User@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        7 months ago

        bashes XMPP for no real reason .

        This is a lie.

        The whole area of XMPP vs Matrix is quite subjective. Rather than fighting over which open interoperable communication standard works the best, we should just collaborate and bridge everything together. The more federation and interoperability the better.

        https://matrix.org/docs/older/faq/

      • mox@lemmy.sdf.org
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        7 months ago

        Matrix is shit atm mate

        No, it is not.

        bashes XMPP for no real reason .

        No, it does not.

        Briar and SimpleX is the gold standard for now

        No, they are not. They might fit a certain niche (or could once they mature) but neither is a good general-purpose messenger, because their goals and designs inherently limit usability.

        No messaging platform fits every use case, but Matrix is great for general-purpose private messaging that anyone, anywhere can easily use, without Google services, without a phone number, and without being vulnerable to shutdown if a single country’s laws turn unfavorable. It has other advantages as well. It’s not flawless, but is constantly improving, and is already very useful to many people.

        If you have a specific criticism that you can actually support with facts, you could bring it up for discussion. Slinging vague attacks that look a lot like something one might see in a poorly-informed reddit post doesn’t help anyone.

        • The_Dark_Knight@lemmy.sdf.org
          link
          fedilink
          arrow-up
          1
          arrow-down
          2
          ·
          7 months ago

          Its like you have never used it . The clients and servers are laggy federation is shit etc . but you seem to have your mind set no hope in arguing .

          • mox@lemmy.sdf.org
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            7 months ago

            The clients and servers are laggy

            Which ones, exactly? The largest public server was laggy about two or three years ago, but hasn’t been recently in my experience, and in any case, you can pick a different server or run your own. I have never seen a laggy client.

            federation is shit etc .

            Again, that doesn’t match my experience, and what you’ve written is too vague to have any useful meaning.

            no hope in arguing .

            Apparently not. Good day.

            • devraza@lemmy.ml
              link
              fedilink
              arrow-up
              2
              ·
              7 months ago

              I’ve previously had issues with Matrix being incredibly slow and unreliable with federation (I’m self-hosting). However, that’s pretty much in the past now and I seem to have somehow resolved that issue.

              • mox@lemmy.sdf.org
                link
                fedilink
                arrow-up
                2
                ·
                7 months ago

                Which server software are you running? Any recent experience with Conduit or Dendrite?

                • devraza@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  edit-2
                  6 months ago

                  I’ve been using Conduit within a docker container for a while now, and it’s worked pretty well aside from the mautrix-signal bridge (this was fixed in version v7.0.0, I think). Other than conduit, I tried out dendrite, but the latency in sending messages was unbearable.