🇬🇧 🇩🇪 Is Telegram secure?

Thanks for the links and information. I'd like to do as well as possible on the privacy front, without knowing enough about cryptography to judge that myself. And I also try to spread the word.

With that background, I'm wondering why in all of this thread Threema has not come up. We (family and friends) use it because (we heard) it's E2EE, there's an easy QR-based connection, and it's hosted in Switzerland (neither US nor Russia :-). Unfortunately, I can't buy Threema for others in the Play Store - otherwise I would buy it for the people I want to communicate with.

How does Threema compare? Are we on the wrong track?

Thanks & regards from
nobi

1 Like

Threema is not open source, which is a red flag. In theory, they could just pretend to be super secure while secretly selling your data. I'm not saying this is the case, and I doubt it is, but you can't prove it.

3 Likes

There are reasons for that (because their security threat is human rights activists in dangerous countries):

  • Briar doesn't use Gobble's push notification service (FCM), the only one not boycotted on Android. That's the one Signal, Telegram, and Conversations use (the last two when obtained from the Play Store, but not when obtained from F-Droid), and why Briar needs a permanent notification.
  • Briar routes all connections through the Tor anonymity network.
  • Briar is a standalone client. That means all processing is done exclusively on the phone: there are no central or federated servers to call, so it needs to "discover" where to send data. I'm not sure about this, honestly, but I think it could be another battery-hungry process.

I distrust Telegram because E2EE is not on by default and because they fail to fulfill their initial promise of releasing the server source code. If it's opaque and has unencrypted data = :x:

P.S.: Thanks @Winfried for your pretty useful reply and personal experience.

3 Likes

You can use Conversations without Google Cloud Messaging, like I do. It runs remarkably well like that and doesn't hog your battery, but two things are needed for that: you must allow it to run as a background process, and your XMPP server must support some of the extensions for mobile devices (see the Conversations documentation).

Last time I tried Briar, some months ago, it was still a battery hog. I guess it is inherent in running over Tor.

3 Likes

But the encryption of Threema is open source, as far as I know.
They use NaCl (http://nacl.cr.yp.to/) and other open source components mentioned in the cryptography whitepaper (https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf).

You can buy and give away Threema independently of the Play Store at https://shop.threema.ch/.

4 Likes

The Gizmodo article is misleading and wrong, please read this.
You can read here about Telegram's choice regarding E2EE.
Furthermore, a detailed article that compares WhatsApp, Signal, Telegram and Wire:

Is Signal still a good choice after the SVR and PIN features?
No one thinks so except its founder Moxie. SVR and PIN invalidate E2EE by moving the trust from your device to Signal's servers.
Greene security expert.
SVR is based on flawed technology.

I would like to know what Snowden and Schneier think.

P.S.
Do not forget that Signal's encryption is Trust On First Use (TOFU).

This recent article shows that username support is a mandatory feature for every service, Signal included. Moreover, it shows that Telegram is better than Signal and WhatsApp, with the default settings too, regarding the mitigations against adding random contacts while leaving some personal information visible (online status, profile data, etc.).
Last year, after the Hong Kong protests, Telegram allowed you to hide all your personal information, even your phone number, from your contacts. So, at the moment, you can protect yourself in the protests, and in this scenario it is better than Signal.

1 Like

This is off topic now, but Telegram is probably the last messenger where you can expect data security.

1 Like

Well, compared to WA, Telegram is at least open source on the client side. Why data security isn't guaranteed with Telegram is, honestly, unclear to me as well.
Personally I find Telegram very likeable, because they are not afraid to take on the big and powerful of this world (Russia and Iran). For that reason alone it has my support.

I find Telegram suspect because lots of right-wing extremists and conspiracy theorists are active there. I want nothing to do with that. My sympathy in matters of OTT messengers belongs to Signal.

3 Likes

Well, Signal is also used by right-wing extremists; you can't generalise like that.
I only subscribe to the channels I want, and only communicate with people I like.
But to say that the messenger Telegram is crap just because right-wing extremists use it is, well. That's like saying: I don't drink beer because right-wing extremists drink beer.

I didn't say across the board that Telegram is crap, but that I find it suspect. And why, that I have substantiated, unlike you. Of course every technology is a double-edged sword and will always be abused too; with Telegram, though, in my opinion that got out of hand long ago.

1 Like

Of course one can't entirely rule out that there are a few right-wing extremists and conspiracy theorists on Signal too.
Signal's structure, however, is less suited to building large networks. For instance, Signal has no channels, which play a big role in those circles.
All the conspiracy and Nazi groups and channels on Telegram are, by the way, publicly visible and known (!) - the developers would very well have the possibility to delete such democracy-undermining groups and channels, but they don't want to. Personally I find this very problematic…

Quite apart from the fact that end-to-end encryption in Telegram is merely an optional feature that has to be enabled manually, after which those chats are accessible only on the mobile phone: on the PC client you look in vain for an end-to-end encryption option.
Something Signal manages without any trouble - even for group chats!
WhatsApp, by the way, has for some years also used Signal's encryption technology, which is available as open source :slight_smile:
In addition, Telegram - unlike Signal - relies on a cloud solution, so that chats are not stored locally.

3 Likes

Personally I have nothing against Signal. A very good technology, which I also like to use. However: of my almost 2000 contacts, about 10 people are on Signal, but almost 700 on Telegram. On Signal I have nobody I can communicate with. Otherwise nothing against this messenger. The Telegram channels you mentioned that offer right-wing extremist content… sure, such things exist. Also channels where you can buy weapons and drugs. But since that doesn't interest me, I have no points of contact with these people, and it poses no problem for me. I merely compared Telegram with WhatsApp. And if you compare these two messengers, I personally find that Telegram is worlds better than WhatsApp. My personal opinion. I don't want to convert anyone here. Everyone should use what they like.

2 Likes

For data protection reasons Telegram is practically just as questionable as WhatsApp, if not more so, see e.g.: https://www.heise.de/hintergrund/Telegram-Chat-der-sichere-Datenschutz-Albtraum-eine-Analyse-und-ein-Kommentar-4965774.html

4 Likes

Source of the comparison?

You claim:

Yes, well, I find proper E2EE and proper application permissions far more important than what you mentioned. Telegram has no E2EE in group chats, and in 1-on-1 chats it only applies it when explicitly enabled. Nice default settings…

They also insist(ed) on their homebrew crypto, which is incredibly amateurish and arrogant to say the least.

Furthermore, doesn't Telegram also use SMS to verify the phone number?

Oh, and where is the source, Luke?

1 Like

You are right, Telegram's cloud chats are not E2EE while Signal chats are E2EE (Telegram is working on E2EE group chat link).

However, you have to consider the whole setting.
Signal, like the majority of E2EE protocols (Wire, WhatsApp, Telegram secret chats, etc.), is Trust On First Use (TOFU) with a centralised server and therefore, in the absence of verification (via a secure channel, in person) of your partners' public encryption keys (practically impossible for groups, especially if N is large and users live in distant areas), it still requires you to trust the message delivery server.
Telegram's MTProto v2.0 is formally verified, like the Signal protocol. MTProto v1.0 had some theoretical weaknesses (the SHA-1 hashing primitive and the absence of the IND-CCA criterion) that were not practically exploitable link.
Telegram apps are fully open source and reproducible, while for Signal only the Android app is reproducible. Telegram is available as FOSS on F-Droid while Signal is not.
The Telegram server is closed source while the Signal server is open source (even if the repository is not up to date). This is a false sense of security since you cannot verify which code is running on the server. Moreover, Signal does not support server federation, and if you want to install your own private instance, you need Amazon, Google, Apple and Twilio accounts.
Telegram owns its server infrastructure, and the servers are geographically distributed around the world in various jurisdictions to protect data from mass control by government authorities. Moreover, data without end-to-end encryption is protected by its distribution on servers located around the world in various jurisdictions and by its separation from the respective decryption keys. Telegram allows you to delete, for everyone and without time limit, the data sent and received.
Signal claims to store little data and metadata. Signal is based in the USA and on AWS. The data is stored on their servers with SVR technology that relies on flawed SGX. The operator of the servers, Amazon, can obtain data and metadata by exploiting the vulnerabilities (at the request of the US CLOUD Act (CLOUD Act - Wikipedia)). Fortunately, the content of chats is not copied to the cloud for now.

So, I agree that in theory Signal is better in terms of trust, but in practice the difference is very small.

P.S. the article about contacts discovery is this.

4 Likes
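The TOFU point made in the post above (a client trusts whatever key the server hands it on first contact, and only an out-of-band comparison can catch a substitution at that moment), as an added example that is not code from the thread or from any of the messengers discussed; the `TofuClient` class, the fingerprint format and the sample keys are constructed for illustration:

```python
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """Short fingerprint of a public key (constructed format: 16 hex chars of SHA-256)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

def safety_number(fp_a: str, fp_b: str) -> str:
    """Order-independent string both parties derive, so they can compare it in person."""
    a, b = sorted((fp_a, fp_b))
    return f"{a}-{b}"

class TofuClient:
    """Pins a contact's key on first contact, as TOFU messengers do (hypothetical class)."""
    def __init__(self):
        self.pins = {}  # contact -> fingerprint pinned on first contact

    def receive_key(self, contact: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self.pins.get(contact)
        if pinned is None:
            self.pins[contact] = fp  # first contact: whatever the server delivered is trusted
            return "pinned"
        return "match" if pinned == fp else "key-changed"

    def verify_out_of_band(self, contact: str, my_fp: str, number_shown: str) -> bool:
        """True if the number derived from the pinned key equals the one the contact shows in person."""
        return safety_number(my_fp, self.pins[contact]) == number_shown

def demo() -> dict:
    # Constructed sample keys; real clients would use X25519/Ed25519 public keys.
    alice_key = hashlib.sha256(b"alice-real-key").digest()
    bob_key = hashlib.sha256(b"bob-key").digest()
    server_key = hashlib.sha256(b"key-substituted-by-server").digest()
    alice_shows = safety_number(fingerprint(alice_key), fingerprint(bob_key))

    bob = TofuClient()
    honest = bob.receive_key("alice", alice_key)  # honest server: Alice's real key is pinned
    honest_oob = bob.verify_out_of_band("alice", fingerprint(bob_key), alice_shows)

    victim = TofuClient()
    silent = victim.receive_key("alice", server_key)  # substituted on first contact: no alarm
    caught = not victim.verify_out_of_band("alice", fingerprint(bob_key), alice_shows)

    later = bob.receive_key("alice", server_key)  # substituted after pinning: TOFU itself flags it
    return {"honest": honest, "honest_oob": honest_oob, "silent": silent,
            "caught": caught, "later": later}
```

Run `demo()` to see the three cases: pinning on an honest first contact, a silent substitution on first contact that only the in-person comparison reveals, and a later key change that the pin itself flags.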

However, you have to consider the whole setting.

Signal not being perfect does not diminish Telegram's flaws and does not make the lack of end-to-end encryption acceptable, nor the difference very small.

Anyway, I have discovered Matrix/Element.
It gives cloud chats with federation, end-to-end encryption, arbitrarily many devices, and does not require phone numbers or a phone.
Prospectively, it'll provide a P2P mode as well.

2 Likes

Hi all. I'm not sure if this is the right place for me to be asking this question/questions. I've got a friend who is abroad at the moment and has had their SIM compromised.
Someone is able to see everything being said over the phone on Messenger and all the other apps… I've suggested Telegram but I'm concerned that the confirmation code could be intercepted and used to clone the account, and we'd be back to square one… so my main question is… can a Telegram account be set up and be safe on secret conversation for secure conversation even if the other person has a clone of the phone/SIM? Any other suggestions for getting a secure channel set up in this situation would be welcome too. Cheers, Jim.

Right, but again, Signal is not so good compared to Telegram. At first glance it is better; after a detailed analysis it is not.
There are two projects that analyse the terms of service and privacy policies of software and services:

  • PrivacySpy: most people don't have the patience to read privacy policies. But privacy is important, and we shouldn't just trust that products are treating our data right. PrivacySpy uses a consistent rubric to grade privacy policies on a ten-point scale.
  • ToS;DR: terms of service are often too long to read, but it's important to understand what's in them. Your rights online depend on them. We are a user rights initiative to rate and label website terms & privacy policies, from very good Class A to very bad Class E.

According to PrivacySpy:

According to ToS;DR:

2 Likes