Telegram founder and CEO alledges signal has backdoors, they don't provide reproduceible builds, etc.

MrSoup , 24 days ago

Still got server-side code closed source and by default messages are not encrypted.

alphapuggle , 24 days ago

Not sure if you're referring to telegram or signal. If you're referring to signal:

Is it private? Can I trust it? - Signal Support

Signal conversations are always end-to-end encrypted, which means that they can only be read or heard by your intended recipients. Privacy isn’t an optional mode — it’s just the way that Signal works. Every message, every call, every time.

The complete source code for the Signal clients and the Signal server is available on GitHub. This enables interested parties to examine the code for security and correctness.

biscuitswalrus , 24 days ago

Reasonably sure they mean telegram. Only secret chats are encrypted. Telegrams chat otherwise is basically transport layer encryption.

https://www.wired.com/story/telegram-encryption-end-to-end-features/

MrSoup , 24 days ago

Telegram :P

Dark_Arc , 24 days ago

Server-side source code is a red herring. It's meaningless, it can't be verified.

The latter point is fair.

MrSoup , 24 days ago (edited 23 days ago)

Having server-side source code open can help into finding not on purpose backdoors. But yes, no one can verify that's the same exact version used by the actual servers.

Dark_Arc , 23 days ago

That's fair ... especially in the case of something Telegram like where the server is a major portion of the security model (for non-secret chats).

For truly private E2EE chats though the attacks on Telegram's lack of an open source server side (and Signal's presence of one) is fairly meaningless. If the client E2EE is correct and you're using a reproducible build the server, and even any MITM (man in the middle), shouldn't matter.

winterayars , 24 days ago

I don't think i care what Jack Dorsey says that isn't backed up independently. Even if he's right i just don't trust him.

dessalines , 24 days ago

You shouldn't need to trust open source, it should be independently verifiable. Unfortunately that's not possible with either signal or telegram, as there's no way to tell what server code they're running.

delirious_owl , 24 days ago

If encryption happens client side then it doesn't matter.

Its where the server is open but the client is closed that we need to worry, as is the case with Beeper

ForgotAboutDre , 24 days ago

Closed sources server (even open source with no verification of the code running on the server) means it's possible the server records who you talk to, when, where and the size of the messages. This can be useful to sell to advertisers.

Dark_Arc , 24 days ago

Cloud source server or open source server, you can't know what server their running.

Pavel's whole argument here is basically the same thing for the client; "you can't verify the build in the app store matches what's in the source code, so you have no way of knowing it's actually what you're auditing."

delirious_owl , 24 days ago

If the client is open, then you can check to make sure that all metadata is encrypted.

ForgotAboutDre , 24 days ago

You don't need meta data to know these things. Any server handling the traffic for the app will know these things.

delirious_owl , 23 days ago

Not true for all messengers

ForgotAboutDre , 23 days ago

Only if the messenger is P2P, I don't know of any popular messenger like that.

delirious_owl , 23 days ago

SimpleX for one

whereisk , 23 days ago

I'm wondering if Dorsey has any stakes in Telegram's crypto bullshit..

FIST_FILLET , 24 days ago

well, this is concerning to hear. i had no idea signal was funded by the US state

InternetCitizen2 , 24 days ago

It is an eye raiser, but it is also somewhat of a red herring. Tor is a very solid privacy browser that started as a government project; not sure if they are still funded today. Nothing is ever going to be a perfect solution (cat and mouse game), but it does strike me that Telegram is more concerned about features than it is about privacy.

FIST_FILLET , 24 days ago

oh damn, didn’t know about tor’s history either! thank you for the relief. faith restored cautiously

tcit , 24 days ago

Wait till you hear where the Tor money comes from. Funding is not a direct cause of issues.

FIST_FILLET , 24 days ago

just learned through another reply, thank you for putting my mind more at ease brothers 🤝

possiblylinux127 , 24 days ago

The kettle calls the pot black...

delirious_owl , 24 days ago

Is telegram not providing reproduce builds?

onlooker , 24 days ago

I don't know about reproducible builds, but Telegram has a slew of other problems. For example, they advertise that your messages are "heavily encrypted", but this feature is restricted to secret chats which is NOT the default method of communication and they use their own weird-ass algorhythm called ProtoMT instead of one of many existing algorhythms which have been audited and verified. Not to mention you need to give them your phone number to use the app.

biscuitswalrus , 24 days ago

Telegram isn't encrypting chats (only secret chats).

As far as reproducible builds telegram has got instructions and caveats or excuses around builds for the same issues signal does: https://core.telegram.org/reproducible-builds#reproducible-builds-for-ios

Both easily make Android reproducible builds. This Twitter message is a rock being thrown in a glass house, knowing most people who consume Twitter like it's a firehose, won't swallow the nuance of the details.

I don't even, not to complete lengths.

firefly , 24 days ago

Telegram: We keep you private. Now enter your phone number to sign up.

SLfgb , 24 days ago

Signal does the same

Bookmeat , 24 days ago

I didn't think that's required anymore?

SLfgb , 24 days ago

You still need a phone number to register an account as far as I could tell when I did the other day. You no longer need to share your number with any contacts and can set it so noone who has your number can look you up on signal. You can optionally set a unique alphanumeric 'username' instead to hand to people to look you up. But yea, Signal still requires you to give them and their authenticatian service (through sms code) your phone number.

Bookmeat , 24 days ago

Thanks for the clarification.

SLfgb , 24 days ago

Np

Omniraptor , 24 days ago

Are there any equivalents that don't need a phone number?

SLfgb , 23 days ago

Yes, XMPP, a long-standing protocol that's also not a walled garden, doesn't require a phone number or even a phone.
For android I use the Conversations client combined with Dino on computers. Currently logged in to a handful of devices synchronously. You can choose what server to make an account on; conversations.im I found to be reliable. Drawback is Signal doesn't let you bridge to it from anywhere outside of Signal. So I have accounts on both.

delirious_owl , 24 days ago

It is

miss_brainfarts , 24 days ago

That breaks anonymity, not privacy

delirious_owl , 24 days ago

It breaks both

Ferk , 19 days ago (edited 19 days ago)

You mean "confidentiality", not privacy.
Just the metadata related to whether you personally, traceable to your full name and address, have a Signal account and how much you use it might be considered a privacy breach already, even if the content of the messages is confidential.

Ferk , 24 days ago

Signal is the same in that regards.

Tja , 24 days ago

Was

Matt , 24 days ago

Signal still requires a phone number to use it. What they recently added is the ability to message people without needing to know their phone number.

Tja , 24 days ago

Oh, that sucks. My bad.

electro1 , 24 days ago

Yeah, he needs to fix his broken secret chat feature first... I think it's broken on purpose..

After seeing his interview with Tucker Carlson, I'm 100% the guy has some really dark agenda..

rdri , 24 days ago

What's broken there?

electro1 , 24 days ago (edited 24 days ago)

It stops working after a while ( days or weeks ), your receipents will stop receiving your messages, and you'll not receive theirs, or you'll receive them with a big delay, it happens more frequently with iOS users

most people have to go out of their way to start a secret chat, the user journey to activate it is too long, it's safe to consider it hidden...

smileyhead , 25 days ago

Telegram: There are backdoors in Signal encryption!

Also Telegram: not encrypted

dsemy , 25 days ago

Telegram secret chats are e2e encrypted though

ReversalHatchery , 25 days ago

Secret chats only. With their own, in-house encryption, that, if I remember correctly, the apps don't use according to the specifications.

Maybe I'm mixing up mtproto 1 and 2 with that second part, though.

EngineerGaming , 25 days ago

AND only available on mobile.

noodlejetski , 24 days ago

AND 1-on-1 chats only, no e2ee for group chats available at all.

dsemy , 24 days ago

I don't mind in-house encryption (the Signal protocol didn't just appear out of nowhere either), however the latter part is worrying.

In any case, I personally don't trust Signal or Telegram.

possiblylinux127 , 24 days ago

What do you trust? It seems like something like Molly is the best for compatibility and security.

SLfgb , 24 days ago

Molly is just Signal with a different name and on more depositories

possiblylinux127 , 24 days ago

And no proprietary software or dependencies

SLfgb , 24 days ago

The Signal servers it connects to run proprietary or unauditable software, no?

possiblylinux127 , 24 days ago

All server side software is proprietary as you don't control it. With that being said having a centralized design isn't great but Signal is well known and pretty well proven.

There are other messagers but don't though Signal out so quickly.

dsemy , 24 days ago

Molly still depends on Signal's centralized servers.

Best solution I know of currently is SimpleX, though Veilid (and VeilidChat by extension) also seem promising, though it might take a while for those to be usable.

possiblylinux127 , 24 days ago

From a cryptographic and usability perspective Signal still has a few benefits. However Simplex is promising.

toastal , 24 days ago

The best is to not trust the centralized server of either of these platforms. Set up your own XMPP server & gives these the boot.

possiblylinux127 , 24 days ago

No thanks. XMPP is old and dead

toastal , 24 days ago

XMPP is battle-tested* and thriving*

I don’t think you know how many commercial use cases are relying on XMPP, nor how much the community has been working on updates. Older technologies tend to have maturity is spec but also in implementations where the servers are robust & already at the point of optimization over chasing features. We see this with how little specs it takes to run a server & have Conversation forks on Android have some of the best battery life & data plan usage in the chat space. The network is massively decentralized too… unlike Matrix where almost everyone is on Matrix.org or a server provided/hosted by Matrix.org giving them all the metadata.

Scolding7300 , 24 days ago

But for some reason they don't develop features for e2ee like the other chats. Perhaps it's just hard

delirious_owl , 24 days ago

But extremely hard to use to the point that nobody uses them. I send a secret chat to someone and they write me back in the unencrypted chat.

It shouldn't be possible to send anything unencrypted

efstajas , 24 days ago (edited 24 days ago)

Tbf not all the chats being E2E encrypted is a UX compromise. It makes Telegram a lot nicer to use across devices and allows just accessing your messages from anywhere without needing your phone to be on. Plus no need to back up chats etc. because they're all just on the server. As opposed to secret chats, which of course are bound to one particular device and can only be accessed from there.

I'm all for E2E by default but I must say I actually like the idea of having a choice in this particular case.

delirious_owl , 24 days ago

There's no reason for secret chsts to not be stored on the server and to not be synced to all your devices. We've had double ratchet for a while. Telegram rolling their own crypto is dumb for many reasons

efstajas , 24 days ago

Correct me if I'm wrong, but even with double ratchet, retrieving and decrypting the message history is tricky / impossible, no? Afaik signal does allow you to receive new messages on multiple "linked devices", but a new linked device doesn't have access to any messaging history.

delirious_owl , 24 days ago

That behavior would be a major improvement to telegram

efstajas , 24 days ago

From a privacy POV, sure, not trying to argue that. Just saying that Telegram does have a bunch of features like that that wouldn't really work if all chats were always E2E encrypted, so there's a reason that it's opt-in. Whether it's a good one or not is up to you to decide for yourself.

Though I definitely think that Telegram could do a much better job explaining the trade-off, especially in a world where many major messengers are always e2e encrypted, and people somewhat expect it to be the default.

fushuan , 23 days ago

It's encrypted though?

You are trusting their server security and them as a company, sure, but it is encrypted against the server for sure.

It's not as good as ir could be but that's no reason to spread misinformation.

kellenoffdagrid , 25 days ago (edited 24 days ago)

Saw someone post that City Journal article on mastodon a couple days ago and I'm amazed that so few people picked up that the City Journal and the article's author are basically puppets of the Manhattan Institute, a conservative think tank. I know most people aren't tuned to look out for think tank propaganda but it came off as really obviously FUD-y and unsubstantiated.

resetbypeer , 25 days ago (edited 24 days ago)

Dorsey isn't that the guy who fell into the anti vacation rabbit hole and backed JRFK Jr ? I mean let's be honest. If these guys are concerned then I am pretty sure it's safe.

PotatoesFall , 25 days ago

Okay first things first Jack Dorsey is a tool

The US government / CIA did in fact develop the protocol back in the day, with the goal of helping people in China and other countries message securely, probably with ulterior motives.

But the protocol itself is open source, and you can use it without any affiliation with the US government.

The claim " It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺" is therefore so stupid it almost invalidates everything else being said because the person writing is either an idiot or purposely misrepresenting the facts.

Not having reproducible builds is definitely weird though. Does anybody have more information on that?

Steamymoomilk , 25 days ago

My theory is that apple wont let the developer share there code for IOS because of "security"

I remember an emulator (retro arch i think?) Got on ios at one point and was later removed because it showed apples file system layout. Which apples reason was "because it could be used to make malware for IOS"

I feel like there is some similar thing with signal IOS

kellenoffdagrid , 25 days ago

EagerEagle posted a good comment under this post going over the client code stuff, pretty enlightening stuff.

darklamer , 25 days ago

Not having reproducible builds is definitely weird though.

https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds/README.md

bamboo , 24 days ago

Not having reproducible builds is definitely weird though. Does anybody have more information on that?

They boast this as a feature, but on the instructions for how to do this for iOS, even Telegram admits "As things stand now, you'll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process". Browsing the steps, it's extremely complex, and doesn't seem like something that is very user friendly and that you'd do weekly or monthly when a new version is released.

On the GitHub issue linked to in the body, it's disingenuous to claim they refused to implement this, and that the technical hurdles Apple has in place make this extremely difficult which halted progress. In the community forums where the conversation was moved to, someone pointed out that even if you were to reproduce it on a jailbroken iPhone, that there's no way to confirm that non-jailbroken iPhones aren't receiving a version with a backdoor.

And even if you are using a jailbroken device exclusively and can confirm the reproducibility of the iOS app, then the risk becomes the latest available jailbroken iOS could be outdated from the real versions, and you'd have other issues with not receiving timely security updates. This same issue applies to Telegram also.

ArcaneSlime , 22 days ago

then the risk becomes the latest available jailbroken iOS could be outdated from the real versions

Flipper0: iOS 17 Lockup Crash has entered the chat juuuust to be annoying.

Sims , 25 days ago

I feel hustled, bc I recommended Signal to others :-( However, ANY contact with the US elite is a clear sign of the NSA/CIA/NED propaganda/spying network. I think It is safest for everyone, to voluntarily adopt the Russian, Chinese, Iranian, etc blocklist/firewall of western big-tech propaganda and spy methods, and seek out trustworthy open source. Oc Lemmy/federation as well as any other point of contact with the commoners are valid targets for these guy's, but a minimum of defense like that seems to be the only way to keep the US Capitalist elite out of our lives.

Anyway, bye bye Signal. Gnu? Alternative ?

rivvvver , 25 days ago

please get some more opinions on this, try to understand the arguments here better, before making up ur mind and believing the founder and CEO of a competing platform that u should switch away from their competitors

kixik , 24 days ago

Jami is the GNU alternative, if you're wondering

dukethorion , 24 days ago

I read something on the internet, so it must be true!

shrugal , 25 days ago (edited 25 days ago)

It's hard to overstate what a nothing-burger this article really is! Let me break it down:

• Signal got $3 million from the Open Technology Fund at some point in its development
• Some anonymous source alleges that the OTF's ultimate goal is to promote US foreign interests
• The current chairman of the board Katherine Maher worked at the National Democratic Institute and Wikipedia before
• The same anonymous source says she was recruited because of connections to the OTF
• She has at some point voiced the opinion that a completely free internet without regulation just reproduces existing power structures, and that balancing regulation and 1st amendment rights is a tough problem
• Signal doesn't have reproducible builds on iOS (it absolutely does on Android btw)
• Some people feel like Signal chats come up more often than they should in court cases and media reports

That's it, that's the whole story. That's the reason why the Telegram guy of all people thinks you should be careful, and better use his chat service instead, and the Twitter guy agrees.

I mean, reproducible builds on iOS would be nice, but that platform has much bigger problems from a privacy/security/sovereignty/freedom standpoint anyway. And the rest is just nothing turned up to 11.

eager_eagle , 25 days ago

tl;dr "Signal might be untrustworthy because the tech came from a State-sponsored project and the current chairman acknowledges that Wikipedia has a white and Western bias."

just wait until they find out pretty much all tech we have can be traced back to government-funded research.

9488fcea02a9 , 24 days ago

Did you know the early early internet researchers were part of a clandestine government organization known as ARPANET???? The entire TCP/IP stack is just a state-sponsored backdoor into your life!!!

WAKE UP SHEEPLE!!!!

refalo , 24 days ago

yea just wait until they find out why the first digital computer was made:

ENIAC was designed by John Mauchly and J. Presper Eckert to calculate artillery firing tables for the United States Army's Ballistic Research Laboratory (which later became a part of the Army Research Laboratory). However, its first program was a study of the feasibility of the thermonuclear weapon.

Coasting0942 , 23 days ago

Getting “Tor is pentagon spyware” vibes from OP

eveninghere , 22 days ago

I guess it's the usual Russian propaganda tactic throughout Telegram. Mixing conspiracy theories with half-truths.

The NSA indeed distributed a defected encryption library in the past. These days I'm pretty sure big techs use open source encryption to avoid this trap.

And Telegram says blah, blah, iPhone is exploited. But IF Telegram is correct on this one, Andriod versions would be defect as well.

eager_eagle , 25 days ago (edited 24 days ago)

Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github.

Not true. Signal has a very similar client verification process to Telegram's, described here. The lack of an iOS reproducible build is an Apple limitation / nuisance.

It’s very complicated, the 2nd jailbroken device is necessary because there’s no other way to download the .ipa, but even if you manage to do that and bit-for-bit reproduce the .ipa you downloaded from source, there’s no way to know if the App Store is sending every user the same .ipa or if your other, non-jailbroken iPhone downloaded a backdoored one.

Telegram docs even acknowledge these limitations.

Ultimately, this client verification is not the selling point Telegram's founder makes it sound like, since most messages are not E2EE and the server code is closed.

jmanes , 25 days ago (edited 24 days ago)

I logged into Telegram today to this update from Durov. It reads like a bunch of hogwash from someone who is hiding something. They are eyeing investor funding soon, right? (EDIT: eyeing an IPO https://www.techopedia.com/news/telegram-eyes-ipo-as-it-aims-to-become-profitable-in-2025) A lot of things seem to be coinciding with him slinging mud about his competitors.

drwho , 25 days ago

Points 0 and 1: None of this is new. This goes back to 2011 or 2012.

Point 2: If someone gets hold of your phone and unlocks it (meaning, they can interact with it), they have access to your Signal messages on-board. This is why additional security measures (not using biometrics, encrypting your phone natively) are recommended. If your phone is off and someone dumps the data from it, they get encrypted data.