
I really wish Telegram would embrace open source, security audits, etc. It's one of, if not the, best UX chat message apps, with so many features it's sort of mindblowing. I'd love to use them. But... I avoid it, because something doesn't smell right.

Allowing me to pay would be yet another right direction for Telegram, but I just can't move past the audit (and to a lesser extent, FOSS).




> It's one of, if not the, best UX chat message apps with so many features it's sort of mindblowing.

I'd go as far as saying it's by far the best. I have used the word unnerving to describe the fact it's so beyond the rest of the competition, yet free and without a viable business model.

I use Signal with friends and Matrix with other nerds.


I totally agree. And I can't understand why FB - a much wealthier corporation - can't fix numerous problems with its Messenger app. Sometimes the messages don't sync correctly, sometimes voice messages don't play, sometimes images are not loaded in high quality, the search sucks, removing a single message requires 3 taps(!), etc. etc. None of these happened in tg for me, and yet, I don't know why more people aren't using it.

Given the open-source nature of tg, I would imagine someone would put together a Messenger client based on tg source code. I guess that would solve many problems with FB's own messenger.


> yet free and without a viable business model.

This has been bothering me as well but seems to be solved now.

All current messaging features will be free but new team features etc will be paid IIRC and AFAIK.


It’s mind blowing how the app has had millions of users and massive development for years and it was all paid for by one billionaire’s personal funds without a plan to make the money back. It’s only being monetised now because it costs too much.


> seems to be solved now.

Well, we'll have to see how that pans out...


It goes too far for me. Every time I set it up I have to turn the background to white and turn off emojis that take up the entire window and wipe out all context. I actually prefer the simplicity of Signal's apps.


Telegram, the client, is fully FLOSS. You can even find it on f-droid¹, contrary to e.g. Signal, which is only available for installation via closed app stores.

Do you refer to the server-stack? How would that being Open Source help you when you cannot ever verify what a server actually runs?

¹ https://f-droid.org/en/packages/org.telegram.messenger/


That's totally false. Here's the client you can download, compile, and side-load yourself: https://github.com/signalapp/Signal-Android

And here's the server implementation you can also run yourself: https://github.com/signalapp/Signal-Server

Telegram has also been exploited multiple times, while Signal has held up against a US federal subpoena.

https://www.theverge.com/2016/10/4/13161026/signal-subpoena-...


I did not say, nor wanted to imply that Signal is not FLOSS.

Just that Signal is not on F-Droid. Which has a bit of a history and some drama. It was there, long ago. Still TextSecure back then.

Sure, you can build it yourself. And from there, with some hoops to jump through, install it on your phone over adb (it's what I did). But that is far from F-Droid or some other app store. E.g. there are no updates, which is a crucial feature in a security-critical app.


There are also F-Droid repos such as [1] that contain Signal. F-Droid policy requires approval from the author to be included, which is a bit of a weird take on FLOSS.

[1] https://calyxos.gitlab.io/calyx-fdroid-repo/fdroid/repo?fing...


> Telegram has also been exploited multiple times

Source?



This had nothing to do with code vulnerabilities let alone open-source in general. It was a social engineering hack relying on default voicemail passwords.


> Do you refer to the server-stack? How would that being Open Source help you when you cannot ever verify what a server actually runs?

Primarily yes, and while true - that's an extreme and a bit pointless, imo. I can say the same about Linux, which I'm on now, as I've never verified what I'm _actually_ running. Or Matrix servers I'm connected to, and what they're _actually_ running.

Yet the idea remains that something some people have analyzed is better than something "no one" (outside Telegram lol) has analyzed.

Your question feels as if we may as well all be running entirely closed source. I'm unsure why the benefits and/or supporting arguments for FOSS need to be stated here. Is there a degree of your question I'm missing?

edit: Oh and, of course, the FOSS nature is even more important in the case where the majority of Telegram communication seems to lack security. If this was a zero-knowledge platform I'd be far less concerned about their server-side implementation.


There's a big difference between something that's possible with some effort (i.e. compile the Linux kernel from source, compare the binaries with what ships with your distro), and it doesn't need to be you personally that does it. If a distro has 100k users, only 1 of them has to discover and make a scandal out of it. Projects like Debian take it even further and make a promise that it should be easy to reproduce the builds of their packages.

That's literally impossible with any closed-source server-side software. You can't even inspect the binary as you can with a client.


> that's an extreme and a bit pointless, imo.

I understand the confusion. I was talking about the current situation where you cannot run your own server or even choose amongst servers.

It is pointless if you can view the source code of that server, but have no way to check if the one server that you can ever use runs that code at all.

It makes sense in a federated or decentralised setup, where you can run your own servers, choose instances, or even build your own version of the client with other backend URLs baked in. For Telegram all it offers is validation that the code is good, or not good. Without any power to do anything about that.



Signal is available from their website and the build on their website includes a self update feature.


Despite the potential security issues, I still use Telegram.

Where possible, I prefer to type on my proper desktop keyboard, because I am a stubborn old man and you kids with your phones, and Telegram is just so nice in that context. It uses no resources, the UI largely gets out of the way, and message sync and delivery is 99.9% reliable in my experience. (Looking at you, Messages app.)

I do worry on some level that, by not paying, I am the product in some sense. And I wish they had a full security audit. But, I have so many other potentially insecure ways for people to get my info, and really I’m too boring to stalk anyways, so I just can’t make myself too bothered.


It's not your info that people can get, it's your chats, which makes "info" sound like the understatement of the year. Less so the past year that we've been in the same house at all times, but I generally chat with my SO all day long about everything on my messaging app. It's _not_ okay to have years of that history stored on a Russian app server based in Dubai. A security audit doesn't matter. I'll take for granted that the chats get to the server securely before being stored in plain text forever. Even if I could trust the current company to be 100% altruistic, I can't trust that data to be safe with them forever. Through state-sponsored attacks, company sales, new CEOs, new boards, etc.




