
As did Signal (called Axolotl back then)?

All protocols are invented at some point. Telegram did a terrible job marketing this one but it has been a long time now and the only issue I ever heard of was fixed some years ago. It's still not exactly pretty, but then look at TLS and I'm actually quite okay with mtproto.

The real issue is that mtproto is never used. It isn't implemented in most clients for no apparent reason ("can't keep state for encryption keys!" is the usual excuse - dude you keep my login token what's the big deal here) and if you try to use it, it doesn't sync between devices. One of the core selling points is a solid desktop experience.



You mean Signal which was created by Moxie Marlinspike and other legit cryptographers and security researchers? Who rolled Telegram's crypto? No idea. Why should we trust them? No idea. I think I'll go with the people who have been contributing to the field for years and are highly respected.


I'd rather go with cryptanalysis and/or audits than big names. Both protocols are old enough now to have had ample opportunity.

And I can't tell if Moxie really means to improve the status quo or works for some three letter agency and builds just enough metadata opportunities into popular messengers and opportunistic encryption into WhatsApp to be helpful without being suspicious. To avoid redundancy, I posted these only yesterday and it includes some of the reasons: https://news.ycombinator.com/item?id=25669531 https://news.ycombinator.com/item?id=25669267

They don't cover everything unfortunately but I'm also getting annoyed with the ephemerality of HN. What's posted last week is forgotten and never looked at again. I can try to find old posts that cover it or type it all out again (and it's a big claim so very few people will even take the time to read a big comment with reasons in the middle of another thread). I'm also not denying he does good stuff, just that there are enough weird opinions (decentralization = evil, anybody but us = evil, bug bounties = evil...) that I carefully look at what he makes and would rather there were better alternatives than their central servers.

Signal is still the only realistic messenger to use for good security and usability, unfortunately. Wire is a good second but Signal is definitely more smooth and I'd still recommend that to the general public, with the asterisk that it's an American company and that they should try Matrix if they're feeling adventurous (Wire falling somewhere in the middle, at that point you might as well try Matrix).


> And I can't tell if Moxie really means to improve the status quo or works for some three letter agency and builds just enough metadata opportunities into popular messengers and opportunistic encryption into WhatsApp to be helpful without being suspicious.

Moxie is an anarchist (or near to it) and has been so for a long time. Secretly working for the NSA would be a stupendously long con.


Might not have been planned from the get go. But let me quote myself from a sibling comment:

> it's more of a hyperbole than something I truly suspect. It's just that their opinions are in line with the hacker community 50% of the time, and in line with surveillance organisations the other 50% of the time. Of course, he always has some reason for having the opinion, it's all covered up just fine, so it could also be perfectly legit. It's just weird to argue both sides at the same time.

His being an alleged anarchist, how does that hold with the prohibition for forks to use Signal's servers? Or the insistence that Google is the only place you should get the apk from? Shouldn't we all build from source, not trust a central distribution point? They argue both sides and I find it hard to tell what they really believe in.

That said, I definitely see your point and, as said, he does plenty of things to improve the status quo. It's just his rejection of other things that would be even better.


"Or the insistence that Google is the only place you should get the apk from?"

No, you can but are not forced to. There is a compiled apk (that autoupdates) which you can get directly from their website.

https://signal.org/android/apk/


> And I can't tell if Moxie really means to improve the status quo or works for some three letter agency and builds just enough metadata opportunities into popular messengers and opportunistic encryption into WhatsApp to be helpful without being suspicious.

As if Moxie having opinions that you don’t agree with is evidence for some covert NSA operation or some such. What nonsense.


Yeah it's more of a hyperbole than something I truly suspect. It's just that their opinions are in line with the hacker community 50% of the time, and in line with surveillance organisations the other 50% of the time. Of course, he always has some reason for having the opinion, it's all covered up just fine, so it could also be perfectly legit. It's just weird to argue both sides at the same time.


> And I can't tell if Moxie really means to [...]

Not a fan of Moxie either but you got a source for that?


Sorry, was still editing in a bit of context, please see the current version. If there is anything in particular feel free to ask, but the whole analysis is more of a submission of its own that I'm not sure I'm up to writing today.


No this is fine. I fully agree with your points and that's precisely why I'm not a fan of his. But yeah, Signal is the shiniest turd we have for secure messaging that's normie (as in not someone in tech) friendly.


I’d rather take the service which is not hosted on US servers over one that is, given that I can verify neither of their server code.


Services hosted outside the US offer less protection against US intelligence agencies, not more.


Somehow I don’t buy it. Care to explain? One would think that being hosted on US soil makes it more likely to get backdoored by NSA type agencies.


IMO no location offers any protection against NSA et al. The US spy on friend and foe alike.


Technically they can't spy on US citizens without a warrant. Practically: Lol.



