The Secure Messaging App Conundrum: Signal vs. Telegram [pdf] (usi.ch)
65 points by todsacerdoti 42 days ago | 87 comments

The server code for Signal is so out of date. The last update publicly was April 2020 and people on their forums say certain features don't even work on it. So clearly what's on production is not what's on git publicly.

It amazes me that they are being given a pass on this in spite of being so "transparent". If you can trust Signal then you can trust Telegram or WhatsApp.

Take a look here: https://github.com/signalapp/Signal-Server

Plenty of threads about people asking about updates or not being able to run it https://community.signalusers.org/t/wheres-the-server-source... https://community.signalusers.org/t/the-server-sources/10622

1. The client is up-to-date on GitHub, which is a much better situation than with WhatsApp or Telegram. An outdated server code just gives you reason to distrust their metadata handling.

2. Trust is a bit more complicated than that. FB sells your data and Telegram is very shady in many more regards. The situation with Signal is completely different.

3. Even if the server code on GitHub was updated, what exactly would give you reason to believe that they run that version in production? Ultimately, you cannot trust the server. This can only be solved with decentralization.

This does not deal with the very real fact that Signal's server code is out of date by 9 months. Period. Telegram's closed-source server was used as a weapon against the Telegram community by Signal people for ages. But now that the shoe's on the other foot, let's be apologists.

2. Sources. Because all I see is Telegram protecting protestors in Belarus, Hong Kong, and Russia.

Signal is rightfully criticized by people for their outdated server code. I'm just arguing that a) this does not make them as bad as WhatsApp or Telegram and b) updating the server code does not add as much trust as people tend to think. In fact, it's more of a symbolic act, because it does not give any strong technical guarantees.

All of Telegram's chat clients are open-source and they provide libraries and encourage people to develop new clients if they'd like.

Elaborate on Telegram being "very shady", please? With links, if possible.

Telegram's client code is also up to date on GitHub.

Is it? A lot of people report problems compiling the iOS client without replies.

It also has no licence in the repo or on the GitHub page.

How is not having a license in the repo an argument against trusting Telegram though?

I mean, the code is right there. Not like it's encrypted.

Can you elaborate on "telegram is very shady in many more regards"? I'm a Telegram and Signal user, but if I knew Telegram was shady I'd probably leave.

If the Signal clients are using E2E encryption, then trusting the server code is significantly less important; the whole point is you don't need to trust the server. With Telegram, E2E encryption is not enabled in all modes, and is not the default.

I think the point is if you can't see the code you don't know if it's still E2E encrypted and you're just taking them for their word?

I agree with the concern of the server code being out-of-date.

I know the consensus seems to be that it’s E2E so you “don’t need to trust the server”, but still as a principle it seems strange to be so out of date.

Perhaps more importantly, I believe Signal doesn’t have reproducible builds for their iOS client app[0] * whereas, interestingly, it seems Telegram does [1].

For me, the combination of out of date server code and non-reproducible iOS client binaries mean that for all my support of Signal (I donated during their recent outage) the benefits of this being a fully “open source” message solution are somewhat devalued.

Not to be too down on them though, I don’t touch WhatsApp with a barge pole, so they’re still my favoured messaging platform.

* Not necessarily entirely Signal’s fault because, of course, Apple doesn’t make this easy.

[0]: https://github.com/signalapp/Signal-iOS/issues/641

[1]: https://core.telegram.org/reproducible-builds

For the last few years I have always rooted (or rather I hoped) for Matrix/Riot->Element. So much that for my recreational and token FOSS IM usage (because for mainstream conversation in my country it all has moved to WhatsApp) with select friends I made it a point to request/convince them to use Matrix.

But when this WhatsApp T&C thingie happened I had to make a choice and ask all my friends and important IM contacts to move to Signal because let's face it Matrix is simply not usable for the average user as of now and I guess they will take forever to figure out Signal/WhatsApp and Slack/IRC/Zoom are not two different types of animals but are aliens to each other, especially from an end user's UX expectation point of view. So yeah it had to be Signal because no one was going to move to Wire or Threema.

Telegram is perfect for casual groups like the ones which form off places like subreddits — e.g. my country's book/lit subreddit. Besides their apps are a couple of hundred kilometres ahead of others including WhatsApp.

So as of now I am going to use Signal. Come 6-7 Feb, and I am deleting my WhatsApp account. Because I am pissed and as someone who deleted Fb, Instagram 6-7 years ago, I just don't want to accept that T&C even though I know Fb may get my data or would track me by using other means anyway. It'd be my personal tiny F.Y. to Zuck.

Having said that, Signal does and has always made me very uncomfortable:

— It's headed literally by a benevolent dictator, and boy he does benevolent dictator.

— After a while I literally gave up on trying to make sense of their feature/dev priority and delivery.

— (As you've pointed out) Dev model of their server code is very much questionable and for an app that is "Signal", this thing has no reason, no excuse — it's either there in the open, regularly, and latest, or it's not.

— It's centralized — a catastrophe waiting to happen (oh wait, a technical one just happened).

Hell, Telegram and Signal both have open source apps (in fact I can make my own in case of Telegram but in case of Signal — naah!) and they both essentially have closed source servers (even if you discount that for a centralized service you don't know what's on the server).

I really wish there was a Telegram like Matrix — esp. the UX — not like Signal/WhatsApp.

https://builtformars.com/creating-an-account-with-signal/ this is good.

As far as Facebook has explicitly stated, the reason for the "changes" to their terms and conditions was to be able to launch a feature where businesses with a Facebook page could use what amounts to a "hosted client" in order to do things like customer service or have chat bots and the such, all with multi-level permissions as you see with other platforms. This feature has been "a long time coming" (in that they have been talking about it publicly on their site for I think two years).

You could argue that anyone could already technically (though against the terms of service) build such a service, so "end to end" only applies to a user's selection of their "end", but since Facebook is WhatsApp, a statement that Facebook never has access to X or Y or Z is no longer true, and so they carefully went through everything and adjusted those terms in a way that was confusing, totally forgetting that this is the Internet and no one would understand the nuance.

The original big article about this had a statement from a Facebook representative about this that went out of its way to note that nothing was going to change for "non-business chats and account data", but almost no one seems to have even paid attention to what was actually going on or what was changing. I am betting that Facebook saying they are delaying this rollout now is going to include them spending more time on the wording to make it clearer (not that I bet the people who like to get upset about this stuff will read it carefully).

> The move, the spokeswoman said, is part of a previously disclosed move to allow businesses to store and manage WhatsApp chats using Facebook's infrastructure. Users won't have to use WhatsApp to interact with the businesses and have the option of blocking the businesses. She said there will be no change in how WhatsApp shares provides data with Facebook for non-business chats and account data.

Then, a couple days later, people were going crazy over an update to their security whitepaper that now supposedly claimed that Facebook no longer didn't not (double negative, sorry) have access to a chat's private keys... but the update was actually careful and rather specific to scope it correctly to this new hosted client for businesses feature, having the following paragraph, which seems to still be sufficient and carry the same goal as the removed sentence elsewhere.

> All chats use the same Signal protocol outlined in this whitepaper, regardless of their end-to-end encryption status. The WhatsApp server has no access to the client’s private keys, though if a business user delegates operation of their Business API client to a vendor, that vendor will have access to their private keys - including if that vendor is Facebook.

As far as I can tell, this change was blown entirely out of proportion into what almost feels like a hit on one of the few secure messenger options we have, and the only one that actually "works well" for all users, including true "end" users who barely understand what they are doing. Hell: WhatsApp is an interesting case of a product that was less secure before Facebook bought it and meddled, as it wasn't originally end-to-end encrypted!

Now, I do appreciate the arguments from people who say "you can't trust the WhatsApp client, as it isn't open source". As a reverse engineer, I think people have a bit of a warped perspective of the value of this, as I can both easily show you how to hide a backdoor in an open source project that no one will question you on (just throw in a use after free bug with an info leak in your network stack) and also attest to how "easy" (for someone like me) it is to audit these things to at least surface verify it isn't doing something ridiculous in the general case (for all users, not for you in specific... but again: that is also true of the open source client!).

That said, I really really do appreciate the point: this kind of software should be open source with secure reproducible builds, and it should have open protocols and alternative clients (which FWIW, Moxie doesn't believe in--he won't even allow Signal in F-Droid--but that's another argument). If someone wants to never use a program for this that isn't open source, I totally can buy into that belief system (though I am also going to hope they don't use an off-the-shelf closed source operating system, for some consistency).

But... none of that changed two weeks ago. If you were happy with WhatsApp before two weeks ago, it seems like you should still be happy now. And if you weren't happy with WhatsApp before two weeks ago, I can't imagine you will ever be happy with WhatsApp. You, FWIW, sound like you might have been in the first category of people, not the second? You also just seem to despise Facebook to the point where it doesn't matter what they do, good or bad :(. Regardless, to the extent to which a subset of the second people tried to capitalize on uncertainty here to essentially misrepresent what was going on as a massive change, I want to say "shame on them", as that feels like dirty politics to me.

IMHO that's too much psychoanalysis, tangential at that.

> If you were happy with WhatsApp before two weeks ago, it seems like you should still be happy now

And this, unfortunately, is just an obtuse argument.

Even if you “trust” FB/WA, they’re still monetising a model of you and your friends, they expect you to update that model, and don’t share the profile from that model beyond letting you use the tools that update the model.

I have some contacts that use Signal, and others Telegram, and so I end up using both apps on a day to day basis.

Signal is secure by default yes, but their UX/UI is very lacking outside of "basic" communication, which ends up being the use case for me.

Messaging that's media-heavy or involving stickers, GIFs, multi-accounts, links (Instant View is amazing), or file sharing is better achieved in Telegram, in my experience.

In some ways they both support different security postures, with Telegram being more flexible with opt-in E2E so the user can take advantage of the cloud features, while Signal foregoes these bells and whistles for a most-secure-by-default approach.

It seems to me that it could be interpreted as a choice vs. opinion, but I wouldn't go that far.

For me, Telegram is akin to org-mode; the Saved Messages personal cloud is where I store all my links and files that I need to share between my desktop and mobile devices, and I make use of private Groups to further aggregate links and ideas, not to mention groups and chats where bots for things like Integromat, IFTTT, UpDown.io, etc. provide me with information. Telegram's native applications really make a difference here, they are a cut above the rest compared to today's messaging offerings, in my opinion.

Hence my messaging and contents to some extent is governed by which app I use, but I don't ask my Signal contacts to use Telegram because if we're both chatting on Signal, we know why. Vice-versa, I don't ask Telegram contacts to use Signal because in general those chats are with my SO and friends who need overall security that's feature-rich but not bulletproof 24/7.

That being said, I appreciate the article clearing up the technical differences for a wider non-technical audience, I do have a feeling however that when users experience both apps they'll make a decision to use them based on UX/UI more than anything else (skewing towards security or features as they personally see fit).

Telegram’s group chats are unencrypted. Telegram’s direct messages are not E2E by default, and when secure messaging is enabled, many features stop working (like desktop support). Telegram has plans to monetize metadata just like WhatsApp.

Use Signal.

This does not need to be a war between Signal people and Telegram people. It's not an either/or scenario. For those people who desire E2EE by default, well let them use Signal in peace. For those people who desire the greater flexibility of infinite independent chat clients and a higher uptime, let them use Telegram in peace.

The Signal community took a wrong turn into if it's not E2EE we hate it. There are people who should be using E2EE but it's not everyone and to insist on this narrative is going to drive a lot more people away from Signal than it is going to recruit.

Those people desiring greater flexibility etc have no reason to move away from Whatsapp. I mean, if Telegram has the same ups and downs including security approach as Whatsapp, then what's the upside of moving to it?

It's not owned by Facebook. The client code is all open source. You can have as many independent clients open as you want. First class desktop apps.

The motivation for a lot of this discussion lately is people leaving WhatsApp for something that is more privacy respecting; for the reasons I said above (especially the monetization point), Telegram is maybe no better than sticking with WhatsApp or FB Messenger.

Telegram is a better app.

Telegram does not have and will not have a monetization model that sells user privacy. Durov has been explicit in this. [1]

And it should be made clear that Telegram was forced into this position by the SEC who torpedoed any chance Telegram had of building out a decentralized network (TON).

[1] https://t.me/durov/142

We heard a lot of promises about Whatsapp too, about how it wouldn't share data with Facebook. Promises are worth nothing.

It's commonly misquoted that WhatsApp data will be shared with Facebook, but the Signal protocol for WhatsApp personal chats remains as is. It's the WhatsApp user-business communication that will be visible on third-party interfaces, like Facebook. It's in this process the e2ee aspect of the chat is lost. [1]

Overall, WhatsApp still remains a safe platform for 1:1 communications and group chats, but there are still many other factors that could be sold by Facebook, including location data, contact info, online status, and other aspects of the platform.

Durov did announce plans to offer more features for premium customers. [2] Hopefully that will help offset their hosting/development costs, without them succumbing to data selling practices.

[1] https://gizmodo.com/this-was-whatsapps-plan-all-along-184606...

[2] https://t.me/durov/142

Which is why you should look at what Telegram has actually done and that has been to protect and preserve the privacy of its users since the beginning.

> Telegram has plans to monetize metadata just like WhatsApp.

This is a blatant lie without any evidence. Durov said they might consider advertising in channels, as is currently already done in many languages -- just not through Telegram directly.

Source on the metadata claim.

> Telegram’s group chats are unencrypted. Telegram’s direct messages are not E2E by default

In case anyone is confused by this phrasing, Telegram group chats are encrypted, just not E2E. Telegram is not blasting plaintext messages over the internet.

It feels like Telegram's security posture might end up being quite dangerous for less technical users. Given that it is marketed so strongly as "secure", it's not necessarily obvious that chats aren't E2E-encrypted and it takes several taps through the UI to even find the option for secret chats. I wonder how many users just don't discover secret chats at all.

Worse than that, me and the techies among my Telegram contacts don't even bother with Telegram secret chats because there's too much friction compared to Telegram default mode.

edit: Moreover only Telegram on mobile has access to those chats (and no search). Which likely is one of the reasons why secret message hasn't become the default for us.

I like Telegram, but it would be much nicer if secret chats could be synchronised between devices.

The distinction isn't just "mobile". Each mobile device a person uses has a separate secret chat, not synchronised with their other devices.

There's someone I talk with on Telegram where we have two secret chats open all the time, one for their iPhone and one for their iPad. Both channels are connected to my phone.

I have to guess which chat to write in for the other person to notice that I'm writing to them...

That's because when using their iPad they often don't have the iPhone nearby (no need for most purposes). It's lucky I don't have two mobile devices too, as then we would have four secret chats.

When I'm at my computer, we can only use the non-secret Telegram chat, which has a nice GUI but unlike my phone cannot connect to either of the secret chats. This isn't really a problem because we use the non-secret chat for most topics anyway, because of the search and synchronisation.

(Aside, the ability for the other party to delete old messages in Telegram is not very cool imho. I know someone who fell out with a friend and their friend deleted their entire multi-year conversation history, which was heartbreaking. Once you have a long history of messages with someone I think it should be part of your personal archive to look back on. It feels permanent until that point, so it's a surprise to find it can all disappear.)

You'd have to change the model. Signal and WhatsApp can sync the private E2E chats because the web frontend is talking (securely) directly to the app instance and communicating through that. With Telegram you do not need an app or anything, you can just use the desktop client.

This is partially incorrect.

Signal's desktop does not require the mobile app to be active. Differently put, the desktop app does not depend on the mobile app's state. Mobile can be switched off/in airplane/far away from your physical location, but Signal desktop can continue to work.

For WhatsApp, the chats on desktop are e2ee too, but require the mobile phone to be active/online.

For Telegram, secret chats initiated on the desktop remain on that desktop app. They are not synchronized to the mobile apps.

Ah, I was wrong about Signal, I think perhaps one of the early desktop clients was a projected version? It does indeed seem to be working with my phone on airplane mode.

Signal Desktop doesn't require the phone, so no, it doesn't work that way.

Yes, the phone has to be connected to the internet for it to work. It says so in the documentation, and on the very first page "To use the Signal desktop app, Signal must first be installed on your phone."

You have confused me. The statement you quote seems to say that Signal must be installed on the phone in order to get Signal working on the desktop. That does not, to me, imply that Signal must be up and running on your phone while you use Signal on the desktop.

Suppose I install and configure Signal/Phone, then install and configure Signal/Desktop, then turn off the phone.

Will Signal/Desktop still work while the phone is turned off?

* If yes, then what you say appears to be wrong.

* If no, then that's genuinely astonishing to me, and I've learned something.

The previous thread is incorrect. Signal desktop can work despite having the mobile phone active. That's the key advantage over Telegram and WhatsApp. Telegram's secret chats are not synchronized. Neither is WhatsApp's, and even worse, WhatsApp's desktop-based chat is just a projected copy of mobile. In other words, WhatsApp's desktop version works as long as mobile is active/is connected to the internet.

What? WhatsApp groups do work on desktop because it is a projected copy of the mobile.

It'd stop. That's why Signal for desktop constantly asks to relink the connection.

No. I just switched off my mobile and I still can send messages on desktop with Signal.

Is there a grace period?

Desktop app is designed to work even without having your mobile Signal app active. It's a standalone app in itself.

This is incorrect. Signal desktop can continue to work without having Signal mobile active. My mobile phone is on airplane mode and is being charged at the moment, but I am on a call with my colleague using Signal desktop. They are on Signal mobile.

It reminds me of Tesla's "autopilot". Different people may have a different understanding what a word means. The outcome can be catastrophic. Clear definitions must be provided. As in: What do we exactly mean when we say "secure"? In the case of messengers: First the user must have an understanding of the problem. This is not realistic for 99.8% of users.

I do wonder why I almost never see Session[1] mentioned in these conversations. Free, open source, encrypted by default, distributed, no metadata sharing, phone number not required..... I'd love to see more technical discussion about this tool as an option.

[1] https://getsession.org

I wish more people would use Jami which is p2p fully encrypted. https://jami.net/

Are group chats implemented yet?

All I see is a 504 Gateway Timeout.

Mentions get downvoted "because cryptocurrency".

> Either choice gives you better security guarantees than WhatsApp

You can argue that there's no strict comparison between Telegram and WhatsApp, e.g., if you trust Telegram more than WhatsApp, then you'd rather have both your metadata and your data going through Telegram's servers rather than only your metadata through WhatsApp's servers.

But you can't say that a non-E2EE messenger (by default) gives you better security guarantees than WhatsApp which is E2EE by default.

Apparently the main argument is open-source vs closed-source. Links between being open-source and being secure have also been debunked many times already. It's strange because the author mentions that server software being open-source cannot give you more confidence that it's secure, while apparently using an open-source app you didn't build yourself does.

> while apparently using an open-source app you didn't build yourself does.

Assuming that the app can be reproducibly built, then yes, using an open-source app does give you more confidence that it's secure.

For a closed-source app, you can try to decompile it, which is far harder, or monitor its behaviour, which is far less reliable.

Telegram can be used just to read public groups. In that case you are not leaving any traces as a passive reader. Group owners deliver their news/messages very efficiently to thousands and millions of users. In some sense Telegram is like Reddit, Facebook, Gmail, Dropbox, and WhatsApp combined.

> Telegram does not publish server-side code

Given this, why should anyone trust Telegram over WhatsApp?

For the average person I don't see why you should use Telegram instead of WhatsApp if most other people are using the latter.

For journalist or activists, or anyone that might face persecution Signal is the only reasonable option. I guess you could make the argument people falling into that category stand out more unless Signal has lots of users?

And does that imply Signal will eventually have to find ways of monetization other than donations?

The security of an E2E encrypted messaging client shouldn't depend on the server-side code. That's kinda the whole point of E2E encryption.

Neither does Signal (publish server side code). See the top comment in this thread. Their last server code dump was 9 months ago.

It is also worth noting that Telegram has a much larger marketing budget due to their future plans to monetise groups chats with advertising. The non-expert (as targeted by this article) is much more likely to read positive articles about Telegram than negative ones. They are also more likely to hear about Telegram over Signal so it will be unsurprising if Telegram grows faster than Signal imo. I believe that Signal is advertised primarily by word of mouth.

I find it sad that Threema whose apps are free (as in freedom, which is the important part), is explicitly disqualified for not being free (as in free beer).

Yes, at least in financially non-precarious circles there is no good excuse on that front. People spend way more money on way less important things.

Threema is literally the price of a latte.

Lol, I don't think I can buy a latte for that low of a price anywhere in Switzerland.

I am no fan of Signal -- their well-known anti-federation rants are basically a dealkiller for me. This does not exclude Telegram being even worse.

But sigh that the "secure messaging app conundrum" is apparently limited to two terrible choices.

>But sigh that the "secure messaging app conundrum" is apparently limited to two terrible choices.

I share that sentiment. There are encrypted messaging apps out there that don't rely on servers, like Jami, tox or Briar, the last of those three being the best one, in my estimation, as it uses Tor and can function on a mesh network, the only drawback being not having the ability to send media attachments.

There are good alternatives to centralized, corporativistic messaging apps (I include Signal here); we just have to be willing to look for them and make the switch.

Or, if you want, sigh that the federated system we had before sucked worse.

(I eventually just deinstalled my XMPP clients; XMPP is federated but that was no saving grace. And anyway, whoever controlled jabber.ccc.de had a lot of the traffic.)

Anything that is not federated is out of the question. There is just way too much risk involved. I don't care if the clients offer integrated GIF meme search.

Actually I would even rate decentralization as preferable over encryption.

And if you ask me I had never heard of jabber.ccc.de -- never saw anyone from there. I would have said that either jabber.at or xmpp.jp dominated the network.

> In Telegram, E2E encryption is not on by default in chats (it is on by default in calls), and is only available for one-to-one chats (the so-called Secret Chats) and calls (including video-calls). Groups, independently of their size, are not E2E encrypted.

Correct me if I'm wrong, but isn't WhatsApp E2E encrypted by default for a while now?

> The fact that Telegram does not publish server-side code while Signal does has no impact in the security assessment of these services... Still, from a security standpoint either of them is a better choice than WhatsApp

So if WhatsApp published the client code it would be at least as secure as Telegram, maybe better because it has E2E encryption enabled by default?

> So if WhatsApp published the client code it would be at least as secure as Telegram, maybe better because it has E2E encryption enabled by default?

WhatsApp backs up to Google Drive and iCloud. Telegram backs up to their servers. More private since fewer parties involved.

I can't control my contact's backup settings on WhatsApp. On Telegram, I can start a 'secret chat' and make sure it never leaves that device.

You fundamentally never have control over your contact, and an honest piece of software doesn't put you in a position to make you believe you ever somehow do.

>Telegram claims that E2E encryption cannot be extended to group chats for backup reasons: to keep the highest level of security, messages from Secret Chats are not stored after delivery. Hence, if a phone is lost, the content of Telegram’s Secret Chats is lost.

This sounds like a feature to me. Keeping old messages conveniently available to the user means they are conveniently available to an attacker. This is particularly important on a device like a smart phone that keeps everything conveniently available to the user all the time.

This way of doing things does in fact make those Secret Chats more secure than Signal's regular chats in practice.

XMPP anyone? I mean seriously why not? Signal has nothing for itself apart from having advanced the state of the art in chat encryption. XMPP has clients running everywhere (very much decent), lightweight servers you can run on any toaster and Signal-style multi-device & group encryption. Dead simple to self-host, and some internet community which you trust is probably already running one.

Signal forcing you to give your phone number to anyone you want to contact is a much bigger security problem to me, especially when in my country it's both somewhat hard to acquire an anonymous sim card and a relatively small sum of money can get you a lot of private information from just having someone's phone number.

Luckily they are working on transitioning away from requiring a number. That will be an improvement.

Do you happen to know anything about what they'll do about spam?

At present, a spammer needs your phone number and a source phone number in order to spam you. A suitable source phone number isn't difficult to get, but presumably spammers' numbers will be blacklisted by Signal as soon as someone complains about the spam. If they drop the need for a source phone number, what will replace that threshold? Do you know?

They could at least still require a phone number to register, but allow to hide it and set a username for contacting people.

I haven't heard anything about that. Do you have a link or reference?

This is the only mention I've found, although I suspect there may be more but I haven't been able to find mentions:


I wish they'd be more open about this, since it's one of the biggest hurdles with Signal.

Telegram's popularity comes from its superior feature set. It allows mass channels, groups with up to 200,000 members, cloud sync, filesharing, easily-configurable bots and greater customisability. Even if it's technically less secure, Telegram has more versatile uses than Signal.

> In the last few days I have been asked by many non-crypto friends “to recommend a secure messaging app alternative to WhatsApp”.

It seems bizarre to me start an essay with a sentence referring to “the last few days” and yet not indicate when the essay was written.

While the report mentions Threema, there are quite a lot more messaging apps. I found a nice list comparing them here: https://www.securemessagingapps.com/

It is unlikely that anyone is going to verify the identity of their contacts in either case so you end up trusting the people running the servers in either case.

How can I verify that the version of Signal from App Store is a version built from open source code? Does it have reproducible builds?

I've been a Signal fan since the days of Redphone/TextSecure but the biggest differentiating point for Telegram that I can see (other than a network effect) is the public groups. These are especially important, I've noticed, in Asia (e.g. Hong Kong Protests) and Latin America. Unfortunately one of the usages I've seen it popular for in Western Europe and the US is far right organising.

> TL;DR: Signal gives stronger security guarantees than Telegram. If you want to prioritize security, use Signal. If you really like cool stickers, ginormous groups (100 000 of users!), and are willing to trust the guys at Telegram (they are not Facebook after all), go for Telegram. Either choice gives you better security guarantees than WhatsApp :)

(from the article, including the smile)

I get it that WhatsApp leaks more private info to Facebook but why is it less secure than Telegram or Signal? Especially considering that Telegram default mode is not e2e.

If you or anyone you interact with has cloud backups on for WhatsApp, which in my experience ~90% of people do, all your chats are uploaded to Google Drive/iCloud in what is essentially plaintext.

If not for this flaw and the fact that we can't tell whether the encryption is implemented as they say in their whitepaper for their clients, I would have put it well above Telegram and closer to Signal in terms of security and privacy.

There are groups in Telegram with more than a million of users. Actually, Telegram is now more like a very good aggregator of news. You can use it just for that purpose alone.
