@guardianproject @textbook very nice. Also lets one infer how to make privacy-oriented choices on some (e.g. not allowing backups or sync of iMessages to iCloud).

Worth reminding too that this is lawful access. It doesn't get into weaknesses that an adversary who doesn't care about the law could do. Very relevant for some use cases.

@guardianproject

We need more than one platform at signal's level of privacy.

@jlgnt @emma @guardianproject And XMPP gives us a high level of encryption, known as OMEMO, based on the same technology than Signal Protocol... Except that XMPP is federated.

@guardianproject

I had zero trust in any of those apps so I don't use them. I notice there is no mention of Matrix; XMPP or Session.

@PublicNuisance @guardianproject Matrix and XMPP vary between implementation. You could for example, have a server in RAM that reboots daily, which would keep very little logs

@kspatlas fyi, there is a project to run matrix dendrite server as wasm in the browser as throwaway instance. it's a bit stale though.. github.com/matrix-org/dendrite
@PublicNuisance @guardianproject

@guardianproject That's the Unclassified version. I'm pretty sure there's a more secret and complete version out there somewhere.

@guardianproject Huh, looks like Telegram isn't as bad of a honeypot as people made it seem. And it's the easiest place to lure friends into as well.

@guardianproject All of them: leaked backdoors through display drivers, virtual keyboards, IMEs, etc.

If you're using commodity hardware your security is nonexistent anyway.

@guardianproject I wonder, what the corresponding chart "Non Lawful Access" says...

@guardianproject crazy, this makes it looks like Telegram is the least accessible to the FBI, despite missing encryption by default 🤔

@gabor @guardianproject it’s more like Telegram is private by policy, while Signal is private by design

@blueberry @gabor @guardianproject

Very well said. Signal’s E2EE is just empirically better than Telegram’s “secret chats” too. And that’s fact not opinion or preference.

Telegram is good for convenience if you want something not owned by FB or Google etc, but for privacy and security Signal wins.

@Upjohn94 @blueberry @guardianproject I can't speak to the encryption but I just know trust is a very important factor, too! So I wouldn't underestimate the value of "privacy by policy" either...
I also don't get why encrypted chats aren't the default for Telegram. But I think people don't give Telegram enough credit. (It's also the superior app IMHO)

@gabor @Upjohn94 @guardianproject yes, trust is important but at least I’d trust Sugnal who not only says they’ll protect your data, but also uses the tech to do so.

Secret chats in Telegram are only single device so they’d lose a lot of users, and although I do agree Telegram has a better UI/UX, it’s mostly bc they can just do a lot of it *not* E2EE

@blueberry @Upjohn94 @guardianproject Signal's servers are in the US and they received US gov funding... I suppose all of that would not matter if the E2EE encryption was solid but I can see how some people would have trust issues. But all of this doesn't really matter anyway, since I have 2 contacts on Signal, about 6-8 on Telegram and the rest is still on WhatsApp (this is Germany) I have Matrix and XMPP but I have no contacts there outside of the foss community 😅

@gabor @blueberry @guardianproject

Signal and Telegram both have servers around the world. In both cases some of those servers are in the US. A load balancer is used to direct your traffic to the server with the lightest load and lowest latency just like anything else behind a CDN.

The physical location of the servers is a red herring regardless. Check out the US CLOUD Act. The US government can legally access data on any server around the world.

The important thing then is what is stored on those servers?

In the case of Signal it is basically nothing.

In the case of Telegram it is your entire chat history unless you exclusively use the poorly coded "secret chats."

Don't misunderstand me, I'm not outright dissing Telegram. It is far better than WhatsApp and it isn't owned by Facebook. But its place isn't as a secure encrypted messenger.

I have a family group chat on Telegram, it was easier to convince them to install it than Signal because of the UX. Telegram deserves credit there.

But at the same time, my family group chat doesn't contain anything private. You could publish it online publicly and I would only be mildly annoyed.

My private chats are conducted on Signal.
@gabor @blueberry @guardianproject

There's public documentation on exactly how every piece of the Signal Protocol works and as it's open source this can be verified too.

Wrt the law, Signal's policy is better than Telegram imo. Telegram says we store all your messages but we promise not to share them. So far they seem to have stayed true to this promise but we don't know for certain, all we know for sure is they don't play nice with the FBI.

Signal's design means you don't have to place trust in them. So their policy is they will honour legal court orders if presented with a phone number registered to their service.

But here's the kicker. The only data they store is the number, the date the account was created, and the date it was last used. No metadata is stored at all. No contacts, no names, no groups, nothing. By design this data is only ever handled by the client.

You can verify this for yourself in two ways:

* Check the open source code. Specifically the "sealed sender" feature. That's what encrypts metadata end to end.

* Check their responses to FBI subpoena requests for user data. They fight for courts to declassify these. When they do, they publish them on their website so you can see exactly how much info Signal provided: https://signa...

Now the main complaint I hear about Signal is lack of federation and self-hosting options. Perfectly valid but easily fixed. Wanna use the Signal Protocol on a self-hosted, federated platform? Install XMPP or Matrix and knock yourself out.

Yes both use OMEMO which is an adaptation of the Signal Protocol primarily modified to work on multiple devices at once.

You want the pure Signal Protocol, maybe you don't trust OMEMO to be secure enough of an implementation? Set up an XMPP server with support for the original Signal Protocol. That's ultimately all WhatsApp is after all, just an XMPP client with Signal support, except you'll be running it instead of Zuckerfuck.
@Co @guardianproject considering Apple built a backdoor into their devices just a few months ago I'm honestly more surprised iMessage doesn't have a real-time backdoor like WhatsApp tbh

@Upjohn94 @guardianproject I honestly despise apple, and elon musk (elon you do not know more than data scientists).

Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml