For this reason, I never even considered using Telegram. If I were an unethical intelligence service like a Russian one, I would create a messenger app (and/or social network). Basing it outside my jurisdiction would add to plausible deniability.
On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
> On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
This is why we need more [MPRs](https://www.privacyguides.org/articles/2024/11/17/where-are-...)
Signal clearly looks like a front shop to collect metadata for US intelligence services.
Their reliance on phone numbers for sign in, their release strategy, their attitude towards unofficial clients, their marketing of e2e encryption... all fits.
Except Signal's client is open source with reproducible builds that have been audited. Their crypto is open, based on standard primitives, and has also been audited. It's also true E2E encryption with alerts on key changes.
The only weakness clear to me is the US could force them to release a compromised client. But then auditors would probably notice within weeks, or even days, and their reputation would be ruined forever.
https://github.com/signalapp/Signal-Android/issues/13842
That's a shame. Still on the whole Signal seems far ahead of Telegram. Hopefully users who need the extra security will be taught to enable that setting.
But is it far ahead of Matrix?
Does Matrix default to E2E yet? With forward secrecy?
If so great! More is better
yup, for the last 5 years: https://matrix.org/blog/2020/05/06/cross-signing-and-end-to-...
Don't know about that.
https://discuss.privacyguides.net/t/so-can-pfs-be-enabled-in...
According to this, it by default implements it for batches of 100 messages or something. And for slow-paced messaging, it is quite a lot. No idea why, maybe doing it somehow else would make the already bad performance even worse.
The corresponding submission: https://news.ycombinator.com/item?id=44240318
Yep.
Related discussion: "Why Not Signal?"
https://news.ycombinator.com/item?id=28544735
https://news.ycombinator.com/item?id=30872361
A few relevant links:
https://news.ycombinator.com/item?id=39445976
https://news.ycombinator.com/item?id=29888228
https://news.ycombinator.com/item?id=42788647
Also, Signal forces you to use Android or iOS while knowing that "Apple and Google confirm governments spy on users through push notifications", https://news.ycombinator.com/item?id=38555810
Matrix is the actual solution.
Your links are a bunch of user comments?
The push notification payloads don't contain message/sender data. Signal also runs fine without Google services, which avoids any potential problem entirely.
> Your links are a bunch of user comments?
They themselves contain the actual links and also relevant discussions. One more link: https://github.com/signalapp/Signal-Android/issues/13842
> The push notification payloads don't contain message/sender data.
The other metadata may be important too.
> Signal also runs fine without Google services, which avoids any potential problem entirely.
Not everybody is able to avoid Google services on their phone. I can't run it on a desktop (or GNU/Linux phone) without a connection to an Android phone.
SIM hijacking is a thing. Telcos also control phone numbers.
I have never understood the unflinching attitude towards Signal relying on phone numbers.
Do any of the founders or board members of the Signal Foundation show any indication of supporting that?
Are there ethical intelligence services? :P
> an unethical intelligence service
As opposed to which ethical intelligence service that you have in mind?
This is the bread and butter of "intelligence". Spying. Both enemies, allies & the populace.
I never used Telegram, but was under the impression that it's similar to Signal. However, Pavel Durov recently tried to meddle in the Romanian elections process[0] in a very bizarre, almost desperate attempt to misinform the electorate.
[0] https://www.lemonde.fr/en/pixels/article/2025/05/23/why-is-t...
That impression is a testament to Pavel's ability to distort the reality. Telegram is nothing like Signal, because the overwhelming majority of traffic is not E2EE, the server has the plaintext. Even for E2EE chats (that are deliberately hidden away), the protocol is weird in a bad way.
Does anyone really believe their metadata is safe from any government... or non-government for that matter?
I mean, TFA's whole argument is the un-encrypted header portion, designed to route the message, can be used to track who the message is sent to. Oh, and some dude provides internet service to Russian governmental agencies with their ISP located in Russia.
If you're doing dodgy stuff (like political speech) you don't want the government to know about, it's probably best to conduct that business offline as they are all watching you.
This looks like security nihilism: https://news.ycombinator.com/item?id=27897975
Not really, the auth_key_id really is simply equivalent to a TLS session ticket, used to avoid repeating the handshake every time a new connection is established: there's nothing "unencrypted" about it, it's just an identifier of a previously established encrypted channel, like session tickets in TLS (and on top of that, the MTProto auth key ID is also rotated every 24 hours).
Note that the article employs unwarranted FUD in regards to the auth_key_id, which is fully equivalent to a TLS session ticket, used, like in TLS, to avoid repeating the handshake each time a new connection is established (and on top of that, the MTProto auth key ID is also rotated every 24 hours).
[flagged]
The authors are Ukrainian, or what do you mean?
[flagged]
Can you explain your original statement? Why is "Ukrainian IT" all we need to know?
[flagged]