Chat Apps, Government Ties, and Transparency
threema.ch
external-link
Over the past days, two popular chat services have accused each other of having undisclosed government ties. According to Signal president Meredith Whittaker, Telegram is not only “notoriously insecure” but also “routinely cooperates with governments behind the scenes.” Telegram founder Pavel Durov, on the other hand, claims that “the US government spent $3M to build Signal’s encryption” and Signal’s current leaders are “activists used by the US state department for regime change abroad.”
Chemical Wonka
link
fedilink
4
edit-2
7M

I use Signal as my main daily messenger the two major problems in my opinion are:

  1. Centralized server (AWS)
  2. Requires a phone number to register

Signal is currently the best middleground between security, simplicity and widespread adoption.

how has no one discussed matrix here

The Doctor
link
fedilink
337M

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

Unable to decrypt message

@Tenkard@lemmy.ml
link
fedilink
14
edit-2
7M

That must mean it’s working! :D

Dessalines
link
fedilink
167M

I don’t get it at all. There are plenty of platforms like matrix, xmpp, simplex that don’t require phone numbers tied to your identity. Signal has somehow managed to convince people that it’s a private platform, despite it being a US hosted service that requires phone numbers.

deleted by creator

Say the US government, in a worst-case scenario in which it constantly monitors all traffic that goes through Signal’s data centers, can ‘only’ see phone numbers, IP addresses and timestamps, right? Or am I forgetting something here?

Dessalines
link
fedilink
7
edit-2
7M

Metadata and social graphs are more important than message content, esp since not many people have the time to read through individual messages to build meaning.

Signal stores phone numbers (meaning your identity, and home address), and message timestamps: who texted who and when, and who’s in chats with who else. More than enough to build social graphs and connections, and also figure out where people are through their IP addresses.

Do you happen to know what metadata matrix stores? I assume matrix.org specifically stores email and username, right

Dessalines
link
fedilink
17M

Yes, but I don’t think user metadata outside of your apub url, name, icon, display name, leaves your homeserver. Email or passwords don’t leave iirc.

Brayd
link
fedilink
17M

Signal can’t see who is texting who. They can’t see which groups you are part of. Those information are end to end encrypted, same as your chats itself, your profile picture, your stories, etc.

Signal doesn’t store message timestamps either.

What Signal itself knows of you is your phone number, the timestamp of your registration, the timestamp of your last connection to the server. That’s it.

Yes metadata is critical but Signal handles metadata very well. Indeed, even though I’m a fan of Matrix, better than Matrix. Matrix is a metadata nightmare due to it’s centralized structure and the way the protocol works.

Dessalines
link
fedilink
47M

Signal can’t see who is texting who. They can’t see which groups you are part of. Those information are end to end encrypted, same as your chats itself, your profile picture, your stories, etc.

This is completely false. They can absolutely see who is texting who, in fact they need it to be able to route messages. They have message timestamps, and phone numbers stored in their database.

Question, why do you “trust” signal? You can’t see what code their centralized server is running, unlike matrix which you can self-host and build from source. You don’t have to “trust” matrix, you can verify it for yourself.

Brayd
link
fedilink
07M

Signals server is open source. You can run a server. You just can’t connect to the main net because each server is it’s own thing so it doesn’t make sense besides for development purposes.

Please don’t spread misinformation.

Dessalines
link
fedilink
07M

They went over a year without publishing their server updates. And how do you know signal is running the code they say they are? Do you trust them?

Right. So arguably better than WhatsApp, where each users’ contact books, profile photos, bios, and each group chat name, picture and description is not E2E. But to call it ‘private’ is not logical, looking at the alternatives, of which some are much more private.

Who have they convinced that it is private? I think it has more to do with the overall purpose of the platform. Signal is not made for large group chatting with strangers like Matrix.

I use Matrix for my personal 1 on 1 chats with family and friends, so dunno

The Doctor
link
fedilink
87M

It’s a Google hosted service, which is arguably worse because they may as well be a nation-state unto themselves.

And the largest homeserver, matrix.org, is MITM’d by Crimeflare.

Fuck matrix.org, just selfhost.

The Doctor
link
fedilink
27M

Doable, but a huge pain in the ass because of conflicts in the protocol. I spent about a year trying to suss them out and come up with a fix but never figured it out.

Any homeserver that federates (even indirectly) with matrix.org will still have practically all the same data shared with it, just not your password.

What passwords where?

The password used to login to the homeserver

Wasn’t Amazon involved here as well? It is another “nation-state”.

The Doctor
link
fedilink
37M

I do not think so, no. However, Amazon is certainly big enough to be un-humorously compared to nation-states as well.

I remembered it as being AWS. Checked their blog, and the article about their spending mentions renting space in AWS and Azure too, indeed.

Autonomous User
link
fedilink
18
edit-2
7M
  • Discord/WhatsApp
    • Anti-Libre Software (fails to include AGPL license file: bans us from removing malicious source code) 🚩🚩🚩
  • Telegram/Threema
    • Libre Software ✅
    • Service as a Software Substitute (app needs service and we are missing server software for it: broken app) 🚩🚩
  • Signal
    • Libre Software ✅
    • Self-Hosting (still needs service from us) ☑️
    • Centralised 🚩

Needs phone number Centralised
Suspicious funding Which lines of its libre software source code are malicious?

deleted by creator

Brayd
link
fedilink
17M

The server / backend is not open source. Even though it’s audited that’s a red flag.

Autonomous User
link
fedilink
0
edit-2
7M

‘Open source’ misses the point of libre software.

Autonomous User
link
fedilink
4
edit-2
7M

Yes, app does not work without service and we are missing server software to serve this service it needs: broken app. Threema is SaaSS.

removed by mod

Also Tox, Briar, Session etc.

Autonomous User
link
fedilink
0
edit-2
7M

deleted by creator

I can’t believe people are saying Telegram and Threema might be better than Signal. Signal isn’t perfect but Telegram and Threema are worse.

Signal is much worse than Telegram (in terms of privacy)

Please give several reasons why

@hruzgar@feddit.de
link
fedilink
-3
edit-2
7M
  1. The Encryption algorithm of Signal is basically the same algorithms proposed by the US gov in 2000. There is no way they would release these encryption algorithms if they couldn’t break them themsleves
  2. If you would see which organisations are supporting Signal (look at where Signal gets all the money), you would also agree with me. There is no way these organasations are supporting them for your privacy. Why would they? The same people who are trying their best to get all your data. Believing this is just pure naivity imo but call me what you want

Please stop spreading FUD.

  1. The encryption used by Signal would not be used if it could be easily broken. It’s fully open source and is regularly audited. People would not recommend it if it were so broken like you say; this is just fearmongering.

  2. lol, lmao even

I’m not forcing you to believe anything. Also this is a free platform where I can say what I think. I won’t hold myself back from expressing my view only because the majority has a different opinikn (looking at the downvotes). I personally just wouldn’t trust it. And it also doesn’t have any difference to Whatsapp and co. (encryprion algos are the same) which completely removes the purpose of it even existing (ik open source is still an argument. But they don’t have reproducable builds so even that falls apart) so there really isn’t any reason for me to switch to it or promote it to anybody at all.

wtf, one would be fine

it’s a futurama joke

sometimes my brain’s just a can opener

deleted by creator

Autonomous User
link
fedilink
11
edit-2
7M

Because we keep saying Signal, Telegram, Threema instead of Anti-Libre Software, Service as a Software Substitute and Centralised.

Signal is not applicable when you need a public space for people to just have a discussion, like in discord. Signal clients are clunky and rely on cross sync from what I see, while telegram clients are well made and convenient to use. Even Whatsapp went away from electron so I’d choose it over signal any day.

Signal clients are clunky

Obviously you have never used Element for matrix. Signal is like a Ferrari in comparison.

Yeah I’ve never used matrix really.

Matrix would work for that and would avoid proprietary software and sketchy companies

sketchy companies

I would argue that the standard federation fragmentation issues still apply. Many instances end up defederating from each other and you have no idea which wind you’re pissing into.

Does it sync automatically between desktop and mobile? Can I share an image into it on mobile and have it a few seconds later on laptop?

Possibly linux
link
fedilink
3
edit-2
7M

Yes, just keep in mind the encryption is flaky if you use a browser that clears browsing data. Best option is to use a client

Have you tried Signal recently? On Android it’s very well polished.

In fact I believe it’s a shame that not more people use such a beautiful app, regardless of privacy and security implications.

I have no use for it for now and as long as it’s still electron on desktop I don’t want to have it running.

deleted by creator

It really depends on your use case. Most of my simple chat messages are the same as I would have in any public space. I have no need for encryption, I have need for convenience in that regard. With Telegram I have my chat history on all devices and don’t need to use my phone to connect which are two must-haves for me. For my use case, Signal is the worse option. That doesn’t make Signal bad, just not suitable for me.

As a privacy-concious person I am very much aware of the non-secure nature of my chats, but since that is not a factor of consideration to me when it comes to casual chats with a few friends and family members. The worst thing Telegram could do is analyse my chats and … then what?

@JustMarkov@lemmy.ml
link
fedilink
20
edit-2
1M

deleted by creator

It has had some suspicious funding sources

Wait until you find out where computers, the Internet, GPS, weather satellites and Tor came from.

Telegram requires a phone number too? I mean yeah there’s the option to use that blockchain phone number service, but you can do the same for Signal. 🤷

@JustMarkov@lemmy.ml
link
fedilink
6
edit-2
1M

deleted by creator

Signal no longer requires a phone number. You can now create an account. Not sure if that helps your outlook on it, but yeah. It was a fairly recent update that this was rolled out.

Edit: being told we still do need numbers to register. I haven’t gotten a new phone since well before the change was made, so I haven’t actually created an account and gone through the process. It looks like I misinterpreted what was going on when I read the changelog.

@JustMarkov@lemmy.ml
link
fedilink
10
edit-2
1M

deleted by creator

Last I have seen, it still requires a number to register - it just doesn’t have to be public.

What gets me the most is the requirement of a smartphone to register. No way I am trusting my non-public chats to a phone, so that means either Waydroid/VM (which creates issues with copypasting) or signal-cli (which is fairly inconvenient).

Autonomous User
link
fedilink
6
edit-2
7M

suspicious funding

Which lines of its libre software source code are malicious?

requires your phone number

It’s centralised

@JustMarkov@lemmy.ml
link
fedilink
2
edit-2
1M

deleted by creator

Autonomous User
link
fedilink
1
edit-2
7M

So, which malicious lines of libre software source code have been funded? This is how we stop FUD. Don’t let them derail us.

@JustMarkov@lemmy.ml
link
fedilink
0
edit-2
1M

deleted by creator

It’s not. Our devices run software, not funding.

Session is also sus because you effectively cannot host a node, last I have seen. They claim it is “against a Sybil attack” but all it does is making sure only people wih large disposable funds can have nodes, and the effect might be the exact opposite.

Simplex is more interesting in this regard because while I am concerned with initial centralization (the default servers), they made hosting your own easy. But I personally stick with imperfect yet trusty XMPP.

Brayd
link
fedilink
27M

SimpleX is great. BUT it’s not user friendly. Thus general adoption for the average user will be hard. Don’t get me wrong using the app itself is easy but as soon as someone switches their phone that doesn’t have technical knowledge they will loose their chats because they won’t understand the concept of moving their DB. Since you don’t have an identifier like a phone number with SimpleX those people could even lose contacts as a whole since they generate a new DB, hurting their social connections.

That’s the reason I personally never recommend SimpleX to anyone who doesn’t have the technical knowledge to understand stuff like that.

  • It requires your phone number

Not anymore, right? Or does it still need your number for signing up?

Just to sign up

Autonomous User
link
fedilink
-1
edit-2
7M

When it’s anti-libre software, why waste our time showing it fails everything else. These pages are trash, too verbose.

Doing thorough analysis and discussing all the nuance and tradeoffs is “trash”? That is a difficult way to live your life, being anti-intellectualist.

That’s a great way to spread a multiplayer app.

@jet@hackertalks.com
link
fedilink
1
edit-2
7M

I don’t understand your response in the context of refusing to do comparative analysis

I still stand with Signal App.

  • Telegram has no default E2EE.
  • Threema’s encryption was compromised .
  • Threema & Telegram both are for profit companies.
  • Signal is non-profit & all their source code + finances are public. Even their server codes are publically available

I gladly donate it month to Signal. Love my freedom of speech

Even their server codes are publicly available

Last I checked, their provided server code lags behind their production server, so you rarely get to see the current version. However, that’s kinda the point of E2EE, is you don’t have to trust the server.

And one can always self-host or use a different server.

Man, everyone is hopping on the Trash Signal Bandwagon, even though TG is less secure, and nobody (the 99%) uses Threema.

Autonomous User
link
fedilink
7
edit-2
7M

It’s called disinformation and psychological warfare. How else attack E2EE, libre software?

I’m wondering if something interesting will fall off the truck this time :D

Context: before that blogpost, cellebrite claimed they can “hack” signal (or they were kinda closer to the truth, and that was media talking abt hacks without reading stuff)

@TheAnonymouseJoker@lemmy.ml
banned
link
fedilink
2
edit-2
6M

removed by mod

Don’t forget Threem encryption was broken. Threema is not free

Sips'
link
fedilink
57M

Nicely written article and a good read! However I had not heard of Threema before. It looks like a promising messaging app itself, anyone use it?

I am using it to communicate with 3 people (our common ground as I don’t have an iPhone and don’t use Whatsapp).

A few years ago it felt a bit ruff and awkward to use, but many updates later it is as fluent as any chat app.

The security feels ok. Of course it would be a lot better, if they would open source their code.

poVoq
link
fedilink
97M

It’s relatively popular in DACH countries.

I use it sometimes. It has its fair share of issues, and the back end is not open-source, but it is OK for the most part. Main benefit is that you don’t need a mobile number to sign up.

But if you are looking for an alternative IM to use with friends and family, I would rather suggest XMPP, specifically Snikket.

Sips'
link
fedilink
17M

Cool thanks!

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 3.13K Posts
  • 78.3K Comments
  • Modlog