So I’m in a somewhat unfortunate situation. My circle of friends doesn’t want to switch to another messenger and we are currently stuck on the worst possible platform for security: Telegram.
The problem is that it is very hard to convince anyone to switch, if they are all perfectly fine and like Telegram. I mean I can get why they like it: The UX and UI of Telegram are amazing and there are well functioning clients available for any platform. It has more features and gimmicks than any other messenger I know BUT it lacks one mayor thing: E2EE. And that’s mostly what I care about. The second problem is that I was the person who recommended the switch to Telegram right after WhatsApp was bought by Facebook. I know, that was a bad recommendation, but back then I didn’t know shit about privacy or why E2EE mattered. I was just like “Hey, it’s not by Facebook, so it must be better”. And now everyone I know is there and won’t leave.
If - in the hypothetical situation of me setting an ultimatum and deleting my Telegram after that - I wanted to make them switch somewhere else: What messenger would that be? Currently I’m mostly thinking Signal. I know it’s not perfect either, it is centralized, and the servers are in the US, but it has a bigger user base already than most of its competitors like Threema or Matrix/Element and it is very easy to set up and use. I’m already a user of Signal, Threema, Matrix, WhatsApp and Telegram (every platform for some contacts, but most of them on Telegram sadly), so having yet another option is not a problem for me, as well as getting rid of one is also no problem. I’d love to delete both Telegram and WhatsApp in this move.
So, in conclusion, what I need is a messenger that has all or most of the following:
- best possible security (E2EE is minimum)
- easy to use (no complicated setup, simple UI)
- already has some users (not too niche)
- cross-platform and multi-device (should run on Android, iOS and Windows/Web)
- some flashy dumb features like stickers and so on to keep them entertained
My choice would be Signal. But I am unsure if that is the best choice or if I should just wait a bit and see what all of the new EU laws about messengers and gatekeepers bring to the game and if anything chances with that.
Telegram is absolutely not the worst one. Those are whatsapp, facebook messenger, and viber. Telegram is not good, but I think it’s an acceptable compromise
WhatsApp and in some cases even Facebook Messenger is end to end encrypted. Telegram is absolutely one of the worst messengers in terms of privacy.
fb messenger has a hidden e2ee feature that probably nobody uses, like with telegram, that’s at most feature parity, not a pro compared to telegram. But then since fb apps are closed source and heavily obfuscated, you can’t check for messenger nor whatsapp whether it actually does what it says.
That was about trust in the available encryption and how the app handles your messages. So far I fail to see how fb messenger is better than telegram.
But that’s not the only relevant aspect in privacy. It’s also important what else the app is doing, and whether there are alternative clients if you don’t trust the official one. This is the reason why I won’t ever accept facebook solutions being described as private options. I’d be surprised if any of facebook’s apps wouldn’t be doing everything in their power to collect every kind of information the OS provides to it, while the telegram client is not exactly fixated on harvesting everything.
Telegram has much less tracking components in the app, but if even that amount bothers you, telegram foss from f-droid is absolutely clean. You’ll never get anywhere near with facebook services.
And then also don’t forget that whatsapp somehow regularly has vulnerabilities that allow arbitrary code execution on your phone by an attacker. I don’t remember the last time there was such a problem with telegram, but probably is was many years ago, if it all.
“It could be sending all sorts of information” is a valid reason to distrust a company, but Signal occasionally stops publishing their source code for months at a time, so what messengers are even left at that point.
WhatsApp and Telegram are harvesting the exact same information (phone number, IP address, location, and shitty metrics like “how often did you click the new chat button this week”). Unlike Telegram, WhatsApp doesn’t put ads into their product. I don’t know where this idea comes from that the WhatsApp client is somehow uploading a copy of your entire phone to Facebook, but that shit gets pulled apart hours after each beta rolls out by people looking for tech scoops.
WhatsApp is better than Telegram and many other messengers because it’s using good encryption. That doesn’t make it great, but it’s also not the evil data vacuum people like to pretend it is.
Signal is full of RCEs as well. Most of them stem from their low latency code (often related to calling), but I’ll take “dedicated spyware groups find RCE in most popular chat app on several continents” bugs over “Signal starts sending random media files to random contacts all by itself” bugs any day.
Telegram releases plenty of vulnerable software but they don’t seem to get much media attention. There have been a whole bunch of RCEs for Telegram over the years, but the media doesn’t seem to care.
I did not tell about Signal. Never made them a good example.
I believe their tech is cryptographically sound, but they are doing things with their app and the service too that I don’t like, to put it that way. I want to switch from telegram, but signal is not an option to me as a primary messenger for several reasons.
Simplex, Matrix, Telegram. Or there’s Molly too, but it inherits some of the problems of Signal.
Are you sure whatsapp does not collect anything more than that? And if so, why?
I haven’t seen any ads so far, and I don’t pay for telegram. Yes there are channels that I follow.
That is obviously not possible without root access, unless someone snoops in a rootkit for your system through a specially cradted whatsapp voice call.
Hopefully they are doing that for every message, and hopefully they refrain from analyzing screen content or typing stats for “a better advertisement experience”.
And last but not least, hopefully they are not bundling such components that inspect the app memory contents, and neither do allow other processes to do that through them, unlike signal does. (Alternative source: drew devault’s take on the same problem (too, but it also covers more)). Oh wait, it does make use of google play services… what a pity
I call bullshit. That article is about the telegram proxy server, which is not even official Telegram software, it is made by a dude in their free time.
So far that is
onezero software released by telegram, definitely nowhere near plenty.Are there that many known vulnerabilities in the clients too?
Maybe you’re right and I just haven’t heard of them, but then please point to CVEs or something that demonstrates them. And don’t come with the issues of MtProto 1.0, that was ages ago and irrelevant today.
Whatsapp is only more private compared to facebook’s other, less secure messenger.
Did facebook employees just raid lemmy or what the fuck is happening in this post?
I’m convinced unencrypted messengers are just mining tools these days. Matrix does implement encryption, but it’s not even close to privacy friendly in terms of the metadata it shares.
I’ve never heard of Simplex before and my impression of Molly wasn’t great either.
Why are you sure that they are? How do I prove a negative? Last time I set up my phone for MitM interception, WhatsApp just sent rather boring, useful data, but it’s possible that they detect mitmproxy and switched to super duper hiding mode.
In the same vein: how do you know Simplex, Matrix, and Telegram don’t do the same thing? Have you audited their entire source code?
Every time I open the app I get told to buy Telegram Premium or whatever it’s called. Probably because I don’t get channels so I don’t see any ads.
Yeah, it was a hyperbole.
I haven’t seen any mention of advertising or analysis in the privacy policy I’ve been shown, or any indication that WhatsApp is trying to read my messages. If they would do something like that, that’d become international news and basically kill their platform.
Is using Google as a dumb pipe a problem, now? Firebase is how you get notifications to a phone without draining the battery in the process.
About as many as for WhatsApp: 0. Well, there’s supposedly a macOS exploit that’s not been patched and being kept under wraps for now, but that’s not reliable information.
As for Telegram’s history, here’s a bunch one guy found in a row, for three different clients: https://www.shielder.com/blog/2021/02/hunting-for-bugs-in-telegrams-animated-stickers-remote-attack-surface/
I don’t get the fuss about WhatsApp because nobody has ever come with any conclusive proof about all the conspiracies people come up with. Yes, they link your account to your Facebook account, but if you care about privacy you don’t have a Facebook account. They use your WhatsApp contact list to enrich your Facebook account, but you don’t have that account. That’s it, really.
Don’t trust them? Fine by me. But I don’t understand how you could possibly trust Telegram, the free messenger that was run from a fake location for a while and tried to get funded by cryptocurrency fraud after the guy who funded it (the Russian guy behind VKontakte) started running out of money, is better than Signal at the very least. At least the Signal people can’t read your messages on their servers, who knows what Telegram is doing with all that data and how long it’ll take before they get hacked and their entire database gets dumped. Telegram doesn’t even pretend to care about your privacy, even Meta gives you the courtesy of encrypting your messages.
Because it’s being developed by facebook, the company that does not fail to use any chance to mine you for your data.
Those apps are open source. Yes, I have looked into them on occasions. Telegram’s mobile app has problems, which are fixed by telegram foss.
The official Matrix app has opt-in tracking, but whatever.
I’m also quite sure that if they would be doing something actually shady in the background, it would be known at least in the privacy community.
I see your next argument being “open source is actually less secure”
That has never happened to me.
I fail to see how. facebook does not care about fines, and whatsapp users don’t care about privacy.
UnifiedPush, if your service cares about privacy. By the way, the Matrix app supports it.
Highly doubt that. Since whatsapp has got e2ee, every year (2017, 2018, 2019, 2020) whatsapp has serious vulnerabilities, not in the encryption, worse: allowing arbitrary code to be executed on your phone by technically any other whatsapp user.
From the nature of these vulnerabilities it seems very suspicious, as it’s always the worst kind of security breach (RCE), and when one gets fixed, somehow there’s other of the same kind the next time researches look for it. Oh and these vulnerabilities are always in components that are hosted by binary code, which is harder to reverse engineer even without obfuscation.
You admit that, then why do you claim it to be a private messaging service?
That does not matter. The point is that facebook is looking in your data, including who you know, and how frequently do you talk to them, but also how often and when are you online. If they can’t your it into a facebook account, who cares? They just make you a shadow profile, like it has been their tradition for many years.
But also, almost everyone had a facebook account at one point in time.
Earlier you asked why would they track you? Here I ask why wouldn’t they use all the tracking code they have already developed for the other facebook apps?
Sorry, where did I say that? Probably I was unclear. Encryption wise signal is absolutely better, but all things considered the transparency of the client software and it being clean of programming libraries doing shady things is more important to me. What good is good encryption if it can be nullified? It would be ok if they would be working on it, but instead of that, as drew devault said, they are going to war to justify including google services, and that attitude does not help to trust them more.
And as I said, there are also other problems, including that you can’t log in on multiple devices is a deal breaker for me, and that I have had telegram for many years, but for the better part of it I’m determined to not register to any more services with a phone number.
How the fucking hell? Through the just as obscure option in messenger as in telegram to have an e2ee chat?
Oh, no, you mean whatsapp, which still can’t be verified if it does not do anything with the cleartext messages before encryption, or after decryption on the other side. I see that you don’t trust telegram, and I agree that they have problems, but trusting facebook’s maybe-privacy that they will handle your data correctly when you have no way to check it is not better either. Who cares about e2ee when each of the ends cannot be trusted either. It is just privacy theater.
Do you have any info on Viber being a bad service privacy-wise? It’s a lesser-known messenger that prides itself on its privacy policy but I can’t find any info on it being the case or not.
Check this analysis from 3 days ago.
7 different tracking components, from 4 different companies, including facebook.
I don’t think it should pride itself on anything related to privacy.
It also has quite a few hard to explain permissions.