this post was submitted on 31 Aug 2024
907 points (99.0% liked)

Privacy

32173 readers
1028 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Chat control is back on the agenda again and the works is kept in secret.

Link to document

Take Action!

Edit: More information about the meeting

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 3 months ago (1 children)

They can order Signal to turn over data (and the have) and signal has complied when it was legally required of them to do so, handing over all of their no data.

That's the difference.

If that weren't true they wouldn't be so constantly upset about E2EE.

[–] [email protected] -1 points 2 months ago (1 children)

nd when a judge or a 3 letters agency will request to Signal that they want access to the messages that somebody will send from a date?

It's their app, and they can do it. Do you think that they will refuse?

[–] [email protected] 3 points 2 months ago* (last edited 2 months ago) (1 children)

No, they cannot do it. That's what E2EE means. It means they do not have the technological ability to do it. It is not possible.

Yes, even if a judge orders. You can see instances of that on their website: https://signal.org/bigbrother/

Yes there are weak points (the huge one with Signal being: requiring your cell phone number as a part of authentication) but that's far beyond the level of technical expertise required to, say, just intercept clear text communications, ex from Telegram. If a government is wiretapping you then you've got problems that neither Signal nor Telegram can solve.

Now maybe you will suspect that a three letter agency will force them to do something bad, like send a suspect a hacked/backdoored version of the app or something but by and large i don't think they would do that. They'd just go to Google or Apple and put a keylogger on your phone, or some other solution. Realistically, though, this is a level of effort far beyond what >99% of all humans need to worry about. Choosing Telegram over Signal because you're afraid the government is manipulating your Signal app is a sign of incoherent paranoia.

A more serious concern would be, for example, the government capturing all data sent across the Internet and then holding onto it until some hypothetical future computer is developed that can just break the encryption. That's still pretty silly but it's something the US (at least) is doing. Still way beyond what they would need to get your Telegram messages because, again, they don't need to decrypt those. They can just look.

The difference being: Signal cooperates as they're legally required to buy do not have the technological capability to betray you. Telegram has the technological capability to betray you (and governments can spy on Telegram, with or without Telegram's assistance) but refuses to cooperate.

Signal is much better and more reliable in this.

[–] [email protected] -1 points 2 months ago (1 children)

Signal can add backdoors to their own app and, if the app get compromised (or the device) the security of the encryption model is not relevant. It's the reason because I see comparable Signal and Telegram.

Signal is open source, but (info based in this 3 years old thread on f-droid):

  1. Have binary blobs and propietary dependencies.
  2. Don't let reproducible builds.
  3. It's hostile to forks (they blocked libreSignal from their servers)
  4. Don't want independent builds from f-droid (nor any fork in f-droid)

Which no seems FOSS friendly.

[–] [email protected] 3 points 2 months ago (1 children)

I've already addressed this but i guess i'll expand on it.

Signal would not be able to add backdoors to all its users. Security researchers would see pretty quickly (more below) and that would be pretty big news because Signal is quite popular with people who care about their privacy.

They could in theory backdoor an individual's Signal app but, again, that's pretty inefficient. If anyone ever noticed it would be a big black mark against Signal, though they may not have much choice in the matter if it really came to it. However, we know that big governments and other sophisticated attackers usually prefer to just stick spyware on your phone. It's easier, more comprehensive, and doesn't require collaboration with Signal.

In contrast, you don't need to do any of that with Telegram because it's not E2EE. Your argument is basically "security features can be defeated by a sufficiently advanced attacker so use this other service that doesn't have them to begin with." This makes no fucking sense.

I don't know what you're talking about with FOSS stuff. Yeah, Telegram is open source. Signal is too. Some Signal forks (particularly the ones with "Signal" in their names) have been killed but others still exist, ex molly.im.

Signal client does have reproducible builds and has since 2016, as far as i know. This is another point against Signal being backdoored.

Beyond that, Signal has gone through a number of formal security audits. As far as i know, Telegram has not.

Finally, Telegram itself. Telegram could simply enable E2EE for all chats. They choose not to and that is concerning if you care about your privacy or security.

Yeah Signal could be better but that isn't a case to use Telegram over Signal when Telegram is worse in almost every respect.

[–] [email protected] 0 points 2 months ago

I agree that signal has a more robust security model. What I mean is that itbhasbalso habe risks, and a lot of people are ignoring it.

The backdoor could be a sleeping function activated from outside to targets of interest or 'special' updates from the google store (i.e.: with the help of google install a different version of the app to the target). But I'm not a security nor android expert, and it's all theoretical if this attack vector is possible, but I think that is unlikely.

Also, if the NATO country where I live wants to spy my mobile, it would use Pegasus 🤷🏽‍♀️

Off topic: The Signal reproducible builds don't work since, at least, may.