this post was submitted on 08 May 2024
219 points (78.9% liked)

Privacy

32156 readers
858 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Here's what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 236 points 6 months ago (2 children)

Telegram's server side software is closed source, owned and ran by them exclusively so they really have no room to talk. WhatsApp doesn't even have OSS clients so they're even worse in that regard

[–] eager_eagle 55 points 6 months ago* (last edited 6 months ago) (1 children)

exactly, they (Telegram) don't need to put sketchy code in the clients when most messages are not E2E encrypted and they control the servers lol

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 171 points 6 months ago* (last edited 6 months ago) (2 children)

It's hard to overstate what a nothing-burger this article really is! Let me break it down:

  • Signal got $3 million from the Open Technology Fund at some point in its development
  • Some anonymous source alleges that the OTF's ultimate goal is to promote US foreign interests
  • The current chairman of the board Katherine Maher worked at the National Democratic Institute and Wikipedia before
  • The same anonymous source says she was recruited because of connections to the OTF
  • She has at some point voiced the opinion that a completely free internet without regulation just reproduces existing power structures, and that balancing regulation and 1st amendment rights is a tough problem
  • Signal doesn't have reproducible builds on iOS (it absolutely does on Android btw)
  • Some people feel like Signal chats come up more often than they should in court cases and media reports

That's it, that's the whole story. That's the reason why the Telegram guy of all people thinks you should be careful, and better use his chat service instead, and the Twitter guy agrees.

I mean, reproducible builds on iOS would be nice, but that platform has much bigger problems from a privacy/security/sovereignty/freedom standpoint anyway. And the rest is just nothing turned up to 11.

[–] eager_eagle 89 points 6 months ago (1 children)

tl;dr "Signal might be untrustworthy because the tech came from a State-sponsored project and the current chairman acknowledges that Wikipedia has a white and Western bias."

just wait until they find out pretty much all tech we have can be traced back to government-funded research.

[–] [email protected] 46 points 6 months ago (1 children)

Did you know the early early internet researchers were part of a clandestine government organization known as ARPANET???? The entire TCP/IP stack is just a state-sponsored backdoor into your life!!!

WAKE UP SHEEPLE!!!!

[–] [email protected] 16 points 6 months ago* (last edited 6 months ago)

yea just wait until they find out why the first digital computer was made:

ENIAC was designed by John Mauchly and J. Presper Eckert to calculate artillery firing tables for the United States Army's Ballistic Research Laboratory (which later became a part of the Army Research Laboratory). However, its first program was a study of the feasibility of the thermonuclear weapon.

load more comments (1 replies)
[–] eating3645 153 points 6 months ago (2 children)

Lol telegram calling signal insecure is too funny.

load more comments (2 replies)
[–] [email protected] 116 points 6 months ago

Maybe he should focus on adding e2e encryption to the default chats and group chats instead of spreading FUD.

[–] [email protected] 100 points 6 months ago (3 children)

Looks like a push to discredit Signal right now. While I know Signal isn't perfect, I do like it and I haven't seen anything that is better (on the whole). The 3rd "emoji-point" is quite an accusation, and I would love to see any evidence of this kind of thing, that didn't result from the cops unlocking a defendants phone, or having infiltrated a chat.

[–] [email protected] 17 points 6 months ago* (last edited 6 months ago) (2 children)

While I know Signal isn't perfect, I do like it and I haven't seen anything that is better (on the whole).

Agreed. But it is worth mentioning that XMPP with OMEMO seems to be the current gold standard - runs almost everywhere, tons of available (free) servers, secure end to end messages, and fully auditable public source code.

[–] [email protected] 11 points 6 months ago (8 children)

I have used xmpp a lot, but I can't really recommend it to friends and family as a secure messenger. There are too many compatibility issues between clients and servers. If your friend is on a client or server that doesn't support the same encryption protocols, then you can't have a secure chat. Basically there is too much user knowledge and effort required at this time, for xmpp to be a good, secure, general use chat. I very much look forward to this changing. I also really like Matrix, but it is still a bit rough around the edges as of my last check.

load more comments (8 replies)
load more comments (1 replies)
[–] [email protected] 14 points 6 months ago (4 children)

Tin hat time:

I wonder if Russia's trying to get everyone on Telegram because they have control over it.

load more comments (4 replies)
load more comments (1 replies)
[–] [email protected] 98 points 6 months ago (2 children)

Telegram: There are backdoors in Signal encryption!

Also Telegram: not encrypted

[–] [email protected] 11 points 6 months ago (7 children)

Telegram secret chats are e2e encrypted though

load more comments (7 replies)
load more comments (1 replies)
[–] [email protected] 77 points 6 months ago* (last edited 6 months ago) (11 children)

arent telegram chats unencrypted by default?

An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media

source?? (i bet this ends up being a "they had full access to my unlocked phone" situation again)

also the whole thing abt US funded encryption is the same bullshit argument ppl use against Tor all the time. it doesnt mean shit.

this just reads like someone desperately trying to get more market share by spreading FUD

[–] [email protected] 23 points 6 months ago (5 children)

"an alarming number of important people" is the source. That's more than enough, right?

load more comments (5 replies)
load more comments (10 replies)
[–] [email protected] 66 points 6 months ago (3 children)

Go read the GitHub issue. The main difficulty in implementing reproducible builds is the code signing Apple requires as well as other tweaks Apple makes to modify the binary from what the dev submits to what gets downloaded from the App Store. Note that Android already has reproducible builds. Also the reason the GitHub issue was closed wasn’t “refusal” to implement the feature, they wanted to move the discussion to their forums.

load more comments (3 replies)
[–] [email protected] 65 points 6 months ago (2 children)

Sounds like someone is mad that security experts would rather trust a tried-and-true encryption standard over Telegram's encryption which is known to not be anywhere near as secure as the Signal protocol.

Pavel resorting to outright slander to promote Telegram is not something I expected to see.

[–] [email protected] 28 points 6 months ago* (last edited 6 months ago) (3 children)

he does raise very valid points about reproducible builds, which should be a priority if your product is security

Edit: oh @Wolflink below points out that such builds are available for Android, but iOS has issues stemming from Apple and not Signal. This then begs the question, why is Telegram reproducible on iOS?

load more comments (3 replies)
load more comments (1 replies)
[–] [email protected] 61 points 6 months ago (3 children)

Why all the emojis? Why can't people just write an article?

[–] [email protected] 16 points 6 months ago

he is maybe flexing the "custom emojis" feature of telegram, see original post

load more comments (2 replies)
[–] [email protected] 49 points 6 months ago (3 children)

This comes a few days after Jack Dorsey confirmed that he had left the board of Bluesky and then starting to use Tw(X)tter and calling Tw(X)tter "freedom technology". Coincidence ?

load more comments (3 replies)
[–] NotMyOldRedditName 47 points 6 months ago (9 children)

You don't need a backdoor in signal to bypass its encryption.

All you need is to exploit the phone and wait for them to open or use signal.

If you think your phone is safe from the NSA or similar services, I got some bad news for you.

load more comments (9 replies)
[–] [email protected] 44 points 6 months ago (5 children)

Okay first things first Jack Dorsey is a tool

The US government / CIA did in fact develop the protocol back in the day, with the goal of helping people in China and other countries message securely, probably with ulterior motives.

But the protocol itself is open source, and you can use it without any affiliation with the US government.

The claim " It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺" is therefore so stupid it almost invalidates everything else being said because the person writing is either an idiot or purposely misrepresenting the facts.

Not having reproducible builds is definitely weird though. Does anybody have more information on that?

[–] [email protected] 11 points 6 months ago
[–] [email protected] 10 points 6 months ago (1 children)

Not having reproducible builds is definitely weird though. Does anybody have more information on that?

They boast this as a feature, but on the instructions for how to do this for iOS, even Telegram admits "As things stand now, you'll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process". Browsing the steps, it's extremely complex, and doesn't seem like something that is very user friendly and that you'd do weekly or monthly when a new version is released.

On the GitHub issue linked to in the body, it's disingenuous to claim they refused to implement this, and that the technical hurdles Apple has in place make this extremely difficult which halted progress. In the community forums where the conversation was moved to, someone pointed out that even if you were to reproduce it on a jailbroken iPhone, that there's no way to confirm that non-jailbroken iPhones aren't receiving a version with a backdoor.

And even if you are using a jailbroken device exclusively and can confirm the reproducibility of the iOS app, then the risk becomes the latest available jailbroken iOS could be outdated from the real versions, and you'd have other issues with not receiving timely security updates. This same issue applies to Telegram also.

load more comments (1 replies)
load more comments (3 replies)
[–] [email protected] 32 points 6 months ago (2 children)

I don't think i care what Jack Dorsey says that isn't backed up independently. Even if he's right i just don't trust him.

[–] [email protected] 12 points 6 months ago (8 children)

You shouldn't need to trust open source, it should be independently verifiable. Unfortunately that's not possible with either signal or telegram, as there's no way to tell what server code they're running.

load more comments (8 replies)
load more comments (1 replies)
[–] [email protected] 32 points 6 months ago (20 children)
load more comments (20 replies)
[–] eager_eagle 29 points 6 months ago* (last edited 6 months ago)

Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github.

Not true. Signal has a very similar client verification process to Telegram's, described here. The lack of an iOS reproducible build is an Apple limitation / nuisance.

It’s very complicated, the 2nd jailbroken device is necessary because there’s no other way to download the .ipa, but even if you manage to do that and bit-for-bit reproduce the .ipa you downloaded from source, there’s no way to know if the App Store is sending every user the same .ipa or if your other, non-jailbroken iPhone downloaded a backdoored one.

Telegram docs even acknowledge these limitations.

Ultimately, this client verification is not the selling point Telegram's founder makes it sound like, since most messages are not E2EE and the server code is closed.

[–] [email protected] 27 points 6 months ago (3 children)

The kettle calls the pot black...

load more comments (3 replies)
[–] [email protected] 26 points 6 months ago (1 children)

Yes, sorry, but I can't take something seriously if every paragraph begins and ends with an emoji. I know it's dismissive, but all my Facebook lunatic conspiracy theory alarm bells are blaring.

[–] [email protected] 11 points 6 months ago

It's more normal in Russian-speaking Web.

Shouldn't trust this guy anyway, it's VK's founder talking.

[–] [email protected] 25 points 6 months ago (8 children)

Telegram: We keep you private. Now enter your phone number to sign up.

[–] [email protected] 18 points 6 months ago (7 children)
load more comments (7 replies)
load more comments (7 replies)
[–] [email protected] 24 points 6 months ago (1 children)

I don't care about dorsey or whatever, but a lot of privacy advocates don't consider signal secure, drew devault for example. I'm def among them, you should not trust any centralized US-hosted service.

load more comments (1 replies)
[–] NoLifeGaming 24 points 6 months ago

One is open source and you can check the code while the other is not completely open source and uses proprietary encryption. That's right, proprietary encryption.

[–] [email protected] 24 points 6 months ago (2 children)

This is also just a few days after Durov published Nazi dogwhistles in the latest Telegram update blog post.

https://plush.city/@PsyChuan/112336464469767051

load more comments (2 replies)
[–] [email protected] 23 points 6 months ago (6 children)

Still got server-side code closed source and by default messages are not encrypted.

load more comments (6 replies)
[–] [email protected] 23 points 6 months ago* (last edited 6 months ago)

Saw someone post that City Journal article on mastodon a couple days ago and I'm amazed that so few people picked up that the City Journal and the article's author are basically puppets of the Manhattan Institute, a conservative think tank. I know most people aren't tuned to look out for think tank propaganda but it came off as really obviously FUD-y and unsubstantiated.

[–] [email protected] 19 points 6 months ago

I wonder if their recent blog post promoting conspiracy theorists and right-wing people turned away more people from telegram than they expected and now they feel the need to spread FUD against their competitors.

[–] [email protected] 19 points 6 months ago* (last edited 6 months ago) (2 children)

Yeah, he needs to fix his broken secret chat feature first... I think it's broken on purpose..

After seeing his interview with Tucker Carlson, I'm 100% sure the guy has some really dark agenda..

load more comments (2 replies)
[–] [email protected] 13 points 6 months ago (1 children)
load more comments (1 replies)
load more comments
view more: next ›