Unless you’re from the USA, the land of free SMS, you probably use a messaging app like WhatsApp, Signal or Telegram.

Why? You get cross-device sync, newer features, privacy controls, the option to ditch phone numbers as identifiers, and cool stickers and emojis.

Does Privacy = Security?

WhatsApp is the prime example of the two being conflated. News and media websites keep repeating the buzzword ~ End-to-End Encryption ~ and say your messages are secure. Why? Because Facebook says so. They don’t school users about ‘verifying’ over ‘trusting’, they don’t shed light on the fact that WhatsApp is closed source, and they don’t make apples-to-apples comparisons: they compare ‘Telegram cloud chats’ to Signal chats, whereas Telegram vs Matrix would be a fair article. [Matrix does zero-knowledge encryption by default]

Facebook says that WhatsApp is end-to-end encrypted, but the app is proprietary, so how would you know?

Major news sites just jump on the bandwagon and copy-paste first-hand information from the app’s page or a spokesperson without explaining or justifying what it really means for the user, which in fact does more harm than good.

Here are some examples

> End-to-end is useless when WhatsApp itself cannot assure its users that the data of both parties in a chat won’t be backed up to Google Drive or iCloud

(And free for the NCB or any government agency to clone the SIM, re-register the number and restore all the chats from that backup.) Nor do they enforce a 2FA PIN the way Signal does.

Nor can they prove that they run the latest version of the Signal Protocol; you have to take Moxie’s word from 2017 for it, since WhatsApp is proprietary, and Moxie keeps mum when asked about this.

Please help me understand why a GPLv3 library is used in the proprietary WhatsApp app: https://github.com/signalapp/libsignal-protocol-java/issues/42


Signal

Bad UX everywhere. It’s half-baked, and their desktop app sucks, both in performance and features. It’s another Electron app, and only an extension of the mobile app: unless you use their mobile app or another CLI tool, you can’t sign up there. Most importantly, security-wise, it stores the key that encrypts its local message database in plaintext, in the user’s app data folder, for any app to see. Try it out now..

Quick reminder: In these hard times, when we focus on local vulnerabilities as @zoom_us had, @signalapp on Desktop still stores the encryption key in a plaintext file. So, any malicious app running with typical user permissions may decrypt your messages. 😅 1/x

— Wojciech Reguła (@_r3ggi) April 7, 2020


A rogue program can scan for the key and send it to the attacker. There’s also no way to bulk-unsend messages you’ve already sent, as there is on Telegram or Matrix. Your only hope is to use ‘disappearing messages’ with everyone.
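To see what the tweet above is talking about, here is a small checker, added to this post and not Signal’s own code, that classifies a Signal Desktop `config.json` and reports whether the database key sits in it in plaintext and (on Linux/macOS) whether the file is readable by other users. It assumes the profile paths listed in the script and that the key appears as a 64-hex-character `key` field, with `encryptedKey` used by builds that wrap it with OS key storage; it never prints the key itself, and the sample profile it creates in a temp directory is constructed for the demo.

```python
"""Check whether a Signal Desktop profile keeps its database key in plaintext.

Added example for this post, not code from Signal. Assumptions: Signal Desktop
stores the SQLCipher key for its local database as the "key" field of
config.json in the profile directory (the behaviour the tweet describes);
builds that wrap it with OS key storage expose an "encryptedKey" field instead.
"""
import json
import os
import stat
import sys
import tempfile
from pathlib import Path

HEX_KEY_LEN = 64  # 32-byte key, hex encoded
HEX_CHARS = set("0123456789abcdefABCDEF")


def default_config_path() -> Path:
    """Signal Desktop profile location per platform (assumed defaults)."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", Path.home() / "AppData" / "Roaming"))
        return base / "Signal" / "config.json"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Signal" / "config.json"
    return Path.home() / ".config" / "Signal" / "config.json"


def inspect_config(text: str) -> dict:
    """Classify a config.json body. Never returns the key material itself."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return {"parsed": False, "plaintext_key": False, "encrypted_key": False}
    key = cfg.get("key")
    plaintext = (isinstance(key, str) and len(key) == HEX_KEY_LEN
                 and all(c in HEX_CHARS for c in key))
    return {
        "parsed": True,
        "plaintext_key": plaintext,
        "encrypted_key": isinstance(cfg.get("encryptedKey"), str),
    }


def check_file(path: Path) -> dict:
    """Combine content classification with a POSIX permission check."""
    result = {"path": str(path), "exists": path.exists()}
    if not path.exists():
        return result
    result.update(inspect_config(path.read_text(encoding="utf-8")))
    mode = path.stat().st_mode
    # st_mode permission bits only mean something on POSIX systems.
    result["readable_by_others"] = os.name == "posix" and bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return result


def verdict(report: dict) -> str:
    """Human-readable summary of a check_file() report."""
    if not report.get("exists"):
        return "no Signal Desktop profile found"
    if report.get("plaintext_key"):
        return "database key stored in plaintext: any process running as this user can read it"
    if report.get("encrypted_key"):
        return "key is wrapped by OS key storage; not recoverable by a plain file read"
    return "no database key found in config.json"


if __name__ == "__main__":
    # Constructed sample profile so the script runs offline; the key is random.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "config.json"
        sample.write_text(json.dumps({"key": os.urandom(32).hex()}))
        print("sample profile:", verdict(check_file(sample)))
    # Then the real profile on this machine, if one exists.
    print("this machine:  ", verdict(check_file(default_config_path())))
```

Run it on the machine you use Signal Desktop on; if the first line of the verdict says plaintext, anything with your user’s file-system access already has everything it needs to open the message database.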

Other deceiving, cheeky stuff.

We’d announce that we’re stopping too, but we never started turning over user data to HK police. Also, we don’t have user data to turn over. — Signal (@signalapp) July 6, 2020

This is misleading: since Signal PINs, Signal has more data to hand over than it had 4 years ago.

Using the Signal blog’s “Government Requests: Grand jury subpoena for Signal user data, Eastern District of Virginia” to argue ‘we hand over data to the US government, but it’s of no use’ is no longer valid. The PIN-protected encrypted data can be brute-forced.

I’d highlight this (quoting Signal’s own PIN page; by ‘data’ they mean your encrypted data):

> Signal PINs are at least 4 digits, but they can also be longer or alphanumeric if you prefer. Because Signal doesn’t have access to your keys – or your data – your PIN isn’t recoverable if you forget it, so our apps help you remember your PIN with periodic reminders. Don’t worry, these reminders get less frequent over time.

Instead of giving users a 12-word seed phrase they default to a minimum of 4 digits. Sure, your cloud PIN data doesn’t contain messages, but it’s valid metadata that they [3-letter agencies] can get.

Even more than what they could get 4 years ago.

They make an unfair compromise and are hostile to forks working with them. “I don’t want Signal and any of their cloud stuff, I’d rather use Matrix for that; I only want the 2FA lock. Nothing more, nothing less.” Not possible as of right now.

Signal PINs can be brute-forced easily if the average user sets a 4-digit PIN instead of something more secure like a 12-word seed phrase: 4 digits is only 10,000 possibilities. The one thing standing between that keyspace and an offline attack is the guess limit Signal enforces inside its SGX-based Secure Value Recovery enclaves, so a short PIN is exactly as strong as that enclave.
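To make the brute-force claim concrete, here is an added example (not Signal’s code) that models the attack: the attacker holds a PBKDF2-stretched value derived from the PIN plus its salt, nothing limits the number of guesses, and the 10,000 candidate PINs are simply enumerated. PBKDF2-HMAC-SHA256 at a small iteration count stands in for whatever KDF the real system uses, and the 2048-entry wordlist size used for the 12-word seed comparison is an assumption borrowed from BIP39-style lists. Signal’s actual design relies on an SGX enclave to cap guesses; this is what you get if that cap is gone.

```python
"""Why a 4-digit PIN is only safe behind a rate limiter.

Added example for this post, not Signal's code. Assumptions: the attacker
holds a PIN-derived value produced by a password-stretching KDF (PBKDF2-HMAC-
SHA256 here, with a deliberately small iteration count so the demo runs in
seconds; a real deployment would use Argon2 and far more work) and no enclave
or server enforces a guess limit. Under those assumptions the PIN space is
enumerated offline.
"""
import hashlib
import math
import os
import secrets
import time

ITERATIONS = 200       # demo value; production KDFs use far more work
PIN_DIGITS = 4
SEED_WORDS = 12
WORDLIST_SIZE = 2048   # assumed BIP39-style list size


def stretch(secret: str, salt: bytes) -> bytes:
    """Derive the 32-byte value a server or enclave would store."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)


def brute_force_pin(target: bytes, salt: bytes, digits: int = PIN_DIGITS):
    """Enumerate every numeric PIN of the given length; return (pin, guesses)."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if stretch(candidate, salt) == target:
            return candidate, n + 1
    return None, 10 ** digits


def keyspace_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniformly chosen symbols."""
    return length * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a fixed guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"  # the user's PIN
    stored = stretch(pin, salt)  # all the attacker gets: stretched value + salt

    t0 = time.perf_counter()
    found, guesses = brute_force_pin(stored, salt)
    elapsed = max(time.perf_counter() - t0, 1e-9)
    rate = guesses / elapsed
    print(f"recovered PIN {found} after {guesses} guesses in {elapsed:.2f}s ({rate:,.0f}/s)")

    pin_bits = keyspace_bits(10, PIN_DIGITS)
    seed_bits = keyspace_bits(WORDLIST_SIZE, SEED_WORDS)
    print(f"{PIN_DIGITS}-digit PIN: {pin_bits:.1f} bits")
    print(f"{SEED_WORDS}-word seed: {seed_bits:.1f} bits, "
          f"{years_to_exhaust(seed_bits, rate):.2e} years at the same rate")
```

Raising the KDF cost buys a constant factor; it does not change the fact that 10,000 guesses is a lunch break on a laptop, while 132 bits is not a target at any rate. That is the whole argument for a passphrase over a PIN when the guess limiter cannot be trusted.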

By default, notifications are visible to the host OS. Here Telegram Secret Chats beat normal Signal chats: they hide previews for ‘both sides’.

This can be read by proprietary OSs like iOS or Android


Moxie being shady / promoting centralization

Please help me understand why a GPLv3 library is used in the proprietary WhatsApp app: https://github.com/signalapp/libsignal-protocol-java/issues/42

Reflections: The ecosystem is moving https://signal.org/blog/the-ecosystem-is-moving/

The server-side code was last updated on 23rd April 2020 and is licensed under AGPL 3.0: https://web.archive.org/web/20210118184819/https://github.com/signalapp/Signal-Server


Telegram

The biggest problem with Telegram is that people tag it as an end-to-end encrypted app everywhere, and news articles compare Secret Chats with the other messengers. If you ask any Telegram user, they don’t use Secret Chats unless it’s needed. It’s also a hybrid of Twitter / Discord with its public chatrooms and channels, so even if you don’t plan to use it for 1-1 chats, it’s still better than Twitter or Discord for group chats. That being said, Mastodon or Matrix is the more future-proof solution.

Other deceiving stuff.

Their CEO [Durov] keeps claiming to this day that they’ve disclosed 0 bytes of cloud chat data to third parties, and claims Signal, Tor and other US Open Technology Fund projects have vulnerabilities and backdoors. There’s no proof for or against the first half of that statement; no one except Durov knows about the ‘0 bytes shared’ part. But the backdoor claim about Tor or Signal can be shown clearly false. Tor is open source and reviewed. Signal’s clients, like Telegram’s, are open source, so a bundled backdoor would be visible in the code. And you can verify ‘e2e encryption’ yourself by comparing QR / verification codes out of band.

Durov is biased against Tor. I think here’s what he was planning to do ~ TON, to build a Tor clone as a proxy for Telegram in censorship-prone regions. It was almost done, and then poof, the US government killed it. I assume that’s the source of his bias against Tor / the US government.

Signal is a tool of the US Gov, backed by the US National Security State. Here’s a good summary of its history https://surveillancevalley.com/blog/government-backed-privacy-tools-are-not-going-to-protect-us-from-president-trump

— Pavel Durov (@durov) June 8, 2017

Signal might seem shady outside the Signal ecosystem, but their native mobile apps are solid in terms of security, i.e. if you verify QR codes.

I don’t need to trust Tor or Signal here. I can verify in person, with a QR code, that my chats aren’t being intercepted, and every chat supports this by default. You can do this on Telegram too [Secret Chats], but it’s not ON by default. Also, Tor is mature; Durov planned to compete with Tor via the TON proxy, and TON would have taken years to reach mass adoption even if it had succeeded in the first place. [update: Telegram plans to extend Secret Chats to group chats soon]
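Here is what ‘verify instead of trust’ means mechanically, as an added example that is not libsignal’s or Telegram’s code (it covers both the QR-code point made in the Telegram section above and the in-person verification described just here). Each side derives a 60-digit number from its own and its peer’s long-term identity key; a server that quietly swaps in its own key changes the number on at least one screen. The construction follows the shape of libsignal’s numeric fingerprint but is not claimed to be byte-identical to it: the 5200 iteration count, the two version bytes and the random 32-byte stand-in identity keys are assumptions.

```python
"""Out-of-band key verification (safety numbers / QR codes), added example.

Not libsignal's or Telegram's code. Models what comparing safety numbers buys
you: each side folds its own and its peer's long-term identity key into a digit
string, so a server that substitutes keys to sit in the middle changes the
digits at least one side computes. Follows the shape of libsignal's numeric
fingerprint (iterated SHA-512 over version, identity key and identifier; five-
byte chunks reduced to five decimal digits; both halves sorted and joined) but
is not claimed to match it bit-for-bit. Assumptions: iteration count, version
bytes, and random 32-byte stand-ins instead of real Curve25519 identity keys.
"""
import hashlib
import os

ITERATIONS = 5200        # assumed; slows brute-force search for colliding keys
VERSION = b"\x00\x00"    # assumed two-byte scheme version prefix
CHUNKS = 6               # 6 chunks x 5 digits = 30 digits per party


def fingerprint_half(identity_key: bytes, stable_id: bytes) -> str:
    """30-digit fingerprint of one party's identity key and identifier."""
    digest = hashlib.sha512(VERSION + identity_key + stable_id).digest()
    for _ in range(ITERATIONS - 1):
        digest = hashlib.sha512(digest + identity_key).digest()
    digits = []
    for i in range(CHUNKS):
        chunk = int.from_bytes(digest[5 * i:5 * i + 5], "big")
        digits.append(f"{chunk % 100000:05d}")
    return "".join(digits)


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """60-digit string; halves are sorted so both parties compute the same value."""
    halves = sorted([fingerprint_half(my_key, my_id), fingerprint_half(their_key, their_id)])
    return "".join(halves)


def as_qr_groups(number: str) -> str:
    """Display form: 12 groups of 5 digits, the way apps render it on screen."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


if __name__ == "__main__":
    # Constructed identities: random bytes stand in for identity public keys.
    alice_key, bob_key, mallory_key = (os.urandom(32) for _ in range(3))
    alice_id, bob_id = b"+10000000001", b"+10000000002"

    honest = safety_number(alice_key, alice_id, bob_key, bob_id)
    assert honest == safety_number(bob_key, bob_id, alice_key, alice_id)

    # A key-substituting server hands Alice Mallory's key under Bob's name.
    alice_view = safety_number(alice_key, alice_id, mallory_key, bob_id)
    print("Bob's screen:  ", as_qr_groups(honest))
    print("Alice's screen:", as_qr_groups(alice_view))
    print("match:", honest == alice_view)
```

The point of the sort is that both people read the same number regardless of who scans whom; the point of mixing in the peer’s key is that a substituted key cannot hide. None of this requires trusting the server, which is exactly why an app that offers it (and turns it on by default) is in a different category from one that asks you to trust the company.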

Edward Snowden explains it well

“We’ve seen some improvements, and that’s not nothing. But not the revolutionary rework it needs. Telegram still seems to encourage dangerous cloud messaging instead of secret chats. Experts ask “why?” And the answer is “convenience.” That’s unsafe.

— Edward Snowden (@Snowden) December 30, 2017

By ‘dangerous’, imo he means not giving users zero-knowledge encryption so that we control the keys, which really sucks.

And this is where we start getting to my core concerns. @Telegram has for years faced criticisms about the basic structure of its security by prominent cryptographers and technologists. Many defenses rely upon unbroken trust in a central authority (the company). “Trust us.”

— Edward Snowden (@Snowden) December 30, 2017

Trust us not to turn over data. Trust us not to read your messages. Trust us not to close your channel. Maybe @Durov is an angel. I hope so! But angels have fallen before. Telegram should have been working to make channels decentralized—meaning outside their control—for years.

— Edward Snowden (@Snowden) December 30, 2017

So Telegram’s bad?

What Telegram does right now is manage the keys and assure you that, as long as Durov is CEO, they will keep your cloud chats safe. This is still trust: trust that they haven’t handed over keys, backed by legal safeguards like splitting encryption keys across jurisdictions, although in the future they could simply give up and knock you off your feet. Because as far as cloud chats go, this is privacy by trust and not by design.

Verifying clearly gives you more peace of mind than trusting someone, like using Telegram one-on-one Secret Chats. You can’t predict the future. You can still use it as a hybrid social media app; it’s the best centralized social media app in terms of its generic privacy policy and freedom of speech. But real freedom / privacy only exists on federated platforms like Matrix or the fediverse, where you set your own rules. So prioritize that over Telegram, unless they decide to join the fediverse.

But cloud chats and instant sync can help with IRL privacy + convenience.

If my phone gets stolen, I can unsend years of chats from another device, or delete a chat between my friend and me from my friend’s device. If you value security, you should use Signal. But as I said, security does not equal privacy. You can’t unsend messages on Signal that easily. Telegram gives you IRL applications of privacy.

In an emergency, or if you decide to delete your account, what you can do on Telegram is delete your chats from both ends, assuming they don’t log stuff (no way to prove or disprove this yet).

What they need to do is roll out zero-knowledge encryption:

Reduce the trust factor and let you set a minimum 12-word seed as a passphrase, the way Bitwarden, ProtonMail, MEGA Cloud or most crypto wallets do. All encryption and decryption should happen ‘on device’. End-to-end zero-knowledge encryption for all users, with no opt-out like Signal PINs have.

That would assure 2FA, and should they ever have to hand over data, it would take years to decrypt, depending on the encryption algorithm they choose. Something MTProto 3 should tackle. The only thing left out in terms of security would be perfect forward secrecy. In fact, that’s how Telegram Passport works right now.

Update: Durov says he’s exploring that path when I asked him. This would mean no server-side search. I think it’s a valid compromise.

Regarding the 24-word seed: they themselves built a TON wallet which had all of this, but for the TON network. Here are some screenshots.

New account setup with a 24-word seed.

This replaces 2FA during signup.

A note saying don’t lose your seed phrase, as everything is going to be encrypted with it.

Here’s the seed, 12 or 24 words depending on how much security you want.

When you log in again on another device that can’t scan a QR code.

i.e. 2FA setup and Telegram Passport (end-to-end encrypted)

Settings page showing Telegram Passport

Set up a new passcode ~ but in my theory the passcode would be a seed of at least 12 random words (TON wallet photo above) ^

When you log in again on another device, but you get the TON wallet screen.

Here the keys to the chat are stored on the device, end-to-end encrypted. You handle your keys like a password manager.

Blog post on Telegram Passport

FAQ post for Telegram Passport


Matrix is a protocol rather than a messaging app.

Matrix could solve decentralized peer-to-peer and federated messaging. Personally, if you hypothetically gave me 100 USD to donate to any of these messaging platforms, I would fund Matrix. Public money ~ public code, and the most aspiring among the others. I know it’s not the best, because of its decentralized nature, but I would rather fund them to fix those issues than fund Signal, which says ‘we don’t care’.

What would you rather fund: 100 dollars to improve on that, or stick to the centralized ones? But I would not recommend it for one-on-one messaging just yet. As of now it leaks “a lot” of metadata. It’s practical for public forums, government forums and events, but not for one-on-one chats unless they’re peer-to-peer.

If it’s a public group I plan to host as an inclusive leader, I would host/pick a Matrix server and make sure to bridge everyone in from all the platforms. Even for schools, coding events, fundraisers and protests (easy to circumvent censorship, since it’s not one server they need to block), users can log in from one web client or another; any Matrix client can be used.


Discord

Forget privacy. Discord is cringey and it’ll die soon. It’s quite childish; watch this video..

People (mostly gamers) use it for public stuff, all public domain, not end-to-end encrypted, with attachments sitting on a public CDN (right-click on an image in a chat and see the CDN link), just like Google Photos, Instagram or Messenger DMs. The only reason I would use Discord is to bring everyone trapped in Discord over to Matrix, just like my #FediFirst strategy.

Discord proudly says they scan all your running apps and messages, run them through their AI and flag them. So don’t expect privacy on Discord.

our squeaky little robot monkeys would like to spy on u, hey fren you trust us rite? your best frens at discord UwU

Why do people use Discord? There’s no competition just yet.

There are Matrix servers that run Jitsi, but the UX is confusing and they’re not aiming to fix calls yet. Telegram and Signal are bringing end-to-end group calls ‘everywhere’ with a supposedly huge cap (I guess 100) on max users. But let’s be honest, no one is going above 50 people in a group call, and not all 50 are speaking at once.


Synopsis

  • Use Signal with disappearing messages and set a long 2FA passphrase. But: you miss out on unsending messages, cloud chats and other UX stuff found on Telegram.

  • Use Matrix for public group chats, or at least ensure you can bridge to Matrix first. But: don’t use it for DMs unless you’re peer-to-peer or own the homeserver.

  • Use Telegram for public protests and casual chats, and clear chats for both sides at least once a year. Set a long 2FA passphrase, and keep an eye out for Telegram’s servers getting raided or Durov resigning; then you should unsend every single chat if Telegram hasn’t rolled out zero-knowledge encryption by then. [update: Telegram says they’re interested in zero-knowledge encryption, which is a good sign]


#1 - SMDL.io ~ email me (https://polarhive.ml/contact) if you have any suggestions or queries.