“Telegram is not a private messenger. There’s nothing private about it. It’s the opposite. It’s a cloud messenger where every message you’ve ever sent or received is in plain text in a database that Telegram the organization controls and has access to it”
“It’s like a Russian oligarch starting an unencrypted version of WhatsApp, a pixel for pixel clone of WhatsApp. That should be kind of a difficult brand to operate. Somehow, they’ve done a really amazing job of convincing the whole world that this is an encrypted messaging app and that the founder is some kind of Russian dissident, even though he goes there once a month, the whole team lives in Russia, and their families are there.”
" What happened in France is they just chose not to respond to the subpoena. So that’s in violation of the law. And, he gets arrested in France, right? And everyone’s like, oh, France. But I think the key point is they have the data, like they can respond to the subpoenas where as Signal, for instance, doesn’t have access to the data and couldn’t respond to that same request. To me it’s very obvious that Russia would’ve had a much less polite version of that conversation with Pavel Durov and the telegram team before this moment"
It’s also important to continue educating people about the fact that Signal is incredibly problematic as well, but not in the way most people think.
The issue with Signal is that your phone number is metadata. And people who think metadata is “just” data or that cross-referencing is some kind of sci-fi nonsense, are fundamentally misunderstanding how modern surveillance works.
By requiring phone numbers, Signal, despite its good encryption, inherently builds a social graph. The server operators, or anyone who gets that data, can see a map of who is talking to whom. The content is secure, but the connections are not.
Being able to map out who talks to whom is incredibly valuable. A three-letter agency can take the map of connections and overlay it with all the other data they vacuum up from other sources, such as location data, purchase histories, social media activity. If you become a “person of interest” for any reason, they instantly have your entire social circle mapped out.
Worse, the act of seeking out encrypted communication is itself a red flag. It’s a perfect filter: “Show me everyone paranoid enough to use crypto.” You’re basically raising your hand.
So, in a twisted way, Signal being a tool for private conversations, makes it a perfect machine for mapping associations and identifying targets. The fact that Signal is operated centrally with the server located in the US, and it’s being developed by people with connections to US intelligence while being constantly pushed as the best solution for private communication should give everyone a pause.
The kicker is that thanks to gag orders, companies are legally forbidden from telling you if the feds come knocking for this data. So even if Signal’s intentions are pure, we’d never know how the data it collects is being used. The potential for abuse is baked right into the phone-number requirement.
Opinion: I think painting in Signal in such negative light is more harmful in the practical sense. Having fragmented messaging towards the public that does not care about many of these aspects just makes them a lot more hesitant to change, from my perspective.
We as a community should, in my opinion, pick a “good enough” solution for the majority of the people we interact with. That in itself is a market force to show interest and demand for private solutions. Most people I know don’t have the tools or knowledge or time to understand nuances and all they’ll hear are conflicting messages.
For us more technically inclined people: hell yeah, let’s figure out the ideal model and bring it up to maturity so others can join when it’s fleshed out. E.g. when lemmy came to my attention in the reddit 3rd party app fiasco, I was really confused on how to sign up and use it. And I’m no stranger to tech.
Edit: spelling
We as a community should, in my opinion, pick a “good enough” solution for the majority of the people we interact with.
I’d probably suggest Deltachat. It’s decentralized and has always on encryption, but is so incredibly simple and easy to onboard and use, and doesn’t require a phone number or even an email. It also works on all platforms with a single app.
and doesn’t require a phone number or even an email
wait, doesn’t it rely on the email system?
I would rather have signal possibly collect my social graph than google through gmail.
It uses a subset of the email protocol (which makes it very difficult for governments to block) but it no longer uses an an actual email address to function by default.
Even if someone did use a gmail exclusively for this (you can’t use it with an email account you use for normal emails too), everything would be entirely encrypted, and only the app itself would be able to decrypt it (google would not be able to decrypt the messages). But again, no normal user is going to use an actual email address.
You can read more about how it works in their FAQ. But the short version is once you pick a username, it just gives you a QR code or link to send to people, which connects you immediately in an encrypted chat room with no faffing around with emails.
There are plenty of good enough options like SimpleX Chat out there that don’t have this problem. The whole argument that people should just ignore the obvious issue with Signal is frankly weird.
Accept defects != ignore
My original comment that you replied to was explaining the defects. People are free to decide whether they want to accept them or not. Your comment is saying that it’s harmful to discuss these defects which implies that we should just ignore them.
I was talking about the “educating people” part. I interpreted as “let’s steer them away from Signal towards a better solution”. If it’s not the intent then my comment is irrelevant
Again, I think people should be aware that there are alternatives to Signal, and be able to make an informed decision on the trade offs that matter to them. My personal view is that there are absolutely better platforms than Signal, but if people understand the potential risks with Signal and use it because it’s convenient or their other contacts use it, etc., that’s entirely up to them. It’s just not what I would personally recommend if people want privacy.
Fair enough
You think we’re living in an ideal world, but we’re not. Most of our family and friends use WhatsApp and other big tech messaging apps. You make valid points, but they’re just a dream if messaging means people and if there aren’t people, it’s not messaging.
We have to choose our threat level. Signal is great when you don’t want to expose your data to companies mining it for their profit. It is not so great when you are a person of interest, and need absolute privacy.
The metadata is worthless and pricy to use it for an awarage joe.
The thing is that there’s nothing special about Signal that makes it better than alternatives like SimpleX. I just don’t see why it should be promoted instead of them. Yes, it’s better than WhatsApp where meta has a master key and can read your messages, but why settle when you can use a platform without compromises?
Simple: I already migrated most of my friends over Signal. I did not know better alternatives at the time. While I agree with you, not about SimpleX I dont have enough info about it, but about that there are better solutions.
Yeah, that’s fair. If you’re already stuck on Signal, then it’s difficult to make a move to something else. I’m mostly talking about people who are using something like WhatsApp, and it’s better to make a fresh move to a platform that doesn’t have the issues Signal has.
I appreciate the comment on the matter. This is good information to know and consider.
People should know that Signal is encrypted and private, but won’t make you a ghost.
That being said, the majority of people are not interested in privacy so getting them to use Signal over WhatsApp or SMS is a 99% win.
The question here is why not get people to switch to a better platform like SimpleX or even matrix with something like Element. I don’t find that Signal does anything better in practice.
And I’m not arguing not to.
But I tried to get everybody I know to contact me on signal or simplex. For a year. Only one person switched and they did so to signal. Because it was easier and more people were on it. I myself stopped using simplex because not enough people are using it that I know.
So where the rubber meets the road, if anybody wants to use signal I’m good with that because its good for 99% of all things.
If we (as privacy enthusiasts) want to promote the better apps, they need to be and appear less niche so they’re more acceptable.
Yeah, there are network effects at play here. Getting people to move off a platform is very difficult because they need their contacts to move to, and their contacts need theirs in turn. Some people are willing to use multiple messaging apps, but most don’t. I’d argue that’s why it’s important to promote alternatives to Signal. The more popular they become the easier it is to get people to move to them.
The server operators, or anyone who gets that data, can see a map of who is talking to whom.
!citation needed
I think their point is that signal knows the phone number associated to each account, and in lots of countries nowadays phone numbers are only obtained after identity verification.
sealed sender is supposed to hide the identity of the sender from signal servers, but it’s security is questionable as it’s based on blackbox hardware not even signal staff can audit.
Citation for what exactly? Go read up on how networking works, entire textbooks are available. The server has access to all the data the client sends it. How do you think you get paired with another person to chat, by magic?
signal is open source no?
There are forks that don’t require phone numbers.
Not effectively, since it’s centralized in the US and you have no idea what code the server is running.
Signal does claim to have their server code open, but they went a whole year one time without updating it, until they received some backlash for it.
Isn’t it reproducible?
you can never validate what code a server is running, so having FOSS server code is kinda a moot point: it can’t add anything useful to the privacy conversation
the only way you can guarantee privacy is with the client code, and they have repeatable builds so you can validate the code that’s encrypting the messages, and in that case it barely even matters if their server is streaming all the data they receive to some shady other place… especially with sealed sender
you can never validate what code a server is running
Really? if so how can we trust Lemmy?
you can’t, and shouldn’t… lemmy never claimed to be, nor has the architecture to enable it to be a private service. lemmy instances are run by arbitrary people on the internet, and some of them do run forked versions of the codebase (eg blahaj)… we have no way of verifying what’s running on the server
but interaction on lemmy doesn’t require trust. i don’t think anyone is expecting lemmy to be private
@dessalines@lemmy.ml I’m not a developer could you explain this?
The above poster is wrong. You can absolutely trust lemmy, because its open source and self hostable. You can build the project from source (like a cooking recipe), and run it yourself.
you can never validate what code a server is running
Most halfway-decent messaging services (unlike signal) are self-hostable. So yes with actual open source software, that’s very possible.
that comes down to a difference in philosophy i think… signal have detailed their reasoning for not making signals servers decentralised and self hostable, and i don’t disagree with some of them… i think everything is a trade-off, and decentralisation has scaling and usability issues
signal has done a pretty good job of creating a platform that’s much much better than alternatives in a package that’s consumable by the general public
i’m not sure that something that’s more like matrix, or xmpp, etc could do that
it might be theoretically and technically not quite as perfect, but its impact on increased privacy across the globe has been far larger because they’ve made some of those compromises
I can’t really trust anyone’s security philosophy when they market their service as “secure”, but then have it built on required phone numbers (linkable to your real identity), and a single centralized US-based server subject to national security letters.
Anyone who came up with this idea of security should be laughed out of the room.
I’m convinced signal’s entire support is similar to apple’s : they make vague untestable claims about security, whilst having a shiny and functional app.
There are so many self-hostable alternatives that have signal beat on both those, that make any reason for using it moot.
Yes, but those are basically separate platforms like Session. Signal does not federate, and there’s only a single server in the US that requires your phone number to sign up.
Apparently they don’t store contact info.
https://signal.org/blog/looking-back-as-the-world-moves-forward/
The problem is that you just have to trust them because only people who actually operate the server know what they do or do not store. Trust me bro, is not a viable security model. As a rule, you have to assume that any info an app collects, such as your phone number, can now be used in adversarial fashion against you.
Trust me bro
Yeah, this is the viable security model.
I’m not a developer, but if the client and server code is open (AGPLv3), you can definitely know what they do or store.
Except you have no idea what’s actually running on the server. Only people who operate it know.
Yeah there’s a reason they don’t allow you to use your own self hosted server.
People just accepting what companies say is how we ended up in the current mess. But here we are again. Companies work around how people perceive things to be secure and private all the time. It’s just one small cog in the big machine.
It’s how some NGOs are part of a intelligence and surveillance network but people only focus on the social work and it becomes immoral to criticize the good things they do as a cover.
There’s also reluctance to release it in f-droid. They say they want to becontrol the distribution, but they have no problem with Apple and Google being the main distribution platforms. They haven’t even looked at unified push. And that just adds to the “there’s something else going on” factors.
Signal protocol might be bullet proof but the app supplier, centralized server, and phone number requirement and the most mainstream OS aren’t. When you combine with how mainstream OS companies like Microsoft, Apple and Google work together with the feds, there’s ways that the bulletproof protocol may not be sufficient and is only a part of the bigger picture. There’s also US government spying on notification.
They may work without them but the inconvenience will deter 99% of people. Being dependent these external factors, It just doesn’t feel as bullet proof as a whole.
Whatsapp also uses the signal protocol, but you wouldn’t trust them because they’re under facebook, would you?
I also find it really weird how aggressively Signal is being pushed everywhere, and how any criticism of it gets dismissed or ridiculed. It feels a bit like a cult at this point.
I’m fully convinced its just like apple’s support: they make some vagueish unprovable claims about privacy, and have a functional and shiny app. That’s enough for people to overlook all the privacy issues, and build a cult-like fanbase.
Like if anyone walked into a privacy conference and said, “Hey everyone, I’m going to make a private messaging service. I need everyone’s phone number!”, they’d get laughed out of the room. But because their app looks nice, then people need to develop the cult-like following whenever it gets attacked, because its touching on an unresolved cognitive dissonance of this being a terrible idea.
Pretty much yeah, and they’ve had a really good marketing campaign too. They got a whole bunch of prominent tech influencers incessantly pushing it, and it just feels like a massive astroturf campaign to me. Like you said, if a random person pitched this idea, they’d be laughed at, but you get some people with clout to do it, and it sticks because everybody respects them and trusts them.
And that is the problem with anything you don’t write yourself. And for anything you do write yourself: Are you smarter than the three-letter agencies?
There are plenty of chat services that aren’t centralized and hosted in the USA.
Sure… and my point is that you have to trust those services that aren’t hosted in the USA. It’s a choice you have to make. I’m not judging either way, just pointing out because what I responded to in the comment to which I replied was:
The problem is that you just have to trust them
Which is true of open source unless you read the code and can verify nothing nefarious exists; which is true if you use a service in a country you trust; which is true no matter what you’re doing.
Not all entities are deserving of the same level of trust - some are more trustworthy than others - but you are still making a decision to trust someone unless you write the code yourself or verify the code yourself.[1]
And had the capability and time to do so ↩︎
Which is true of open source unless you read the code and can verify nothing nefarious exists
Not at all. Not everyone needs to audit open source, only a few interested experts do. Most importantly, auditing is possible because its out in the open.
The just trust me model of signal means its impossible to audit, unless they give us their centralized database and server code.
If you are not auditing the source code, you are trusting those that are.
You don’t have to trust anybody when you run your own server, or you use a server that doesn’t collect information it has no business collecting.
You don’t have to trust anybody when you run your own server,
You have to trust the people that wrote the code.
or you use a server that doesn’t collect information it has no business collecting.
Again, you’re trusting the authors of the code.
Which is fine, but it’s a choice to trust them.
And the client, too.
Precisely.
And it’s worth repeating here - the level of trust needed is affected by the nature of what you might lose if that trust is broken. For non-important things, trusting a third-party company is probably fine. If you’re in a country and being found out might mean you get put to death, though, the stakes are a bit higher.
You have to trust the people that wrote the code.
There’s a big difference between having confidence in open source code that has been audited by many people, and knowing for a fact that the service collects specific information. In the former case, you can never be absolutely sure that the code is not malicious so there is always a risk, but in the latter case you know for a fact that the service is collecting inappropriate information and you have to trust that people operating the service are not using it in adversarial ways. These two scenarios are in no way equivalent.
Which is fine, but it’s a choice to trust them.
It’s a choice to trust the entire open source community around the project and all the security researchers who have been looking at the code.
Frankly, I have trouble believing that you don’t understand the difference here and are making your argument in good faith.
Frankly, I have trouble believing that you don’t understand the difference here and are making your argument in good faith.
Let’s back up to what I replied to in the first place:
You don’t have to trust anybody
I even took the time to quote that, because it’s important.
Of course there are different levels of trust. But what you said is flatly wrong and misinformation, if you want to get technical about it. Arguing in bad faith? I beg your fucking pardon, friend.
Just becuase it’s less likely to find nefarious code in open source doesn’t mean it doesn’t exist. There ahve been multiple cases of it found in open source code. Blindly trusting something because it’s open source or you host it on your own server is a very very false sense of security, especially in the context of the larger discussion, which came about in regard to what information is exposed by certain messaging clients.
It’s also a matter of the importance of what you’re doing.
I wrote a little CRUD app a while back to track me giving my cat medication. I sanitized inputs, but I left it open without a login on my server, just an obscure URL that didn’t get published anywhere. All you could do was click a button to indicate the cat had been medicated, or another button to delete the latest entry. That was plenty of security for that. If I was writing a banking app, I’d use a bit more.
So yes, in the same way as that, hosting something you use to chat with friends about whatever is one thing; trying to communicate secretly from a country where your comms might lead to being put to death is quite another. And in the latter case, it’s important to know that no matter what you use, unless you wrote it or read all the source code, you are trusting others with your life. Perhaps you feel comfortable doing that, but you should be aware of it.
So no, this is not a discussion in bad faith at all, it is valuable on multiple levels.
No need for that when self hosted open source projects exist
But again, you either read the source to confirm there’s nothing nefarious, or… you trust the programmers.
Which is not a problem, but it is a choice to trust. All I’m pointing out. :)
Well yeah everything is a choice when trust is the matter, but there is a difference between choosing a community project that can be audited by different transparent parties and choosing a private company on their own servers (even on source available projects)
Best alternative?
It really depends on your needs and what people you communicate with are willing to use. A few platforms that are notable in no particular order.
SimpleX Chat is probably the gold standard right now. It uses absolutely no user IDs such as phone numbers, no usernames, no random strings of text. Instead, it creates unique, pairwise decentralized message queues for every single contact you have. Because there is no global identity, there is no metadata connecting your conversations together.
Session is a popular Signal alternative. It doesn’t require a phone number and routes your messages through an onion-routed decentralized network that’s similar to Tor. Since your IP address is hidden and messages are bounced through multiple nodes, no single server ever knows who is talking to whom, stripping away metadata.
Jami is completely decentralized, open-source platform. It uses Distributed Hash Tables to connect users directly to one another without a central server. Notably, it supports high-quality voice and video calls.
I really want simplexchat to evolve and get more features. If they ever make a lot of mod tools and the possibility to make giant servers with thousands with chatrooms like discord I could see it having mass appeal due to the ease of “signup”
yeah it definitely has some promise
Session is a security downgrade. It doesnt support forward secrecy which is hella important.
Session actually does implement a form of forward secrecy through the Session Protocol. https://getsession.org/blog/session-protocol-v2
It seems that forward secrecy is still in development from the blog you showed.
I still wouldnt use session for the reasons stated in this Soatok’s (a cryptographer) blogs. Even if they fix(ed) these problems, I have no trust for their security implementations. Why use session instead of something like Briar?
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/ https://soatok.blog/2025/01/20/session-round-2/
I’m not advocating for using Session specifically, I just listed it as a viable alternative to Signal. Given that it’s forked from Signal presumably it’s an easier switch for people who like the general mechanics of Signal and its encryption system.
Understood.
I like your analysis, and would love your thoughts on matrix(assuming you have ofc)
People keep finding significant vulnerabilities in its cryptography and the Matrix team tries to deflect or create strawmans for why it isnt actually a vuln. Soatok found a vulnerability in 2024 by just browsing the source code for tiny bit of time, and again just two weeks ago after looking for a couple hours. In both cases, Matrix then responded to his vuln report with hostility, saying it wasnt actually a vulnerability. He is sitting on another vulnerability.
Having a cleartext mode is a security downgrade and no secure messenger should support cleartext. It only barely got functional forward secrecy recently. VoIP in most Matrix clients (and servers) still use Jitsi backend which isn’t E2EE, even with the release of the newer (secure) Element call protocol. Matrix leaks tons of metadata, such as usernames, room names, emoji reactions, generate URL embedded previews. Rooms arent encrypted by default. It is also a UX nightmare and often times you cant decrypt your messages.
Matrix is not secure. You’d be better off with XMPP and OMEMO which has its own problems and isn’t secure either. Sill better than Matrix.
“sitting on a vulnerability” does this mean he’s discovered another exploit but refuses to disclose it essentially?
It is a denial of service attack. He discloses all vulnerabilities ahead of time. The only reason he released the previous one so quickly is because the Matrix team said it “wasnt a real vulnerability”.
It’s better than Signal since you don’t have to disclose any personal info, but people have pointed out some issues with federation in it. Again, it’s one of those things that may or may not matter based on your use case.
That link seems dated (Nov. 2024). If anyone finds a more current critique, pls send. I also get auto-kicked from HLC simplex group, so I’m not sure what to think of them but commando’s matrix server was amazing befored abandoned
heard SimpleX is really good, the only thing that bothers me is their vc funding model. It makes me feel a bit suspicious.
Yeah, I’m leery about anything where vcs are involved as well for obvious reasons. The tech itself does seem solid though, and it is open source. If it does start moving in a sketchy direction at least it could be forked at that point.
You mean the messenger that requires you give them your phone number to make an account? Yeah, fuck that.
I’m on dat Molly
I stopped using Telegram as soon as I learned their chats aren’t E2E encrypted unless you create a secret chat. Their advertising is so misleading. Even WhatsApp is more private than Telegram.
Why don’t we all just truly go FOSS and use matrix?
Matrix results in way more meta data and through federation those meta data could be stored jn way more places.
Besides their main developer (element messenger) are cop / military boot lickers.
Those are some examples for why you might not use it, but depending on you use case you might still prefer it over signal.
Because it’s not p2p.
I don’t understand his point about restoring your messages to a new phone. How does that prove it isn’t encrypted? Couldn’t Telegram store the encrypted data on their server, send the encrypted data back to you and then you automatically decrypt it because you have the key?
With my limited knowledge of cryptography, this is how I understand it:
The distinction to make is that the user’s password is not the encryption key - it only gives access to the key. So even if the user has the same password on a new device, there would be no way to decrypt the data without the original key.
In order to maintain full privacy, data has to be encrypted on device before sending it through any server (whether to another participant in a chat, or for backup). This means that the encryption key has to be on device.
If that key was copied over to a location not controlled by the user (e.g. Telegram server), then that location would have access to the key and can decrypt any data encrypted by that key. In the same vein, if a user loses their phone then that encryption key must be lost, so encrypted data cannot be decrypted on a new phone.
Which means that the only way that Telegram can provide the chats on a new phone (when the user has no access to the old phone) is if they have access to the encryption key and can provide it to the new phone.
From my experience with that: Telegram restored all unecrypted chats when I swapped phones without asking me for any passwort / key. I literally just confirmed my phone number and all my chats / groups / contacts appeared.
I assume you still had access to your old phone and could approve the transfer from it. If not, then your phone number is your password, which is even worse, in my opinion (it’s basically public information).
I got a one time password via SMS to confirm I am the one with access to this phone number.
That’s absurd coming from the founder of a FOSS messaging app who actively decided not to let Signal federate and rejected any other open source Signal client. Not only that, even now you can’t truly use Signal’s new “username” feature. If any of the recipients have your number stored in their phonebook, irrespective of whether you know them or not, the username goes for a toss. This was/is the problem with Telegram’s username feature. Signal knew this and still decided to go ahead with it. Not to mention never doing anything about completely removing the phone number from the account after its creation. This has been, by design, a privacy and hence safety threat, and even after the username feature was implemented, this not getting implemented is very concerning.
I’m sorry your free messaging app isn’t perfect. /s
And I always assumed that nicknames was just as much to prevent screenshots from becoming a liability.
you can’t truly use Signal’s new “username” feature. If any of the recipients have your number stored in their phonebook, irrespective of whether you know them or not, the username goes for a toss.
Hm. I haven’t interacted with a new Signal user in a while… but I do see in settings two knobs: “who can see my phone number” and “who can find me with my phone number”. Both of these settings can be set to “nobody”.
I’m guessing if I set “who can find me with my phone number” to “nobody”, then even if someone has my phone number in their contacts, they wouldn’t know I’m a Signal user?
Don’t forget not allowing you to sync historical messages between your phone and PC. Apparently somehow that’s just too complicated.
Its not about being complicated, its about dumping the whole chat history with just a few seconds of physical acceas to the device.
LEA has used this method with messangers like Whatsapp for years to quicly exfiltrade the data from a victims phone to other software.
There’s a pin. Just require the pin.
The Pin is not designed and used for such an authentication. Also can be changed at any time:
How do I manage or change my PIN?
On your phone, go to Signal Settings > Account > Change your PIN
What are you talking about?
I literally installed Signal on my Linux laptop yesterday and it automatically downloaded all my messages from my phone.
Last time I did that, it would only sync new messages
What is a Moxie Marlinspike?
She’s pretty hot for a programmer.
And with a name like that she was destined for greatness.
Moxie is the guy
Hmm. Looks more like a Bill
Unlike Signal, Telegram is successful in getting people to move away from Meta’s Whatsapp.
Idk about that. Signal is the main alternative to WA in some parts of europe.
Telegram has approximately 1 billion global users. Signal only has around 100 million. Telegram is about 10x the size of Signal.
they definately installed signal and fucked afterward
Removed by mod
Telegram is used by Ukrainian armed forces for military actions, ruskie pests use it too for the same… so its probably hard to hack, as these REALLY want to see the messages of each other…
You see, these arguments are just impolite when made against the man in the post going out of his way to provide you with an experiment based on logic that you don’t need computer science knowledge to verify.
As far as I have heard, Ukrainian servicemen are forbidden to use Telegram. Ukrainian civilians do, and Ukrainian special services might do that sometimes perhaps.
Telegram had a good PR from Mr. Robot.
I predict yet another Signal-related hack within the month.
Could you maybe resfresh my memory a bit and share a few previous signal hacks? Thanks
And it will again be about someone added to the wrong group. Meaning - not a hack.
See this is why I’m reluctant to start listing them because I don’t want to get dragged into an interminable discussion about how hacks like https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html?m=1 somehow “don’t count” because it was the user’s fault, or https://support.signal.org/hc/en-us/articles/4850133017242-Twilio-Incident-What-Signal-Users-Need-to-Know doesn’t count because it didn’t include chat messages.
The irony is I very carefully chose my words when I said “Signal-related hack” instead of “Signal hack” because I knew fanbois would show up to argue that anything short of a central database leak isn’t really a hack.
It’s a thread about comparing Signal to Telegram of all things. In comparison to Signal as anything secure Telegram doesn’t exist in any quality.
At the same time Signal doesn’t have mass group chats and is not intended for that purpose.
The first link does count, it’s a valid failure from Signal devs. Humans err.
The second link does not, it’s an unofficial centralized aggregator, not from Signal devs, and the “hack” was a direct consequence of how it worked. It’s absolutely something that no sane person would use.
It’s a thread about comparing Signal to Telegram of all things
The relevance is that it’s not some unaligned security professional talking in the article, it’s literally the guy that runs Signal having a pop at his competition.
it’s literally the guy that runs Signal having a pop at his competition.
The right kind of pop, saying only the obvious and nothing more.
yet another? what dou mean?
It should be the law that any information a online service collects about it’s users should be given to the government immediately and unconditionally, then suddenly people will start really caring about how much information a service has access to.
then suddenly people will start really caring about how much information a service has access to
I sincerely doubt it. The majority of people will accept that this is just “how it is” and will move on with life. After all, they’re not doing anything wrong.
I agree, if majority of people would care, Linux PCs would be the most popular option. They care about convenience only, but not even that much. Instead of researching the best they are just ok with the advertised options. They eat what they get.
