Telegram founder and CEO alledges signal has backdoors, they don't provide reproduceible builds, etc.

Here's what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

grid11 , (edited )

On a different note, did anyone noticed a link to discussion on privacy, referencing this post (2x) on threema blog, see post: Chat Apps, Government Ties, and Transparency ?

PD, on the other hand ...

&

Then, PD chimed in

refs to this:
--> https://lemmy.world/post/15169047

which was federated through .world but originally posted on ml.

rip rd

AsepticFuturisticFox ,
@AsepticFuturisticFox@beehaw.org avatar

The article about Maher is written by a conservative who can't accept that we can limit individual freedom to reach true collective freedom.

Also he wrote for FoxNews lol

Stop spreading propaganda please, it's just a CEO trying to shill its product

yogthos ,
@yogthos@lemmy.ml avatar

I find it weird how any discussion about Signal will inevitably have a bunch of people piling on dismissing any criticisms of it. Believing that Signal is perfect has become like a religion at this point. Whatever people might think of Telegram is completely irrelevant when it comes to the question of whether Signal is actually a secure tool or not.

The fact that people working on Signal have direct ties to US intelligence agencies cannot be ignored. No can the fact that Signal is a centralized system based in US. These two things alone should make everybody very concerned.

sexy_peach ,

Imagine using telegram... It's worse than whatsapp

anon5621 ,

Cannot agree about this.telegram have at least open clientsource code,and a lot pirated stuff u cN find in telegram channels. So if choosing between telegram and WhatsApp.Definitely Telegram.

dolle ,

Yes, sorry, but I can't take something seriously if every paragraph begins and ends with an emoji. I know it's dismissive, but all my Facebook lunatic conspiracy theory alarm bells are blaring.

rottingleaf ,

It's more normal in Russian-speaking Web.

Shouldn't trust this guy anyway, it's VK's founder talking.

Takios ,
@Takios@discuss.tchncs.de avatar

I wonder if their recent blog post promoting conspiracy theorists and right-wing people turned away more people from telegram than they expected and now they feel the need to spread FUD against their competitors.

jherazob ,
@jherazob@beehaw.org avatar

I missed this one, have a link?

Takios ,
@Takios@discuss.tchncs.de avatar

This is the blog post: https://telegram.org/blog/my-profile-and-15-more
This is a post highlighting the problematic content of the blog post: https://plush.city/@PsyChuan/112336464469767051

Though now that I'm more awake I think it's probably unrelated, I haven't seen this circulated around that much.

rottingleaf ,

1488 and other Nazi numbers are, eh, just normal jokes in Russia.

But in general yes, I think this is on purpose. Probably want some people think Telegram is kinda counterculture and more secure. It's not secure at all, of course.

NGC2346 , (edited )

I'll stick to Threema and Session, and SimpleX for those who use it. But thanks.

als ,

Let's all just be adults and start using Matrix

ChallengeApathy ,

Sounds like someone is mad that security experts would rather trust a tried-and-true encryption standard over Telegram's encryption which is known to not be anywhere near as secure as the Signal protocol.

Pavel resorting to outright slander to promote Telegram is not something I expected to see.

tetris11 ,
@tetris11@lemmy.ml avatar

he does raise very valid points about reproducible builds, which should be a priority if your product is security

Edit: oh @Wolflink below points out that such builds are available for Android, but iOS has issues stemming from Apple and not Signal. This then begs the question, why is Telegram reproducible on iOS?

rottingleaf ,

This then begs the question, why is Telegram reproducible on iOS?

Is it really.

tetris11 ,
@tetris11@lemmy.ml avatar

that's indeed what I am asking

aicse ,

You need some loops to jump through to get there. But that can be achieved for Signal as well, if you check the discussions regarding reproducible builds for Signal's iOS client, you'll see that people just decided it is not worth the hassle to push it through.

rottingleaf ,

Sounds like someone is mad that security experts would rather trust a tried-and-true encryption standard over Telegram’s encryption which is known to not be anywhere near as secure as the Signal protocol.

There's an issue in Russia with graduates of a few of the "kinda top" universities considering themselves elite, but not quite being as qualified as they think.

Durov's brother won a few programming competitions for highschoolers. Because of that apparently he should be considered something in cryptography. For people thinking like this at least.

Pavel resorting to outright slander to promote Telegram is not something I expected to see.

Why, it's very much like him.

Legend ,

There is briar . Check it out .

DaseinPickle ,

Maybe fix Telegrams privacy problems.

https://www.404media.co/this-tool-shows-some-telegram-users-approximate-physical-location/

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

I can't read it because of the paywall but IIRC (based on a similar article) that was such a nothing-burger issue.

People turned on an entirely optional (I think off by default setting) for some feature that allowed discovery of users by location ... and shocked pikachu they could be tracked or something like that.

DaseinPickle ,

It’s not nothing if Telegram makes people believe they only share their location in a limited manner, but instead broadcast it to the whole world. That’s a serious breach of trust. I don’t know why Telegram users keep making excuses for that platform.

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

I don’t know why Telegram users keep making excuses for that platform.

Honestly? Because the others are just so bad.

  • Element has an extremely clunky UX and uses Electron. The other Matrix app implementations are incomplete buggy messes.
  • Signal can't sync old messages to the desktop, uses a messy Electron interface, and lacks a bunch of features/polish I've come to expect.
  • Discord doesn't even pay lip service to privacy and uses a similarly doesn't invest in native apps.
  • Threema has been saying that cross-platform/multi-device connectivity is coming for like 2+ years and has had nothing but the most minor of unexciting features added.
  • WhatsApp is run by Meta, has a crappy desktop experience, and has had several serious security vulnerabilities.
  • Jami is ... extremely glitchy.
  • Session is basically Signal backed by a Crypto platform.

If someone took Telegram's UX and feature set and paired that with Signal's approach of "everything is encrypted", that would be a winner. I kinda hope someday Telegram just does that and moves everything to E2EE. When Telegram was launched E2EE for group chats/at scale wasn't really a thing ... now it's not nearly as novel but nobody has deployed E2EE with a feature set like Telegram's.

It’s not nothing if Telegram makes people believe they only share their location in a limited manner, but instead broadcast it to the whole world.

That's not even what happens by the way. It's just that you can spoof a device into random locations and eventually figure out where someone is.

DaseinPickle ,

I mean it’s pretty bad to practice mass surveillance.

https://mastodon.social/@alshafei/112413115927959085

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

A "toot" isn't a very persuasive piece of journalism.

I can verify that it absolutely impacts groups run by queer communities in the Gulf, because I was in one such group that was monitored and shut down by Etidal.

That claim needs a lot more investigation and context. At the very least, it needs investigated by a credible third party.

Also, do you even know what the feature you're criticizing is? A "channel"? Because it's not even really a part of the messaging portion of Telegram. It's basically an in-app blogging platform.

DaseinPickle ,

She links to a news article: https://www.saudigazette.com.sa/article/641746/SAUDI-ARABIA/Etidal-Telegram-remove-over-16-million-extremist-contents-in-early-2024

I don’t think Telegram denies doing mass surveillance. They might deny targeting queer groups and claim to only target extremist, whatever that means.

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

That news article talks nothing about targeting groups unfairly and only talks about removal of extremist activity from what's a social media platform (which is standard practice for all social media platforms). Specially that article talks about targeting "combating the online propaganda of ISIS, Hay'at Tahrir Al-Sham, and Al-Qaeda" which I believe is uncontroversial for all decent and reasonable people.

DaseinPickle ,

I’m sure the Saudis are super fair and would not dream of targeting queer people.

nix ,

What polish and features is signal missing?

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar
  • Signal can’t sync old messages to the desktop
  • Persistent voice rooms
  • Custom emoji
  • Animated emoji
  • Location sharing
  • Chat folders
  • Topics/rooms for larger group chats
  • Support for larger group chats
  • Quoted replies (i.e., quote part of a reply or create an arbitrary quote block)
  • Code snippets
  • Message forwarding
  • Polls
  • Animations in the UI
  • Detailed custom theming
  • Chat room theming
  • A content index (e.g., view only the files, links, videos, etc that were sent in this chat)
  • Group invite links to people you don't have in your contacts
  • Channels (i.e., micro-ish blogging)
  • A nice bot API
  • Subjective UI/UX changes to put things in more reasonable places (e.g, why can't I right click on a chat to pin it in the desktop client, why is the Electron menu bar shown by default)

And probably several other things I've forgotten because ... basically nobody I know is still using Signal.

nix ,

Thanks for the detailed reply. Signal does have location sharing and invite links, FWIW.

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

Signal's location share AFAIK can't be a live location share (which is useful during events like amusement park trips and stuff)

They have invite links to group chats? I don't know how that would work

Tehdastehdas ,
@Tehdastehdas@lemmy.world avatar
  • Telegram allows everyone in a chat to delete messages by anyone from anyone without a trace, making gaslighting easy.
    "I told you so!" - "No you didn't!" - (mutual distrust forever)
user ,

Skill issue. Get real friends who don't do this shit.

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

If that's your bar for gaslighting I hate to tell you I can just edit my messages all over the place to say things that were never said.

jaypatelani ,
@jaypatelani@lemmy.ml avatar

Also Simplex.chat

01189998819991197253 ,
@01189998819991197253@infosec.pub avatar

Here ya go.

WolfLink ,

Go read the GitHub issue. The main difficulty in implementing reproducible builds is the code signing Apple requires as well as other tweaks Apple makes to modify the binary from what the dev submits to what gets downloaded from the App Store. Note that Android already has reproducible builds. Also the reason the GitHub issue was closed wasn’t “refusal” to implement the feature, they wanted to move the discussion to their forums.

tetris11 ,
@tetris11@lemmy.ml avatar

How does Telegram ensure reproducible builds for iOS? Or is Dorsey lying

Thetimefarm ,

Who knows how apple decides to do anything? There may be some really stupid arbitrary reason apple modifies signal but not telegram just because apple insists on being difficult. If you don't trust apple don't use an iPhone and just download it on android.

tetris11 ,
@tetris11@lemmy.ml avatar

that's not a fantastic answer to my question...

NotMyOldRedditName ,

You don't need a backdoor in signal to bypass its encryption.

All you need is to exploit the phone and wait for them to open or use signal.

If you think your phone is safe from the NSA or similar services, I got some bad news for you.

Greg ,
@Greg@lemmy.ca avatar

I'm 100% secure, I have Nord VPN

RGB3x3 ,

This comment sponsored by NordVPN

Greg ,
@Greg@lemmy.ca avatar

I forgot to post an affiliate link and explain how routing all your internet traffic though one company equals security

ArcaneSlime ,

routing all your internet traffic though one company

You mean my ISP which is known to monitor, censor, keep logs, and sell my info or Mullvad who hasn't been caught doing that yet?

rottingleaf ,

That works for every IM.

NotMyOldRedditName ,

It'd almost like... phones aren't secure.

rottingleaf ,

Nothing is against the attack described TBF.

Say, if I run only OpenBSD, carefully selecting non-base applications, with tightened setup and so on, the baddies may just come when I'm not at home and flash a trojan into my laptop's UEFI.

Well, it's easier with phones because these likely already have plenty of backdoors to do this remotely, available only for nation-states.

I'm starting to like the taste of this "conspiracy theorist" thing.

emergencyfood ,

All you need is to exploit the phone and wait for them to open or use signal.

Physical access is root access. But just because you can't make something NSA-proof dosen't mean you can't make it bloody difficult to break into.

NotMyOldRedditName , (edited )

There's been enough zero day remote exploits that there's bound to be more.

Pretty sure there's more than 1 about receiving an SMS and the payload rooting the phone and you not even knowing it happened. At least 1 but I think 2 or more.

Something about a malicious image also rooting a phone.

It goes on and on and phones don't always get security updates.

You can do your best, but then longer you use a given phone the higher the risk. That's why people switch out phones frequently when doing shady or important shit

AnAnonymous , (edited )

If someone really care about privacy you can use Session instead. Good luck!!

hanrahan ,
@hanrahan@slrpnk.net avatar

Sarcasm ? An Australian company, with zero constitutional protection from a 5 eyes nation? It screams honey pot

AnAnonymous ,

It's that or the CIA, your choice..

dfense ,

Try Threema...
Open source, Swiss based, audited.
As you and your data are not the product of this company, it costs 5 bucks.
Less than a Starbucks coffee, but I still have a hard time convincing my peers to switch.
(Not affiliated with Threema, just a fan)

AnAnonymous ,

Thx for the info mate 👍👍

dfense ,

You are welcome!

GroteStreet ,

With the 5 Eyes agreement, the they're one and the same.

telep ,

session doesnt have perfect forward secrecy. they removed it from signals protocol to make it more easily compatible with their onion routing/crypto network. makes it one of the easiest apps to be "backdoored" if any keys were to be compromised.

dessalines ,
@dessalines@lemmy.ml avatar

I don't care about dorsey or whatever, but a lot of privacy advocates don't consider signal secure, drew devault for example. I'm def among them, you should not trust any centralized US-hosted service.

kixik ,

I'm all for Jami, and XMPP.

tcit ,
@tcit@beehaw.org avatar

Linking to their post to say it's a little bit more complicated that "it isn't secure" https://drewdevault.com/2018/08/08/Signal.html

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • privacy@lemmy.ml
  • All magazines
    •