by dingo_bat 3243 days ago
> approach to crypto might put you off

It doesn't, any more than WhatsApp. WhatsApp says they have end-to-end encryption. Has anyone verified it independently? They say they use Signal's tech. Has anybody verified that the app doesn't just take screenshots of the screen and send them to Facebook for data mining? When your app is closed source, all claims about security and encryption are meaningless, unless some solid auditing is done.


Same could be said of Telegram. Plus, we know their encryption is not really that great because no real encryption expert will stand behind Telegram's encryption and Telegram says "Trust us" when it comes to the subject of their encryption.

Signal tech is open source, can be checked and has been checked. I am pretty sure that if WhatsApp was lying about using the Signal encryption libraries, word would have leaked out of WhatsApp by now. On top of that, I would trust Moxie 100 times more than I would the owner of Telegram.

Plus, the idea that WhatsApp is taking screenshots and sending them to Facebook is pretty silly. It would be really simple for them to have the messages copied: one going to the true receiver and one going to the Facebook servers. There is no need for elaborate spying by WhatsApp; it would be really simple for them to spy on you if they wanted to.

* I am not calling the owner of Telegram dishonest, but in the Moxie vs Pavel Durov debate, I am going with Moxie.

You are arguing that we should not blindly trust someone's assertion that a product is good. For WhatsApp we have to trust someone's assertion that things are implemented as they claim. For Telegram the e2e stuff is at least open source and directly reviewable.

I don't trust either Moxie or Pavel. At least in one instance we can trust the code.

> You are arguing that we should not blindly trust someone's assertion that a product is good.

Then we both should be using Signal since all of Signal is open source. This is what I use.

> For WhatsApp we have to trust someone's assertion that things are implemented as they claim. For telegram the e2e stuff is at least open source and directly reviewable.

Telegram still has blobs that are not released with the source code, so there is still a bit of a black box related to Telegram.

As much as I am a fan of Telegram[0], I still have to admit that I guess the WhatsApp crypto is better.

[0]: My threat model sees Facebook and snooping kids as a bigger risk to me than the NSA or FSB. It also says that if those guys come after me I've lost anyway.

> When your app is closed source, all claims about security and encryption are meaningless, unless some solid auditing is done.

That is not true; closed source does not mean you can't read the source code. Last year (and I bet it is still possible to do it today) I decompiled the APK into Java source code; I remember I did it to confirm the Telegram URL block[1]. But the point is, if it's possible to read the client source code, it should be possible to assure at least some level of security.

And yes, I always recommend WhatsApp instead of Telegram for family members because Telegram doesn't have default e2e (I feel bad every time I have to say this).

Edit: for clarification, obviously I prefer to use a fully open source end-to-end encrypted messenger.

[1]: http://www.androidpolice.com/2016/09/09/whatsapp-is-blocking...