by eitland 1617 days ago
> The thing I'm most confused about is why Signal and Telegram are always seen as competing.

Well, this is a good question. Telegram is an all-round day-to-day messenger with channels, massive groups, broadcasts, etc. that also works as a login provider, while Signal is a research project to create a secure messenger and also something about crypto coins ;-)

Yet, while Telegram's encryption scheme has left a lot to be wished for and their communication has been arrogant:

- Signal has had more than one really bad security problem, like a remotely exploitable XSS in the desktop app and that rather long time span when Signal sometimes sent images to the wrong recipients

- Meanwhile Telegram hasn't seen such problems since they were starting out

And WhatsApp? Why it is even mentioned in a discussion about secure messaging after all the blunders they've made I don't know:

- Sending deliberately unencrypted backups to Google with the intention that Google could datamine them.

- Lately there has also been talk about "filtering content on the edges". So much for E2E-encryption when the endpoints report your content through a separate channel.

I believe in Signal and E2E-encryption, but, as I have said a number of times and a number of ways before:

There is a lot more to security than just cool algorithms and buzzwords.

All the E2E-encryption in the world doesn't save you when the service provider gets away with the abuses WhatsApp has been caught red-handed with, and no algorithm saves you when you can get remotely exploited by receiving a message.

Some might think I am extremely pro-Telegram. I have one place where I want a lot less of it:

It really scares me when I see police use it. For any kind of communication that needs to be super secure: stay far away!

4 comments

Can you keep elaborating about the abuses that WhatsApp has been caught red-handed with?

You mentioned only unencrypted OS backups (which were a major issue, but also industry standard, affecting everything but Signal which takes a severe usability hit over it, and apparently fixed https://faq.whatsapp.com/general/chats/about-end-to-end-encr...). "Filtering content on the edges" is a whole debate but not something that ever materialized.

It sounds like there's a list, what are the others?

Didn't they stop people from forwarding certain messages? https://www.nbcnews.com/tech/tech-news/whatsapp-limits-forwa...
"The Facebook-owned smartphone app said in a blog post that once a message has been forwarded from one user to another more than five times, anyone getting the message will be able to send it along to only one other person or chat group."

They can't read message contents.

And yet WhatsApp encryption has literally defeated my country's justice system. Judges demanded that the content of the messages be revealed and they didn't get what they wanted. I'll never forget that day. This was years ago before all this client-side content filtering nonsense but still.

WhatsApp is a Facebook product and obviously cannot be fully trusted. However, I'm still really happy that nearly everyone in my country is using something this secure. There's no point in having the perfect system if nobody uses it.

Here are some cases of mass 'hacking' of Telegram. The problem with Telegram is these 'hacks' give attackers access to entire Telegram chat histories, unlike E2E apps like Signal, WhatsApp, Wire etc.

[1] Brazil politicians' Telegram 'hack' of 2019

https://www.wired.com/story/brazil-hacker-bolsonaro-car-wash...

[2] Iran Telegram 'hack' of 2016

https://www.reuters.com/article/us-iran-cyber-telegram-exclu...

[3] Israeli cryptocurrency executives 'hacked' in 2020, including their Telegram

https://www.haaretz.com/israel-news/tech-news/.premium-exclu...

[4] Moxie Marlinspike of Signal app on Telegram

https://twitter.com/moxie/status/1474067549574688768

Hack is in quotes because all involve SMS interception.

> Meanwhile Telegram hasn't seen such problems since they were starting out

There is no point in even looking into Telegram's code - it is not encrypted. Why would researchers waste their time?

Encrypted one-to-one chats are not really a feature. They are rarely used since parties need to explicitly request such a session. And even then it's clunky as hell.