[Markoff]

TLDR don't use Telegram and Signal as some "alternatives"

Use Matrix clients (Element, Fluffy chat) or Session, Briar (no (video)calls), Delta (no (video)calls), Jami, not recommending Threema because they can tie you through payment and it's centralized

Here simple chart to see what to use and not use (use translate feature):

https://www.messenger-matrix.de/messenger-matrix.html

[Normille]

  >Use Matrix clients (Element, Fluffy chat) or Session, Briar...

With those other clients you mention, one of the reasons your communications will remain secure is that --because so few people use them-- you'll struggle to find anyone to message, in the first place.

[Markoff]

Sure, but in that case you can just go with Whatsapp and Facebook Messenger with WA being at least E2E by default, no point even trying some "alternatives" as Signal or Telegram under pretense of security.

With Telegram I can see at least appeal in using it as news source, chat room or for bots, but what offers Signal besides hype about The Current Thing?

Signal uses centralized server with closed source (they hidden code for one year until they finally gave up when users nagged them, nobody knows what they did during that year), Signal requires your phone number, Signal doesn't allow third party apps officially and tried to push some shady crypto, I mean how many red flags you need to avoid such POS app?

[Normille]

  >With Telegram I can see at least appeal in using it as news source, chat room or for bots, but what offers Signal besides hype about The Current Thing?...

I use Telegram as a less 'facebooky' alternative to WhatsApp. Most of my friends and all my family are on it and, as a convenient messenger, it has a lot going for it; fast, 100% reliable sync across all my devices, generous file transfers, ability to quickly ping someone your location, ability to set up and subscribe to channels, etc. etc.

It also has some infuriatingly shite 'features' such as the fact that one party in a conversation can delete messages from the other party's device and [as is oft-mentioned] the fact that comms are not E2E encrypted by default. But, on the whole, I reckon it's the best all-round messenger app out there. Just so long as you're not under any illusion that your comms are in any way secure.

[wallaBBB]

With the amount of fake news being pushed through Telegram groups that are public, Telegram is by far more Facebooky than WhatsApp. Ukrainian war disinformation and crypto scams being a good example of Facebookiness on Telegram.

[Normille]

Fair point. But at least, on Telegram, you have to actively seek out such channels to join and they don't otherwise impinge on your use of the service. It's not like other social media outlets where there's a central site which endlessly shoves crap you don't want to see in your face, every time you visit.

And yes, I know that, strictly speaking 'Telegram != social media'. But, with Telegram Channels, it does kind of cross over into the 'Discordy' end of social media.

[ls15]

I think you are underestimating exponential growth:

https://news.itsfoss.com/matrix-sixty-million-users/

[Semaphor]

I think you are overestimating. I know more Jabber users than Matrix. And the overlap with people I’m in actual contact with, as opposed to people I used to study C.Sc. with, is 0 for both.

[arlort]

Matrix might become the best option, but as of now I seem to recall it having some rather serious issues, ranging from not handling metadata well to malicious homeservers possibly breaking the encryption of users on other homeservers

I might be misremembering though

[throwaway67743]

Matrix is not secure, Fluffy chat even less so than Element (but client is irrelevant it's still insecure)

[kensai]

Threema can be paid with burner Bitcoin. So I would say that Threema is fairly secure.

[Markoff]

Good luck buying bitcoin with cash. I mean it is possible, but hardly anyone does it, thus you can't really anonymously pay for Threema, you have to jump through way too many hoops to use Threema compared to other apps, which is why it's difficult to recommend it.

[cpach]

Signal is the most secure messaging app out there.

[_8j50]

It is not. Session and Matrix alone use the same protocol Signal uses without needing your phone number or google play services.

[chopin]

I run Signal just fine without Google Play Services. I am using e/OS which doesn't have it bundled.

[_8j50]

I disabled it, it complained a lot and images/media wouldn't load.

[bentley]

Install the alternative APK that doesn’t use Play Services. https://signal.org/android/apk/

[_8j50]

I believe I installed that but what I need is probably microg like the sibling comment suggests.

[chopin]

e/OS comes with MicroG as replacement.

[cpach]

You might want to read up on how Matrix works and what the spec says.

(I won’t comment on Session, I’m not familiar with the finer details there.)

[_8j50]

I don't use it these days but please enlighten me or show me the specific section you are talking about. Specifically, I was referring to libolm.

[cpach]

This is a starting point: https://nebuchadnezzar-megolm.github.io/

[_8j50]

Looks like they were addressed: https://matrix.org/blog/category/security

Glad it had nothing to do with libolm itself but how it is used/not-used. I thought they had 3rd party audits for this.

[codedokode]

Signal requires a phone number which is linked to identity and precise location.

[shapefrog]

> which is linked to identity and precise location

I live in a country with strict KYC on phone numbers - my signal account uses a phone number from a different country in the world, not associated with any person in a country I have never been to and activated in a very odd location once only before being destroyed.

If you actually care about security / privacy to the extent of hiding from state actors then it is trivial to do. If you are cosplaying as a privacy enthusiast, then different matter and we can all bang on about open-source, audits, 14 eyes, tor, monero.

[codedokode]

> activated in a very odd location once only before being destroyed.

Phone numbers are recycled so eventually it will become someone else's phone number unless you continue paying for it.

[Markoff]

I hope you bought your phone with cash in that case, since even without providing phone number it's easily indentifiable in network back to you even without SIM card through IMEI when registering to network.

[cpach]

True. That does not affect the message integrity and message confidentiality though.

So let me ask you this: What’s your threat model? Does your threat model require you to hide your location from the Five Eyes?

[codedokode]

In my opinion "secure messenger" should protect from any actor. If we start making exceptions then it cannot be called secure anymore.

Signal requires extra information that is not necessary for exchanging messages. That is at least suspicious. If you are fine with giving away your number you can just use WhatsApp or Telegram.

[cpach]

“If you are fine with giving away your number you can just use WhatsApp or Telegram.”

Those projects do not have the same high standards as Signal has. Especially not Telegram. I use Whatsapp for convenience/social reasons, but I definitely prefer Signal for the additional security. Telegram I don’t use at all.

I don’t believe it’s reasonable to throw out the baby with bath water, just because Signal requires a phone number for registration.

Protection from “any actor” would of course be nice – but do you really believe that threat model is reasonable?

Would using Session, Matrix or OMEMO protect against any actor whatsoever?

If we want to base our discussion in reality, I do believe we need to talk about threat models in more detail than “I want protection from any threat actor”.

Let’s take an example:

If I send a message to a friend I don’t want any script kiddies, ISP, cloud provider or advertising agency to be able to read it. I don’t want any passive eavesdropper to be able to read it e.g. by slurping up all traffic from my nearest IXP (i.e. dragnet surveillance). However, if Five Eyes/Mossad/MUST/FSB really wanted some intel on me, they would probably be able to retrieve it if they were willing to spend some resources. But probably not by decrypting my Signal messages. There would be other, far cheaper ways to retreive the info.

[codedokode]

Your phone number and messages can easily be leaked if there is a vulnerability in your smartphone OS or Signal app. However if you use a messenger not requiring a phone number, then attacker gets only the messages.

Also as I understand you have to give your number to your contacts to be able to chat with them. For comparison, Telegram allows adding contacts without sharing a phone number. So in Signal all contacts know your real identity and your location.

[2Gkashmiri]

as i said, the MOBILE NUMBER IS A PII and the government needs just that bit to extract you from your home and subject you to anything they deem necessary in order to silence you. this is not a fairy tale i am larping about. "sealed sender" or whatever BS tech you throw at the wall doesnt make you secure. if your number can be found out, your goose is cooked.

[cpach]

Feel free to explain your threat model.

We are quite many where the threat model does not depend on hiding our phone number from the government.

[2Gkashmiri]

yeah.... let me present some material

https://gulfnews.com/world/asia/india/kashmir-lockdown-arres...

https://thenextweb.com/news/kashmirs-police-want-people-to-r... >Kashmir’s police want people to ‘register’ their WhatsApp groups

https://www.dailyexcelsior.com/police-crackdown-keypad-jehad... >Police crackdown on ‘keypad jehadis’

https://kashmirobserver.net/2022/01/11/jk-police-launches-cr... >J&K Police Launches Crackdown On People ‘Misusing’ Social Media

"misuing" means writing material that is critical to the ruling party.

https://www.greaterkashmir.com/chenab-valley/authorities-in-... here, the police simply take your name/number and pick you up from the street. open and shut case in an hour.

Why should whatsapp/facebook/twitter help them? 1. they have business interests in india and they NEED to please the government if they want to survive in india so there are no court orders or anything needed. the police have carte blanche to demand any information and for them, name/number is good enough because the data is available with them.

an example from my own home. A family member was active on twitter last year and would get into "twitter debates" and that nonsense. they would use their own name because of the websites ask for "firstname/last name" and normally people don't care about that. anyway, during one such online fight, a random opponent apparently told them "you wont listen to me so i will have police explain it to you" or something to that end. 3 days later the police comes home "enquiring" about them. we had a hard time "explaining" the situation and some money exchanged hands after which we were off the hook. "never again they said, later"...

afterwards, i did a checkup of their account and they had 2FA activated on their number which i strongly suspect was passed on to the police. again, no "evidence" but my own anecdata.

>Feel free to explain your threat model.

i am "living" this threat model so the techniques used in iran for example used by dissidents or anti-government protestors or in china by anti-ccp protestors for example, i am going through that myself and PII in any form is dangerous.

sure, lets say i don't use my real name in twitter or use 2fa and twitter gives my "ip address" or something. they would have to corelate that information with a separate demand with ISP.... not low hanging fruit as much. mobile numbers, well they have dumps and mobile numbers dont change hands a lot.

OTOH, if i use my selfhosted matrix for example, the provider, some random DMCA ignore ones would laugh at them. even if they asked for payment, i pay from crypto so what will they get? and its not like the webmaster of my own server(read me) would not give any details to any demand from even PM of india so short of blocking my server IP,what can they do?

[Gasp0de]

The only threat that comes from Signal using phone numbers is that if the police arrests someone you are communicating with, and police somehow unlocks their phone (https://xkcd.com/538/), then they can see what you and them wrote as well as your phone number and therefore know who you are. I agree that in some situations, for example anti-government activists, journalists communicating with whistleblowers or criminals, this is bad. For these situations, Signal is not the solution.

[Markoff]

ROFL

Signal uses centralized server with closed source (they hidden code for one year until they finally gave up when users nagged them, nobody knows what they did during that year), Signal requires your phone number, Signal doesn't allow third party apps officially and tried to push some shady crypto, I mean how many red flags you need to avoid such POS app?

[vore]

The Signal client has always been open source: you can inspect precisely what the client is sending to the server (if you trust the source). If you're not sending undesirable information from the client to the server, no amount of closed source-ness of the server is going to get that from you.

Signal has always been transparent about what information get sent to the server: https://signal.org/blog/private-contact-discovery/

Even if some adversary is doing some kind of correlation to glean metadata from your traffic, they are definitely doing the table stakes here to preserve privacy and not just send your information off willy-nilly.

[yieldcrv]

yes, we can transparently see that it is a failure of a solution due to having our phone number and check this out: Signal's application isn't the only participant in Signal's application we don't want having that

speaking of dense exotic matter https://en.wikipedia.org/wiki/White_dwarf

[_8j50]

Backdoors are funny that way, sometimes the client operates correctly but a weakness in implementation can be abused by the server. Not that i know or think this is happening but they do insist on that phone number at all costs which these days is more identifying than a finger print which allows targeted exploitation if the server facilitating connectivity was hostile for whatever reason.

[cpach]

“Signal doesn't allow third party apps officially”

Feel free to explain how that affects message integrity/message confidentiality in a negative way.

[rvz]

This.

As Signal is on a centralized Google Cloud instance, it can easily be shut down by the providers and that is that.

> nobody knows what they did during that year).

They (and Moxie) were too busy shoving their private cryptocurrency scam project in Signal to later get as many users using it as possible to then pump and dump the coins on exchanges.

Signal is a complete joke.

[yoavm]

The fact that it can be shut down easily has nothing to do with how secure it is. I too dislike the fact that it is centralized, and the cryptocurrency thing, but from this to say that Signal is "complete joke" - it's not just a long way, it's non-sense.

[em-bee]

deltachat now integrates nicely with jitsi and similar solutions to provide a video chat feature