[not_me_ever]

We don't know if telegram is secure or not.

We do know that signal is lying: - About it's code being open source - About it's protocol being open - About it's funding - About it's massive white washing campaigns in forums - About smear campaigns against and harassment of journalists who dare to look into them

We do know that signal is probably insecure if(!) - It is actually based on the original white paper - It is actually using any of the code they released ages ago

There have been major security incidents with apps using the signal protocol, e.g. WhatsApp.

Who is the one doing the astroturfing?

You might not like the facts, but that doesn't change them.

[lou1306]

> We don't know if telegram is secure or not.

I don't have anything against Telegram personally, but that sentence is by all intents and purposes equivalent to "Telegram is not secure".

Meanwhile, every person I have met at my past affiliations who did research in security was using Signal as their main IM app. Blind trust is always bad, but I don't think that crowd was using it just for cargo-culting.

[_cenw]

We definitely know Telegram is not secure, because it doesn't encrypt chats by default, and I have never seen anyone turn the encryption on.

Doesn't help the encryption is very badly designed, possibly on purpose: https://words.filippo.io/dispatches/telegram-ecdh/

[jolux]

Signal apps and server are all on GitHub and frequently updated, for what it's worth: https://github.com/signalapp/Signal-Server https://github.com/signalapp/Signal-iOS.

[not_me_ever]

And none of that code can be converted to something that is even close to the published app. They might as well just release the source code for the firmware of a fridge.

[hulitu]

Frequent updates are not a sign of security. They are more like: Move fast, break things.

[jolux]

I was responding to

> code they released ages ago

[palata]

> We don't know if telegram is secure or not.

Last time I checked, everything but the secret chats was not E2EE. So for the most part, it's effectively not secure. For the secret chats you're right, we don't know.

> signal is lying: - About it's code being open source

I compile and run Signal from the sources...

> About it's protocol being open

Are you talking about the Signal protocol here?

> We do know that signal is probably insecure if(!) - It is actually based on the original white paper

Can you elaborate on that?

[not_me_ever]

"We don't know if telegram is secure or not."

The point was: This is a discussion about Signal, not Telegram.

But by now we have gotten pretty used to deflecting every discussion about "is Signal secure" to "look behind you, a three headed monkey" or rather to "but telegram is not secure, because all Russians are stupid".

"I compile and run Signal from the sources..." Yes, so you get a messaging app that might be secure, while 99.999% of users use the one from the store which very likely comes from a completely different source.

"The original whitepaper" Just use you favourite search engine, we have been over this dozens of times by now. If you understand security I would start here: https://cs.nyu.edu/~afb383/publication/uc_signal/uc_signal.p... If not -- it probably takes 15-25 years to teach you.

Very rough, and simplified: "Double Ratchet has some very strong preconditions which have never been addressed by signal, and probably never been implemented by anybody." (Please, don't quote me on that, it's very dumbed down.)

[palata]

> "We don't know if telegram is secure or not."

I did not write that, were you answering to me?

> Yes, so you get a messaging app that might be secure

I was answering to... well to what I quoted: "signal is lying: - About it's code being open source". So it is obviously open source enough that I can compile it from sources.

> "The original whitepaper"

I did not write this either, were you answering to me? I am a little confused.

[quadhome]

What major security incidents?