Telegram is the worst kind of "secure" messaging in that it gives you a false sense of security while not really being secure.
this post was submitted on 07 Feb 2025
160 points (98.2% liked)
Technology
61774 readers
3574 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
No proprietary software can truley provide secure messaging
Matrix is not proprietary. The protocol is FOSS, Synapse server is FOSS, Dendrite server is FOSS, there are FOSS clients, Element is FOSS too afaik.
Telegram is the least secure thing there is. Not only it's complete zero effort security, it's also much above zero effort to advertise itself as almost secure. Not a good combination as you know.
I currently use Telegram for my friends and family, but have reluctantly come to the conclusion that the UK Government is either reaching agreement for backdoors with messaging services, or is trying its hardest to.
Unless you start an encrypted chat, Telegram chats are not E2E.
I’m also on Element/Matrix. Before I try to get my contacts to join me on there, should I be aware of any privacy issues or is that a good place to head?
Host your own Matrix node, and then you don't have to worry about prying eyes. Realistically, instead of worrying about the protocol, worry about the content of the text. Use PGP to encrypt your own text and send it over clearnet. Who cares at that point.
Definitely host your own node! It's trivial for a server admin to add a hidden bot to every chat and while it's still E2EE, an unknown party could still have a copy and key to read it.
Really good talk from DEFCON 32 about the service "Anom" by Joseph Cox (sorry for the lack of a link, at lunch, on mobile and about to get back to work).
The biggest issue with Matrix is that the server collects ALL the metadata. If that's your server, that's fine. If thats the default matrix.org server that almost everyone uses, you might as well be using WhatsApp. Same thing goes if any of those people are conversing with people on your server, as they will store all redundant metadata on their server as well.
Signal is easier to use, more private, and faster.
Signal requires a phone number on setup.
Also, matrix has bridges, which alone make it worthwhile for me. They, of course, don't help privacy, but they are so so nice for convenience.
Matrix is definitely slow though, and a grand majority of the clients are heavy terrible buggy electron apps. There are a few good ones ( nheko and the new beeper clients ), but even they have some rough edges.
I still use matrix all the time and love it.
If max privacy was the goal I think simplex looks wonderful. No required info for sign up, no way for them to possibly collect any metadata ( because there are no identifiers sent over internet for anyone at all ), E2EE, and decentralized.
Signal requires a phone number on setup.
It is dumb and annoying and inconvenient but doesn't affect its use or privacy.
I do agree that SimpleX seems like the best chat option.
It affects its use for me definitely. I don't want to have a phone number. At all.
How do you even exist without a phone number. How do you get cellular data? Does the government not require you to have one? Your employer? What about all the services that require one?
To be clear, I have a phone number, but I do not WANT to have one. Most aspects of my life I have removed my phone number from. There are still a few services ( like signal! ) which requires one, and I cope. Cellular data is also something worth avoiding, from a privacy perspective. It is very possible to live a life where you're never very far from wifi, especially in a city. I do not currently do this, but would love to one day.
I have to wonder if you could use a burner number and just disable it after setting up your username
I think you'd have a theoretical issue if the next person who got that number also tried to set up a signal account.
You might be right. I'll have to go double check, but I don't think that you can just set up a new account with the same number without the password you set up.
I might be wrong, though.
Sure but it allows VOIP numbers. I'm using a jmp.chat number with it just fine.
Good to know!
Is the phone number required for 2fa codes or anything like that at any point ?
I got an initial verification code and haven't heard from signal since. Signal doesn't support totp or SMS 2fa. But has a pin code set along with your password. A new device that is added doesn't have access to old messages unless you have the correct seed key iirc
load more comments
(5 replies)
Signal is easier to use, more private, and faster.
Unfortunately, it's also effectively tied to Google services due to the app distribution and push notification channels used by most people on it, and (as a centralised service) is vulnerable to shutdown or network-level metadata monitoring by anyone with sufficient access at the organisation or data center, such as a government who doesn't like encrypted messaging.
You can use Molly, a fork of Signal for android. It offers an alternative for push notifications.
load more comments
(1 replies)
Uhhhh yeah, no literally none of that is true
I’ve honestly found signal better than matrix.
Matrix is just not there yet in terms of features UI etc and is less private than signal because it collects way more metadata and stuff. I know the idea of federation is cool, but Signal works better for the privacy aspect.
The downside of Signal is that it's centralized, and thus at the whim of those who run it. Structurally, it's not really different from Whatsapp or Telegram except for who owns it.
I don't think that's a fair comparison, simply because their structures are quite different. Signal is FOSS run by a 501(c)3 non-profit, whereas Whatsapp is obviously run by Meta and data mines its users; Telegram is also a nonprofit, but privacy was never their goal or mission.
They're all centralized, which I agree is a negative, but if something must be centralized, being run by a nonprofit foundation whose mission is privacy and E2EE is about the best option you could hope for in that scenario.
Like openai and proton?
We are still in a trust me bro situation... We just trust signal bro more than meta bro.
Sorta like those. Anybody that thought OpenAI was trustworthy just by virtue of being a nonprofit gets what they deserve for being so credulous, and Proton isn't directly comparable, because it's a stack of software, not just one. You would have to compare the analog of Signal, and Proton doesn't have one.
If what you really want to say is that we don't know with 100% certainty that the Signal Foundation is operating in good faith, then I agree, though they seem to have a pretty decent track record thus far.
However, that doesn't mean their software doesn't do what is expected (it's FOSS, go inspect and build it yourself), and E2EE ensures that even if they suddenly wanted or were ordered to turn anything over, the data LEOs get would be limited, if it exists at all.
We are still in a trust me bro situation... We just trust signal bro more than meta bro.
I'm not sure what you think is especially noteworthy here. It's always some level of a "trust me bro" situation. That's how the internet works. If you want to avoid trust issues, stop using the internet.
I'm using simplex :3
Interesting—I feel like I see Matrix touted as more private than Signal b/c of Signal's phone number requirement. What compromising metadata does Matrix require that Signal does not?
Sorry I’ll let someone more knowledgeable answer about metadata, but signal does allow you to set a username and hide your phone number (so people add you with username instead if f number)
I think at this point it would be funnier to just use something obviously unsecure like discord but share your public key with the other user and then send encrypted text.
I guess a vencord plugin for that wouldn't be that difficult to do
Matrix is good for private general messaging. The fact that it's decentralised means it can also withstand things like government-ordered shutdowns or back doors, since there is no central point that controls the whole network.
Two things to be aware of:
- Some non-message bits (e.g. room topic text and membership) have not yet been moved to the encrypted channel, so those could be read by the administrator of a homeserver that participates in your chat room. Since most people care primarily about keeping the message content private, this is an acceptable trade-off to get all the things that Matrix offers.
- The upcoming Matrix 2.0 features and design choices simplify the UI and fix some occasional errors. It might be worth waiting until this stuff officially lands in the client apps before bringing your contacts to Matrix, for a better experience all around.
As long as you onboard them with the ElementX/SchildichatNext(better fork of element) mobile client, their experience and setup should be fairly future proof. Its still changing and growing for sure but the most important stuff is finally working now and the new call systems is a huge improvement.
But yeah if you want zero metadata, your only choice is P2P stuff like Briar.
load more comments
(6 replies)
You may want SimpleX. You can still self-host your own server if you wish, but it doesn't have nearly the metadata issues of matrix and encryption keys are stored in a database that you back up instead of constantly breaking
Last time I tried Simplex, the desktop app was incompatible with the mobile app. Do you know whether this has been fixed?
I haven't personally tried it, but I think there's a setting in the mobile app for using it with a desktop. So I assume it is fixed, but I won't swear to it.
It works. You either have to link it with your mobile app or you use it standalone with a different user/id
There’s also Wire
E2EE and can be used as desktop or phone app interchangeably. No phone number required for signup.
Family has been using this for years now
The two encrypted messaging platforms I currently suggest are XMPP or Matrix. Both are usually fine and are decentralized. The main thing with them is to either self-host or choose a server you trust to set up an account — which applies to the Fediverse in general.
Out of curiosity, is there anything stopping you from suggesting SimpleX? How does SimpleX compare to XMPP or Matrix?
Mostly just that it's still pretty new and thus hasn't been as polished or scrutinized yet. Haven't tried it myself. For the sake of the OP's question, it may also be notable that it's a UK company.
view more: next ›