For this reason, I never even considered using Telegram. If I were an unethical intelligence service like a Russian one, I would create a messenger app (and/or social network). Based outside my jurisdiction would add to plausible deniability.
On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
dongcarl 83 days ago [-]
> On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
Signal clearly looks like a front shop to collect metadata for US intelligence services.
Their reliance on phone numbers for sign in, their release strategy, their attitude towards unofficial clients, their marketing of e2e encryption... all fits.
paulryanrogers 83 days ago [-]
Except Signal's client is open source with reproducible builds that have been audited. Their crypto is open, based on standard primitives, and has also been audited. It's also true E2E encryption with alerts on key changes.
The only weakness clear to me is the US could force them to release a compromised client. But then auditors would probably notice within weeks, or even days, and their reputation would be ruined forever.
That's a shame. Still on the whole Signal seems far ahead of Telegram. Hopefully users who need the extra security will be taught to enable that setting.
fsflover 82 days ago [-]
But is it far ahead of Matrix?
paulryanrogers 82 days ago [-]
Does Matrix default to E2E yet? With forward secrecy?
According to this, it by default implements it for batches of 100 messages or something. And for slow-paced messaging, it is quite a lot. No idea why, maybe doing it somehow else would make the already bad performance even worse.
Also, Signal forces you to use Android or iOS while knowing that "Apple and Google confirm governments spy on users through push notifications ", https://news.ycombinator.com/item?id=38555810
Matrix is the actual solution.
neobrain 83 days ago [-]
Your links are a bunch of user comments?
The push notification payloads don't contain message/sender data. Signal also runs fine without Google services, which avoids any potential problem entirely.
> The push notification payloads don't contain message/sender data.
The other metadata may be important too.
> Signal also runs fine without Google services, which avoids any potential problem entirely.
Not everybody is able to avoid Google services on their phone. I can't run it on a desktop (or GNU/Linux phone) without a connection to an Android phone.
hammyhavoc 82 days ago [-]
SIM hijacking is a thing. Telcos also control phone numbers.
I have never understood the unflinching attitude towards Signal relying on phone numbers.
Thorrez 83 days ago [-]
Do any of the founders or board members of the Signal Foundation show any indication of supporting that?
jaoane 83 days ago [-]
Are there ethical intelligence services? :P
4gotunameagain 83 days ago [-]
> an unethical intelligence service
As opposed to which ethical intelligence service that you have in mind ?
This is the bread and butter of "intelligence". Spying. Both enemies, allies & the populace.
thunspa 82 days ago [-]
I never used Telegram, but was under the impression that it's similar to Signal. However, Pavel Durov recently tried to meddle in the Romanian elections process[0] in a very bizarre, almost desperate attempt to misinform the electorate.
That impression is a testament to Pavel's ability to distort the reality. Telegram is nothing like Signal, because the overwhelming majority of traffic is not E2EE, the server has the plaintext. Even for E2EE chats (that are deliberately hidden away), the protocol is weird in a bad way.
UncleEntity 83 days ago [-]
Does anyone really believe their metadata is safe from any government... or non-government for that matter?
I mean, TFA's whole argument is the un-encrypted header portion, designed to route the message, can be used to track who the message is sent to. Oh, and some dude provides internet service to Russian governmental agencies with their ISP located in Russia.
If you're doing dodgy stuff (like political speech) you don't want the government to know about it's probably best to conduct that business offline as they are all watching you.
Not really, the auth_key_id really is simply equivalent to a TLS session ticket, used to avoid repeating the handshake every time a new connection is established: there's nothing "unencryted" about it, it's just an identifier of a previously established encrypted channel, like session tickets in TLS (and on top of that, the MTProto auth key ID is also rotated every 24 hours).
danogentili 82 days ago [-]
Note that the article employs unwarranted FUD in regards to the auth_key_id, which is fully equivalent to a TLS session ticket, used, like in TLS, to avoid repeating the handshake each time a new connection is established (and on top of that, the MTProto auth key ID is also rotated every 24 hours).
lovegrenoble 83 days ago [-]
[flagged]
vaylian 83 days ago [-]
The authors are ukrainian, or what do you mean?
lovegrenoble 83 days ago [-]
[flagged]
vaylian 83 days ago [-]
Can you explain your original statement? Why is "Ukrainian IT" all we need to know?
83 days ago [-]
msgodel 83 days ago [-]
[flagged]
Rendered at 02:27:56 GMT+0000 (UTC) with Wasmer Edge.
On another note: I wonder how many of those VPN services are actually fronts of intelligence services.
This is why we need more [MPRs](https://www.privacyguides.org/articles/2024/11/17/where-are-...)
Their reliance on phone numbers for sign in, their release strategy, their attitude towards unofficial clients, their marketing of e2e encryption... all fits.
The only weakness clear to me is the US could force them to release a compromised client. But then auditors would probably notice within weeks, or even days, and their reputation would be ruined forever.
If so great! More is better
https://discuss.privacyguides.net/t/so-can-pfs-be-enabled-in...
According to this, it by default implements it for batches of 100 messages or something. And for slow-paced messaging, it is quite a lot. No idea why, maybe doing it somehow else would make the already bad performance even worse.
Related discussion: "Why Not Signal?"
https://news.ycombinator.com/item?id=28544735
https://news.ycombinator.com/item?id=30872361
https://news.ycombinator.com/item?id=39445976
https://news.ycombinator.com/item?id=29888228
https://news.ycombinator.com/item?id=42788647
Also, Signal forces you to use Android or iOS while knowing that "Apple and Google confirm governments spy on users through push notifications ", https://news.ycombinator.com/item?id=38555810
Matrix is the actual solution.
The push notification payloads don't contain message/sender data. Signal also runs fine without Google services, which avoids any potential problem entirely.
They themselves contain the actual links and also relevant discussions. One more link: https://github.com/signalapp/Signal-Android/issues/13842
> The push notification payloads don't contain message/sender data.
The other metadata may be important too.
> Signal also runs fine without Google services, which avoids any potential problem entirely.
Not everybody is able to avoid Google services on their phone. I can't run it on a desktop (or GNU/Linux phone) without a connection to an Android phone.
I have never understood the unflinching attitude towards Signal relying on phone numbers.
As opposed to which ethical intelligence service that you have in mind ?
This is the bread and butter of "intelligence". Spying. Both enemies, allies & the populace.
[0] https://www.lemonde.fr/en/pixels/article/2025/05/23/why-is-t...
I mean, TFA's whole argument is the un-encrypted header portion, designed to route the message, can be used to track who the message is sent to. Oh, and some dude provides internet service to Russian governmental agencies with their ISP located in Russia.
If you're doing dodgy stuff (like political speech) you don't want the government to know about it's probably best to conduct that business offline as they are all watching you.