• Arthur Besse@lemmy.ml
    link
    fedilink
    arrow-up
    39
    arrow-down
    6
    ·
    1 year ago

    🤔

    both require phone numbers, and both concentrate metadata in a central location (Amazon servers, in the case of signal).

    both sort of pretend to be free open source software, and sort of are but with a lot of caveats.

    telegram doesn't even have end-to-end encryption (except for some wacky not-peer-reviewed thing in 1:1 'secret chats' which are rarely used); at least signal has it beat there.

    https://simplex.chat/ is a new messenger which doesn't have any of the above problems and seems quite promising imo.

    • PropaGandalf@lemmy.world
      link
      fedilink
      arrow-up
      14
      arrow-down
      1
      ·
      1 year ago

      Hey fellow SimpleX enjoyer. It's still very early but only by spreading the word we can inform people about this great alternative!

    • randompepsi@lemmy.ml
      link
      fedilink
      arrow-up
      11
      arrow-down
      3
      ·
      1 year ago

      Telegram probably doesn’t have E2E so that people can have always active desktop sessions

      • Arthur Besse@lemmy.ml
        link
        fedilink
        arrow-up
        17
        arrow-down
        2
        ·
        edit-2
        1 year ago

        I'm not sure what exactly you mean by "always active desktop sessions" but for any definition I could imagine it is possible to do that while having e2ee. Many e2ee messengers have multi-device support nowadays.

        Telegram doesn't need to have e2ee because they've pulled some trick of becoming widely perceived as being privacy friendly despite not actually offering any e2ee in most cases, and offering only some 🤡-protocol in the few cases where they do.

        Another reason for them not to implement e2ee is that they're most likely monetizing their users content data as well as the metadata (and in more ways than just charging some types of police for access to it, which is presumably only a small fraction of their revenue).

      • Boring@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        E2ee doesn't have to be 2 devices. It can be for any amount of endpoints as long as they have the key to decrypt the data.

        For example my nextcloud instance has e2ee for my phone, computer, and tablet.

      • Arthur Besse@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        They say that they don't, and I think it is extremely likely that Signal employees are entirely sincere when they say that.

        But, even if they truly don't keep metadata, they can't actually know what their hosting provider (Amazon) is doing. And, their cryptographic "sealed sender" thing doesn't really solve the problem. If someone with the right access at Amazon really wants the Signal metadata, they can get it, and if they can, anybody who can coerce, compel, or otherwise compromise those people (or their computers) can get it too.

        One can say they're confident that the kind of adversaries they care to protect against don't have that kind of capability, but it isn't reasonable to say that Signal's no-logging policy protects metadata without adding the caveat that routing all the traffic through Amazon makes the metadata of the protocol's entire userbase available in a single place for the kind of adversaries that do.

              • Arthur Besse@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                What stops them from being able to? They could actually infer a lot of the metadata just from the encrypted network traffic, without even looking inside the VMs at their execution state. But, they can also see inside, so they can keep the kind of logs (outside the VM) which Signal [says that they] wouldn't.