Telegram founder and CEO alledges signal has backdoors, they don't provide reproduceible builds, etc.

Here's what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

dolle ,

Yes, sorry, but I can't take something seriously if every paragraph begins and ends with an emoji. I know it's dismissive, but all my Facebook lunatic conspiracy theory alarm bells are blaring.

rottingleaf ,

It's more normal in Russian-speaking Web.

Shouldn't trust this guy anyway, it's VK's founder talking.

ChallengeApathy ,

Sounds like someone is mad that security experts would rather trust a tried-and-true encryption standard over Telegram's encryption which is known to not be anywhere near as secure as the Signal protocol.

Pavel resorting to outright slander to promote Telegram is not something I expected to see.

tetris11 ,
@tetris11@lemmy.ml avatar

he does raise very valid points about reproducible builds, which should be a priority if your product is security

Edit: oh @Wolflink below points out that such builds are available for Android, but iOS has issues stemming from Apple and not Signal. This then begs the question, why is Telegram reproducible on iOS?

NotMyOldRedditName ,

You don't need a backdoor in signal to bypass its encryption.

All you need is to exploit the phone and wait for them to open or use signal.

If you think your phone is safe from the NSA or similar services, I got some bad news for you.

Greg ,
@Greg@lemmy.ca avatar

I'm 100% secure, I have Nord VPN

RGB3x3 ,

This comment sponsored by NordVPN

AnAnonymous ,

If someone really care about privacy you can use Session instead. Good luck!!

hanrahan ,
@hanrahan@slrpnk.net avatar

Sarcasm ? An Australian company, with zero constitutional protection from a 5 eyes nation? It screams honey pot

dessalines ,
@dessalines@lemmy.ml avatar

I don't care about dorsey or whatever, but a lot of privacy advocates don't consider signal secure, drew devault for example. I'm def among them, you should not trust any centralized US-hosted service.

kixik ,

I'm all for Jami, and XMPP.

tcit ,
@tcit@beehaw.org avatar

Linking to their post to say it's a little bit more complicated that "it isn't secure" https://drewdevault.com/2018/08/08/Signal.html

MrSoup ,
@MrSoup@lemmy.zip avatar

Still got server-side code closed source and by default messages are not encrypted.

winterayars ,

I don't think i care what Jack Dorsey says that isn't backed up independently. Even if he's right i just don't trust him.

dessalines ,
@dessalines@lemmy.ml avatar

You shouldn't need to trust open source, it should be independently verifiable. Unfortunately that's not possible with either signal or telegram, as there's no way to tell what server code they're running.

FIST_FILLET ,

well, this is concerning to hear. i had no idea signal was funded by the US state

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

The kettle calls the pot black...

firefly ,
@firefly@neon.nightbulb.net avatar

Telegram: We keep you private. Now enter your phone number to sign up.

SLfgb ,

Signal does the same

smileyhead ,

Telegram: There are backdoors in Signal encryption!

Also Telegram: not encrypted

dsemy ,

Telegram secret chats are e2e encrypted though

ReversalHatchery ,

Secret chats only. With their own, in-house encryption, that, if I remember correctly, the apps don't use according to the specifications.

Maybe I'm mixing up mtproto 1 and 2 with that second part, though.

dsemy ,

I don't mind in-house encryption (the Signal protocol didn't just appear out of nowhere either), however the latter part is worrying.

In any case, I personally don't trust Signal or Telegram.

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

What do you trust? It seems like something like Molly is the best for compatibility and security.

toastal ,

The best is to not trust the centralized server of either of these platforms. Set up your own XMPP server & gives these the boot.

PotatoesFall ,

Okay first things first Jack Dorsey is a tool

The US government / CIA did in fact develop the protocol back in the day, with the goal of helping people in China and other countries message securely, probably with ulterior motives.

But the protocol itself is open source, and you can use it without any affiliation with the US government.

The claim " It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺" is therefore so stupid it almost invalidates everything else being said because the person writing is either an idiot or purposely misrepresenting the facts.

Not having reproducible builds is definitely weird though. Does anybody have more information on that?

darklamer ,
@darklamer@lemmy.dbzer0.com avatar

Not having reproducible builds is definitely weird though.

https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds/README.md

Sims ,

I feel hustled, bc I recommended Signal to others :-( However, ANY contact with the US elite is a clear sign of the NSA/CIA/NED propaganda/spying network. I think It is safest for everyone, to voluntarily adopt the Russian, Chinese, Iranian, etc blocklist/firewall of western big-tech propaganda and spy methods, and seek out trustworthy open source. Oc Lemmy/federation as well as any other point of contact with the commoners are valid targets for these guy's, but a minimum of defense like that seems to be the only way to keep the US Capitalist elite out of our lives.

Anyway, bye bye Signal. Gnu? Alternative ?

shrugal ,
@shrugal@lemm.ee avatar

It's hard to overstate what a nothing-burger this article really is! Let me break it down:

  • Signal got $3 million from the Open Technology Fund at some point in its development
  • Some anonymous source alleges that the OTF's ultimate goal is to promote US foreign interests
  • The current chairman of the board Katherine Maher worked at the National Democratic Institute and Wikipedia before
  • The same anonymous source says she was recruited because of connections to the OTF
  • She has at some point voiced the opinion that a completely free internet without regulation just reproduces existing power structures, and that balancing regulation and 1st amendment rights is a tough problem
  • Signal doesn't have reproducible builds on iOS (it absolutely does on Android btw)
  • Some people feel like Signal chats come up more often than they should in court cases and media reports

That's it, that's the whole story. That's the reason why the Telegram guy of all people thinks you should be careful, and better use his chat service instead, and the Twitter guy agrees.

I mean, reproducible builds on iOS would be nice, but that platform has much bigger problems from a privacy/security/sovereignty/freedom standpoint anyway. And the rest is just nothing turned up to 11.

eager_eagle ,
@eager_eagle@lemmy.world avatar

tl;dr "Signal might be untrustworthy because the tech came from a State-sponsored project and the current chairman acknowledges that Wikipedia has a white and Western bias."

just wait until they find out pretty much all tech we have can be traced back to government-funded research.

eager_eagle ,
@eager_eagle@lemmy.world avatar

Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github.

Not true. Signal has a very similar client verification process to Telegram's, described here. The lack of an iOS reproducible build is an Apple limitation / nuisance.

It’s very complicated, the 2nd jailbroken device is necessary because there’s no other way to download the .ipa, but even if you manage to do that and bit-for-bit reproduce the .ipa you downloaded from source, there’s no way to know if the App Store is sending every user the same .ipa or if your other, non-jailbroken iPhone downloaded a backdoored one.

Telegram docs even acknowledge these limitations.

Ultimately, this client verification is not the selling point Telegram's founder makes it sound like, since most messages are not E2EE and the server code is closed.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • privacy@lemmy.ml
  • test
  • worldmews
  • mews
  • All magazines
    •