• Peasley@lemmy.world
    link
    fedilink
    English
    arrow-up
    83
    arrow-down
    16
    ·
    edit-2
    3 days ago

    Nothing new here. E2E is only available in one on one chats and is disabled by default. Dont use Telegram if privacy is your main concern.

    At least it has an open-source client. Very few messaging platforms can say that, and fewer have a decent UX.

    It’s not perfect, but it’s got a good combination of features and multi-platform availability. None of the other messaging apps support all of my devices except Matrix, and Matrix doesn’t have stickers

    Edit: Signal doesn’t support all my devices but maybe someday! The network effect is also big. None of my family and friends are on Signal, but most have Telegram. A few have Matrix.

    Also Signal is a US-based company.

    Edit 2: Matrix does have stickers, i guess I’m switching

    • rottingleaf@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      11 hours ago

      E2E is only available in one on one chats and is disabled by default.

      Considering that there’s no technical problem with enabling it for all one-on-one chats, this tells a lot.

      Also no E2EE on desktops.

      I hate TG’s UX. It’s atrocious. WhatsApp is the closest to something normal, but imperfect too.

      At least it has an open-source client.

      Chromium is an open-source browser.

      OK, more specifically - what matters is that TG’s protocol is a big ugly target moving fast. So its official client with released sources is in practice the only one. There are things like libpurple plugin and some python TUI client and an emacs one, but they are all lagging behind. And I think they are all using official tdlib.

      This tells something too, that their talk about possibility of alternative clients is of the same kind as their talk about privacy.

      About the network effect - bring your family and friends to Signal one by one. Of course it won’t happen overnight.

        • sunzu2@thebrainbin.org
          link
          fedilink
          arrow-up
          17
          arrow-down
          5
          ·
          3 days ago

          They still tie it to your ID since you need the phone number.

          And we just trust them not to share your social map to NSA which they totally don’t do. Trust me bro

          • WhatAmLemmy@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            ·
            edit-2
            2 days ago

            The NSA already has your social map from Apple, Google, Facebook/whatsapp, plus a hundred other sources you’ve given access to your contacts in the past decade.

            Even if you’ve never used any of those, or given any app access to your contacts, 99% of your contacts have.

            • sunzu2@thebrainbin.org
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              2 days ago

              Data is about as good as it is current though and many people are reducing their exposure to these parasites

              A person can now pretty easily go without logging into any of these apps with a few adjustments.

              Hence why signal relationship maps will be even more valuable going forward. Hence my theory about signal…

              • rottingleaf@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                11 hours ago

                I’m not getting you.

                There’s correspondence, there’s metadata, and there’s phone-ID relationship.

                Signal still protects #1 and #2 better than #3. And the way it works, infrastructure load is much bigger than for most other messaging platforms. So it makes total sense they limit registration somehow .

                I’m not sure I remember by now what I’ve read about Signal protocol, but I think the fact of who messages whom they don’t have, so it’s not just trust.

                ~~Anyway, if you’ve read about 90s’ mixmaster servers for mail, while Signal developers don’t approve of alternative clients, there are libraries and it’s possible to make some kind of a mixmaster bot. ~~

                I’ve left this, because it’s funny as a good illustration of why they don’t want alternative clients, among other things - because I’ve described a voluntary MITM.

          • anamethatisnt@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            2
            ·
            3 days ago

            That they do, but your contacts doesn’t have to get it anymore.
            A self-hosted matrix stack built from source with matrix clients built from source with e2ee implemented that you yourself have the competence to verify the encryption and safety of would be the only secure communication I know of if you don’t want to trust a third party.

              • sugar_in_your_tea@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                3 days ago

                Doesn’t XMPP tend to use always-active sockets? I looked into switching my number to a VOIP service and considered jmp.chat, but I heard people complain about phone battery life. I’m going to test it out soon, but if I go that route, I may consider hosting my own XMPP server if it can handle both my phone (i.e. answer calls on my computer instead of phone) and regular IM.

                And Simplex is awesome, but my issue is having the same account on multiple devices. I want to be able to see and respond to messages on my work laptop, personal laptop, personal desktop, and phone, and it seems Simplex only has basic support for it. I’m still playing with it, and I may end up switching to it, but for now, the experience isn’t very user-friendly.

                • EngineerGaming@feddit.nl
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  3 days ago

                  I am very unfamiliar with jmp.chat and don’t use notifications, but from what I’ve heard - Conversations (with UnifiedPush notifications) isn’t that bad.

                  As for Simplex - a problem indeed, you effectively can’t have an account shared between devices, but I just have identical profiles on my phone and computer. Also, people have complained about it consuming battery quickly (they switch to checking for notification every set interval to save it).

                  But yeah - I think both are worth trying to see if maybe one of them fits you! They’re both super easy to host.

                  • sugar_in_your_tea@sh.itjust.works
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    arrow-down
                    1
                    ·
                    3 days ago

                    Yup. I got my SO to try out Signal as an alternative to SMS, so hopefully that works. If we can consistently use it, I’m going to nudge my other contacts (mostly my family members) to switch as well, because it’s certainly better than SMS. Signal is the most popular SMS alternative AFAICT, so it’s the safe choice.

                    That said, I installed Simplex on both my phones and connected them, and my kids had a blast sending messages to each other. I’m going to keep playing with it and probably host my own collection of nodes, but so far, the implementation details bleed through and kind of tarnish the user experience. I’ll keep messing with it though, and maybe we’ll end up using it as an in-house chat or something as a kind of Discord alternative. Or maybe I’ll host a Matrix node. We’ll see.

          • dustycups@aussie.zone
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            3 days ago

            Guess I better stick with Facebook messenger then.
            /s Does that even exist still?

          • TheRealKuni@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            1 day ago

            Why would you use iOS if you care about privacy?

            Because it’s far better for privacy than any Google-Play-Services-ridden version of Android, and sometimes in life you don’t want to have to deal with custom ROMs anymore.

            But also that’s an exceptionally dumb question, because the implication is that privacy can’t matter to people who don’t go to the same precise lengths someone else does.

      • BearOfaTime@lemm.ee
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        7
        ·
        3 days ago

        After Signal’s lie about dropping SMS support because of “engineering costs”, I really can’t believe anything else they say.

        Plus the app experience sucks, it’s no better than SMS.

        • Kusimulkku@lemm.ee
          link
          fedilink
          English
          arrow-up
          5
          ·
          3 days ago

          Wasn’t another explanation people mistakenly sending SMS and getting fucked when they meant to send a Signal message?

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          3 days ago

          it’s no better than SMS

          That’s not true, but even so, the whole point is to be an alternative to SMS. It provides that experience, so I’m happy.

      • reev@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        3
        ·
        3 days ago

        Doesn’t have unlimited storage though. It’s really nice being able to jump to any of the 15,000+ images shared with a single person dating back to like 2015 within a couple seconds. I know that’s a privacy concern but nothing comes close to telegram’s searchability and the unlimited storage.

      • Peasley@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        3
        ·
        edit-2
        2 days ago

        It’s a messaging app, it’s useless if there is nobody to message. I dont have any friends using signal yet.

        Also it doesnt work on my phone (Ubuntu touch). There used to be a community app but it’s not currently working.

        I sincerely wish them success, but it’s hard to have faith that a US-based company will actually protect your privacy. Not that Telegram does either. I dont know what information they do even collect.

        • TheTechnician27@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          arrow-down
          4
          ·
          edit-2
          3 days ago

          It’s hard to have faith that a US-based company will actually protect your privacy.

          You don’t have to, though? 1) The E2EE Signal protocol is well-audited to be robust. 2) The app itself is FOSS, and there are a lot of eyes on it. 3) The server code is FOSS. Even if they’re lying about what code they use, it doesn’t matter because it’s E2EE. 4) If you think Signal might be bait-and-switching by building from different source code, you’d be provably wrong. They have reproducible builds, so were they to actually try this, it would be like sending up a flare to the entire security community. 5) Literally every single time OWS has been subpoenaed, the only information they’ve been able to provide is extremely basic metadata like server connection times.

          You have no idea what you’re talking about, I’m sorry. There’s functionally less “trust” here than any messaging application on the planet. The network effect remark is at least valid and can be debated (although I personally have zero friends who use Telegram and at least several who use Signal). This one is just so, so wrong that it’s not even up for debate.

          • rottingleaf@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 hours ago
            1. Not just that, but also it’s small in description. If you read their papers, they are very easy to understand. I suppose that’s intentional, clarity and simplicity are among the main criteria of anything intended for security.

            2. “A lot of eyes” is overvalued. There are a lot of eyes on every nation-state in history too, you tell me how that works.

            3. It doesn’t matter because of protocol design. They’ve solved very complex problems and have not stopped doing that. E2EE is the wrong buzzword, zero-knowledge is the right one. No, I’m not remotely qualified enough to explain what that is.

            4. Still supply chain attack on clients is the most probable, but not much they can do with it. It’s similar to fearing trojans on user devices. Yes, 3-letter agencies and such most likely will do that, not bother with pressuring Signal developers. And no, there’s not much you can do to defend against a targeted attack, if it’s targeted, then you’ve already bothered people you shouldn’t have.

            5. Well, it’s not as if one could avoid that. It all lies in the area of smart contracts and distributed computing then, and see point 1, right now Signal’s protocol can be in general strokes understood by someone like me. If they make something like that, it won’t be. Everything is a compromise.

            There’s functionally less “trust” here than any messaging application on the planet.

            I think Wire and maybe Session use slightly modified Signal protocol. But Signal itself is the thing, made by people with clear vision of the whole architecture, model, which is not limited to protocols, but also to sociology, human psychology, politics. And they’ve explained literally every architectural decision of theirs in articles.

          • Peasley@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            edit-2
            3 days ago

            Thanks for the elaboration. I’m not familiar with how Signal works.

            • Thetimefarm@lemm.ee
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              1
              ·
              2 days ago

              Educating yourself on topic is a good idea BEFORE you plan on arguing about it online.

    • daniskarma@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 days ago

      Problem I have with matrix is that, afaik, does not currently support temporal or self destructing messages. Which is a big no-no for privacy conscious usage.

      • viking@infosec.pub
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 days ago

        I tried it, and it looks decent, but there wasn’t a single person I know around.

        • shortwavesurfer@lemmy.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 days ago

          I’m not surprised due to my involvement in the Monero community, at least some people I know from previous online chat rooms are there, but I don’t know anybody directly in person like from my day-to-day life that uses it.

    • r0ertel@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      3 days ago

      Can you elaborate on your last sentence? Is the US more or less trustworthy than alternatives?

      • Peasley@lemmy.world
        link
        fedilink
        English
        arrow-up
        17
        ·
        3 days ago

        Less than some. The US gov has a history of forcing US-based corporations to disclose private data regardless of their policies or the law.

        I can’t give you a good alternative though. I’m sure the same thing happens in many countries

        • EngineerGaming@feddit.nl
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          3 days ago

          A good alternative is a federated, selfhosted solution hosted in a jurisdiction unfriendly to yours.

          • dan@upvote.au
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 days ago

            If you want to self-host chat, Conduit (implementation of a Matrix server) is really nice. Much better than the official Matrix implementation (Synapse).

            • EngineerGaming@feddit.nl
              link
              fedilink
              English
              arrow-up
              2
              ·
              2 days ago

              Yes!! I hosted it, indeed much lighter on resources! Broke encrypted rooms a few times, but overall was fine. However, it lacks deletion of old media and messages, so I broke it while trying to delete big media one by one (it broke displaying of ALL media). And when I reinstalled, a reinstall just didn’t launch. So… While it is 100% on me, feels like it’s still not the optimal solution if you’re constrained on disk space.