Here’s what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

  • swooosh@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    6 months ago

    You can verify builds on android. That’s just an iphone problem.

    Use Grapheneos if you need good security and privacy

  • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    6 months ago

    Yeah, he needs to fix his broken secret chat feature first… I think it’s broken on purpose…

    After seeing his interview with Tucker Carlson, I’m 100% sure the guy has some really dark agenda…

  • MrSoup@lemmy.zip
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    Still got server-side code closed source and by default messages are not encrypted.

    • Nate@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      Not sure if you’re referring to telegram or signal. If you’re referring to signal:

      Is it private? Can I trust it? - Signal Support

      Signal conversations are always end-to-end encrypted, which means that they can only be read or heard by your intended recipients. Privacy isn’t an optional mode — it’s just the way that Signal works. Every message, every call, every time.

      The complete source code for the Signal clients and the Signal server is available on GitHub. This enables interested parties to examine the code for security and correctness.

      • MrSoup@lemmy.zip
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        6 months ago

        Having server-side source code open can help into finding not on purpose backdoors. But yes, no can verify that’s the same exact version used by the actual servers.

        • Dark Arc@social.packetloss.gg
          link
          fedilink
          English
          arrow-up
          0
          ·
          6 months ago

          That’s fair … especially in the case of something Telegram like where the server is a major portion of the security model (for non-secret chats).

          For truly private E2EE chats though the attacks on Telegram’s lack of an open source server side (and Signal’s presence of one) is fairly meaningless. If the client E2EE is correct and you’re using a reproducible build the server, and even any MITM (man in the middle), shouldn’t matter.

      • biscuitswalrus@aussie.zone
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        6 months ago

        Telegram isn’t encrypting chats (only secret chats).

        As far as reproducible builds telegram has got instructions and caveats or excuses around builds for the same issues signal does: https://core.telegram.org/reproducible-builds#reproducible-builds-for-ios

        Both easily make Android reproducible builds. This Twitter message is a rock being thrown in a glass house, knowing most people who consume Twitter like it’s a firehose, won’t swallow the nuance of the details.

        I don’t even, not to complete lengths.

      • onlooker@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        I don’t know about reproducible builds, but Telegram has a slew of other problems. For example, they advertise that your messages are “heavily encrypted”, but this feature is restricted to secret chats which is NOT the default method of communication and they use their own weird-ass algorhythm called ProtoMT instead of one of many existing algorhythms which have been audited and verified. Not to mention you need to give them your phone number to use the app.

  • Takios@discuss.tchncs.de
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    I wonder if their recent blog post promoting conspiracy theorists and right-wing people turned away more people from telegram than they expected and now they feel the need to spread FUD against their competitors.

    • tcit@beehaw.org
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      Wait till you hear where the Tor money comes from. Funding is not a direct cause of issues.

      • FIST_FILLET@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        just learned through another reply, thank you for putting my mind more at ease brothers 🤝

    • InternetCitizen2@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      It is an eye raiser, but it is also somewhat of a red herring. Tor is a very solid privacy browser that started as a government project; not sure if they are still funded today. Nothing is ever going to be a perfect solution (cat and mouse game), but it does strike me that Telegram is more concerned about features than it is about privacy.

      • FIST_FILLET@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        oh damn, didn’t know about tor’s history either! thank you for the relief. faith restored cautiously

  • WolfLink@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    Go read the GitHub issue. The main difficulty in implementing reproducible builds is the code signing Apple requires as well as other tweaks Apple makes to modify the binary from what the dev submits to what gets downloaded from the App Store. Note that Android already has reproducible builds. Also the reason the GitHub issue was closed wasn’t “refusal” to implement the feature, they wanted to move the discussion to their forums.

      • Thetimefarm@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        Who knows how apple decides to do anything? There may be some really stupid arbitrary reason apple modifies signal but not telegram just because apple insists on being difficult. If you don’t trust apple don’t use an iPhone and just download it on android.

  • NotMyOldRedditName@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    You don’t need a backdoor in signal to bypass its encryption.

    All you need is to exploit the phone and wait for them to open or use signal.

    If you think your phone is safe from the NSA or similar services, I got some bad news for you.

    • emergencyfood@sh.itjust.works
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      All you need is to exploit the phone and wait for them to open or use signal.

      Physical access is root access. But just because you can’t make something NSA-proof dosen’t mean you can’t make it bloody difficult to break into.

      • NotMyOldRedditName@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        6 months ago

        There’s been enough zero day remote exploits that there’s bound to be more.

        Pretty sure there’s more than 1 about receiving an SMS and the payload rooting the phone and you not even knowing it happened. At least 1 but I think 2 or more.

        Something about a malicious image also rooting a phone.

        It goes on and on and phones don’t always get security updates.

        You can do your best, but then longer you use a given phone the higher the risk. That’s why people switch out phones frequently when doing shady or important shit

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      I can’t read it because of the paywall but IIRC (based on a similar article) that was such a nothing-burger issue.

      People turned on an entirely optional (I think off by default setting) for some feature that allowed discovery of users by location … and shocked pikachu they could be tracked or something like that.

      • DaseinPickle@leminal.space
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        It’s not nothing if Telegram makes people believe they only share their location in a limited manner, but instead broadcast it to the whole world. That’s a serious breach of trust. I don’t know why Telegram users keep making excuses for that platform.

        • Dark Arc@social.packetloss.gg
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          6 months ago

          I don’t know why Telegram users keep making excuses for that platform.

          Honestly? Because the others are just so bad.

          • Element has an extremely clunky UX and uses Electron. The other Matrix app implementations are incomplete buggy messes.
          • Signal can’t sync old messages to the desktop, uses a messy Electron interface, and lacks a bunch of features/polish I’ve come to expect.
          • Discord doesn’t even pay lip service to privacy and uses a similarly doesn’t invest in native apps.
          • Threema has been saying that cross-platform/multi-device connectivity is coming for like 2+ years and has had nothing but the most minor of unexciting features added.
          • WhatsApp is run by Meta, has a crappy desktop experience, and has had several serious security vulnerabilities.
          • Jami is … extremely glitchy.
          • Session is basically Signal backed by a Crypto platform.

          If someone took Telegram’s UX and feature set and paired that with Signal’s approach of “everything is encrypted”, that would be a winner. I kinda hope someday Telegram just does that and moves everything to E2EE. When Telegram was launched E2EE for group chats/at scale wasn’t really a thing … now it’s not nearly as novel but nobody has deployed E2EE with a feature set like Telegram’s.

          It’s not nothing if Telegram makes people believe they only share their location in a limited manner, but instead broadcast it to the whole world.

          That’s not even what happens by the way. It’s just that you can spoof a device into random locations and eventually figure out where someone is.

            • Dark Arc@social.packetloss.gg
              link
              fedilink
              English
              arrow-up
              0
              ·
              6 months ago
              • Signal can’t sync old messages to the desktop
              • Persistent voice rooms
              • Custom emoji
              • Animated emoji
              • Location sharing
              • Chat folders
              • Topics/rooms for larger group chats
              • Support for larger group chats
              • Quoted replies (i.e., quote part of a reply or create an arbitrary quote block)
              • Code snippets
              • Message forwarding
              • Polls
              • Animations in the UI
              • Detailed custom theming
              • Chat room theming
              • A content index (e.g., view only the files, links, videos, etc that were sent in this chat)
              • Group invite links to people you don’t have in your contacts
              • Channels (i.e., micro-ish blogging)
              • A nice bot API
              • Subjective UI/UX changes to put things in more reasonable places (e.g, why can’t I right click on a chat to pin it in the desktop client, why is the Electron menu bar shown by default)

              And probably several other things I’ve forgotten because … basically nobody I know is still using Signal.

              • nix@midwest.social
                link
                fedilink
                English
                arrow-up
                0
                ·
                6 months ago

                Thanks for the detailed reply. Signal does have location sharing and invite links, FWIW.

                • Dark Arc@social.packetloss.gg
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  6 months ago

                  Signal’s location share AFAIK can’t be a live location share (which is useful during events like amusement park trips and stuff)

                  They have invite links to group chats? I don’t know how that would work

            • Dark Arc@social.packetloss.gg
              link
              fedilink
              English
              arrow-up
              0
              ·
              6 months ago

              A “toot” isn’t a very persuasive piece of journalism.

              I can verify that it absolutely impacts groups run by queer communities in the Gulf, because I was in one such group that was monitored and shut down by Etidal.

              That claim needs a lot more investigation and context. At the very least, it needs investigated by a credible third party.

              Also, do you even know what the feature you’re criticizing is? A “channel”? Because it’s not even really a part of the messaging portion of Telegram. It’s basically an in-app blogging platform.

          • Tehdastehdas@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            6 months ago
            • Telegram allows everyone in a chat to delete messages by anyone from anyone without a trace, making gaslighting easy.

            “I told you so!” - “No you didn’t!” - (mutual distrust forever)

  • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    I find it weird how any discussion about Signal will inevitably have a bunch of people piling on dismissing any criticisms of it. Believing that Signal is perfect has become like a religion at this point. Whatever people might think of Telegram is completely irrelevant when it comes to the question of whether Signal is actually a secure tool or not.

    The fact that people working on Signal have direct ties to US intelligence agencies cannot be ignored. No can the fact that Signal is a centralized system based in US. These two things alone should make everybody very concerned.

    • rollerbang@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      Isn’t it that Telegram doesn’t claim to be super secure, apart from possibly their encryption on mobile?

      This doesn’t prevent them from uncovering other possible plots in supposedly secure platforms.

  • rivvvver@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    6 months ago

    arent telegram chats unencrypted by default?

    An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media

    source?? (i bet this ends up being a “they had full access to my unlocked phone” situation again)

    also the whole thing abt US funded encryption is the same bullshit argument ppl use against Tor all the time. it doesnt mean shit.

    this just reads like someone desperately trying to get more market share by spreading FUD

    • rdri@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      arent telegram chats unencrypted by default?

      Encryption is always there. Problem is, some people refer to anything “not e2e encrypted” as “unencrypted” for some reason.

      • Fushuan [he/him]@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        6 months ago

        And it infuriates me to no end. It’s one thing to trust them and their servers and it’s another thing altogether to send actual plaintext data around the net, that’s crazy and it’s what people are implying.

        For the record, until WhatsApp implemented e2e their messages were indeed fucking plaintext, and it took a while before they were pressured into e2e. It helps for them that their platform is very mobile based vs telegram, where the service is more server based. Telegram did have enough time to implement a server based e2e 0 knowledge encryption protocol though, it’s not really rocket science at this point.

        • rdri@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          6 months ago

          Telegram did have enough time to implement a server based e2e 0 knowledge encryption protocol though, it’s not really rocket science at this point.

          What do you mean by server based e2e? From what I get, most people’s complain is that Telegram doesn’t support e2e in group chats, and that is what seems to be close to rocket science in my opinion. Also Telegram is historically filled with ever growing group chats, which means quite serious implications for server requirements from what I understand.

          • Fushuan [he/him]@lemm.ee
            link
            fedilink
            English
            arrow-up
            0
            ·
            6 months ago

            Tegram stores all the conversation in their servers, since you don’t need to be connected in the phone or have the phone witchednon if you want to chat in the pc, or in another phone. This means that the authority is the server. WhatsApp it’s not like that, if you delete a shared photo after a while it will be cached out and you will lost access to it, meaning that they don’t store that stuff. The same thing happens with WhatsApp desktop or web, they stay in an infinite loading icon until you twitch on the phone or sometimes even unlock it.

            This means that whatever telegram develops must not only keep the group chat encrypted in the server, but any valid client of a user must be able to decipher the content, so every client must somehow have the key to unlock the content. One way of doing it would be for every client of a single user to generate keys (which I’m sure they already do) and reform a key exchange between them, to share that way a single shared key, which is what identifies your account. Then toy could use that shared key to decipher the group chat shared key which telegram can store on their server or do whatever is done in those cases, I’m not that well versed.

            The problem here lies in what happens when you delete and/or logout of all the accounts, currently you can login into the server again, because telegram has all the info required, but if they store the “shared key” then it’s all moot, I guess they could store a user identifying key pair, with the private key encrypted with a password, so that it can be accessed from wherever. They should as always offer MFA and passkey alternatives to be able to identify as yourself every time you want to log into a new client, without requiring the password and so on.

            This is some roughly designed idea I just had that should theoretically work, but I’m sure that there’s more elegant ways to go about this.

            It’s work for sure to implement all of this in a secure way, provided that you have to somehow merge everything that already exists into the new encryption model, make everyone create a password and yada yada while making sure that it’s as seamless as possible for users. However, I feel like it’s been quite a while and that if they did not do it already, theybjist won’t, we either trust them with our data or search for an alternative, and sadly there’s no alternative that has all the fuzz right now.

            • rdri@lemmy.world
              link
              fedilink
              arrow-up
              0
              ·
              6 months ago

              Sorry I have a hard time understanding the gist of your text. I don’t think it’s viable to be upset about what happens with access that was already acquired previously because that very fact already poses a bigger threat (which might have more to do with the nature of conversations vs how the platform works).

              • Fushuan [he/him]@lemm.ee
                link
                fedilink
                English
                arrow-up
                0
                ·
                edit-2
                6 months ago

                I wasn’t talking about situations with compromised accounts, I was talking about legitimate accounts that were created in a typical way being converted to a zero knowledge encryption method, I was aknowledging that it’s hard doing that conversion when a user might have several clients logged on (2 phones, 6 computers…).

                My point was that if they have not put any motivation in the transition, they never will because the bigger the userbase, the harder for them to manage the transition. Also, I find that sad because they should have invested more effort in that instead of all the features we are getting, but whatever.

                If you found the technical terms confusing, public/private keys are some sort of asymmetric “passwords” used in cryptography that secure messages, and shared keys would be symmetrical passwords. The theory between key exchanges and all around those protocols are taught in introductory courses to cryptography in bachelors and masters, and I’m sorry to say that I don’t have the energy to explain more but feel free to read about the terms if you feel like it.

                If you however found it confusing because I write like crap, I’m sorry for potentially offending you with the above paragraph and I’ll blame my phone keyboard about it :)

                • rdri@lemmy.world
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  edit-2
                  6 months ago

                  No that’s not what I didn’t understand. The problem itself as you described it seems either a non-issue or something very few people (who’s already using telegram for some time) would care about. I don’t understand the scenario that would pose a problem for the user. The moment some account legitimately gains access to some chat is probably what should trouble you instead.

    • VeganCheesecake@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      https://www.spiegel.de/netzwelt/apps/telegram-gibt-nutzerdaten-an-das-bundeskriminalamt-a-0e4d3fcb-8081-4b87-b062-db412bbc294b

      Well, Telegram seems to be giving user data to the German Federal Criminal Police Office, and if they’re cooperating with the German authorities, I don’t see why I’d presume they aren’t cooperating with others as well.

      All this is actually documented, compared to those nebulous “important people”.

      • UnfortunateShort@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        6 months ago

        Tbf, they held a user vote in Germany (supposedly, although the app did ask me to vote) whether to work with them or risk to cease services. Iirc the backgrounds were extremist (terrorist?) groups operating on the platform