Here’s what he said in a post on his Telegram channel:
🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷
🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕🦺
🕵️♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡
🕵️♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤
🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪
Original post: https://t.me/durov/274
Telegram: We keep you private. Now enter your phone number to sign up.
Signal does the same
I didn’t think that’s required anymore?
You still need a phone number to register an account as far as I could tell when I did the other day. You no longer need to share your number with any contacts and can set it so no one who has your number can look you up on Signal. You can optionally set a unique alphanumeric ‘username’ instead to hand to people to look you up. But yea, Signal still requires you to give them and their authentication service (through SMS code) your phone number.
Thanks for the clarification.
Np
Are there any equivalents that don’t need a phone number?
Yes, XMPP, a long-standing protocol that’s also not a walled garden, doesn’t require a phone number or even a phone. For Android I use the Conversations client combined with Dino on computers. Currently logged in to a handful of devices synchronously. You can choose what server to make an account on; conversations.im I found to be reliable. Drawback is Signal doesn’t let you bridge to it from anywhere outside of Signal. So I have accounts on both.
It is
Signal is the same in that regard.
Was
Signal still requires a phone number to use it. What they recently added is the ability to message people without needing to know their phone number.
Oh, that sucks. My bad.
That breaks anonymity, not privacy
It breaks both
Yeah, he needs to fix his broken secret chat feature first… I think it’s broken on purpose…
After seeing his interview with Tucker Carlson, I’m 100% sure the guy has some really dark agenda…
What’s broken there?
I don’t think I care what Jack Dorsey says that isn’t backed up independently. Even if he’s right I just don’t trust him.
You shouldn’t need to trust open source, it should be independently verifiable. Unfortunately that’s not possible with either Signal or Telegram, as there’s no way to tell what server code they’re running.
If encryption happens client side then it doesn’t matter.
It’s where the server is open but the client is closed that we need to worry, as is the case with Beeper
Closed source server (even open source with no verification of the code running on the server) means it’s possible the server records who you talk to, when, where and the size of the messages. This can be useful to sell to advertisers.
Closed source server or open source server, you can’t know what server they’re running.
Pavel’s whole argument here is basically the same thing for the client; “you can’t verify the build in the app store matches what’s in the source code, so you have no way of knowing it’s actually what you’re auditing.”
If the client is open, then you can check to make sure that all metadata is encrypted.
You don’t need metadata to know these things. Any server handling the traffic for the app will know these things.
Not true for all messengers
Only if the messenger is P2P, I don’t know of any popular messenger like that.
Still got server-side code closed source and by default messages are not encrypted.
Not sure if you’re referring to Telegram or Signal. If you’re referring to Signal:
Is it private? Can I trust it? - Signal Support
Signal conversations are always end-to-end encrypted, which means that they can only be read or heard by your intended recipients. Privacy isn’t an optional mode — it’s just the way that Signal works. Every message, every call, every time.
The complete source code for the Signal clients and the Signal server is available on GitHub. This enables interested parties to examine the code for security and correctness.
Reasonably sure they mean Telegram. Only secret chats are encrypted. Telegram’s chat otherwise is basically transport layer encryption.
https://www.wired.com/story/telegram-encryption-end-to-end-features/
Telegram :P
Server-side source code is a red herring. It’s meaningless, it can’t be verified.
The latter point is fair.
Having server-side source code open can help in finding not-on-purpose backdoors. But yes, no one can verify that’s the same exact version used by the actual servers.
That’s fair … especially in the case of something Telegram-like where the server is a major portion of the security model (for non-secret chats).
For truly private E2EE chats though the attacks on Telegram’s lack of an open source server side (and Signal’s presence of one) are fairly meaningless. If the client E2EE is correct and you’re using a reproducible build, the server, and even any MITM (man in the middle), shouldn’t matter.
Dorsey isn’t that the guy who fell into the anti vacation rabbit hole and backed JRFK Jr? I mean let’s be honest. If these guys are concerned then I am pretty sure it’s safe.
I logged into Telegram today to this update from Durov. It reads like a bunch of hogwash from someone who is hiding something. They are eyeing investor funding soon, right? (EDIT: eyeing an IPO https://www.techopedia.com/news/telegram-eyes-ipo-as-it-aims-to-become-profitable-in-2025) A lot of things seem to be coinciding with him slinging mud about his competitors.
well, this is concerning to hear. i had no idea signal was funded by the US state
It is an eye raiser, but it is also somewhat of a red herring. Tor is a very solid privacy browser that started as a government project; not sure if they are still funded today. Nothing is ever going to be a perfect solution (cat and mouse game), but it does strike me that Telegram is more concerned about features than it is about privacy.
oh damn, didn’t know about tor’s history either! thank you for the relief. faith restored cautiously
Wait till you hear where the Tor money comes from. Funding is not a direct cause of issues.
just learned through another reply, thank you for putting my mind more at ease brothers 🤝
Telegram: There are backdoors in Signal encryption!
Also Telegram: not encrypted
It’s encrypted though?
You are trusting their server security and them as a company, sure, but it is encrypted against the server for sure.
It’s not as good as it could be but that’s no reason to spread misinformation.
Telegram secret chats are e2e encrypted though
But for some reason they don’t develop features for e2ee like the other chats. Perhaps it’s just hard
But extremely hard to use to the point that nobody uses them. I send a secret chat to someone and they write me back in the unencrypted chat.
It shouldn’t be possible to send anything unencrypted
Tbf not all the chats being E2E encrypted is a UX compromise. It makes Telegram a lot nicer to use across devices and allows just accessing your messages from anywhere without needing your phone to be on. Plus no need to back up chats etc. because they’re all just on the server. As opposed to secret chats, which of course are bound to one particular device and can only be accessed from there.
I’m all for E2E by default but I must say I actually like the idea of having a choice in this particular case.
There’s no reason for secret chats to not be stored on the server and to not be synced to all your devices. We’ve had double ratchet for a while. Telegram rolling their own crypto is dumb for many reasons
Correct me if I’m wrong, but even with double ratchet, retrieving and decrypting the message history is tricky / impossible, no? Afaik signal does allow you to receive new messages on multiple “linked devices”, but a new linked device doesn’t have access to any messaging history.
That behavior would be a major improvement to telegram
From a privacy POV, sure, not trying to argue that. Just saying that Telegram does have a bunch of features like that that wouldn’t really work if all chats were always E2E encrypted, so there’s a reason that it’s opt-in. Whether it’s a good one or not is up to you to decide for yourself.
Though I definitely think that Telegram could do a much better job explaining the trade-off, especially in a world where many major messengers are always e2e encrypted, and people somewhat expect it to be the default.
Secret chats only. With their own, in-house encryption, that, if I remember correctly, the apps don’t use according to the specifications.
Maybe I’m mixing up mtproto 1 and 2 with that second part, though.
I don’t mind in-house encryption (the Signal protocol didn’t just appear out of nowhere either), however the latter part is worrying.
In any case, I personally don’t trust Signal or Telegram.
What do you trust? It seems like something like Molly is the best for compatibility and security.
Molly is just Signal with a different name and on more repositories
And no proprietary software or dependencies
The Signal servers it connects to run proprietary or unauditable software, no?
The best is to not trust the centralized server of either of these platforms. Set up your own XMPP server & give these the boot.
No thanks. XMPP is old and dead
XMPP is battle-tested* and thriving*
I don’t think you know how many commercial use cases are relying on XMPP, nor how much the community has been working on updates. Older technologies tend to have maturity in spec but also in implementations where the servers are robust & already at the point of optimization over chasing features. We see this with how little specs it takes to run a server & have Conversation forks on Android have some of the best battery life & data plan usage in the chat space. The network is massively decentralized too… unlike Matrix where almost everyone is on Matrix.org or a server provided/hosted by Matrix.org giving them all the metadata.
Molly still depends on Signal’s centralized servers.
Best solution I know of currently is SimpleX, though Veilid (and VeilidChat by extension) also seem promising, though it might take a while for those to be usable.
AND only available on mobile.
AND 1-on-1 chats only, no e2ee for group chats available at all.
Saw someone post that City Journal article on mastodon a couple days ago and I’m amazed that so few people picked that the City Journal and the article’s author are basically puppets of the Manhattan Institute, a conservative think tank. I know most people aren’t tuned to look out for think tank propaganda but it came off as really obviously FUD-y and unsubstantiated.
The kettle calls the pot black…
Is Telegram not providing reproducible builds?
Telegram isn’t encrypting chats (only secret chats).
As far as reproducible builds, Telegram has got instructions and caveats or excuses around builds for the same issues Signal does: https://core.telegram.org/reproducible-builds#reproducible-builds-for-ios
Both easily make Android reproducible builds. This Twitter message is a rock being thrown in a glass house, knowing most people who consume Twitter like it’s a firehose, won’t swallow the nuance of the details.
I don’t even, not to complete lengths.
I don’t know about reproducible builds, but Telegram has a slew of other problems. For example, they advertise that your messages are “heavily encrypted”, but this feature is restricted to secret chats which is NOT the default method of communication and they use their own weird-ass algorithm called ProtoMT instead of one of many existing algorithms which have been audited and verified. Not to mention you need to give them your phone number to use the app.
You don’t need a backdoor in signal to bypass its encryption.
All you need is to exploit the phone and wait for them to open or use signal.
If you think your phone is safe from the NSA or similar services, I got some bad news for you.
I’m 100% secure, I have Nord VPN
This comment sponsored by NordVPN
I forgot to post an affiliate link and explain how routing all your internet traffic though one company equals security
All you need is to exploit the phone and wait for them to open or use signal.
Physical access is root access. But just because you can’t make something NSA-proof doesn’t mean you can’t make it bloody difficult to break into.
There’s been enough zero day remote exploits that there’s bound to be more.
Pretty sure there’s more than 1 about receiving an SMS and the payload rooting the phone and you not even knowing it happened. At least 1 but I think 2 or more.
Something about a malicious image also rooting a phone.
It goes on and on and phones don’t always get security updates.
You can do your best, but the longer you use a given phone the higher the risk. That’s why people switch out phones frequently when doing shady or important shit
That works for every IM.
It’s almost like… phones aren’t secure.
This is also just a few days after Durov published Nazi dogwhistles in the latest Telegram update blog post.
mostly because he got interviewed by tucker carlson, he said he has also given interview to a liberal reporter so as to show he is neutral and everyone has right to free speech
Where’s the interview with the liberal reporter, lol?
Haven’t seen it published in his channel either
Dammit… Thank you for sharing this.
Why all the emojis? Why can’t people just write an article?
It’s like a memetic form of neoteny, “the retention of juvenile traits into adulthood.”
I’m waiting for the day when a politician responds to a motion on the floor with “bruh.”
It seems like you’re passionate about emojis
he is maybe flexing the “custom emojis” feature of telegram, see original post
Let’s all just be adults and start using Matrix
Go read the GitHub issue. The main difficulty in implementing reproducible builds is the code signing Apple requires as well as other tweaks Apple makes to modify the binary from what the dev submits to what gets downloaded from the App Store. Note that Android already has reproducible builds. Also the reason the GitHub issue was closed wasn’t “refusal” to implement the feature, they wanted to move the discussion to their forums.
How does Telegram ensure reproducible builds for iOS? Or is Dorsey lying
Who knows how Apple decides to do anything? There may be some really stupid arbitrary reason Apple modifies Signal but not Telegram just because Apple insists on being difficult. If you don’t trust Apple don’t use an iPhone and just download it on Android.
that’s not a fantastic answer to my question…