Here’s what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

  • smileyhead
    link
    fedilink
    arrow-up
    108
    arrow-down
    6
    ·
    7 months ago

    Telegram: There are backdoors in Signal encryption!

    Also Telegram: not encrypted

    • dsemy@lemm.ee
      link
      fedilink
      English
      arrow-up
      23
      arrow-down
      10
      ·
      7 months ago

      Telegram secret chats are e2e encrypted though

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        40
        arrow-down
        1
        ·
        7 months ago

        Secret chats only. With their own, in-house encryption, that, if I remember correctly, the apps don’t use according to the specifications.

        Maybe I’m mixing up mtproto 1 and 2 with that second part, though.

        • dsemy@lemm.ee
          link
          fedilink
          English
          arrow-up
          5
          ·
          7 months ago

          I don’t mind in-house encryption (the Signal protocol didn’t just appear out of nowhere either), however the latter part is worrying.

          In any case, I personally don’t trust Signal or Telegram.

            • dsemy@lemm.ee
              link
              fedilink
              English
              arrow-up
              5
              ·
              7 months ago

              Molly still depends on Signal’s centralized servers.

              Best solution I know of currently is SimpleX, though Veilid (and VeilidChat by extension) also seem promising, though it might take a while for those to be usable.

              • Possibly linux@lemmy.zip
                link
                fedilink
                English
                arrow-up
                1
                ·
                7 months ago

                From a cryptographic and usability perspective Signal still has a few benefits. However Simplex is promising.

            • toastal@lemmy.ml
              link
              fedilink
              arrow-up
              3
              ·
              7 months ago

              The best is to not trust the centralized server of either of these platforms. Set up your own XMPP server & gives these the boot.

                • toastal@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  7 months ago

                  XMPP is battle-tested* and thriving*

                  I don’t think you know how many commercial use cases are relying on XMPP, nor how much the community has been working on updates. Older technologies tend to have maturity is spec but also in implementations where the servers are robust & already at the point of optimization over chasing features. We see this with how little specs it takes to run a server & have Conversation forks on Android have some of the best battery life & data plan usage in the chat space. The network is massively decentralized too… unlike Matrix where almost everyone is on Matrix.org or a server provided/hosted by Matrix.org giving them all the metadata.

                • SLfgb@feddit.nl
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  7 months ago

                  The Signal servers it connects to run proprietary or unauditable software, no?

                  • Possibly linux@lemmy.zip
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    7 months ago

                    All server side software is proprietary as you don’t control it. With that being said having a centralized design isn’t great but Signal is well known and pretty well proven.

                    There are other messagers but don’t though Signal out so quickly.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        7
        arrow-down
        2
        ·
        7 months ago

        But extremely hard to use to the point that nobody uses them. I send a secret chat to someone and they write me back in the unencrypted chat.

        It shouldn’t be possible to send anything unencrypted

        • efstajas@lemmy.world
          link
          fedilink
          arrow-up
          3
          arrow-down
          5
          ·
          edit-2
          7 months ago

          Tbf not all the chats being E2E encrypted is a UX compromise. It makes Telegram a lot nicer to use across devices and allows just accessing your messages from anywhere without needing your phone to be on. Plus no need to back up chats etc. because they’re all just on the server. As opposed to secret chats, which of course are bound to one particular device and can only be accessed from there.

          I’m all for E2E by default but I must say I actually like the idea of having a choice in this particular case.

          • delirious_owl@discuss.online
            link
            fedilink
            arrow-up
            2
            ·
            7 months ago

            There’s no reason for secret chsts to not be stored on the server and to not be synced to all your devices. We’ve had double ratchet for a while. Telegram rolling their own crypto is dumb for many reasons

            • efstajas@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              7 months ago

              Correct me if I’m wrong, but even with double ratchet, retrieving and decrypting the message history is tricky / impossible, no? Afaik signal does allow you to receive new messages on multiple “linked devices”, but a new linked device doesn’t have access to any messaging history.

                • efstajas@lemmy.world
                  link
                  fedilink
                  arrow-up
                  3
                  ·
                  7 months ago

                  From a privacy POV, sure, not trying to argue that. Just saying that Telegram does have a bunch of features like that that wouldn’t really work if all chats were always E2E encrypted, so there’s a reason that it’s opt-in. Whether it’s a good one or not is up to you to decide for yourself.

                  Though I definitely think that Telegram could do a much better job explaining the trade-off, especially in a world where many major messengers are always e2e encrypted, and people somewhat expect it to be the default.

    • Fushuan [he/him]@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      It’s encrypted though?

      You are trusting their server security and them as a company, sure, but it is encrypted against the server for sure.

      It’s not as good as ir could be but that’s no reason to spread misinformation.