Signal Slams Telegram's Security (techcrunch.com)
Messaging app Signal's president Meredith Whittaker criticized rival Telegram's security on Friday, saying Telegram founder Pavel Durov is "full of s---" in his claims about Signal. "Telegram is a social media platform, it's not encrypted, it's the least secure of messaging and social media services out there," Whittaker told TechCrunch in an interview. The comments come amid a war of words between Whittaker, Durov and Twitter owner Elon Musk over the security of their respective platforms. Whittaker said Durov's amplification of claims questioning Signal's security was "incredibly reckless" and "actually harms real people."
"Play your games, but don't take them into my court," Whittaker said, accusing Durov of prioritizing being "followed by a professional photographer" over getting facts right about Signal's encryption. Signal uses end-to-end encryption by default, while Telegram only offers it for "secret chats." Whittaker said many in Ukraine and Russia use Signal for "actual serious communications" while relying on Telegram's less-secure social media features. She said the "jury is in" on the platforms' comparative security and that Signal's open source code allows experts to validate its privacy claims, which have the trust of the security community.
Re: (Score:1)
Signal will have time to comment on everyone else once their computer application doesn't constantly forget my account details requiring me to reauthenticate via my phone at which point it doesn't have access to the message I wanted to reference anyway. Complete pile of crap.
Sounds like incompetent user error.
I've been using Signal for nearly a decade. It's on my phone, and I run the desktop app. I never have that issue.
In fact, the only issue I have with Signal is that I can't run it on my goddamned non-cellular-connected tablet...because it thinks it's an Android Phone...and therefore should have a phone number associated with it...instead of allowing it to run like the desktop app where it has to be authorized from my cell phone.
Re: (Score:2)
Re: Signal, please fix your software first (Score:1)
use molly. I had the same issue
Re: (Score:3, Funny)
This is a classic PEBKAC
real takeaway... (Score:2, Insightful)
These comments are unprofessional and reflect someone with little education. It shows that these social media sites are run by thin-skinned, immature, poorly educated and selfish people. We knew that already, but now there isn't even a PR veneer to it.
Re:real takeaway... (Score:5, Informative)
Re: real takeaway... (Score:2)
I've been suspicious of Telegram's security for a while. Russia tried to ban Telegram, but after a while gave up. It makes me think they have a backdoor.
Re: (Score:2)
> It makes me think they have a backdoor.
Everything is plaintext on the Telegram server - no backdoors needed.
Re: (Score:2)
Signal has its own issues though. Lack of federation and 3rd party clients being the two biggest ones. At least you don't need a working phone number to sign up now.
The protocol is okay, but not very resilient to traffic analysis.
Re: (Score:2)
Re: (Score:2)
My point was that we need something better than either of them.
Re: (Score:2)
Nadim Kobeissi gave up on trying-to-be-easily-accessible-to-normal-users cryptocat.
Most of the talent in c
Re: (Score:2)
That is a fantastic description of the guy who runs Shitter. Bravo!
Re: (Score:2)
The real takeaway is that signal was the best end to end encrypted solution, right up until they dropped SMS support, at which point I had to stop using it. Telegram is trash garbage and everyone should shout it from the rooftops, which they are. Encryption nerds have always been rough around the edges, get used to it.
Re: (Score:2)
> ... right up until they dropped SMS support, at which point I had to stop using it.
Curious... why? And what do you use instead?
Re: (Score:2)
> they dropped SMS support, at which point I had to stop using it
Had to?
Did your boss make you?
There are so few situations in which this might be true.
Re: real takeaway... (Score:1)
Ah cool, good to see the "Well, actually," crew checking in
Re: (Score:2)
If end-to-end encryption is important to you why were you using SMS, and why in the world would you stop using Signal because it stopped supporting unencrypted messaging?
Damn,, (Score:3)
She went hard. And she's super correct about Telegram being shitty. But one gripe with Signal is how many God-damn updates they have. They seem to be pushing builds to production every time someone changes a line of code. They really take the "CD" part of CI/CD seriously. Good Lord. Are people independently checking this stuff for backdoors?
Re: (Score:2)
Re: (Score:2)
The concern he pointed out was third-party auditing of a fast-moving target.
It's a fair point; perhaps not as concerning as the prior Chairman of the Board of Signal Foundation having /deep/ Intelligence Community ties.
As far as we know Signal is secure but was that yesterday's build or Tuesday's build?
If we're suspicious and a national emergency happens and a new build comes out ... then what.
We should learn from the xz penetration.
Re: Damn,, (Score:2)
did signal stop doing reproducible builds? or are you making shit up? (honest question; for all i know, maybe it's both?)
https://signal.org/blog/reprod... [signal.org]
Re: (Score:2)
I'd rather my software not get borked because an install was forced on me. I'll update when I feel like it, if ever. It's bad enough software companies insist every update changes the UI or removes features. Having to deal with a mangled piece of software is even worse.
The first thing I do is turn off updates or, in the case of Firefox, tell it to piss off when it autistically shrieks there's a newer version available because the option to never be harassed is no longer available (see above).
Re: Damn,, (Score:3)
https://signal.org/blog/reprod... [signal.org]
though it would be hilarious if, after setting up a reproducible build system, no one bothered to actually check the build.
Re: (Score:3)
> But one gripe with Signal is how many God-damn updates they have.
Yes! But I wouldn't mind them if they didn't forcefully deprecate the previous version and halt its ability to communicate.
FWIW, I'm specifically referring to the desktop client for Linux. When a new version comes out in the middle of the day, it suddenly stops working and displays a banner saying it's outdated and must be updated in order to send messages.
If the messaging API changes in a non-backward-compatible way, then of course they would need to force updates so everyone could continue messaging (or s
security showdown (Score:1)