zlacker

I hope one day apps like Signal will be the default for everyone, not just protesters in a time of crisis.

>>matheu+(OP)
will only happen if phone manufactures ship them by default rather than the unsecure by default ones they ship atm.

Sounds crazy when I say it outloud...

>>senect+d
iMessage is end to end encrypted by default. Perhaps not as strongly, but it's a good default to begin with.

>>RL_Qui+63
Key management is still centralized and controlled by Apple, so they can still MITM communications by messing with the key exchange.

iCloud backups (enabled by default) are not end-to-end encrypted.

So while it's technically E2E, in practice you get very little protection from it because it's broken by design.

I still use iMessage because of the user experience, but let's not be fooled by their misleading E2E claims; it's all just marketing BS.

>>Nextgr+m3
If both parties disable iCloud on their phones, does Apple have any way to read messages sent via iMessage?

>>ciaran+J3
We have no idea and there’s no real way even in principle for us to know.

>>RL_Qui+63
Whenever key management is centralized, there is basically no security from the legal authority in the jurisdiction that the messaging vendor is located in. The vendor can always push you an MITM key. They can even show you the "correct" recipient key when you physically verify but use a different one for the actual message transfer and this would be a trivial easy to obfuscate switch in the program binary.

E2E with centralized key management is primarily to protect you from casual/private threats (vendor employees, snoopers in your or your recipients network) not from legal authority.

>>matheu+(OP)
It's my default and over a few years I've pretty much converted everyone in my life except my mom

>>matheu+(OP)
The Signal app experience leaves a lot to be desired compared to Telegram or Matrix.

>>technt+O8
I was about to ask about this. Signal was comparatively annoying. Can I keep using Telegram or am I postponing the inevitable? Curious.

>>matheu+(OP)
I would ditch WhatsApp in a heartbeat if Signal had a browser client.

>>technt+O8
You get voice, video, chat, stickers, files. What more do you want?

>>enrage+q9
Not in the browser, but it does have pretty decent desktop applications for most operating systems.

>>ciaran+J3
They can still pull off an MITM attack by sending the MITM’s keys (pretending to be the other user’s keys) because they control they key exchange.

It’s an active attack and can’t apply retroactively but within these constraints they can still do it.

>>themod+Y8
As far as I am aware E2E only works on mobile and I think Mac for Telegram, although there may be third-party apps that support it. As long as you use E2E then I believe it has a lot more active users and probably has received an equal amount of security validation, so you should be fine.

>>technt+O8
Does it tho? It changed a lot during the last years and for most stuff I do with my friends (videocalls, textmessages, recorded speechmessages, pictures, videos, groupstuff, desktop app) it just works fine.

>>rubatu+t9
For Signal desktop on Linux to not require that I validate my mobile device randomly to read my encrypted messages. If it used GPG then this wouldn't be a problem.

>>enrage+q9
In my opinion Desktop Clients > Browser Clients when it comes to messengers. If you have more than ten tabs open it is annoying to always have to switch tabs or break out a window. Having a desktop application that remembers where you want to save stuff people send you is a plus too.

>>atoav+na
Just make a new browser profile for your browser client. It will have its own window, and different profiles prevent windows of the same browser from being collapsed onto each other on some platforms.

>>senect+d
WhatsApp isn't installed by default AFAIK, but it is one of the first apps installed by millions, if not billions, on their phones.

In Korea, Taiwan and Japan, LINE became the de facto IM. In China, WeChat. But ain't sure if these are usually/always preinstalled in those markets.

Cheers.

>>atoav+na
If you really like having app-like websites, you can do that in Chrome by clicking "Create Shortcut" then click the box that says "Open In Window". Voila. It behaves like a native app, and you can embed it in your Windows taskbar with a favicon and everything.

Electron isn't as safe as Chromium. Last I checked it's based off a vintage build of Chromium with some very important features like the sandbox turned off (!)

>>sfifs+l8
The Signal Foundation is based in Mountain View and both Moxie Marlinspike and Brian Acton are US nationals...

What’s stopping some US government agency from forcing them to insert code that causes the Signal app to a indicate it is behaving correctly but isn’t?

And don’t say “laws”.

If your threat model includes advanced persistent threats all bets are off.

>>AtHear+z8
Same for me as well. All my friends and family have been on it for a few years now

>>rubatu+t9
Bot API

>>themod+Y8
Is Telegram at all trustworthy?

I feel like I’ve repeatedly seen on HN that they’re not a good choice for secure messaging (though I don’t remember the specifics around it).

Signal and Matrix are the two options I’ve settled on.

[Edit]: Looks like the main issues with Telegram are that it doesn't use end to end encryption by default and that they rolled their own encryption protocol that's likely not secure. They also used to leak a ton of metadata, but from searching around it looks like they may have made improvements. Either way seems like something to avoid when there are obviously better alternatives.

>>rubatu+t9
my encrypted chats saved across multiple devices

>>goneho+7f
Telegram is not E2E per default. They claim to not turn over data to authorities but I doubt that claim. Signal on the other hand is fully end to end encrypted.

>>AtHear+z8
I convinced my parents because of full resolution images.

>>themod+Y8
I switched my friends from Telegram to Signal a few months ago and it’s been great. Probably depends on the features you use most frequently, but we switched as soon as message replies were added.

>>goneho+7f
Telegram only end-to-end encrypts "secret messages", which I assume are rarely used.

>>atoav+ba
It's been a massive battery drain for me as I have no Google services. It's a known bug. You can't really turn off that drain either in favor of getting messages later.

https://github.com/signalapp/Signal-Android/issues/6898

https://github.com/signalapp/Signal-Android/issues/9194

Other apps like Threema or Telegram might delay messages sometimes, but at least they keep my device operational. If I'm punished for opting out of Google's spying, I at least want to choose the punishment.

>>enrage+q9
I would not trust any browser-based e2ee.

>>pentae+hf
You get that on Signal. I’ve got it on my phone, laptop, and tablet and I see the chats on all of them.

Do you mean message history when setting up a new device? They are working on that, but it’s not so easy to do without storing all your chats with a server side encryption key. Apparently something coming soon though.

>>AtHear+z8
Sadly, my (65 year old) mum is the only one I managed to convince to use to Signal. All my (mid-30s) friends won't budge from WhatsApp.

>>technt+ha
What does this dialog look like? I don’t recall having seen that in my Signal desktop on Linux or Mac.

>>coolsp+Le
They’re working on support for email based accounts rather than just phone numbers. This will likely open up that possibility.

I’m looking forward to it as well as my only Telegram use case is using it as a notification service for my servers. All my chats are transitioned to Signal.

>>loyukf+ic
In Korea I think the de facto IM is Kakao, LINE is only third (after FB messager) [0][1].

[0]: https://www.statista.com/statistics/898254/south-korea-most-...

[1]: https://www.quora.com/Which-is-the-most-popular-messaging-ap...

>>ViViDb+dg
It was just release on iOS, Android has had it for a while

https://support.signal.org/hc/en-us/articles/360007062012-Ne...

>>nmfish+fg
Having 'Message me on Signal' as status message on WhatsApp and not replying to non-urgent messages from Whatsapp helped to covert some of my contacts.

>>matheu+(OP)
I don't think that's a great idea until Signal stops exposing the phone number of the user to everyone else (for all the bashing that Telegram gets on cryptography, it has mechanisms to hide one's phone number and even the fact that one has a Telegram account from others).

>>goneho+7f
Telegram's homegrown crypto has been dismissed by many people (including experts). But it offers privacy features that some other messengers do not. Is Signal trustworthy considering that it exposes your phone number to everyone else in groups? With Telegram it's possible to communicate with anyone without revealing your phone number or profile picture or anything else.

>>pentae+hf
Wire has E2E synced across devices and platforms, though its client and features lag behind Telegram (it's still better than Signal on features).

>>sails+2i
On iOS, Signal has implemented a data transfer from one device to another directly. It's of no use if one loses one's device or just hands over the old device to someone else before completing the setup of the new one (people are accustomed to setup a new device from backups in the cloud, which Signal won't support).

>>atoav+na
My opinion is the opposite, because Electron is quite heavy (which is an issue for Signal Desktop at least), and because you can't use browser containers to use multiple accounts.

>>AnonC+Xi
The phone number issue is pretty overblown since it's a clear and intentional tradeoff that allows signal to retain very little metadata (leveraging local phone contacts instead of sending your social graph to their servers like everyone else). Moxie Marlinspike is the founder/co-author of the protocol and Brian Acton put in massive funding after the FB/Whatsapp fallout - not sure you can get better than that?

They're also making moves to make the phone number requirement unnecessary. What privacy features does Telegram have? It sounds like they don't even have encryption on by default and people have also dismissed their security? Why would anyone use them?

>>AnonC+Ji
Absolutely agree. I really wish Telegram would get off the phone number system, especially after the embarrassing hack in Brazil. It's not explicitly Telegram's fault, but if your primary authentication method is insecure it's at least a little bit your fault.

Phone numbers are NOT safe. I don't know why SMS MFA is even a thing, they're worse than passwords.

When you use phone numbers or SMS for security, you are putting the fate of your entire company's security on an underpaid customer service rep at Verizon.

>>AnonC+1j
Wire sends your social graph to the cloud.

Maybe this is an okay trade-off for you, but Signal's phone number as ID requirement means they can rely on the local contacts kept on your device and keep very little metadata about you on their servers.

>>technt+O8
Telegram is THE standard in messaging apps. It's basically flawless. It's extremely fast, and it works every single time. Notifications are rock solid on every platform, it doesn't hog your battery and it feels fluid to use.

Signal, Wickr, WhatsApp and others do not have this experience. They all have drawbacks and do not feel Telegram fast.

>>enrage+q9
Will only ever happen once Signal ditches their dependency on mobile phone number.

>>atoav+ba
It doesn't do Video calls for one thing.

>>atoav+na
I trust the browser security model more than the desktop app security model

>>AnonC+Ji
Given that they're working on that, that's very likely going to be the case before we've managed to get everyone to use it

>>jhoech+gk
I don't see how the two are related? They've already got a Desktop client.

>>jhoech+kk
Signal has video calls

>>0xy+4k
It may be the standard for speed, but it's not the standard for security.

>>atoav+ba
With the exception of desktop app, I agree :).

The desktop app takes several minutes to open (at least on Linux), so I find that the only way to use it is to start it at boot and always leave it open. I'm still hoping that someone may create other clients, e.g. a Pidgin backend.

The mobile apps, on the other hand, work really well. Been using them for years now, both on Android and iOS.

>>AnonC+Ji
How is that different from WhatsApp, which is the default for everyone in a lot of places?

>>0xy+Jj
Telegram should maybe just use proper encryption first.

>>jabira+am
The desktop app situation is pretty similar for all messaging apps. I don't really know any messaging application that has good, native desktop apps. Can't really include iMessage in good faith due to the platform restrictions.

>>jhoech+gk
Doesn't whatsapp also rely on the phone number as Id? Why can they have a desktop and browser client?

>>AnonC+Ji
And don't forget centralization.

>>Hamuko+fo
Telegram desktop is great and Matrix desktop apps are definitely getting there.

>>ciaran+J3
Yes, if they add a wiretapping key to one or both of your key lists, which is silent/invisible to the sender.

>>nickik+1o
And by default.

>>bgee+vg
Thanks.

>>jabira+am
When did you last try it? Startup speed of Signal-Desktop has been much improved in recent months, like, by an order of magnitude. Maybe give it another shot.

>>AnonC+bj
"Won't support" is wrong, this is explicitly on the roadmap, they've stated that multiple times. "Doesn't currently support" would be more accurate. For the technical aspects, secure cloud backups are going to be made possible with https://signal.org/blog/secure-value-recovery/.

>>AtHear+z8
Sadly, Signal neglects user experience, and as a result people around me all tend to migrate to WhatsApp.

They don't care that they are uploading their entire contact list to Facebook — "death before inconvenience".

>>hjek+oj
There are other options than Electron. Telegram's desktop app is a big factor to why I use it.

There's one big drawback though that's relevant here, and that is that it doesn't support E2E encrypted chats, those are confined to the phone app. I guess it's a security feature, I haven't looked into it too much, but I don't think it would be that difficult to share keys locally between devices you own.

>>hjek+oj
Workaround for Signal for 2 accounts: you can use the beta version, which uses a different data folder, to use two different accounts.

Obviously that'd be better to have a configurable data folder.

>>AnonC+Xi
> Telegram's homegrown crypto has been dismissed by many people (including experts).

Only the expert's opinions are of any value IMO, and I've never seen anyone showing an attack on Telegram's encryption. Telegram themselves seem to claim that it's never broken. I often see vague criticism over the fact that they use their own protocol, but never anything more detailed than that.

https://core.telegram.org/techfaq#q-i-39m-a-security-expert-...

>>0xy+4k
Telegram by far has the best user experience, yes.

>>technt+O8
It's just a fact that Telegram has more features. Every few weeks I get a notification with a long list of features, it's a more rich experience. My main favourite thing is just that gifs show up bigger.

Muted chat, chat groups, draw on photos, stickers on photos, quiz / polls, dice rolls.

Signal does cover the basics well through (GIFs, voice messages, video, photo, replies) and it has a clean interface.

>>nickik+1o
Can someone explain to me why MtProto is not considered proper encryption? Genuinely asking, not challenging.

At least since version 2.0 it seems it's using AES encryption: https://core.telegram.org/mtproto/description

>>lorenz+9s
It opens pretty quickly for me, but almost every time it wants to be re-linked to a mobile device.

Signal is really annoying with all the things it wants me to do. Re-linking a mobile device. Re-entering a PIN/password for no reason other than to prove that I still know the password.

And when I'm finally logged in it shows me a completely useless selection of mostly obsolete contacts.

>>jwr+8v
Honestly I don't really understand this. I'm a longtime signal user who installed whatsapp recently (family group I had to join) and.. It feels more or less the same to me. Maybe it's because I haven't allowed any unnecessary permissions, but I don't see much functionality that's different. Statuses maybe?

>>Hamuko+fo
Skype has always worked for me. Unfortunately it's not secure.

>>partyb+xz
> Muted chat, chat groups, draw on photos, stickers on photos,

Signal has all of these

> quiz / polls, dice rolls.

Not these, as far as I know.

>>Abishe+Ci
Nobody gave a shit about my status to contact me elswhwere. People just open the existing conversation and never see it anyway. And most don't care, or want to switch.

Whatsapp is THE messaging standard in my country. Hell, even our politicans use it for communication. "Apping" is even used by news outlets to describe communication by Whatsapp.

We used to have SMS and MSN. Now it's either Whatsapp or Messenger. Depending only on the fact if you have the others phone number or not.

>>smiche+hB
By chat groups I mean chat folders. You can put some chats into a folder to organise them. Clearly every chat app has group chats.

>>smiche+hB
Also lacks proper fast and memory efficient desktop client, good cloud backups, settings for almost everything (traffic usage/space/visuals), programmable bots. And I'm not saying about some features that for example I use a lot, like "Channels" (Almost always for news, but with ability to offline access to linked websites). Anyway: you just have to test for yourself how comfortably fast their software is on both desktop/mobile platforms. Tho sure I like Signal very much, it's just not a product for "average human" for now.

>>Vinnl+Rk
The Desktop Client is only functional when you "pair" it to your phone client.

>>jhoech+gk
E2E in a browser client is always questionable, I doubt Signal is ever going to add one.

>>fauige+VA
I usually hear nothing but complaints about Skype.

>>sorenj+Kx
GP here. I agree. I believe there’s a stigma against Telegram. There was one security issue with the MProto version 1 several years ago, which was reported (given a bounty too, IIRC) and fixed. I don’t recall any other issue being reported after that.

>>Hamuko+0o
GP here. It’s no different from WhatsApp in this sense. But WhatsApp is even worse because it shares communication metadata with Facebook (though message content is end to end encrypted).

>>smiche+NA
I'm not using Signal as heavily as I was in the past (due to the fact that they dropped support for Chromeos), but issues that I personally was annoyed by:

- message delivery was not very reliable when your connection is poor and intermittent (think wifi in the underground between stations)

- when you need to resend a message in a group, you need to tap "retry" once for every recipient in the group

Issues that my friends complained about, justifying their non-use of Signal:

- you cannot create links to allow people to join groups (obviously this is a nonstarter, without first allowing people to be in groups pseudonymously)

>>fauige+MA
I think you need to open it at least every other month or so, otherwise it loses the pairing. I've never had to relink a desktop instance under any other circumstances.

You can turn off the PIN reminders in Settings → Privacy.

>>lorenz+BR
>You can turn off the PIN reminders in Settings → Privacy.

Ah, that's good to know. Thanks!

>>AnonC+Ji
I disagree. Telegram addresses a different issue from Signal. I see signal as a tool to message people you already know and/or trust, but you do not want a third party to be able to listen in. At the point, it doesn't matter if the other party knows my number or not.

Telegram on the other hand is better for issues like this, where large numbers of people need to communicate anonymously without prying eyes.

They're addressing the same issue for different markets. That's all it is.

>>input_+ag
Telegram secret chats allow self-destruct timers and remote retraction of messages.

>>jhoech+LF
Right, and they could do the same for the web client, so I don't see how the phone number requirement would prevent them from creating one.

>>fauige+MA
I feel like I'm constantly re-linking machines. I have 4 computers I use regularly, so it's a hassle. I can't say for sure if it's been a month since I last opened the app-- maybe a week or two, sure.

>>RL_Qui+63
Regardless of its security features it's Apple device only which is a deal breaker.

>>atoav+na
I don't know if many people here don't know about the feature, but most browsers support pinning of tabs makes this relatively easy (especially in combination with Alt+<number> for switching to tab <number> from the left-hand side): https://support.mozilla.org/en-US/kb/pinned-tabs-keep-favori...

>>lorenz+9s
Interesting, it does indeed start in seconds instead of minutes now. That’s great!

I also see that the other issues I noticed previously (high latency when typing, “compose key” not working) have now been fixed as well.

>>0xy+Jj
> especially after the embarrassing hack in Brazil

What happened?

>>jobigo+Ko
Browser WhatsApp works through a connection to the phone, and not directly to servers. If your phone is off, Web WhatsApp doesn't work.

>>jwr+8v
Signal cares so much about UX that they're starting to agitate security/privacy diehards. They've implemented features like stickers and message reactions that the diehard community calls "useless". And they recently implemented PINs with the intention of storing your encrypted profile and settings for easy recovery on a new device.

I applaud the direction they've taken. These are the kinds of features that will acquire and retain a broader user base.

>>atoav+na
our even worse if you browser is closed and you have to open it and load 30+ tabs just to send a message on signal

>>AnonC+Ji
The hardcore anarchists have been using cash burners from day 1. But I'm seeing more people in the "concerned citizen" category taking this route too.

>>whiske+Ln1
I recently stopped using Signal over the PIN thing. I do not want them to store my data on their servers, but they won't let me opt out.

>>xerxes+0A
By default its not e2e encrypted and if you want to use e2e you lose lots of capability. That is simply not acceptable in a modern messenger.

>>ViViDb+gg
It looks like a yellow notification that says you need to re-link your mobile device, and in order to do so you have to take a picture of a QR code from your mobile device.

>>nickik+RH2
Speaking as someone who regularly uses private chats, what capability?

>>matheu+ie1
Numerous Brazilian judges and politicians had their Telegrams hacked via SIM hijacking.

>>0xy+Ug3
Secret chats are tied to one single device, which may be ok for some people. The bigger disadvantage is that you cannot have group chats that are end to end encrypted. Only person to person chats are allowed as secret chats.

>>jwr+8v
Actually WhatsApp only uploads numbers. Ironically, Signal is contemplating uploading your full address book to their cloud for “easy recovery”. Which is a nightmare if they follow through with it.

>>0xy+Ug3
- Group Chat

- Multi Device

Seems to me that are some of the most useful things about modern chat.

Also, why not just use a chat app that is save by default. The whole concept of private chat is insane to me.