Normikoto

Should I sign up for Telegram? As much as I have concerns about having to use my phone number to sign up and their hand-rolled encryption, I do feel a bit of FOMO not being on it...

1+
inference
@norm I just finished giving a lecture on how bad its encryption is. If you care abour privacy, absolutely not.
1
Stephen Brooks 🦆
Follow

@inference @norm Which one (if any) of the messengers is considered to be secure at the moment? I signed up for Signal a while ago

· · Web · 1 · 0 · 0
inference
@sjb @norm

The following have sound and provably secure (and reasonably private) protocols:
- Signal
- Matrix
- XMPP

The following also hide all metadata:
- Briar
- Session

Unless you *need* the metadata privacy, you may want to consider using messengers in the first section, because they have verify abilities to reduce the chance of a MITM.

Best one, by far, if you don't mind the phone number issue, is Signal; it's the gold standard.
1
Stephen Brooks 🦆

@inference @norm Thanks! I saw some articles questioning certain things behind-the-scenes with Signal a few months back (can't find them now, maybe a red herring)

1
inference
@sjb @norm I think you're referring to the addition of cryptocurrencies.

That's an issue of its own, but it doesn't affect the messenger use case of Signal. A lot of other protocols are based on Signal protocol, including Wire and WhatsApp.

Signal protocol gives cryptographic deniability, perfect forward secrecy via regenerating keys every message/every few messages, verifiability, and uses gold standard ciphers and authentication (AES etc), as well as using a double ratchet algorithm.

Side note: Signal is planning on switching to usernames instead of phone numbers.
1+
Stephen Brooks 🦆

@inference @norm Sounds good. Nah it wasn't crypto, I just dug out the article that worried me:
securityaffairs.co/wordpress/1

1
inference
@sjb @norm This software is by Cellebrite and *cannot* decrypt messages even if they are taken from your phone, unless you phone is in the unlocked state.

Signal messages are encrypted on-device.

This article has been around for a while and doesn't know what it's talking about. It's the same as saying you've broken encryption because someone left their phone unlocked and walked away.

Nothing has been broken, I assure you.
1
Stephen Brooks 🦆

@inference @norm OK thanks that's good to know.

Yes, reading messages off the phone's screen doesn't count as breaking encryption 😀

1
inference
@sjb @norm

A video on the matter:
https://www.youtube.com/watch?v=GYGwd-mVwko

If you do security correctly, you shouldn't have an issue.
0
Normikoto

@[email protected] @[email protected]

Side note: Signal is planning on switching to usernames instead of phone numbers.

Awesome if they do, the phone number thin has been the biggest thing that has shied me away from Signal until now.

1
inference
@norm @sjb Yes, it's actually the most requested feature, apparently, and it's a work-in-progress.
1
inference
@norm @sjb Signal PINs were the first step in the switch, which happened in 2020. In 2021, there was talk from Signal about switching the entire process to usernames. I'm not sure how the change of CEO will affect this, but I doubt it will.

The only thing keeping me from switching to a data-only SIM and using a cheap burner feature phone for standard calls and SMS is Signal's phone number requirement.
0
Sign in to participate in the conversation
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!

Trending now

Resources

Developers

What is Mastodon?

mstdn.io

More…

v3.5.2 · Privacy policy