Should I sign up for Telegram? As much as I have concerns about having to use my phone number to sign up and their hand-rolled encryption, I do feel a bit of FOMO not being on it...

@norm I just finished giving a lecture on how bad its encryption is. If you care about privacy, absolutely not.

@inference @norm Which one (if any) of the messengers is considered to be secure at the moment? I signed up for Signal a while ago

@sjb @norm

The following have sound and provably secure (and reasonably private) protocols:
- Signal
- Matrix

The following also hide all metadata:
- Briar
- Session

Unless you *need* the metadata privacy, you may want to consider using messengers in the first section, because they have verification abilities to reduce the chance of a MITM.

Best one, by far, if you don't mind the phone number issue, is Signal; it's the gold standard.

@inference @norm Thanks! I saw some articles questioning certain things behind-the-scenes with Signal a few months back (can't find them now, maybe a red herring)

@sjb @norm I think you're referring to the addition of cryptocurrencies.

That's an issue of its own, but it doesn't affect the messenger use case of Signal. A lot of other protocols are based on Signal protocol, including Wire and WhatsApp.

Signal protocol gives cryptographic deniability, perfect forward secrecy via regenerating keys every message/every few messages, verifiability, and uses gold standard ciphers and authentication (AES etc), as well as using a double ratchet algorithm.

Side note: Signal is planning on switching to usernames instead of phone numbers.

@sjb @norm This software is by Cellebrite and *cannot* decrypt messages even if they are taken from your phone, unless your phone is in the unlocked state.

Signal messages are encrypted on-device.

This article has been around for a while and doesn't know what it's talking about. It's the same as saying you've broken encryption because someone left their phone unlocked and walked away.

Nothing has been broken, I assure you.

@inference @norm OK thanks that's good to know.

Yes, reading messages off the phone's screen doesn't count as breaking encryption 😀

@sjb @norm

A video on the matter:

If you do security correctly, you shouldn't have an issue.
