Hacker News

Telegram is not at all secure, the only real secure product is Signal, which is what Snowden actually recommended.



I continue harping on this point often. The usability, reliability and feature set of Signal are far behind Telegram or WhatsApp. If you want a platform that sometimes works, may be slow in delivering messages, may send false “device changed” notifications, and doesn’t allow a way to back up and restore chats (on iOS), then Signal is the one. If you don’t like any of these deficiencies, then Signal is the last thing to suggest. There’s no point using a so-called “secure messenger” if it’s going to numb users into accepting device change notifications without out-of-band verification because the app and platform are buggy enough to generate those when nothing has changed. Yes, this is anecdotal, but I don’t trust that Signal promotes security or secure messaging practices.

Instead, use Matrix (with end-to-end encryption enabled) or Wire.


Matrix is not usable as it is:

1. Bikeshedding has led to a reduction in security agility: any change will have to be implemented first in the protocol, then in the SDKs, then in the clients. This progress can take years.

2. Riot is the only client that delivers proper E2EE; the majority of clients don't feature it.

3. E2EE is still not enabled by default.

4. IRC bridges will break E2EE.

5. Decentralization does break large silos and make less tempting targets, but now you have a bunch of server admins who have personal relationships with the people whose content (when not end-to-end encrypted) and metadata (always) they have access to.

6. Riot's key management and fingerprint verification have been a nightmare. Thankfully this is about to change.

Until all of these are fixed, i.e. until all clients enforce E2EE, until the protocol design is safe enough, until client vendors are required to keep up with security, until no bridges are allowed, until fingerprints are trivial to compare, I will not, and I think no one should, use Matrix.



