Been using Telegram for a long time. I don't trust it any more than I do with WhatsApp (therefore, Facebook), however it is well done and thought out, has a real desktop client with a real desktop UI toolkit and enough of my contacts are on it already, therefore it's the best compromise to me. I greatly dislike Signal's UI when I tried it out and I've read about some weird decisions lately (that "using a PIN? uploading to cloud" debacle some time ago). I also believe it shouldn't require a phone number if its focus is privacy and security. Matrix would be my go to in concept, but its userbase is even smaller. At the same time, alas, I am forced to keep using WhatsApp because "everyone" is on it, and if you aren't, you're going to miss out, be it parents school chats, work groups, less tech-savvy friends, parents..
For people that are not aware: There's a Telegram FOSS [1] fork which contains all kinds of fixes; and additionally is Google Services and tracking free, which means it will run on AOSP and LineageOS without any burden of push services.
> being FOSS just in the client side, IMO changes little in comparsion with WhatsApp.
There are efforts implementing mtproto servers that are compatible with the Telegram codebase like telegramd [1] or madelineproto [2] in case you want to host your own server.
But, if decentralization is your main focus (interpreting your statement); you probably want to switch to a Matrix-based client anyways.
I like Telegram FOSS because it doesn't rely on google's infrastructure to run. That's good enough for me given I already made the questionable decision to run a chat client with a home-baked security protocol ;)
On Telegram, login on a new device and you can see your all messages automatically. On Signal, you seems to need to perform it manually, and your history will lost forever if you phone are lost or broken.
I think the first kind of "backup" is what most people would expect, because it is convenient. But to provide this convenience, it can't be full E2E, so Telegram supports secret chat when you need max security if you are willing to sacrifice convenience.
You can get the same convenience with the Signal/Whatsapp E2E type of app. All you need additionally is to keep a passphrase stored somewhere. As long as you do that you can have automatic backups that allow you to setup a new device without access to the old one and get all your history back, without losing the E2E encryption benefits by having unencrypted backups on a server somewhere. Signal UX for this is poor though.
Nothing prevents Telegram from not implementing that architecture and reading every single group message and non-secret chat. Telegram is sketchy in many ways, I wouldn't trust that easily.
Because the founder is Russian and Russophobia is very strong in the USA and Western Europe.
People find other reasons for this (“they made their own crypto”, “marketing says secure but it isn’t by default”) but the core of the argument is that Pavel Durov is Russian and he’s not trusted. If it had been Elon Musk who had created it- I have little doubt that it would be the hottest thing on the market.
I'm facing the same problems. All the people in my (real life) social circle are using WhatsApp. All of my friends are calling me crazy that I don't have Instagram, so talking about alternative messaging apps is probably not going to work. I think this is true for most people in the western culture. I value my privacy, but the struggle is to big for me.
Maybe an open-source protocol, like how e-mail works, could be a solution for this problem. That you can choose your messaging apps and that they can interfere with each other, like email clients.
There already are IM protocols. The problem is that companies prefer to create walled gardens. Even if a protocol were to take off, what usually happens is that one company leverages the protocol to gain traction, spends enough resources to build a really great user experience, and once they’ve amassed a big enough percentage of users, they toss the protocol and use something proprietary. You’d need the protocol to have at least two popular clients so that the user base is split between them. That might prevent one from dropping support for the protocol.
Thanks for your comment. I quickly searched for the IM protocols and there are plenty of open-source projects with promising functionalities.
I think that the mindset of the majority of the people is the source of this problem. Most of the people I speak to don't care about their privacy. They say that they have nothing to hide and that's a valid statement. The problem is that we don't get to choose. If someone wants to share all of their personal information it's their choice, but to not share your personal information seems almost impossible. Social standards expect that you have WhatsApp and LinkedIn and such.
I'm really shocked that people these days don't even ask for phone numbers. They ask for Instagram. I don't have it and do feel like I'm "missing out" on updates from friends. But then it reminds me how much I hated Facebook before I quit. These days my WhatsApp bio says "text me on Telegram" and usually my WhatsApp is not running on the background.
Signal requires phone number in order not to store your contact list on their servers. Instead of id's/email addresses/nicknames they are using your phone contact list. IMHO that's better for privacy.
That depends on what you want with privacy. If you'd want to chat anonymously, having to use your real phone number is a bummer. At least in my country, it's getting harder and harder to get a SIM-card that is not tied to your name.
The alternative is getting a burner SIM-card. Though, that will become harder once more prepaid providers require your ID.
Signal appear to have been making efforts to switch unique identifier to an arbitrary ID, I believe this is a move towards removing the phone number requirement. I can't say for sure.
I know their infra codebase pretty well as I've worked on it for projects unrelated to Signal/Open Whisper Systems. Unfortunately their public Github is usually ~3 months behind their running infra and often released much later than the equivalent functionality in the clients hits the public.
> Signal appear to have been making efforts to switch unique identifier to an arbitrary ID, I believe this is a move towards removing the phone number requirement. I can't say for sure.
> Our goal with PINs is to enable non-phone # based addressing. Since that will mean your Signal contacts can't live in your address book anymore, they're Signal's responsibility. Every other messenger does this by storing them in plaintext, but that's not private, so we built SVR.
Thanks for that. I had a quick look through their blog but couldn't find anything to reference.
It's been a few months since I worked with their codebase but at the time it relied on Intel SGX for the contact storage Enclave, which is now considered compromised[0]. Additionally, if you wanted to run your own, the requirements to get licensed to use the Enclave are non-trivial.
Opinions are my own, I represent no one, etc, etc.
Yeah I think that's still true. That said, as I understand it, the enclave is used as "proof" that they're running the server-side code they say they do (which should be protecting the data), not the data itself. I could definitely be wrong there though.
> Signal requires phone number in order not to store your contact list on their servers.
That does not make sense. There is no relation between 'using phone number as id' and 'storing contact list on servers'. E-mail and same other communication protocols also do not use phone numbers and do not store contact list on servers.
Yes but do they offer the same experience? Signal figured out that you probably have a list of contacts that you want to talk to. If they use mobile numbers as identifiers then they don't have to keep the contact list - it's already there on your phone. IMHO it's a good compromise.
I'm not an advocate for Signal, but I totally get this approach.
That's very reasonable then. It's not a deal breaking issue especially so moving from or compared to less trustworthy entities already having your phone number (e.g. WhatsApp), but it had left me wondering, I thought it was used in the most part for authentication.
