Here’s what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

  • sneakyninjapants@sh.itjust.works
    1631·
    7 months ago

    Telegram’s server side software is closed source, owned and ran by them exclusively so they really have no room to talk. WhatsApp doesn’t even have OSS clients so they’re even worse in that regard

    • rollerbang@lemmy.world
      44·
      7 months ago

      Isn’t it that Telegram doesn’t claim to be super secure, apart from possibly their encryption on mobile?

      This doesn’t prevent them from uncovering other possible plots in supposedly secure platforms.

  • DaseinPickle@leminal.space
    1013·
    7 months ago

    Maybe he should focus on adding e2e encryption to the default chats and group chats instead of spreading FUD.

  • shrugal@lemm.ee
    981·
    7 months ago

    It’s hard to overstate what a nothing-burger this article really is! Let me break it down:

    • Signal got $3 million from the Open Technology Fund at some point in its development
    • Some anonymous source alleges that the OTF’s ultimate goal is to promote US foreign interests
    • The current chairman of the board Katherine Maher worked at the National Democratic Institute and Wikipedia before
    • The same anonymous source says she was recruited because of connections to the OTF
    • She has at some point voiced the opinion that a completely free internet without regulation just reproduces existing power structures, and that balancing regulation and 1st amendment rights is a tough problem
    • Signal doesn’t have reproducible builds on iOS (it absolutely does on Android btw)
    • Some people feel like Signal chats come up more often than they should in court cases and media reports

    That’s it, that’s the whole story. That’s the reason why the Telegram guy of all people thinks you should be careful, and better use his chat service instead, and the Twitter guy agrees.

    I mean, reproducible builds on iOS would be nice, but that platform has much bigger problems from a privacy/security/sovereignty/freedom standpoint anyway. And the rest is just nothing turned up to 11.

    • Eager Eagle@lemmy.worldEnglish
      501·
      7 months ago

      tl;dr “Signal might be untrustworthy because the tech came from a State-sponsored project and the current chairman acknowledges that Wikipedia has a white and Western bias.”

      just wait until they find out pretty much all tech we have can be traced back to government-funded research.

      • 9488fcea02a9@sh.itjust.works
        141·
        7 months ago

        Did you know the early early internet researchers were part of a clandestine government organization known as ARPANET??? The entire TCP/IP stack is just a state-sponsored backdoor into your life!!!

        WAKE UP SHEEPLE!!!

        • refalo@programming.dev
          7·
          7 months ago

          yea just wait until they find out why the first digital computer was made:

          ENIAC was designed by John Mauchly and J. Presper Eckert to calculate artillery firing tables for the United States Army’s Ballistic Research Laboratory (which later became a part of the Army Research Laboratory). However, its first program was a study of the feasibility of the thermonuclear weapon.

  • electric_nan@lemmy.ml
    774·
    7 months ago

    Looks like a push to discredit Signal right now. While I know Signal isn’t perfect, I do like it and I haven’t seen anything that is better (on the whole). The 3rd “emoji-point” is quite an accusation, and I would love to see any evidence of this kind of thing, that didn’t result from the cops unlocking a defendants phone, or having infiltrated a chat.

    • MajorHavoc@programming.dev
      13·
      7 months ago

      While I know Signal isn’t perfect, I do like it and I haven’t seen anything that is better (on the whole).

      Agreed. But it is worth mentioning that XMPP with OMEMO seems to be the current gold standard - runs almost everywhere, tons of available (free) servers, secure end to end messages, and fully auditable public source code.

      • electric_nan@lemmy.ml
        61·
        7 months ago

        I have used xmpp a lot, but I can’t really recommend it to friends and family as a secure messenger. There are too many compatibility issues between clients and servers. If your friend is on a client or server that doesn’t support the same encryption protocols, then you can’t have a secure chat. Basically there is too much user knowledge and effort required at this time, for xmpp to be a good, secure, general use chat. I very much look forward to this changing. I also really like Matrix, but it is still a bit rough around the edges as of my last check.

        • SLfgb@feddit.nl
          3·
          7 months ago

          I use xmpp all the time. Biggest hurdle for certain fam/friends using xmpp has been certain android builds (samsung) and ios interfering with timely notifications. User knowlege is not a problem as I can recommend the apps that are compatible encryption protocols with mine.

          • electric_nan@lemmy.ml
            2·
            7 months ago

            That’s great, and I’m happy it’s working out for you. It’s still kind of a bummer that this open protocol ends up fragmented across all those clients and severs. I’ve met other Linux enthusiasts online, connected with them via xmpp only to find we can’t encrypt our chats. Neither of us wants to give up our preferred client for various reasons, so we have a non-working situation.

            • SLfgb@feddit.nl
              2·
              7 months ago

              Hmm, I see. But isn’t there an obvious solution to this? One of you just run two different clients side-by-side?

              • electric_nan@lemmy.ml
                1·
                7 months ago

                Sure there are workarounds, but every one of them erases a bit of convenience or is at odds with the benefits of federation. Again, I think XMPP is great, but I wish it was better. As it is now, it doesn’t fully meet my needs better than Signal does.

            • SLfgb@feddit.nl
              2·
              7 months ago

              Well if only those samsung & ios users that never get my messages until I see them and tell them to open their app had phones that didn’t interfere with it running in the background / push notifications it would be working out for me even better, but that’s not an issue with the protocol or client but with OS’s being hostile to xmpp.

        • MajorHavoc@programming.dev
          3·
          7 months ago

          Agreed on all points. It’s not the best solution when I can’t get both parties into it successfully.

          That’s why I still use Signal a good bit.

    • Possibly linux@lemmy.zipEnglish
      82·
      7 months ago

      Tin hat time:

      I wonder if Russia’s trying to get everyone on Telegram because they have control over it.

      • electric_nan@lemmy.ml
        1·
        7 months ago

        This is probably just Telegram seeing an opportunity to peel some users away from Signal during a period of heightened paranoia in the West (anti-genocide organizing).

  • rivvvver@lemmy.dbzer0.com
    631·
    7 months ago

    arent telegram chats unencrypted by default?

    An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media

    source?? (i bet this ends up being a “they had full access to my unlocked phone” situation again)

    also the whole thing abt US funded encryption is the same bullshit argument ppl use against Tor all the time. it doesnt mean shit.

    this just reads like someone desperately trying to get more market share by spreading FUD

    • dsemy@lemm.eeEnglish
      154·
      7 months ago

      Telegram secret chats are e2e encrypted though

      • ReversalHatchery@beehaw.orgEnglish
        231·
        7 months ago

        Secret chats only. With their own, in-house encryption, that, if I remember correctly, the apps don’t use according to the specifications.

        Maybe I’m mixing up mtproto 1 and 2 with that second part, though.

        • dsemy@lemm.eeEnglish
          4·
          7 months ago

          I don’t mind in-house encryption (the Signal protocol didn’t just appear out of nowhere either), however the latter part is worrying.

          In any case, I personally don’t trust Signal or Telegram.

            • dsemy@lemm.eeEnglish
              2·
              7 months ago

              Molly still depends on Signal’s centralized servers.

              Best solution I know of currently is SimpleX, though Veilid (and VeilidChat by extension) also seem promising, though it might take a while for those to be usable.

              • Possibly linux@lemmy.zipEnglish
                1·
                7 months ago

                From a cryptographic and usability perspective Signal still has a few benefits. However Simplex is promising.

            • toastal@lemmy.ml
              1·
              7 months ago

              The best is to not trust the centralized server of either of these platforms. Set up your own XMPP server & gives these the boot.

                • toastal@lemmy.ml
                  1·
                  7 months ago

                  XMPP is battle-tested* and thriving*

                  I don’t think you know how many commercial use cases are relying on XMPP, nor how much the community has been working on updates. Older technologies tend to have maturity is spec but also in implementations where the servers are robust & already at the point of optimization over chasing features. We see this with how little specs it takes to run a server & have Conversation forks on Android have some of the best battery life & data plan usage in the chat space. The network is massively decentralized too… unlike Matrix where almost everyone is on Matrix.org or a server provided/hosted by Matrix.org giving them all the metadata.

      • delirious_owl@discuss.online
        1·
        7 months ago

        But extremely hard to use to the point that nobody uses them. I send a secret chat to someone and they write me back in the unencrypted chat.

        It shouldn’t be possible to send anything unencrypted

  • lemmyreader@lemmy.mlEnglish
    45·
    7 months ago

    This comes a few days after Jack Dorsey confirmed that he had left the board of Bluesky and then starting to use Tw(X)tter and calling Tw(X)tter “freedom technology”. Coincidence ?

    • Optional@lemmy.world
      1·
      7 months ago

      Why does it say Telegram, but it’s about the Twitter/Bluesky guy?

      Actually, nevermind. It’s just confusing.

  • PotatoesFall@discuss.tchncs.deEnglish
    37·
    7 months ago

    Okay first things first Jack Dorsey is a tool

    The US government / CIA did in fact develop the protocol back in the day, with the goal of helping people in China and other countries message securely, probably with ulterior motives.

    But the protocol itself is open source, and you can use it without any affiliation with the US government.

    The claim " It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺" is therefore so stupid it almost invalidates everything else being said because the person writing is either an idiot or purposely misrepresenting the facts.

    Not having reproducible builds is definitely weird though. Does anybody have more information on that?

    • bamboo@lemmy.blahaj.zoneEnglish
      2·
      7 months ago

      Not having reproducible builds is definitely weird though. Does anybody have more information on that?

      They boast this as a feature, but on the instructions for how to do this for iOS, even Telegram admits “As things stand now, you’ll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process”. Browsing the steps, it’s extremely complex, and doesn’t seem like something that is very user friendly and that you’d do weekly or monthly when a new version is released.

      On the GitHub issue linked to in the body, it’s disingenuous to claim they refused to implement this, and that the technical hurdles Apple has in place make this extremely difficult which halted progress. In the community forums where the conversation was moved to, someone pointed out that even if you were to reproduce it on a jailbroken iPhone, that there’s no way to confirm that non-jailbroken iPhones aren’t receiving a version with a backdoor.

      And even if you are using a jailbroken device exclusively and can confirm the reproducibility of the iOS app, then the risk becomes the latest available jailbroken iOS could be outdated from the real versions, and you’d have other issues with not receiving timely security updates. This same issue applies to Telegram also.

    • Steamymoomilk@sh.itjust.worksEnglish
      37·
      7 months ago

      My theory is that apple wont let the developer share there code for IOS because of “security”

      I remember an emulator (retro arch i think?) Got on ios at one point and was later removed because it showed apples file system layout. Which apples reason was “because it could be used to make malware for IOS”

      I feel like there is some similar thing with signal IOS

  • NoLifeGaming@lemmy.world
    221·
    7 months ago

    One is open source and you can check the code while the other is not completely open source and uses proprietary encryption. That’s right, proprietary encryption.

  • Eager Eagle@lemmy.worldEnglish
    221·
    7 months ago

    Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github.

    Not true. Signal has a very similar client verification process to Telegram’s, described here. The lack of an iOS reproducible build is an Apple limitation / nuisance.

    It’s very complicated, the 2nd jailbroken device is necessary because there’s no other way to download the .ipa, but even if you manage to do that and bit-for-bit reproduce the .ipa you downloaded from source, there’s no way to know if the App Store is sending every user the same .ipa or if your other, non-jailbroken iPhone downloaded a backdoored one.

    Telegram docs even acknowledge these limitations.

    Ultimately, this client verification is not the selling point Telegram’s founder makes it sound like, since most messages are not E2EE and the server code is closed.

  • kellenoffdagrid❓️@lemmy.sdf.org
    20·
    7 months ago

    Saw someone post that City Journal article on mastodon a couple days ago and I’m amazed that so few people picked up that the City Journal and the article’s author are basically puppets of the Manhattan Institute, a conservative think tank. I know most people aren’t tuned to look out for think tank propaganda but it came off as really obviously FUD-y and unsubstantiated.

        • SLfgb@feddit.nl
          3·
          7 months ago

          You still need a phone number to register an account as far as I could tell when I did the other day. You no longer need to share your number with any contacts and can set it so noone who has your number can look you up on signal. You can optionally set a unique alphanumeric ‘username’ instead to hand to people to look you up. But yea, Signal still requires you to give them and their authenticatian service (through sms code) your phone number.

            • SLfgb@feddit.nl
              2·
              7 months ago

              Yes, XMPP, a long-standing protocol that’s also not a walled garden, doesn’t require a phone number or even a phone. For android I use the Conversations client combined with Dino on computers. Currently logged in to a handful of devices synchronously. You can choose what server to make an account on; conversations.im I found to be reliable. Drawback is Signal doesn’t let you bridge to it from anywhere outside of Signal. So I have accounts on both.

      • Ferk@kbin.social
        1·
        6 months ago

        You mean “confidentiality”, not privacy.
        Just the metadata related to whether you personally, traceable to your full name and address, have a Signal account and how much you use it might be considered a privacy breach already, even if the content of the messages is confidential.