Here’s what he said in a post on his telegram channel:
🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷
🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕🦺
🕵️♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡
🕵️♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤
🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪
Original post: https://t.me/durov/274
Telegram’s server side software is closed source, owned and ran by them exclusively so they really have no room to talk. WhatsApp doesn’t even have OSS clients so they’re even worse in that regard
exactly, they (Telegram) don’t need to put sketchy code in the clients when most messages are not E2E encrypted and they control the servers lol
and run* by them
It’s hard to overstate what a nothing-burger this article really is! Let me break it down:
- Signal got $3 million from the Open Technology Fund at some point in its development
- Some anonymous source alleges that the OTF’s ultimate goal is to promote US foreign interests
- The current chairman of the board Katherine Maher worked at the National Democratic Institute and Wikipedia before
- The same anonymous source says she was recruited because of connections to the OTF
- She has at some point voiced the opinion that a completely free internet without regulation just reproduces existing power structures, and that balancing regulation and 1st amendment rights is a tough problem
- Signal doesn’t have reproducible builds on iOS (it absolutely does on Android btw)
- Some people feel like Signal chats come up more often than they should in court cases and media reports
That’s it, that’s the whole story. That’s the reason why the Telegram guy of all people thinks you should be careful, and better use his chat service instead, and the Twitter guy agrees.
I mean, reproducible builds on iOS would be nice, but that platform has much bigger problems from a privacy/security/sovereignty/freedom standpoint anyway. And the rest is just nothing turned up to 11.
tl;dr “Signal might be untrustworthy because the tech came from a State-sponsored project and the current chairman acknowledges that Wikipedia has a white and Western bias.”
just wait until they find out pretty much all tech we have can be traced back to government-funded research.
Did you know the early early internet researchers were part of a clandestine government organization known as ARPANET??? The entire TCP/IP stack is just a state-sponsored backdoor into your life!!!
WAKE UP SHEEPLE!!!
Lol telegram calling signal insecure is too funny.
Isn’t it that Telegram doesn’t claim to be super secure, apart from possibly their encryption on mobile?
This doesn’t prevent them from uncovering other possible plots in supposedly secure platforms.
Looks like a push to discredit Signal right now. While I know Signal isn’t perfect, I do like it and I haven’t seen anything that is better (on the whole). The 3rd “emoji-point” is quite an accusation, and I would love to see any evidence of this kind of thing, that didn’t result from the cops unlocking a defendants phone, or having infiltrated a chat.
The 3rd emoji is just bs. Then again, most of his post is bs
arent telegram chats unencrypted by default?
An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media
source?? (i bet this ends up being a “they had full access to my unlocked phone” situation again)
also the whole thing abt US funded encryption is the same bullshit argument ppl use against Tor all the time. it doesnt mean shit.
this just reads like someone desperately trying to get more market share by spreading FUD
“an alarming number of important people” is the source. That’s more than enough, right?
im gonna assume ur joking. its hard to tell sarcasm on the internet.
obviously i would like an actual source like at least one of those “important” ppl talking abt what happened to them
😂. Of course I’m joking. That claim is bullshit. Hey I know a guy who sold a bridge, and he’s wealthy now. Source: trust me, he told me.
arent telegram chats unencrypted by default?
Encryption is always there. Problem is, some people refer to anything “not e2e encrypted” as “unencrypted” for some reason.
And it infuriates me to no end. It’s one thing to trust them and their servers and it’s another thing altogether to send actual plaintext data around the net, that’s crazy and it’s what people are implying.
For the record, until WhatsApp implemented e2e their messages were indeed fucking plaintext, and it took a while before they were pressured into e2e. It helps for them that their platform is very mobile based vs telegram, where the service is more server based. Telegram did have enough time to implement a server based e2e 0 knowledge encryption protocol though, it’s not really rocket science at this point.
Telegram did have enough time to implement a server based e2e 0 knowledge encryption protocol though, it’s not really rocket science at this point.
What do you mean by server based e2e? From what I get, most people’s complain is that Telegram doesn’t support e2e in group chats, and that is what seems to be close to rocket science in my opinion. Also Telegram is historically filled with ever growing group chats, which means quite serious implications for server requirements from what I understand.
Tegram stores all the conversation in their servers, since you don’t need to be connected in the phone or have the phone witchednon if you want to chat in the pc, or in another phone. This means that the authority is the server. WhatsApp it’s not like that, if you delete a shared photo after a while it will be cached out and you will lost access to it, meaning that they don’t store that stuff. The same thing happens with WhatsApp desktop or web, they stay in an infinite loading icon until you twitch on the phone or sometimes even unlock it.
This means that whatever telegram develops must not only keep the group chat encrypted in the server, but any valid client of a user must be able to decipher the content, so every client must somehow have the key to unlock the content. One way of doing it would be for every client of a single user to generate keys (which I’m sure they already do) and reform a key exchange between them, to share that way a single shared key, which is what identifies your account. Then toy could use that shared key to decipher the group chat shared key which telegram can store on their server or do whatever is done in those cases, I’m not that well versed.
The problem here lies in what happens when you delete and/or logout of all the accounts, currently you can login into the server again, because telegram has all the info required, but if they store the “shared key” then it’s all moot, I guess they could store a user identifying key pair, with the private key encrypted with a password, so that it can be accessed from wherever. They should as always offer MFA and passkey alternatives to be able to identify as yourself every time you want to log into a new client, without requiring the password and so on.
This is some roughly designed idea I just had that should theoretically work, but I’m sure that there’s more elegant ways to go about this.
It’s work for sure to implement all of this in a secure way, provided that you have to somehow merge everything that already exists into the new encryption model, make everyone create a password and yada yada while making sure that it’s as seamless as possible for users. However, I feel like it’s been quite a while and that if they did not do it already, theybjist won’t, we either trust them with our data or search for an alternative, and sadly there’s no alternative that has all the fuzz right now.
Sorry I have a hard time understanding the gist of your text. I don’t think it’s viable to be upset about what happens with access that was already acquired previously because that very fact already poses a bigger threat (which might have more to do with the nature of conversations vs how the platform works).
I wasn’t talking about situations with compromised accounts, I was talking about legitimate accounts that were created in a typical way being converted to a zero knowledge encryption method, I was aknowledging that it’s hard doing that conversion when a user might have several clients logged on (2 phones, 6 computers…).
My point was that if they have not put any motivation in the transition, they never will because the bigger the userbase, the harder for them to manage the transition. Also, I find that sad because they should have invested more effort in that instead of all the features we are getting, but whatever.
If you found the technical terms confusing, public/private keys are some sort of asymmetric “passwords” used in cryptography that secure messages, and shared keys would be symmetrical passwords. The theory between key exchanges and all around those protocols are taught in introductory courses to cryptography in bachelors and masters, and I’m sorry to say that I don’t have the energy to explain more but feel free to read about the terms if you feel like it.
If you however found it confusing because I write like crap, I’m sorry for potentially offending you with the above paragraph and I’ll blame my phone keyboard about it :)
No that’s not what I didn’t understand. The problem itself as you described it seems either a non-issue or something very few people (who’s already using telegram for some time) would care about. I don’t understand the scenario that would pose a problem for the user. The moment some account legitimately gains access to some chat is probably what should trouble you instead.
Go read the GitHub issue. The main difficulty in implementing reproducible builds is the code signing Apple requires as well as other tweaks Apple makes to modify the binary from what the dev submits to what gets downloaded from the App Store. Note that Android already has reproducible builds. Also the reason the GitHub issue was closed wasn’t “refusal” to implement the feature, they wanted to move the discussion to their forums.
How does Telegram ensure reproducible builds for iOS? Or is Dorsey lying
Who knows how apple decides to do anything? There may be some really stupid arbitrary reason apple modifies signal but not telegram just because apple insists on being difficult. If you don’t trust apple don’t use an iPhone and just download it on android.
that’s not a fantastic answer to my question…
Why all the emojis? Why can’t people just write an article?
he is maybe flexing the “custom emojis” feature of telegram, see original post
It’s like a memetic form of neoteny, “the retention of juvenile traits into adulthood.”
I’m waiting for the day when a politician responds to a motion on the floor with “bruh.”
It seems like you’re passionate about emojis
You don’t need a backdoor in signal to bypass its encryption.
All you need is to exploit the phone and wait for them to open or use signal.
If you think your phone is safe from the NSA or similar services, I got some bad news for you.
All you need is to exploit the phone and wait for them to open or use signal.
Physical access is root access. But just because you can’t make something NSA-proof dosen’t mean you can’t make it bloody difficult to break into.
There’s been enough zero day remote exploits that there’s bound to be more.
Pretty sure there’s more than 1 about receiving an SMS and the payload rooting the phone and you not even knowing it happened. At least 1 but I think 2 or more.
Something about a malicious image also rooting a phone.
It goes on and on and phones don’t always get security updates.
You can do your best, but then longer you use a given phone the higher the risk. That’s why people switch out phones frequently when doing shady or important shit
This comes a few days after Jack Dorsey confirmed that he had left the board of Bluesky and then starting to use Tw(X)tter and calling Tw(X)tter “freedom technology”. Coincidence ?
Why does it say Telegram, but it’s about the Twitter/Bluesky guy?
Actually, nevermind. It’s just confusing.
I don’t care about dorsey or whatever, but a lot of privacy advocates don’t consider signal secure, drew devault for example. I’m def among them, you should not trust any centralized US-hosted service.
I’m all for Jami, and XMPP.
I don’t think i care what Jack Dorsey says that isn’t backed up independently. Even if he’s right i just don’t trust him.
You shouldn’t need to trust open source, it should be independently verifiable. Unfortunately that’s not possible with either signal or telegram, as there’s no way to tell what server code they’re running.
I’m wondering if Dorsey has any stakes in Telegram’s crypto bullshit…
Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github.
Not true. Signal has a very similar client verification process to Telegram’s, described here. The lack of an iOS reproducible build is an Apple limitation / nuisance.
It’s very complicated, the 2nd jailbroken device is necessary because there’s no other way to download the .ipa, but even if you manage to do that and bit-for-bit reproduce the .ipa you downloaded from source, there’s no way to know if the App Store is sending every user the same .ipa or if your other, non-jailbroken iPhone downloaded a backdoored one.
Telegram docs even acknowledge these limitations.
Ultimately, this client verification is not the selling point Telegram’s founder makes it sound like, since most messages are not E2EE and the server code is closed.
One is open source and you can check the code while the other is not completely open source and uses proprietary encryption. That’s right, proprietary encryption.
You can verify builds on android. That’s just an iphone problem.
Use Grapheneos if you need good security and privacy
I logged into Telegram today to this update from Durov. It reads like a bunch of hogwash from someone who is hiding something. They are eyeing investor funding soon, right? (EDIT: eyeing an IPO https://www.techopedia.com/news/telegram-eyes-ipo-as-it-aims-to-become-profitable-in-2025) A lot of things seem to be coinciding with him slinging mud about his competitors.
