<!DOCTYPE html>
<html lang=en>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self'; script-src 'self'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'">
<meta name="referrer" content="no-referrer">
<link rel="stylesheet" type="text/css" href="styles.css">
<title>Messengers | Madaidan's Insecurities</title>
</head>
<body>
<h1>Messengers</h1>
<p class="date"><em><time datetime="2022-03-06">Last edited: March 6th, 2022</time></em></p>
<h2 id="telegram"><a href="#telegram">Telegram</a></h2>
<p>
<a href="https://telegram.org/">Telegram</a> is <a href="https://telegram.org/faq#q-why-not-just-make-all-chats-secret">not end-to-end encrypted by default</a>, which allows the
Telegram server to see all of your messages unless you use a "Secret Chat". Telegram uses <a href="https://core.telegram.org/mtproto">custom, unaudited encryption</a>, and the first
version of MTProto had <a href="https://eprint.iacr.org/2015/1177.pdf">severe security issues</a>, although these were fixed with MTProto 2.0. However, Telegram still uses strange
cryptographic primitives, such as AES-IGE, for "performance", although it uses AES-IGE in a way that <a href="https://core.telegram.org/techfaq#q-do-you-use-ige-ige-is-broken">isn't
affected by its known security issues</a>. Telegram has also been criticised by well-known cryptographers, such as <a href="https://news.ycombinator.com/item?id=6913456">Moxie
Marlinspike</a>, <a href="https://twitter.com/matthew_d_green/status/726428912968982529">Matthew Green</a> and <a
href="https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/">Filippo Valsorda</a>. <br>
<br>
Telegram has <a href="https://telegram.org/crypto_contest">held crypto cracking contests</a>, but these <a href="https://www.schneier.com/crypto-gram/archives/1998/1215.html#contests">
were</a> <a href="https://archive.vn/SIl9M">rigged</a>. Although the <a href="https://telegram.org/apps#source-code">clients are open source</a>, the server is not, so self-hosting
is not a possibility. The creators of Telegram have also <a href="https://twitter.com/durov/status/872891017418113024">spread unfounded misinformation</a> about competing
apps before. <br>
<br>
Telegram, along with most other messengers, leaks significant <a href="https://en.wikipedia.org/wiki/Metadata">metadata</a> about your messages, even if the message itself is end-to-end
encrypted.
</p>
<h2 id="silence"><a href="#silence">Silence</a></h2>
<p>
<a href="https://silence.im">Silence</a> is dead and the only commits for a long time <a href="https://git.silence.dev/Silence/Silence-Android/-/commits/master">have been translations</a>,
not code updates.
</p>
<h2 id="wire"><a href="#wire">Wire</a></h2>
<p>
<a href="https://wire.com/en/">Wire</a> <a href="https://www.vice.com/en_us/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text">stores all metadata
unencrypted on their servers</a>, although <a href="https://github.com/wireapp/wire/issues/214">there are plans to correct this</a>. Unlike Telegram, however, <a
href="https://wire.com/en/security/#audits">Wire has been audited</a>, and its server code is <a href="https://github.com/wireapp/wire-server">fully open source</a>, allowing it to be self-hosted.
</p>
<h2 id="conclusion"><a href="#conclusion">Conclusion</a></h2>
<p>
Use <a href="https://www.signal.org/">Signal</a>. It <a href="https://www.signal.org/docs/">uses the gold standard of encryption</a>, <a href="https://signal.org/blog/sealed-sender/">conceals
metadata well</a>, <a href="https://signal.org/bigbrother/eastern-virginia-grand-jury/">has a great track record</a>, is recommended by countless experts in the field and more. Most other
messengers are subpar.
</p>
<p class="p-final">
<a href="index.html" class="back">Go back</a>
</p>
<button class="dark-mode-toggle">🌓</button>
<script type="text/javascript" src="toggle.js"></script>
</body>
</html>