this post was submitted on 07 Feb 2025
383 points (99.0% liked)

Technology

62063 readers
4543 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
383
Time to get serious with E2E encrypted messaging (techcrunch.com)
submitted 4 days ago by Morys@lemmy.ml to c/technology@lemmy.world
121 comments fedilink hide all child comments
 

I currently use Telegram for my friends and family, but have reluctantly come to the conclusion that the UK Government is either reaching agreement for backdoors with messaging services, or is trying its hardest to.

I'm also on Element/Matrix. Before I try to get my contacts to join me on there, should I be aware of any privacy issues or is that a good place to head?

top 50 comments
sorted by: hot top controversial new old
[–] Andromxda@lemmy.dbzer0.com 58 points 3 days ago* (last edited 3 days ago) (1 children)

I currently use Telegram for my friends and family

Telegram is probably the worst thing you could use, it doesn't encrypt messages by default and they are stored on Telegram's servers, so they can read them at any time.

I'm also on Element/Matrix. Before I try to get my contacts to join me on there, should I be aware of any privacy issues

Yes, Matrix leaks a bunch of metadata and doesn't have post-quantum encryption.

The best option is to use Signal. It uses end-to-end encryption by default for everything: Normal chats, group chats, voice and video calls and even stories. Messages are only stored on their servers (in encrypted format, so they can't access them) until you receive them, after which they are promptly deleted and only stored on your device. And Signal has much better metadata protection than Matrix. The UX is also much better and less confusing, making onboarding new users much easier.

[–] cmhe@lemmy.world 8 points 3 days ago (4 children)

But you should also be aware that Signal does not federate, so the company can be bought. They have control over all accounts and the servers, without easy way to migrate away again. So it might just be another trap.

Try to use federated services (like matrix), they are more robust against hostile take overs.

[–] TokyoMonsterTrucker@lemmy.dbzer0.com 9 points 2 days ago (5 children)

This is such a bad take it seems like deliberate misinformation.

Signal is open-source software maintained by a non-profit. User data is not stored on Signal servers, they have no way to access messages as they are stored and encrypted on your phone. If the Signal Foundation were revealed as bad actors then the open-source code could be forked to a new project.

Feel free to fully evaluate their code here: https://github.com/signalapp

load more comments (5 replies)
[–] Andromxda@lemmy.dbzer0.com 17 points 3 days ago (1 children)

so the company can be bought

The company (Signal Messenger LLC) is fully owned by Signal Foundation, a 501(c)3 non profit organization.

Try to use federated services

I generally like this idea, and I also use federated services for things like social media, that's why we're having a discussion here on Lemmy. But it introduces some issues with private messaging, like lack of reliability, which sucks if you want to use Matrix as your primary messenger, as well as metadata leaks. Federation is not always the answer, and in my opinion definitely not when it comes private and secure messaging.

they are more robust against hostile take overs

Probably around 80-90% of Matrix users are on the matrix.org homeserver, so it's absolutely not as decentralized and resilient as you think it is.

load more comments (1 replies)
[–] JOMusic@lemmy.ml 9 points 3 days ago* (last edited 3 days ago) (6 children)

At least (to my knowledge) the Signal messages are decrypted on the client end, so buying the company doesn't give them automatic access to messages.

Having said that, I'm sure a hostile new owner could update the app to decrypt and then send the messages as plaintext to the servers if they wanted..

load more comments (6 replies)
[–] MangoCats@feddit.it 5 points 3 days ago* (last edited 3 days ago) (1 children)

Shortcut question: What's a workable federated e2ee solution that's available today? Quantum secure? Metadata secure?

[–] cmhe@lemmy.world 1 points 2 days ago (1 children)

Matrix?

IMO the whole "metadata insecurity" stuff about Matrix is over exaggerated. Also Matrix is improving there.

If metadata security is really that important, you could try Tox or similar P2P chats.

[–] MangoCats@feddit.it 1 points 2 days ago

I actually tried Tox - maybe 8 years ago now... the real problem with it, or anything similar, is that you need both ends of every conversation to take the trouble to set it up. It was pretty easy to setup, IMO, but... as an example, in 2005 I had an engineer co-worker ask me about "that Linux thing" when I got around to telling him that pretty much everything he used on a daily basis was available in Linux, just under different names than he was used to in Windows "Oh, you mean I'd have to learn different names for Word and Excel and Outlook?" "Uh, yeah." "Oh, that's more trouble than I think I want, I'll just stick with what I know."

[–] circuitfarmer@lemmy.sdf.org 101 points 4 days ago

Telegram is the worst kind of "secure" messaging in that it gives you a false sense of security while not really being secure.

[–] rottingleaf@lemmy.world 108 points 4 days ago

Telegram is the least secure thing there is. Not only it's complete zero effort security, it's also much above zero effort to advertise itself as almost secure. Not a good combination as you know.

[–] vrighter@discuss.tchncs.de 23 points 3 days ago

telegram is not encrypted e2e

[–] Ulrich@feddit.org 73 points 4 days ago (18 children)

The biggest issue with Matrix is that the server collects ALL the metadata. If that's your server, that's fine. If thats the default matrix.org server that almost everyone uses, you might as well be using WhatsApp. Same thing goes if any of those people are conversing with people on your server, as they will store all redundant metadata on their server as well.

Signal is easier to use, more private, and faster.

[–] fangleone2526@lemmy.world 27 points 4 days ago (12 children)

Signal requires a phone number on setup.

Also, matrix has bridges, which alone make it worthwhile for me. They, of course, don't help privacy, but they are so so nice for convenience.

Matrix is definitely slow though, and a grand majority of the clients are heavy terrible buggy electron apps. There are a few good ones ( nheko and the new beeper clients ), but even they have some rough edges.

I still use matrix all the time and love it.

If max privacy was the goal I think simplex looks wonderful. No required info for sign up, no way for them to possibly collect any metadata ( because there are no identifiers sent over internet for anyone at all ), E2EE, and decentralized.

[–] Ulrich@feddit.org 25 points 4 days ago* (last edited 4 days ago) (2 children)

Signal requires a phone number on setup.

It is dumb and annoying and inconvenient but doesn't affect its use or privacy.

I do agree that SimpleX seems like the best chat option.

[–] fangleone2526@lemmy.world 12 points 4 days ago (10 children)

It affects its use for me definitely. I don't want to have a phone number. At all.

load more comments (10 replies)
[–] AnotherDirtyAnglo@lemmy.ca 9 points 3 days ago (2 children)

It creates a cost for spammers. They have to have an account with a Telco, which isn't free, which in a lot of countries comes with some sort of National ID to register. That's the reason.

load more comments (2 replies)
[–] mac@lemm.ee 13 points 4 days ago (2 children)

Sure but it allows VOIP numbers. I'm using a jmp.chat number with it just fine.

load more comments (2 replies)
load more comments (10 replies)
load more comments (17 replies)
[–] guaraguaito@lemmy.blahaj.zone 31 points 4 days ago (15 children)

I’ve honestly found signal better than matrix.

Matrix is just not there yet in terms of features UI etc and is less private than signal because it collects way more metadata and stuff. I know the idea of federation is cool, but Signal works better for the privacy aspect.

load more comments (15 replies)
[–] helloyanis@jlai.lu 7 points 3 days ago (3 children)

The most privacy focused messaging app I know is SimpleX Chat, it has no user IDs, is FOSS, e2e encrypted with an option to use TOR, give it a try!

load more comments (3 replies)
[–] Xanza@lemm.ee 17 points 4 days ago* (last edited 4 days ago) (1 children)

I currently use Telegram for my friends and family, but have reluctantly come to the conclusion that the UK Government is either reaching agreement for backdoors with messaging services, or is trying its hardest to.

Unless you start an encrypted chat, Telegram chats are not E2E.

I’m also on Element/Matrix. Before I try to get my contacts to join me on there, should I be aware of any privacy issues or is that a good place to head?

Host your own Matrix node, and then you don't have to worry about prying eyes. Realistically, instead of worrying about the protocol, worry about the content of the text. Use PGP to encrypt your own text and send it over clearnet. Who cares at that point.

[–] ITGuyLevi@programming.dev 11 points 4 days ago

Definitely host your own node! It's trivial for a server admin to add a hidden bot to every chat and while it's still E2EE, an unknown party could still have a copy and key to read it.

Really good talk from DEFCON 32 about the service "Anom" by Joseph Cox (sorry for the lack of a link, at lunch, on mobile and about to get back to work).

[–] mox@lemmy.sdf.org 19 points 4 days ago* (last edited 4 days ago) (9 children)

Matrix is good for private general messaging. The fact that it's decentralised means it can also withstand things like government-ordered shutdowns or back doors, since there is no central point that controls the whole network.

Two things to be aware of:

  • Some non-message bits (e.g. room topic text and membership) have not yet been moved to the encrypted channel, so those could be read by the administrator of a homeserver that participates in your chat room. Since most people care primarily about keeping the message content private, this is an acceptable trade-off to get all the things that Matrix offers.
  • The upcoming Matrix 2.0 features and design choices simplify the UI and fix some occasional errors. It might be worth waiting until this stuff officially lands in the client apps before bringing your contacts to Matrix, for a better experience all around.
load more comments (9 replies)
[–] lahabi_era@lemmy.ml 4 points 3 days ago (1 children)

hello beautiful people of lemmy I'm excited to make my first comment in here

so I wanted to ask: considering that WhatsApp is a big threat to privacy and even worse because of google and iOS backups, how big of an improvement would it be not using it and using the secret chat option in telegram instead? That would solve the issue wouldn't it? As far as I know the concern is with normal non encrypted conversations and the groups channels and all those.

I would love to use signal with everyone but where I live it seems that there is 0 worries about the topic so I only use it with my more "international" people. The most I can get is probably to use telegram E2EE.

[–] asudox@lemmy.asudox.dev 9 points 3 days ago* (last edited 3 days ago)

Hello and welcome to the Fediverse.

Telegram's secret chat's encryption algorithm is made by Telegram themselves, which is already a red flag. You generally don't want to roll out your own encryption algorithm if you aren't cryptographers, which Telegram people aren't. Their MTProto is also not proven, so you'd rather not want to use it.

Here's a blog entry about their MTProto: https://web.archive.org/web/20180420061726/http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/

[–] Korhaka@sopuli.xyz 11 points 4 days ago (3 children)

I think at this point it would be funnier to just use something obviously unsecure like discord but share your public key with the other user and then send encrypted text.

[–] oldfart@lemm.ee 6 points 3 days ago

We went full circle to the early 2000s, slapping PGP on top of public messaging platforms!

load more comments (2 replies)
[–] thann@lemmy.dbzer0.com 9 points 4 days ago (1 children)

No proprietary software can truley provide secure messaging

[–] ricdeh@lemmy.world 13 points 4 days ago (1 children)

Matrix is not proprietary. The protocol is FOSS, Synapse server is FOSS, Dendrite server is FOSS, there are FOSS clients, Element is FOSS too afaik.

load more comments (1 replies)
load more comments
view more: next ›