> Telegram was so well-planned from scratch
Uhm what? It's 2023 and they still don't do e2e encryption by default. Building a chat application without e2ee is orders of magnitude easier than with. And let's not talk about MTProto…
because there's real usability tradeoffs. Signal's local encryption means there's no history sharing on new devices and essentially loss of the data should you ever lose the device/key, and that for many people is a deal breaker.
It doesn't help that the non-security aspects of Signal are garbage. I have several years of data in my phone that I want to backup, but it's a painful process because I have to export every media file manually and then transfer it over to an SD card. My phone is low on internal storage space, but Signal won't let you choose where exported media get saved to, so I have to play Towers of Hanoi shuttling media files in and out of my limited vacant space and then deleting them in Signal after they've been safely copied to the SD card.
The app is full of tiny annoyances like this. For sending photos there are some editing/cropping tools - a fun and somewhat useful innovation, but while the crop handles work from the corners of an image they don't work properly from the sides. I was a busy evangelist for the product in its early days, now I hate using it.
> Signal's local encryption means there's no history sharing on new devices and essentially loss of the data should you ever lose the device/key
To be clear, Signal now allows secure backups to the cloud. If you don't use a strong password, and much of the public won't, it's not perfect but they maximize the security. (And you can always choose to not use the backup.)
Do they? On Android all it does is backup to another directory on my phone.
Hmmm ... looking around, isn't the following implemented?
https://signal.org/blog/secure-value-recovery/
(It's also relevant to the OP.)
SVR doesn't do full backups (yet?)
> To be clear, Signal now allows secure backups to the cloud.
No, it doesn’t, at least on iOS. There is no backup option on iOS. The only way to retain information when using a new device is to have the old device close by and transfer it by running Signal on both of them. Anyone who loses their device or does not have it with them when getting and setting up a new device will lose all the messages from the older/previous device.
Oh, does it work for desktop?
I know only enough about crypto to be dangerous, but it's never been clear to me why that's such a hard technical limitation. my password manager is very easy to set up on a new device if I have another authenticated device on hand. if not, it's still not too onerous to set up the first sync. why wouldn't the same approach work for signal?
Indeed it's possible, though judging by the release dates, it's not trivial to do right:
- Apple implemented iMessage E2EE sync across devices back in 2011. But be careful not to save your chat keys in iCloud backups (local backups are fine), unless you enable E2EE for iCloud backups as well, which is an option rolled out in 2023.
- WhatsApp appears to have rolled out a form of E2EE device sync in 2023 as well. WhatsApp Web complicates the question of how secure is the E2EE though.
It does, if you set up Signal Desktop it involves scanning a QR code. It doesn't sync old messages, theoretically they could do that over a local network transfer.
You could reimplement all the rest in a couple of weekends, is that what you're trying to say? Only e2e is real work, the rest is easy?
It's not just content inside messages, Signal actually knows nothing. The metadata about your user, your contacts, every group, and who is in a group, or who sent a message, all encrypted. The only thing Signal knows about a user is when they registered and their last login time.
Telegram just stores everything on their servers in Dubai, in the clear.
> The only thing Signal knows about a user is when they registered and their last login time.
Really? Why do I need to provide a phone number in order to register for the username test?
Well yes, obviously your phone number since it's how they handle accounts. Their argument is that it makes you the owner of your social graph because it uses the existing contact list on your device.
https://signal.org/bigbrother/cd-california-grand-jury/
Because your account is currently your phone number, so if they want to open the service to a limited number of power users, it makes sense to restrict it to folks who already are signal users, IMO.
As I understand it, the phone number requirement won't be going away - it's just the requirement to share it with your contacts that they're abolishing.
Seems like the right level of tradeoff to prevent abuse and enabling privacy, did you have a different expectation in terms of balance?
No, that's perfectly fine for me too, just wanted to be accurate and manage expectations :)
(In fact, I do still expect public phone numbers to be the "default", i.e. encouraged, experience, because of its viral properties. This is also fine by me, as I want Signal to be used by as many people as possible.)
You don't see any conflict between that and the claim "The only thing Signal knows about a user is when they registered and their last login time"?
Not at all, a user is a phone number.
Do you have a recommendation on how they would prevent fraud and abuse w/o using a phone number while also maintaining the same level of low friction?
What fraud and abuse? They can prevent fraud and abuse by doing anything, including by doing nothing, because those aren't concepts that apply to their product.
Spam is one kind of abuse.
So? What's the threat model? How does having phone numbers help?
You're making assertions about what Signal needs, and you're doing it without knowing their threat model.
s/user/phone number/
Signal claims to know nothing. However, for a few years now users' contact lists have been uploaded to Signal's servers with the notoriously insecure Intel Secure Enclave being the only protection. It is likely that a state actor has access to that, which is already highly desirable information for mass surveillance.
Is it really?
I once worked for a company that happened to find itself in possession of a nearly complete social graph of one of the rich countries. The goal of the project was a different one, that graph was a kind of side effect. The graph was never actually used, but the company did have it.
Producing the graph was neither difficult nor expensive. I believe the complete project cost only a little over €1M.
If you want to gather data like that, you can do it without any expensive intelligence operations or attacks. You can spend a million on writing a desirable free smartphone app that needs contact permissions and another few hundred thousand on promoting the app, then sit back while the data is uploaded to your servers. To me that approach sounds a lot simpler and cheaper than breaking into Signal, Intel/SGX or a DC hoster.
I suggest that attacking anyone to get their contact data isn't really desirable.
> the notoriously insecure Intel Secure Enclave being the only protection
While I share your concerns about Intel SGX, your statement is not exactly true: SGX is only meant as an additional measure to secure insecure PINs.
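The point in the reply above (the enclave is an additional measure on top of a weak PIN, not the only one) is easier to see with a toy model. The following is an added example written for this thread, not Signal's Secure Value Recovery code: it assumes a recovery service that stores only a salt, a PIN verifier and a blob encrypted under a PIN-derived key, and that refuses to answer after a fixed number of wrong guesses. The PIN, the secret and the lockout budget are constructed for the demo, and the KDF iteration count is kept deliberately low so the offline loop finishes in seconds.

```python
"""Toy model of a PIN-protected recovery service with a rate-limited oracle.

Added example for this thread, not Signal's SVR code. It assumes a server (or
enclave) that stores a salt, a verifier and an encrypted blob, and stops
answering after MAX_GUESSES wrong PINs. The secret, PIN and iteration counts
are constructed for the demo.
"""
import hashlib
import hmac
import os
from itertools import product
from typing import Iterator, Optional, Tuple

MAX_GUESSES = 10   # oracle lockout budget, constructed for the demo
KDF_ITERS = 200    # deliberately low; a real KDF cost only scales the loop by a constant


def stretch(pin: str, salt: bytes, iters: int = KDF_ITERS) -> bytes:
    """Derive 64 bytes from a PIN: first 32 authenticate to the oracle, last 32 encrypt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iters, dklen=64)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RecoveryOracle:
    """What the server side keeps: no PIN and no plaintext secret."""

    def __init__(self, pin: str, secret: bytes) -> None:
        assert len(secret) <= 32, "toy one-time pad covers at most 32 bytes"
        self.salt = os.urandom(16)
        k = stretch(pin, self.salt)
        self.auth_key, enc_key = k[:32], k[32:]
        self.blob = xor(secret, enc_key)   # fresh key, used once; a real design uses an AEAD
        self.remaining = MAX_GUESSES

    def recover(self, pin: str) -> Optional[bytes]:
        """Return the secret for the right PIN; count down and lock on wrong ones."""
        if self.remaining <= 0:
            raise PermissionError("oracle locked: guess budget exhausted")
        k = stretch(pin, self.salt)
        if not hmac.compare_digest(k[:32], self.auth_key):
            self.remaining -= 1
            return None
        self.remaining = MAX_GUESSES
        return xor(self.blob, k[32:])


def all_pins(digits: int = 4) -> Iterator[str]:
    for t in product("0123456789", repeat=digits):
        yield "".join(t)


def online_attack(oracle: RecoveryOracle) -> Tuple[Optional[bytes], int]:
    """Attacker who can only query the intact oracle: bounded by the lockout."""
    tries = 0
    for pin in all_pins():
        try:
            got = oracle.recover(pin)
        except PermissionError:
            return None, tries
        tries += 1
        if got is not None:
            return got, tries
    return None, tries


def offline_attack(salt: bytes, auth_key: bytes, blob: bytes) -> Tuple[Optional[bytes], int]:
    """Attacker who dumped the oracle's state (enclave broken): no lockout applies."""
    for n, pin in enumerate(all_pins(), start=1):
        k = stretch(pin, salt)
        if hmac.compare_digest(k[:32], auth_key):
            return xor(blob, k[32:]), n
    return None, 10 ** 4


def demo(pin: str = "2319", secret: bytes = b"master-key-for-contact-list!!") -> dict:
    """Constructed scenario: a 4-digit PIN, attacked online and then offline."""
    oracle = RecoveryOracle(pin, secret)
    online_secret, online_tries = online_attack(oracle)
    offline_secret, offline_tries = offline_attack(oracle.salt, oracle.auth_key, oracle.blob)
    return {
        "online_recovered": online_secret == secret,
        "online_tries": online_tries,
        "offline_recovered": offline_secret == secret,
        "offline_tries": offline_tries,
    }


if __name__ == "__main__":
    print(demo())
```

With the oracle intact the attacker burns the ten-guess budget and learns nothing; once the stored state is readable, the whole 4-digit space is enumerated and the secret falls out after a few thousand KDF calls. That is the sense in which the enclave is only an extra layer: it converts an offline search over a tiny PIN space into an online one with a hard guess limit, and a long passphrase would not need it.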
I worked for a while at a company in this space. The chat part really is as easy as it looks. Any competent programmer absolutely could implement it in a couple of weekends. Hell, we used the hardest parts as interview questions.
Now making it into an actually viable business is very hard (I'm not sure we ever managed it), but the hard parts aren't the technical side of implementing a chat app.
Ummm, your message-at-rest inside a Telegram server remains ... unencrypted and is accessible by LEO.
That is, when you power off a Telegram server.
This is not what I said. Only because one thing is "orders of magnitude easier" than another (note the comparative), this doesn't mean it is easy and/or can be done in a weekend.
E2E makes all the other stuff more difficult.
Right. GP didn't say more difficult though, but "multiple orders of magnitude", which is to say, at least 100 times more difficult.
Ten per cent more difficult, OK. But ten thousand per cent?
There are different sides to security.
Telegram openly does not have e2e by default.
What it also didn't have that I think Signal at some point had was:
- a bug that sent photos(?) to persons without you asking
- a rather nasty vulnerability that let people send you a message and pwn your desktop environment
For some reason a large subset of HN is like E2E or nothing. But I remind folks that except in very particular cases, all email is available to one email provider or the other.
Same goes for banking etc. But for some reason according to HN my postcard level communication with my family demands I use a system with a tenth of the usability of Telegram.