Hello, thank you for reading my message. I am concerned because I saw an article on Telegram that raised some concerns about server security. The article in question is this one: Telegram: View @PrivacyNotACrime
Well, it turns out that they claim that SimpleX servers are not secure or reliable and that they can be manipulated or intercepted by intelligence agencies. They say that after an investigation, they recommend hosting our messages on a self-hosted server and offer instructions for installing the server.
They also shared a website (this one: https://simplex-directory.asriyan.me) to search for self-hosted servers run by other people or groups, but the main recommendation is not to use SimpleX servers.
Now comes my question: is it necessary to change the default servers that come configured in the SimpleX app? What risks are there if I continue to use SimpleX servers if the messages are supposed to be end-to-end encrypted? What is the possibility that a malicious actor could find a vulnerability in SimpleX servers and exploit it to access our data?
In any case, even if a malicious actor gained access to the servers, they wouldn’t be able to find anything, right?
Thank you very much in advance for clarifying my questions.
Telegram is surely one of the worst instant messaging apps in more ways than one.
I don’t know if SimpleX has problems with unsecured servers or other issues; others will have more information on that, but one thing is certain: before you worry about SimpleX, worry about Telegram.
The entire point of E2EE is that you don’t have to trust the servers with your messages’ confidentiality or integrity. The servers could have a public no-auth root SSH service running and, as long as the E2EE is solid, your message contents’ confidentiality and integrity will be unaffected. At worst, availability and privacy of metadata would be affected, not the integrity of any messages as is implied by “they can be manipulated”. I haven’t looked into the SimpleX E2EE much so I’m not saying it is “solid” in this way, but it seems dishonest to focus on any vulnerabilities of the servers instead of flaws in the E2EE while claiming vulnerability to being “manipulated or intercepted by intelligence agencies”, as you summarized the article as stating. Also particularly rich coming from Telegram, a system where you do need to place significant trust in the servers with your message security, because there is no E2EE by default.
Thank you. Now I have a clearer understanding of the issue. Thank you for taking the time to respond.
Yes, the truth is that, like WhatsApp, Telegram does not seem to be reliable since it does not have E2EE enabled by default, which is illogical in the year 2025.
read the “article”, outright disinformation. their argument is completely speculative and they present no evidence whatsoever, the only point with any merit is that SimpleX relies on providers known to cooperate with US intelligence agencies (e.g. Akamai, Linode), however if SimpleX’s design philosophy is secure as they claim then it doesn’t matter, their providers cannot access the contents of messages or metadata associated with them.
the author also incorrectly asserts that SimpleX has never had a third party audit, that is completely off-base–just look at their website ffs. i would leave that channel and never take advice from clowns who base their advice solely off of shoulds and coulds.
I really like the channel, it is run by human rights activists. However, that article caught my attention because it raised doubts in my mind about SimpleX. I think at the end of the article they mention that an audit was carried out by a company I am not familiar with. Thank you for responding.
The first section about honey pot and silent collection of data reeks of traditional Russian projection. Telegram is the poorly E2EE solution amassing user data that for some weird reason manages to stay afloat without ever disclosing its financials. Only a Russian intelligence OP would operate like this.
SimpleX’s infrastructure could facilitate backdoor access for intelligence agencies.
Yeah that requires defeating the always on E2EE.
tracking connections, IPs
Yeah this is a legitimate issue with how SimpleX is marketed as a metadata resistant application. But it’s closer to incompetence and marketing fluff than malice.
The absence of independent audits
Passed audits are a poor metric for assessing security. Failed audits are a decent metric to direct dev time.
opaque funding
Not an indicator of anything malicious if the tech actively protects the user, which, in terms of content privacy, it does.
some noting reliance on single providers like Linode (owned by Akamai)
Nope, there are two vendors, runonflux and Akamai. Not saying that’s enough for a decentralized system, but I’m not a fan of factual inaccuracies. SimpleX handles Tor with much higher grace than Telegram, which requires buying a burner, a pre-paid SIM, and a lot of careful OPSEC to not deanonymize your TG account.
users express inability to fully trust the platform’s privacy assertions due to potential third-party access to encrypted data.
That’s hilarious. Default metadata-privacy of SimpleX should be criticized but these morons are not that nuanced in their assessments.
SimpleX absolutely deserves flak for a) how it up-sells its lack of identifiers when in reality it means it doesn’t add additional identifiers, and b) that it does f*** all about protecting the user’s IP-address like Tor-based messengers like Cwtch or Ricochet do. For more on that I’d refer readers to this thread: SimpleX vs. Cwtch, who is right?
But the article OP shared isn’t the critique SimpleX deserves. It reads as way too far-reaching speculation without proposals for a proper solution (Signal, or Cwtch depending on threat model), promoted on Telegram, which is extremely likely an FSB/SVR honeypot, or at the very least a ridiculously lucrative target for them to hack to read all those unencrypted group chats.
Given how universally disliked Telegram is in the actual privacy bubble with professional cryptographers like Matt Green, Schneier, djb, JPA, and major non-profits like ACLU, EFF, and all the other researchers and activists, the post reads like propaganda, which completely undermines the channel’s legitimacy.
Thank you very much for your response, it’s the best one yet. I also think the article is too speculative, created specifically to gain visits or followers perhaps. Of course, Telegram leaves a lot to be desired, nothing is encrypted by default, and the “Private Chat” button has been deliberately hidden.
I think your response is also very speculative, and I’m going to take the trouble to respond fairly and honestly.
The first section about honey pot and silent collection of data reeks of traditional Russian projection. Telegram is the poorly E2EE solution amassing user data that for some weird reason manages to stay afloat without ever disclosing its financials. Only a Russian intelligence OP would operate like this.
Telegram is an app that has been gaining popularity thanks to the dissatisfaction of thousands of WhatsApp users, as it offers many more features and fewer limitations. This is no secret to anyone.
Yeah that requires defeating the always on E2EE.
You forget about metadata that stores relevant and valuable information. (Device, IP, time, date, etc.)
Yeah this is a legitimate issue with how SimpleX is marketed as a metadata resistant application. But it’s closer to incompetence and marketing fluff than malice.
In fact, SimpleX is a good application, well developed and functional, and its code is visible to anyone. However, its servers are not “free,” meaning we cannot know what happens on them. Therefore, I think it is legitimate to recommend that each person create their own server or, instead, use a community server rather than the servers offered by SimpleX.
Passed audits are a poor metric for assessing security. Failed audits are a decent metric to direct dev time.
Audits are great, but only if they are also done on the server side.
Not an indicator of anything malicious if the tech actively protects the user, which, in terms of content privacy, it does.
We can absolutely agree on this point, but we always need to know who is funding what in order to understand the context. For example, if it is funded by a government, we can deduce that it is not positive, right?
Nope, there are two vendors, runonflux and Akamai. Not saying that’s enough for a decentralized system, but I’m not a fan of factual inaccuracies. SimpleX handles Tor with much higher grace than Telegram, which requires buying a burner, a pre-paid SIM, and a lot of careful OPSEC to not deanonymize your TG acc.
We all know that SimpleX guarantees privacy much more than Telegram does. Since you mention that you don’t like inaccuracies, I must say that SimpleX does not use Tor by default.
That’s hilarious. Default metadata-privacy of SimpleX should be criticized but these morons are not that nuanced in their assessments.
SimpleX absolutely deserves flak for a) how it up-sells its lack of identifiers when in reality it means it doesn’t add additional identifiers, and b) that it does f*** all about protecting the user’s IP-address like Tor-based messengers like Cwtch or Ricochet do. For more on that I’d refer readers to this thread: SimpleX vs. Cwtch, who is right?
But the article OP shared isn’t the critique SimpleX deserves. It reads as way too far-reaching speculation without proposals for a proper solution (Signal, or Cwtch depending on threat model), promoted on Telegram, which is extremely likely an FSB/SVR honeypot, or at the very least a ridiculously lucrative target for them to hack to read all those unencrypted group chats.
What about the Privacy Not A Crime platform?
This post from under three weeks ago: Telegram: View @PrivacyNotACrime praises Telegram and Durov’s commitment to protect users, ignoring the lack of E2EE, ignoring Durov’s background in the Russian disinformation unit during his service in the army, ignoring Durov’s claimed exile being absolute horse shit: Pavel Durov Has Visited Russia More Than 50 Times Since His “Exile” in 2014
Given how universally disliked Telegram is in the actual privacy bubble with professional cryptographers like Matt Green, Schneier, djb, JPA, and major non-profits like ACLU, EFF, and all the other researchers and activists, the post reads like propaganda, which completely undermines the channel’s legitimacy.
All applications that claim to protect user privacy should be scrutinized, without exception, in order to promote proper development and alleviate community concerns. No messaging application is perfect, and criticism is always positive when it comes to privacy.
Telegram is far from being a honeypot, given that it claims to disclose users’ personal data if the authorities present a valid court order. I don’t know of any honeypot that responds to requests from authorities (note the irony).
Seriously, though, Telegram has removed thousands of Russian news channels, as well as groups that support Russia, which contradicts the claim that the Russian government is behind Telegram (a claim you make only because the app’s creator, Pavel Durov, is a Russian citizen).
Regarding the statement made by the Telegram channel PrivacyNotACrime (see Telegram: View @PrivacyNotACrime ), I must say that it is partially correct. Telegram was originally created as a refuge for users concerned about their privacy, and this application responds correctly by protecting user data from authoritarian governments. That cannot be disputed. However, things have changed, and Telegram has begun to be used by many cybercriminals to commit criminal activities (extortion, scams, fraud, pornography, malware distribution, phishing, etc.).
As a result, governments began to get angry and arrested Durov, demanding that he hand over users’ personal data (phone numbers and IP addresses) when presented with a valid court order. They were really pressuring Durov to stop ignoring (valid) requests from authorities. He had no way out, because the next step would be to leave the European markets, and that measure would leave him with no choice but to shut down Telegram in a few years, given that the application was not sustainable.
In summary: This article does not appear to be intended to promote Telegram or discredit SimpleX. It simply warns that, for security reasons, users should not use SimpleX’s default servers and should use community servers instead. It also recommends using Matrix as an alternative, a free and open-source application that has been proven to guarantee the anonymity of all conversations.
Finally: After reviewing the Telegram channel Privacy Not A Crime 🗽 – Telegram , it appears to be a legitimate channel. I have taken the time to review most of its posts and must say that it only provides useful information. I have not seen anything that is “rubbish,” so I recommend it as a reliable source of information.
At least WhatsApp does opportunistic E2EE on all of its content. Hard to say whether it’s trustworthy when proprietary SW is hard to inspect. Telegram doesn’t get a free pass with its ridiculously bad opt-in E2EE implementation that trails hundreds of miles behind Signal in terms of its security.
Yeah obviously. Telegram and SimpleX both have access to metadata. Telegram collects much, much more, including with whom you enable E2EE. The only thing in favor of Telegram is, it doesn’t claim to protect metadata. SimpleX claims to have zero identifiers but by default, it doesn’t do anything about masking the user’s IP address from the server.
Nope, sorry. The server is code not run by you, run on a device not owned by you. The client rarely if ever validates what the server runs. The only thing that can do that is stuff like remote attestation via proprietary tech like Intel’s SGX.
The bottom line is this. When the client is verifiably doing what it’s supposed to against its threat model, that is:
Content protection:
E2EE against passive snooping and
Public key fingerprints against active MITM
Metadata protection
Tor to mask IP, geolocation
Traffic Flow Confidentiality to mask quantity/schedule
There’s very little to nothing the server can infer. For high end security you get rid of (de)centralized server and switch to P2P architecture to hide social graph like how many peers does this identifier have. But when possible, it’s the job of the client to protect against the server in any and every way it can.
The funding isn’t indicative of anything in a trustless system. It doesn’t matter even if it would be the head of the NSA that’s funding Signal. Money doesn’t magically turn into underhanded code. Even in banana dictatorships where part of the intelligence establishment obfuscation is to confuse each party about the end goals by supporting each side. Of course if it comes with strings attached it’s a bit different, but proper E2EE apps are written from an ideological standpoint.
Yeah I know that full well, I’ve expressed that criticism in the SimpleX vs Cwtch thread extremely clearly.
They have zero excuses not to end-to-end encrypt every 1:1 chat across all devices, and every reasonably large group, say 1000 members. Signal can do it, so can Telegram.
It’s not about complying with the law. It’s about how easy it is for the company to hand out everything when they comply with the law. Signal also complies with every single court order, yielding 100% of the data they have of the user, which is
Doesn’t change the fact it’s not E2EE and is amassing all groups’ communications making them easy to access via backdoor or by hacking the server.
which contradicts the claim that the Russian government is behind Telegram (a claim you make only because the app’s creator, Pavel Durov, is a Russian citizen).
I don’t have definitive proof of Telegram’s affiliation with the government. The way Russian intelligence works is there’s never a paper trail about these things. Even when there is a paper trail, they use old school typewriters, you can’t hack what isn’t digital: Kremlin security agency to buy typewriters 'to avoid leaks' - BBC News
But anyone wishing to protect their users comms against Russian hacking teams like
would understand the importance of E2EE against this, especially given that you already know about the feature, which TG does. Instead TG deployed E2EE just enough to allow the useful fools https://tsf.telegram.org/ it has weaponized (or that it’s using as plausible deniability to hide the Russian troll army shilling it), who can then use it as an argument in online debates.
Russia is a mafia state, where you rise at the grace of the leader who is a God. And when you’re in, you’re never out.
Durov isn’t a bastion of privacy. He built his wealth by building a copy-cat Facebook that spies on its users, earning the nickname Mark Zuckerberg of Russia. That was bad even before the state stole the company from him. But social media has been in decline for over a decade now, instant messaging social media is stealing the focus, and Durov knows this. Telegram is built on that blood money, and it’s just another social media that looks like a messaging app.
Funny how it has a privacy focus from start, yet 12 years later it still lacks by-default E2EE. I gave them the benefit of the doubt back in 2013, but it didn’t take too long before the endless list of issues with Telegram’s encryption started floating, such as
And after a few years it was clear Telegram had zero intention of delivering on its security promises.
The CSAM problem of TG was allowed to fester for over a decade, which allowed TG to collect kompromat on which of their users were into that horrible shit.
One must wonder if he then thought his “move fast, yolo security“ was the right choice. Had he deployed ubiquitous E2EE he wouldn’t have been in that mess. But it’s good that they’re now forced to handle the CSAM problem.
The fact it isn’t extremely critical of Telegram and all of its insane problems, poor cryptographic protocol history, continued lack of ubiquitous E2EE, lies about exile, ties to Russian propaganda units is clear enough indication it’s either incompetent or malicious.
Which is bad advice. The way to ensure metadata privacy is to switch to Tor immediately after installation. There’s a way to harden your setup, but since that doesn’t extend to your peers, it’s not ideal design. Tor-only messengers are much better since it’s auto-configured to never route traffic outside Tor.
TG OTOH cannot be made secure for its groups because the SW fundamentally lacks the server-side key exchange infrastructure.
Ok, you have absolutely no idea what anonymity means. Matrix does not mask your IP or geolocation by default. It’s not anonymous. It can be used in such a way when carefully configured, but saying “it has been proved to guarantee anonymity of all conversations” is an insane stretch. There are no guarantees for anonymity in the first place, since even Tor, the king of anonymity solutions according to GCHQ/NSA, is vulnerable to traffic confirmation attacks.
Also, a broken clock doesn’t get a free pass when it’s right twice a day. The channel’s authors clearly lack competence when they upsell Telegram and ignore all these issues.
I have not seen anything that is “rubbish,”
The rationale it sells Telegram is that rubbish and that alone is enough.
You joining the forum 20 hours ago to throw a single random lazy video essay by Wingårdh, and then immediately moving to defend this post calls into question your affiliation and motives. This reeks of damage control.
I will respond to you again as objectively as possible:
About E2EE, it’s true that Telegram doesn’t have it by default in all chats (only in “secret chats”), and that’s a weakness compared to Signal, which applies it everywhere. But Telegram prioritizes features such as massive groups (up to 200,000 members) and cloud synchronization, which complicate universal E2EE without compromising usability. Signal is great for extreme privacy, but Telegram doesn’t claim to be just a secure messenger; it’s more of a hybrid social network. Furthermore, its implementation in secret chats uses MTProto 2.0, which has been audited and improved since 2013.
About metadata, yes, Telegram collects more than Signal (IP, device, timestamps, username history), but it is not disproportionately “much, much more.” Its privacy policy (updated in 2024 after Durov’s arrest) states that it only stores this information temporarily (up to 12 months) and only shares it with valid court orders for serious crimes. Signal delivers the minimum (log timestamps and last connection), but Telegram does not store non-secret chat content on servers in an accessible form without a key. SimpleX is better at anonymity by default, but as you say, it does not mask IP without Tor. No app is perfect, it depends on the threat model.
You say that funding doesn’t matter in trustless systems, but then you imply that Telegram is a Russian honeypot created by Durov. That’s contradictory. There is no definitive evidence of ties to the Kremlin; Durov fled Russia in 2014 after refusing to hand over VK data, and his arrest in France in 2024 for not cooperating with moderation shows that he resists government pressure, not that he is a puppet. Russia blocked him in 2018, and he has publicly criticized Putin. Telegram has deleted pro-Russian and anti-Ukrainian channels alike, not just Russian ones.
Signal delivers the bare minimum, yes, but so does Telegram, only metadata for suspected terrorists or CSAM, as it updated its policy in 2024. In other words, it doesn’t “give everything away” because it doesn’t have access to E2EE content. If it were a honeypot, why block Russian propaganda channels? And the CSAM problem is serious on any large platform. Telegram ignored it too much, but after the arrest, they have improved the moderation of groups and channels.
To conclude, I must say that the links you provide are from 2014-2023, and Telegram has made many patches since then. It is not “insecure by design.” Granted, it is not encrypted by default, but it is not backdoored. Compared to WhatsApp (which is completely proprietary), Telegram is more transparent, so I don’t understand why you mention WhatsApp and its fake encryption.
Recommending community servers on SimpleX is not “bad advice”; it reduces dependence on central servers. Matrix does not “guarantee anonymity” by default (it needs configuration), but it is open-source and federated, which is better than Telegram.
Telegram isn’t perfect or the “gold standard,” but it’s also not a Russian decoy or “junk.” It’s useful for following celebrities, presidents, news channels, etc. If your threat model is high, use Signal or Cwtch. But accusations without solid evidence sound like paranoia. I’m not a Russian citizen, nor do I support Russia or Telegram. I just felt that someone had to respond in a more fair and objective manner.
PS: I’m not here to “control damage,” I’m just a user who sees the value of Telegram and wants to balance the discussion.
You’re in a privacy focused forum, three guesses if anyone here cares about massive groups when even groups of three can not have E2EE in Telegram.
cloud synchronization, which complicate universal E2EE without compromising usability
Cloud synchronization refers to syncing the group chat in my desktop client with my phone client. This is what Signal does trivially, with group sizes up to 1000 members. Just because Telegram developers are incompetent doesn’t mean it can’t be done.
It’s still using AES-IGE. It’s still not post-quantum. It’s still meaningless if the encryption happens between you and the eavesdropper, i.e. the service provider. Doing damage control over incremental improvements in the protocol when the massive underlying issues have remained unaddressed for over a decade, is silly and revealing.
It’s collecting literally everything there is to collect. Who said, what, to whom, when, and it has your phone number and IP address. It knows the group members, who read the message, when. It hoards all that data to its servers. It knows with whom you enable E2EE, when you talk to that person using the secret chat, and how long the messages are.
Yeah if it’s an FSB front I’m sure Russian intelligence is really, really interested in following a policy. Same goes if said intelligence establishment exfiltrates data from the server.
Meaningless. That’s not the concern here at all.
but Telegram does not store non-secret chat content on servers in an accessible form without a key
I think what you’re referring to, is the Telegram’s infamous “we store keys distributed under multiple jurisdictions“ which I’ve debunked in extreme detail here https://security.stackexchange.com/a/238610 five years ago.
No app is perfect, it depends on the threat model.
The way this actually works is, you divide messaging systems into buckets depending on their fundamental architecture. And based on that architecture alone, you determine what kind of security properties it can have, and what it can’t have. Also, that architectural limitation defines what kind of features the system can and can’t have.
Telegram sits in a bucket called native client talking to a centralized server (i.e. star topology), running on networked TCB. The relevant properties are
The hardware remains connected to the Internet the majority of the time
The keys and plaintexts sit on the device.
The features you get with this are some of the broadest, the security you get is the narrowest.
But inside the buckets sits a bunch of other apps, and Signal is among those. The difference between Telegram and Signal is the cryptographic innovation, what the protocol can do. Signal is the trailblazer, Telegram does fuck all, focusing on damage control by useful fools, like you and your posts.
So saying no app is perfect misses the point. Obviously no app is perfect as none can guarantee endpoint security. That’s where the buckets with varying levels of routing and hardware isolation come into play, from decentralized to p2p architecture, onion routing, and from HSMs to airgaps to split TCB architecture for endpoint security.
But the nirvana fallacy is just rhetorical tactics on your behalf. It’s enough the app is as good as it can be, and Signal sits at the top of its bucket (Telegram at the bottom).
Telegram is not a trustless system. It’s not end-to-end encrypted by default, and never end-to-end encrypted for desktop chats or group chats. It matters a LOT who’s running the server that has access to all my group chats. With Signal, I don’t care if it’s Keith Alexander himself, the native client on my phone protects the content before it hits Alexander’s server rack.
There doesn’t need to be. Kremlin can hack the server all the same.
And yet he returned to Russia over 50 times. That’s once every 2.4 months. Hell, I don’t see my friends that often. He’s not actually running for his life from Putin.
He was arrested for not addressing the child porn infestation that plagued his social media platform for a decade. You know, the platform that was never end-to-end encrypted and that he had full access to scan.
If he’s such a dissident, why isn’t he locking himself and Russian state hackers from Telegram users’ data? Literally ALL other vendors marketing their messaging apps as encrypted do that.
The distinction is, Telegram has access to everything. Not complying with court order with everything requested is considered obstruction of justice. That’s completely different from Signal that’s giving everything it has, which is basically nothing.
I asked fellow computer science students if they use TG secret chats. Out of 109 votes, 11% said yes, 38% said no, 39% said they didn’t even know what it was, 12% said show me the results. Now, these are students who study computer privacy, security and cryptography as part of their degree. If 89% of Telegram users in this field use secret chats, how do you think a bunch of humanists will do? Telegram isn’t releasing statistics, but I suspect the percentage of their claimed 800M users using secret chats is <0.05%.
Why so little? The 1:1 secret chats cannot be continued on desktop, so eventually you’ll just stop using them, because either you or your peer just can’t be arsed with unlocking the phone for every single reply.
This is an ingenious backdoor. Telegram remains end-to-end encrypted on paper and in BS internet posts like yours, but in practice it’s never there. It’s like the new running shoes you bought. One day you’ll use them. But that day never comes.
Also 0% of Telegram’s group chats between fellow dissidents etc. are end-to-end encrypted. And if you try to establish an E2EE conversation with each member of the group, Telegram will be able to observe the metadata of when you talk to each other, and that’s very interesting information in and of itself. Metadata is enough to make kill decisions: Ex-NSA Chief: 'We Kill People Based on Metadata' - ABC News
How else do you think Telegram is going to inspire confidence? It’s not about the propaganda channels, you can always spin up new ones. It’s about misleading people into trusting the platform so that you can spy on their conversations to single out dissidents. Then you can build parallel constructions to hide the fact you used Telegram to find the initial clue, and arrest or black bag them.
This comes up every time I bring them up. “The cryptographic papers are too old for them to matter.” The reason the papers exist in the first place is because Durov hired his nepo-bro Nikolai, with no credentials in cryptography, to YOLO in his idea of a secure protocol. This problem persists. Telegram has no cryptographers working on improving the protocol. With Signal you don’t have to go a month back to see they pushed the boundaries of secure messaging protocol design with sparse post-quantum ratchets: Signal >> Blog
The improvements do not matter because the end-to-end encryption is again, not there. Telegram leaks all group messages to the server. It doesn’t matter if they dumped SHA-1 in favor of SHA-256. That’s a single library call change, when Telegram requires a complete protocol overhaul to be safe.
If Signal had a backdoor, it would allow the service provider to read messages.
Telegram isn’t E2EE, so the service provider can read messages.
Same thing. You playing word games is really, really revealing. Telegram is not backdoored, it’s front-doored. But since people like you give the impression Telegram is very privacy-focused, people who don’t know any better can’t tell what lack of E2EE means. Telegram advertises itself as heavily encrypted, and the docs say it’s using MTProto everywhere, and that its E2EE is called MTProto, so a reasonable man would say “that means everything is E2EE”, but the reality is, Telegram calls both the secure and the insecure protocol MTProto. That’s so beyond irresponsible it’s aching on active malice.
so I don’t understand why you mention WhatsApp and its fake encryption.
WhatsApp’s encryption has a backdoor with 0.1% probability. Telegram’s encryption is verifiably missing. I’m all for transparency and if Telegram said on its front page “WE CAN READ EVERY GROUP MESSAGE YOU SEND”, I’d have zero issues pointing to that. But instead it says “Heavily Encrypted”. What do you think people think that means; client-server encryption, or end-to-end encryption? Telegram’s transparency is non-existent. Practically all of my friends have been absolutely flabbergasted when I’ve told them WhatsApp is actually more secure than Telegram. Telegram has been up in arms about WhatsApp since Durov’s age-old posts, but the reality is, WA has at most an equal probability of your messages being read by the service provider. With Telegram it’s 100%.
Which is a non-issue. You want content and metadata privacy from server. One you do with E2EE, one you do with Tor. Since SimpleX jumps to SimpleX servers running as Onion Services when you enable Tor, it doesn’t matter who runs the server when the server can’t tell who’s connecting to it and what’s being said.
Not even configuring Tor for Matrix guarantees anything. But yes, Element over Matrix is better than Telegram as it doesn’t require a phone number, can route via Tor, and is nowadays properly E2EE.
Telegram is so bad recommending it here should be forbidden.
It doesn’t matter if it is. Its servers are one chain of zero-day exploits away from leaking 800M users’ private life to Russian intelligence. I ask you to acknowledge this in your response.
There’s zero evidence to show Durov is a bastion of freedom fighting. Every single other vendor of private messaging has deployed ubiquitous E2EE. All I’ve seen over the past decade is people like you defending that terrible mistake. Why are you not against Durov compromising the users’ privacy? Who the F has time to defend random tech bros and their shitty apps? Your behavior only pours into the paranoia.
Yeah for a random fanboy who registers conveniently right after my post, you sure have every single damage control argument I’ve seen over the past decade on Reddit, nailed.
This seems like a battle to see who is more right. There’s no need for that, friends. We all know that WhatsApp and Telegram are crap and don’t respect user privacy (and never have). There’s no reason to argue about this.
You insist that I am a defender of Telegram, and that is not true. I agree with almost everything you say, but the topic of conversation has strayed.
We’re not here to discuss which messaging app is better or worse. I’m not against Signal or SimpleX, on the contrary, I recommend them. I’m just saying that every app is different. Telegram is definitely not focused on security or privacy, but that’s not the problem because, as I mentioned, Telegram’s novelty lies in its features, its groups, its channels, and the possibility of doing a lot of things that aren’t possible on WhatsApp, at least not yet.
I don’t recommend using Telegram if what you’re looking for is a little security and privacy. Is that what you wanted to hear? I’m not a fanatic about anything or anyone.
Telegram isn’t “full of features”. It has one feature, 1:1 chats on mobile with your buddies, provided everyone uses the secret chat, all the time. Everything else is basically spyware, because it boils down to this:
THE USERS ARE NOT MAKING AN INFORMED DECISION ABOUT SHARING THEIR MESSAGES WITH TELEGRAM.
They are not aware Telegram’s “Heavily Encrypted” means the exact same encryption model as Facebook Messenger: opt-in E2EE, everything else leaks to a person titled “The Mark Zuckerberg of something”. Average Joe reasons with what they hear on the news and repeated on social media: “Facebook bad, Telegram say Facebook and WhatsApp bad, therefore Telegram better”, they don’t say “Hmm ok no double ratchet i.e. break-in key recovery, no PQ-security, no ubiquitous E2EE, world renowned professional cryptographers agree TG sucks, hmm…”.
Ok so in other words, it doesn’t offer even a little security or privacy. Why are you bothering to register an account to come and defend it on privacyguides.net? If you’re so balanced in your reasoning, why are you not condemning the threat model communicated so poorly it’s basically lying by omission? Why are you disregarding my ask to acknowledge the massive risk a data breach at Telegram’s server farms, hoarding tens of billions of messages, would have? Why isn’t, at this point I’m going to assume, your Telegram group, being openly critical about Telegram to communicate its threat model with the nuance you seem to agree it needs?
There is another important question: if a SimpleX server goes offline, what happens to the connections established over that server?
Can they be moved to a new server or do they need to be reestablished?
That’s a good question. If the server remains disconnected, the application will choose another one. This is the behavior I have observed. However, I cannot comment on privacy issues in this case.