So I’m in a somewhat unfortunate situation. My circle of friends doesn’t want to switch to another messenger and we are currently stuck on the worst possible platform for security: Telegram.

The problem is that it is very hard to convince anyone to switch, if they are all perfectly fine and like Telegram. I mean I can get why they like it: The UX and UI of Telegram are amazing and there are well functioning clients available for any platform. It has more features and gimmicks than any other messenger I know BUT it lacks one mayor thing: E2EE. And that’s mostly what I care about. The second problem is that I was the person who recommended the switch to Telegram right after WhatsApp was bought by Facebook. I know, that was a bad recommendation, but back then I didn’t know shit about privacy or why E2EE mattered. I was just like “Hey, it’s not by Facebook, so it must be better”. And now everyone I know is there and won’t leave.

If - in the hypothetical situation of me setting an ultimatum and deleting my Telegram after that - I wanted to make them switch somewhere else: What messenger would that be? Currently I’m mostly thinking Signal. I know it’s not perfect either, it is centralized, and the servers are in the US, but it has a bigger user base already than most of its competitors like Threema or Matrix/Element and it is very easy to set up and use. I’m already a user of Signal, Threema, Matrix, WhatsApp and Telegram (every platform for some contacts, but most of them on Telegram sadly), so having yet another option is not a problem for me, as well as getting rid of one is also no problem. I’d love to delete both Telegram and WhatsApp in this move.

So, in conclusion, what I need is a messenger that has all or most of the following:

  • best possible security (E2EE is minimum)
  • easy to use (no complicated setup, simple UI)
  • already has some users (not too niche)
  • cross-platform and multi-device (should run on Android, iOS and Windows/Web)
  • some flashy dumb features like stickers and so on to keep them entertained

My choice would be Signal. But I am unsure if that is the best choice or if I should just wait a bit and see what all of the new EU laws about messengers and gatekeepers bring to the game and if anything chances with that.

      • ArbiterXero@lemmy.world
        link
        fedilink
        arrow-up
        15
        ·
        1 year ago

        Is it?

        You can run and connect to your own signal server, separate from the world if you wanted to…

        Interoperability with other messengers Vs privacy are separate requirements and use cases.

        • jabberati@social.anoxinon.de
          link
          fedilink
          arrow-up
          5
          ·
          edit-2
          1 year ago

          @ArbiterXero Exactly, if you use any other provider other than the normal Signal server, you’re separate from the rest. You have no other choice to agree on all policy decisions (e.g. requirement for a phone number on registration) or loose all your contacts there. This is separate concern from privacy, but to protect against enshittification and the like, interoperability and compliance with internet standards is absolutely crucial. Let’s not promote the usage walled garden apps.

      • shortwavesurfer@monero.town
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I personally dont have much experience with XMPP. From what i understand you have to roll your own encryption or everything is plaintext. Matrix encrypts but has major UI/UX issues around key management that make it a PITA to use.

        • jabberati@social.anoxinon.de
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          @shortwavesurfer What do you mean by ‘you have to roll your own encryption’? The switcher for encryption looks like this, the default is set to OMEMO which is the XMPP implementation of the Signal encryption protocol.

          • shortwavesurfer@monero.town
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Isn’t there several options besides OMEMO? If everyone sticks with default that would be alright. If there are other options that could get complicated.

            • jabberati@social.anoxinon.de
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              @shortwavesurfer In my experience normal users never touch the defaults. My friends all use OMEMO when messaging me, especially since the OpenPGP option would require you to generate a public and private key yada yada…

              • shortwavesurfer@monero.town
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Isnt conversations an XMPP client? I feel like i have heard good things about it. My two big gripes with matrix is the key management and i cant auto delete conversations. I make wonderful use of signals “disappearing message” feature.

    • Dsklnsadog@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      Yeah but… Thet are not E2E encrypted by default. That shows how little they care about privacy.

      The worst thing about Telegram is the false sensation of security and privacy it gives to unaware people (most of them).

    • quaff@lemmy.ca
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      I never understood these arguments for Telegram. Sure, it does have more features. It’s not better in terms of usability and cross platform support though. I use Signal desktop everyday. It’s a great experience. Cross platform… The only platform Signal doesn’t support is Web. Which… if there are mobile apps and desktop apps. Web is an insecure redundant need IMO. For the argument that web is good for scenarios where you can’t install desktop apps: I would flip the question to… why would you give a platform you have 0 control, permission to access your secure & private messaging? It just comes down to threat modelling. Telegram is neither secure, nor private. It shouldn’t even be in the same conversation unless talking about FB Messenger, messaging on Instagram or DMing on Twitter/X.

        • quaff@lemmy.ca
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          1 year ago

          That’s not my experience. I use it on macOS. My messages are always synced. Super fast and runs smooth.

            • quaff@lemmy.ca
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              Most people I chat with on Signal uses desktop too, I’ve never heard complaints. Most of my contacts use it now. There were hiccups in the earlier months but now it’s smooth and works great.

              I use Telegram every now and then. It’s has some nice features. But it’s not secure. The reason the messages “sync” fast there… is because it’s all plain text and on the server. For everyone to read. This is an undisputable fact about Telegram. The nature of the large channels you mentioned requires this insecure mode of storing chat histories, so that everyone can access. Where as with Signal, everything is E2EE. Except a tiny bit of metadata. Telegram everything is unencrypted until you use secret chats. Again. Different threat models. You can’t really compare it to Signal. It’s more akin to FB messenger. Which is not secure. Or private.

              Messages being deleted for everyone is a pretty common feature across all the platforms now. I’m not sure what you’re getting at. Arguably, chat history being stored plain text is much more a privacy nightmare (it’s literally the reason people want E2EE) than anything else.

                • quaff@lemmy.ca
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  1 year ago

                  I’m getting at the fact that most platforms do stupid shit like “this message might not be deleted if the receiver already saw it” like WhatsApp does and/or replacing messages with placeholders saying “this message was deleted”. Telegram can be plain-text and can have a lot of issues but it guarantees that stuff is actually removed without trying to bullshit you like other do.

                  There’s absolutely 0 guarantee that what you’ve “deleted” is deleted. On any platform really. But what you can rely on is the fact that the E2EE is there to make sure things are only readable by whoever the messages were intended for (barring being hacked and compromised keys etc). The message can say whatever it wants, doesn’t mean a lot if you can’t trust the source. Again, we’re just talking about different threat models. With Telegram, it’s not meant for secure and private communication. It has a different audience. And to push Telegram as a private or secure communication, you’re actively doing the public a disservice.

                  If we assume that your privacy / security is broken (because it is) I might as well use the platform that provides the best desktop and mobile experience with fast syncs, ability to disable animations, have real desktop apps and not electron shit.

                  If you can’t trust even open source technology that you can review and build yourself. And trust renowned cryptographers reviews of this technology… then why are you in a privacy community telling people their experiences aren’t true to what they’re telling you?

            • Skeletonek@lemmy.zip
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              I really don’t know what you are talking about. I’m using it on Linux and it runs great. Comparing Signal to Discord, as both are electron apps, Discord is pure shit, Signal works really well. It takes a couple seconds to load but it’s still faster than Discord for me.

              I would prefer if it would use other cross-platform framework like Flutter or Qt, but you can’t have everything. It’s better to have electron app, than don’t havy any.

  • Dsklnsadog@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    28
    ·
    1 year ago

    The only answer for what you are looking is Signal (user base). The next thing would be Whatsapp, so … Signal… Just signal.

  • Zak@lemmy.world
    link
    fedilink
    arrow-up
    25
    ·
    1 year ago

    I want the answer to be Matrix. I think decentralization and federation are important to the future of internet services to avoid single points of failure, and Matrix seems to take E2EE seriously. So far, I’ve found Matrix to be slow and unreliable, with some of my private conversations having as many messages “unable to decrypt” as successfully delivered.

    So the answer isn’t Matrix yet, though I hope it will be in the future. The answer, as most comments have already said is Signal.

    • EngineerGaming@feddit.nl
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      For me, answer was XMPP. It does the same thing as Matrix, but is far easier to set up and is far less bloated.

  • TheFool@infosec.pub
    link
    fedilink
    arrow-up
    13
    ·
    1 year ago

    Easiest seems to me just enabling E2EE in telegram since it’s there. Asking to use secret chats seems easier than asking to switch plattforms

  • quaff@lemmy.ca
    link
    fedilink
    arrow-up
    12
    ·
    1 year ago

    FB Messenger and Instagram Messenger would be the worst for privacy… But Telegram is basically just FB Messenger with nicer UX features.

    There’s a couple of platforms that have better privacy and security (debatable) features than Signal, but Signal is more widely adopted amongst the E2EE Messengers.

  • Danileonis @lemmy.ml
    link
    fedilink
    arrow-up
    9
    ·
    edit-2
    1 year ago

    SimpleX Chat > Matrix > others

    Btw it’s very difficult to change something in the routine, many people have your same issue; where I live WhatsApp is a fucking authority…

  • Sha'ul@lemmy.ca
    link
    fedilink
    arrow-up
    8
    ·
    1 year ago

    I think the only choice is Signal for practical purposes. There is no creating accounts, no scanning ID’s, no invite link to chat. If they already know your number, there’s nothing they need for you to contct you on Signal.

    For people who I have their number, I will never ever acknowledge any other option than Signal because confused people don’t end up making any choice. Only if they talk about servers and networks, then I will teach them network security. I say SimpleX F-Droid is king of them all, but for random people, I only mention Signal/Molly.

    For the record, I will say that I am more willing to currently use Whatsapp than ever use Telegram. I can’t speak to the cool features with Telegram because I hate it too much to register my number with them.

      • Marc@feddit.deOP
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I know, but their server doesn’t. And since everyone uses it without the secret chats feature, they could read every message we exchange.

    • Marc@feddit.deOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I don’t think WhatsApp is a good option. Their clients are not Open Source, so it’s unknown if they really implement all the privacy features of the Signal client. Also, Facebook and WhatsApp are known to collect every single bit of Metadata they can get, it’s really bad. I wouldn’t touch it again, under any circumstances. I’m glad that nobody I know uses it, at least inside my circle of friends. Some still use it for outside connections or family members.

  • Hot Saucerman@lemmy.ml
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    1 year ago

    Actually, I don’t know why I had forgotten this already.

    Link: DEF CON 31 - The Internals of Veilid, a New Decentralized Application Framework - DilDog, Medus4

    Veilid. I watched this DEF CON presentation on it. I remember asking myself “How would this differ from Matrix and why do we need a competing standard?”

    But actually, after watching, I do realize that in certain ways it seems more elegant and decentralized than even Matrix. It’s really more focused for general application development, but that means chat can be developed on the framework.

    So maybe put this on your radar as well while it’s being developed. It certainly has jumped to my attention after watching this video.

    https://veilid.com/

  • ReversalHatchery@beehaw.org
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    Telegram is absolutely not the worst one. Those are whatsapp, facebook messenger, and viber. Telegram is not good, but I think it’s an acceptable compromise

      • ReversalHatchery@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        fb messenger has a hidden e2ee feature that probably nobody uses, like with telegram, that’s at most feature parity, not a pro compared to telegram. But then since fb apps are closed source and heavily obfuscated, you can’t check for messenger nor whatsapp whether it actually does what it says.

        That was about trust in the available encryption and how the app handles your messages. So far I fail to see how fb messenger is better than telegram.

        But that’s not the only relevant aspect in privacy. It’s also important what else the app is doing, and whether there are alternative clients if you don’t trust the official one. This is the reason why I won’t ever accept facebook solutions being described as private options. I’d be surprised if any of facebook’s apps wouldn’t be doing everything in their power to collect every kind of information the OS provides to it, while the telegram client is not exactly fixated on harvesting everything.
        Telegram has much less tracking components in the app, but if even that amount bothers you, telegram foss from f-droid is absolutely clean. You’ll never get anywhere near with facebook services.

        And then also don’t forget that whatsapp somehow regularly has vulnerabilities that allow arbitrary code execution on your phone by an attacker. I don’t remember the last time there was such a problem with telegram, but probably is was many years ago, if it all.

          • ReversalHatchery@beehaw.org
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            but Signal occasionally stops publishing their source code for months at a time,

            I did not tell about Signal. Never made them a good example.
            I believe their tech is cryptographically sound, but they are doing things with their app and the service too that I don’t like, to put it that way. I want to switch from telegram, but signal is not an option to me as a primary messenger for several reasons.

            so what messengers are even left at that point.

            Simplex, Matrix, Telegram. Or there’s Molly too, but it inherits some of the problems of Signal.

            WhatsApp and Telegram are harvesting the exact same information (phone number, IP address, location, and shitty metrics like “how often did you click the new chat button this week”).

            Are you sure whatsapp does not collect anything more than that? And if so, why?

            Unlike Telegram, WhatsApp doesn’t put ads into their product.

            I haven’t seen any ads so far, and I don’t pay for telegram. Yes there are channels that I follow.

            I don’t know where this idea comes from that the WhatsApp client is somehow uploading a copy of your entire phone to Facebook,

            That is obviously not possible without root access, unless someone snoops in a rootkit for your system through a specially cradted whatsapp voice call.

            WhatsApp is better than Telegram and many other messengers because it’s using good encryption.

            Hopefully they are doing that for every message, and hopefully they refrain from analyzing screen content or typing stats for “a better advertisement experience”.
            And last but not least, hopefully they are not bundling such components that inspect the app memory contents, and neither do allow other processes to do that through them, unlike signal does. (Alternative source: drew devault’s take on the same problem (too, but it also covers more)). Oh wait, it does make use of google play services… what a pity

            Telegram releases plenty of vulnerable software but they don’t seem to get much media attention.

            I call bullshit. That article is about the telegram proxy server, which is not even official Telegram software, it is made by a dude in their free time.
            So far that is one zero software released by telegram, definitely nowhere near plenty.
            Are there that many known vulnerabilities in the clients too?
            Maybe you’re right and I just haven’t heard of them, but then please point to CVEs or something that demonstrates them. And don’t come with the issues of MtProto 1.0, that was ages ago and irrelevant today.

            Whatsapp is only more private compared to facebook’s other, less secure messenger.

            Did facebook employees just raid lemmy or what the fuck is happening in this post?

              • ReversalHatchery@beehaw.org
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                Why are you sure that they are?

                Because it’s being developed by facebook, the company that does not fail to use any chance to mine you for your data.

                In the same vein: how do you know Simplex, Matrix, and Telegram don’t do the same thing? Have you audited their entire source code?

                Those apps are open source. Yes, I have looked into them on occasions. Telegram’s mobile app has problems, which are fixed by telegram foss.
                The official Matrix app has opt-in tracking, but whatever.
                I’m also quite sure that if they would be doing something actually shady in the background, it would be known at least in the privacy community.

                I see your next argument being “open source is actually less secure”

                Every time I open the app I get told to buy Telegram Premium or whatever it’s called. Probably because I don’t get channels so I don’t see any ads.

                That has never happened to me.

                If they would do something like that, that’d become international news and basically kill their platform.

                I fail to see how. facebook does not care about fines, and whatsapp users don’t care about privacy.

                Firebase is how you get notifications to a phone without draining the battery in the process.

                UnifiedPush, if your service cares about privacy. By the way, the Matrix app supports it.

                About as many as for WhatsApp: 0

                Highly doubt that. Since whatsapp has got e2ee, every year (2017, 2018, 2019, 2020) whatsapp has serious vulnerabilities, not in the encryption, worse: allowing arbitrary code to be executed on your phone by technically any other whatsapp user.
                From the nature of these vulnerabilities it seems very suspicious, as it’s always the worst kind of security breach (RCE), and when one gets fixed, somehow there’s other of the same kind the next time researches look for it. Oh and these vulnerabilities are always in components that are hosted by binary code, which is harder to reverse engineer even without obfuscation.

                Yes, they link your account to your Facebook account

                You admit that, then why do you claim it to be a private messaging service?

                but if you care about privacy you don’t have a Facebook account

                That does not matter. The point is that facebook is looking in your data, including who you know, and how frequently do you talk to them, but also how often and when are you online. If they can’t your it into a facebook account, who cares? They just make you a shadow profile, like it has been their tradition for many years.
                But also, almost everyone had a facebook account at one point in time.

                Earlier you asked why would they track you? Here I ask why wouldn’t they use all the tracking code they have already developed for the other facebook apps?

                Telegram […] is better than Signal at the very least

                Sorry, where did I say that? Probably I was unclear. Encryption wise signal is absolutely better, but all things considered the transparency of the client software and it being clean of programming libraries doing shady things is more important to me. What good is good encryption if it can be nullified? It would be ok if they would be working on it, but instead of that, as drew devault said, they are going to war to justify including google services, and that attitude does not help to trust them more.
                And as I said, there are also other problems, including that you can’t log in on multiple devices is a deal breaker for me, and that I have had telegram for many years, but for the better part of it I’m determined to not register to any more services with a phone number.

                even Meta gives you the courtesy of encrypting your messages

                How the fucking hell? Through the just as obscure option in messenger as in telegram to have an e2ee chat?
                Oh, no, you mean whatsapp, which still can’t be verified if it does not do anything with the cleartext messages before encryption, or after decryption on the other side. I see that you don’t trust telegram, and I agree that they have problems, but trusting facebook’s maybe-privacy that they will handle your data correctly when you have no way to check it is not better either. Who cares about e2ee when each of the ends cannot be trusted either. It is just privacy theater.

    • nIi7WJVZwktT4Ze@fost.hu
      link
      fedilink
      magyar
      arrow-up
      1
      ·
      1 year ago

      Do you have any info on Viber being a bad service privacy-wise? It’s a lesser-known messenger that prides itself on its privacy policy but I can’t find any info on it being the case or not.

      • ReversalHatchery@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Check this analysis from 3 days ago.
        7 different tracking components, from 4 different companies, including facebook.

        I don’t think it should pride itself on anything related to privacy.

        It also has quite a few hard to explain permissions.