Comment by godelski
2 years ago
This is fantastic! I also love that there is the QR code generator. It'll make connecting easier.
I hope moving forward we can have multiple usernames and profiles. This would greatly increase privacy since we may have different identities in different social groups. Even on HN a lot of us have multiple personas. I find one of the big challenges is actually handling these different identities as most software only assumes you have one. Though it seems to be common on social media like twitter or instagram. But bitwarden still doesn't know how to differentiate microsoft logins lol
Edit: I'd love in the future to also see things like self destructing or one time links. I don't think these should be hard to implement, especially if one can have multiple usernames. Certainly a limit like 3 would be fine with the numbers, right? Personally I wouldn't be upset if multiple names became a premium feature but I'd strongly prefer if it wasn't. I get that signal still needs money (https://news.ycombinator.com/item?id=39446053)
> But bitwarden still doesn't know how to differentiate microsoft logins
To be fair to Bitwarden even Microsoft doesn't know how to differentiate between multiple Microsoft logins. As of at least a year ago, you can technically have different logins with the same username/email identifier, and different login prompts will behave differently.
Also nice to mention that some of those are connected and some are not. For example I have a personal account (that I did not create but appeared magically at some point; it behaves as totally separate), a work account (main work tenant) and three guest work tenants that share the password, but don't share the 2fa. For some apps you choose the tenant, but not for all.
Oh yeah it was more a joke than anything. Microsoft is just creating such a shitty environment. I can be logging in from my company portal where they know the identifier yet I still have to add @company.com. I mean I got one for my job, for my university, for conferences (CMT), and I swear I'm forgetting 30 others that I only use once in a blue moon.
They also are real shady with yubikeys. You can't set them as default but you can set "security key." So the process ends up being it assuming you want to use Hello (which breaks my Outlook... wtf), clicking use another device, security key, clicking next, then finally typing in your credentials. The next part makes me real suspicious since all the other dialogues go to the next page without clicking next. Why just this page? It's some weird dark pattern bs.
I'd call it malicious, but I think maliciousness requires intent. A chicken running around with its head cut off isn't really malicious if it runs into you.
You can use these “features” to hijack accounts too ;)
I’d call them bugs, but they’ve been reported and didn’t get fixed.
Indeed, with an incoming Teams meeting invite, it should be determinable from the sender's context which account should work on the meeting. Instead there are 2 minutes of waiting, and what seems like pot luck with the account.
Telegram has had all of these features for a while… too bad it isn't as secure as signal or it'd be perfect, since it's also written in a real GUI toolkit and present in distribution repositories.
I do wonder how telegram and signal are planning to finance it long term. Telegram is adding absurd paid features like exclusive animations, which won't earn nearly enough to cover the costs.
I wonder where signal is about keeping the servers up, since they hate federation so much.
Telegram and Signal solve very different types of privacy issues.
Telegram is good, as you mention, to be relatively private in groups/chats/channels without a need to expose either your phone or even a nickname (unless you live in autocratic countries — will come to this later).
But it comes with costs. First, their p2p communication is not e2e encrypted by default. Not to say that all comments/group chats are not encrypted too, unlike let’s say WA.
Second, Telegram API. It gives too much information. You can do a lot with it: read history, track changes of usernames, etc. For example, it is quite easy to obtain an internal user ID and there are black market services and databases where they promise to connect that ID with phone number if that account ever had privacy settings switched off in the past.
It is claimed that they kind of scrape all accounts and pair IDs for those where privacy settings are set poorly. Even if you change it later — your internal ID and that scrape will stay forever.
Third, Telegram was funded by the Russian government since Durov had issues with the SEC. He raised money from different Russian state-owned banks like VTB, issued bonds which are traded on the Saint-Petersburg stock exchange, and even took some money directly from the Russian government through a Qatar proxy-company. Not to say, that there are cases when TG was involved in criminal charges against people (the most famous one is the story with the Ryanair plane being forced to land in Minsk to arrest Lukashenko’s critic) and it was never directly addressed and explained by the company how exactly those people were caught and how the company protects against “SIM card replacement” cases (Signal at least informs me every time my peer logged in to a new device).
Selecting between Signal with AFAIK no known cases of charges in dictatorship countries like Russia, funded by non-profitable charity, and TG without default e2e encryption, public API and Russian-state funding, is quite obvious for me.
It was also banned and blocked in Russia for several years. It was only unbanned when they agreed to cooperate with security services.
https://en.wikipedia.org/wiki/Blocking_of_Telegram_in_Russia
I didn't know a lot of this. I thought Telegram was mostly funded through Durov's Bitcoin and VK money? It feels strange that he'd be so "in bed" with the Russian govt when the whole reason he left was because of his staunch opposition to taking down Navalny's VK page. But I haven't done extensive reading on this.
Dictatorship exists in various forms. Russia has democracy, though in bad shape. There are various flavours of democracy. But what about total dictatorship in China, which has no opposition, and many countries with theocratic monarchy?
Don’t worry, telegram is now gatekeeping certain privacy settings behind the premium subscription like it’s 2003.
They also make it difficult to hide your pseudo identity from your phone contacts. I’ve had all the “discover contacts” settings turned off, and simply reinstalling the app caused people to be given my username without my consent. Settings somehow magically switched themselves back on and I couldn’t turn them off until after the damage was done.
There was no confirmation prompt. Pretty sure this happened to me more than once.
Please don’t ever compare Telegram with Signal.
i've been using Telegram on and off since 2015 or so, and i've never shared my contacts. never! re-installing Telegram has never changed that setting.
The real problem with cellphones is that a lot of privacy-threatening issues are literally one fat finger away. And clearly, that's a feature, not a bug. That's why I prefer to work and message on my laptop anyway.
but again, Telegram has been, in many practical ways, much more privacy-oriented than all the other messengers, exactly because you don't have to share your phone number to participate in groups and chats.
> telegram is now gatekeeping certain privacy settings behind the premium subscription
Such as?
Come on, Signal until today had no way to keep the phone number private. Which is the topic here.
I don't get why people who are so paranoid about someone associating their Telegram handle with their phone number simply don't go and grab a burner SIM at Tesco.
I mean I'm all down with the idea of tech companies respecting our privacy. But here we are, complaining that corporations that are at least trying (and that are operating at a loss since their conception for our convenience) aren't giving us "Snowden hiding in Russia" level of security out of the box, for free, just because we deserve it. All while we could easily implement it ourselves for like $8 and with no online trace whatsoever.
It's like, Tails Linux exists, but FUCK GOOGLE for forcing me to Ctrl+Shift+Delete in Chrome if I want to erase a cookie. I'm so significant and certainly not a criminal, why do they hate me so much??
Telegram isn't a messaging service. It's a social network with a messenger UI. Quite ingenious, if you'd ask me, but a social network and a private messenger can't really be reconciled into a single product.
What would you classify Signal as, with its stickers, cryptocurrency (MobileCoin), etc.?
You're in luck because Signal had a whole blog post about long term financing a couple months ago.
https://signal.org/blog/signal-is-expensive/
Good reminder that I need to make a new donation.
Why do you say that Telegram isn't as secure as signal?
I’m not who you replied to, but I agree with his sentiment about signal being superior to telegram in terms of security (or more specifically, privacy).
For me, there’s two big reasons for this:
Signal chats are E2E at all times, while Telegram is only E2E when you explicitly create a “secret chat” with whoever you’re conversing with. I don’t fault Telegram too much for this, because they still provide the option to use E2E for everything, but Signal gets brownie points in my book because they just do it by default without getting in the way of the User.
Secondly, as far as I know, Telegram uses their own in house encryption techniques as opposed to industry standards. I am not at all knowledgeable about encryption or cryptography— I only know what’s required of me in my job (basically the bare minimum), and so I don’t actually know whether this is anything of serious concern. It could very well be that Telegram’s encryption techniques are just as effective as the established norms, but I do see the general consensus trending towards “roll your own encryption = bad, use established norms = good”, which is primarily what I am basing my opinion on here.
To further detract from my own point, it actually seems like Telegram might be using “established norms” for encryption nowadays anyways [1], although I couldn’t really tell from the brief description I read on Wikipedia.
Overall, I think Telegram is perceived as being less secure than Signal primarily because of the reputation Telegram has for implementing their own in house encryption techniques, even if they don’t use those techniques anymore— their name has become associated with their known history of using ad hoc encryption.
[1]: https://en.m.wikipedia.org/wiki/Telegram_(software)#Architec...
Chats are not e2e encrypted by default, they are just encrypted in transit. However this allows chats to be synced across many devices, so it is very very convenient.
Telegram has e2e encrypted chats but only on mobile and not on desktop for some reason.
Matrix might interest you, but it doesn't solve telephone numbers (I think)
I don't want to be too dismissive of Matrix, but I also see these types of comments as understanding what problem Signal is actually addressing: security for the masses. There's no way I'm getting my grandma on Matrix and you're delusional if you think she can set up a server. But it isn't hard to get my grandma on Signal and that's a much better security feature than federation or even not having phone numbers. If I want extreme security, you're right that there are better tools. But my threat model isn't trying to avoid nation state actors, it's mostly about avoiding mass surveillance, surveillance capitalism, and probably most importantly: sending a message to the gov to fuck off with all this spying. At the end of the day, there's no other app that's even close to fulfilling those needs.
I didn't realize my comment rose to the top. When I had written this I had also written this comment[0] which was the grandchild of the top comment at the time. It has a bit more details on my thoughts/reservations of federation. tldr is mostly about avoiding centralization. This remains an open problem and I think it is far too easily dismissed. But federation isn't solving the problems people want it to if it's federated like email and web browsers. That's just mostly centralization with all the headaches of federation.
And to anyone complaining about lack of federation, what's stopping you from running your own Signal server? Sure, it won't connect to the official channel, but is that a roadblock? Even Matrix started with one server. This is a serious question, is there something preventing this? Because if the major problem with Signal is lack of federation, I don't see why this is not solvable building off of Signal and not needing to create a completely different program. Who knows, if it becomes successful why wouldn't Signal allow a bridge or why can't apps like Molly allow access to both the official and federated networks?
[0] https://news.ycombinator.com/item?id=39446183
Oh, I agree completely with everything in the top paragraph, and I certainly have seen a natural trend towards central nodes/relays in all the federated networks I can think of. I think the appeal is that for the average user it's about as good security as anything else available, and it has the option to work off the centralized network.
> There's no way I'm getting my grandma on Matrix
Why? Have you tried?