Telegram claims that E2E encryption cannot be extended to group chats for backup reasons: to keep the highest level of security, messages from Secret Chats are not stored after delivery [5]. Hence, if a phone is lost, the content of Telegram's Secret Chats is lost. For the same reason such chats cannot be accessed from the web application. Signal handles this by allowing the server to keep an (encrypted) list of all current users and devices. Whenever a user starts using Signal on a new device, the chat history is synced from another of the user's devices [6]. Telegram keeps encrypted backups of users' chats if they are not E2E encrypted, and it does so responsibly (access to one server does not allow recovery of messages, cf.

Until last month, both Signal and Telegram were committed to being non-profit organizations, surviving on donations. This is good, as it implies that neither of them has a reason to monetize their users. However, Telegram recently announced that it will start generating revenue from advertisement in public one-to-many channels. The announcement explicitly committed to do it in a non-intrusive and ethical way, not to exploit users' data, and to keep current features free of charge. The need for a stable income stream is perfectly understandable (Telegram has way more users than Signal [9], thus needs more people to maintain the service). However, such a business model combined with the lower security guarantees of the app could more easily be turned against Telegram's users themselves. No infrastructure is in place to prevent Telegram from exploiting its potential access to messages that are not E2E encrypted to increase its revenue through, for example, targeted advertisement.

Further Remarks and Threema

What about anonymity?

Threema is a messaging app developed by a Swiss company, and it comes up often when discussing secure messaging in Switzerland. I did not include it in the discussion for two reasons: it is not free (requires a one-time payment of 3 $ [10]), while Signal and Telegram are, and has lower security guarantees than Signal (it does not guarantee forward secrecy when the server is corrupted, but only against external eavesdroppers). However, it guarantees higher anonymity than Signal, as Threema does not require a phone number or an email address to set it up (Signal requires a phone number). Threema also advertises that its servers are in Switzerland, so it does not fall under the CLOUD Act, which entitles US authorities to access data from US IT service providers (even if the data is not stored in the US). However, the data that Signal servers store (users' phone numbers and devices) or have access to (encrypted messages to be delivered) is encrypted. Thus, this is not a particularly strong point, as Signal could only hand over encrypted data to the US Government [11].

[5] This is good! However, as we will see when discussing the open sourceness of the projects, we have no way to verify what really happens on the server side. For this reason in our threat model we have to assume that both Signal and Telegram might be secretly backing up messages, even if in real life they are not.

[6] In fact, Signal does not store backups of users' chats on servers, but only locally on users' devices.

[9] Estimating users of an app is quite hard. One way to get insight is to check how many times the apps were downloaded. At the time of writing, Telegram has been downloaded 500M+ times from the Google Play Store, while Signal 50M+ times.

[10] This is a symbolic payment, as it is not enough to allow Threema to survive. Its business model relies on monthly/yearly subscriptions for some advanced features, such as Threema.Work, Threema.Broadcast, Threema.Gateway, and Threema.Education.

[11] Remember that we are still ignoring the quantum computer issue.