After I updated my WhatsApp status announcing that I’m switching over to Signal, quite a lot of my friends reached out to me asking why I chose Signal over Telegram. This blog sums up those reasons.
But, before we start, we need to make a few things clear to make sure we’re all on the same page.
What is client-side code?
Client-side code, or simply a client in the scope of this blog, is a piece of software that runs on the user’s device (your mobile or desktop, for example).
What is server-side code?
This is pretty much self-explanatory at this point: it is a piece of software that processes the messages sent by the client. This processing includes, among other tasks, forwarding the messages to the proper recipient and storing the message if the recipient is offline.
Software is said to be open source when the set of instructions that makes up that software is publicly available for everyone to read. This inspires trust, as software developers can view the code and verify what the software does to your data.
How Do Our Messages Get Passed Around Over The Internet
At a very broad level, when you send a message to your friend using an end-to-end encrypted messenger, the message/media is first encrypted locally on your device using an encryption key. This encrypted message is sent to your WiFi router (if you’re connected to one) which sends it to the Internet Service Provider (ISP) and it is then passed to the messaging server. From this point on, the message finds its way to the receiver’s device following the same path in reverse order.
The process is way more complicated, but for the purpose of simplicity this is what we’re going to assume.
The term has been tossed around a lot lately so, it’s important we make it clear what it actually means. End-To-End Encryption (E2EE) is a mechanism of modifying messages in such a way that only the communicating parties can read them. It prevents anyone in between from reading the messages including the local WiFi administrators, Internet Service Provider (ISP) and even the messaging service provider (Signal or Telegram, in this case). A message can only be decrypted using the decryption key that only the recipient has access to.
Although any data transferred over HTTPS is also encrypted, it is not considered E2EE because the data remains encrypted only between your device and the server. Therefore, the HTTPS data can be read by the messaging service provider. Know more about HTTPS and its working here.
With these terms in mind, let me explain why I chose Signal over Telegram.
The Default Settings
Privacy is above everything on my list and Telegram conversations are not End-To-End Encrypted by default. One may choose to start a “Secret Chat”, which is Telegram’s way of saying E2EE, but I do not expect non-privacy-aware users like our grandparents to click some additional buttons and tweak some settings to make the conversation more secure.
State Of The Open Source
Both Telegram and Signal have open-sourced their client-side code, but Signal has gone a step further and open-sourced their server-side code as well. This gives us insights into how the messages are handled once they arrive at the server.
One might argue that once the message is encrypted with a state-of-the-art encryption algorithm, it really doesn’t matter how it is processed, as it cannot be read by the server without the decryption key (discussed above). Yes, this argument holds its ground, but I’d still prefer an open-sourced server as it shows that the organization has a vested interest in their users’ privacy.
Double Ratchet Algorithm (DRA)
This one’s a little complicated but being a security enthusiast, I got a real kick out of this one. In essence, Signal’s encryption scheme focuses a lot on the derivation of the encryption key (discussed above) and on updating it regularly. This ensures that even if the keys of a client are somehow compromised, not all of its messages become readable to the attacker. In fact, in case of a hypothetical compromise, all the past messages will remain unaffected and only a few messages after the attack will become readable to the attacker.
To achieve this, a new key is shared between the two communicating parties after every set of round-trip messages. The old key is deleted from the device once all the messages encrypted using it are delivered and decrypted. Signal calls this process its Double Ratchet Algorithm (DRA).
This is in great contrast to Telegram’s MTProto 2.0, which assumes a safe key exchange and does not cover a self-healing mechanism for compromised keys in its threat model.
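The ratcheting described above, as an added example that is not from the original post or from Signal's code base: a Python sketch of a one-way key chain plus a Diffie-Hellman refresh, showing which message keys a copied device state does and does not expose. The toy DH group, the HMAC-SHA512 root derivation and all function names are assumptions made for illustration; Signal itself uses X25519 and HKDF.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # toy DH group standing in for X25519 (assumption; not for real use)

def kdf_chain(chain_key):
    """Symmetric ratchet step: one-way derivation of (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def dh_ratchet(root_key, my_private, their_public):
    """DH ratchet step: mix a fresh DH secret into the root key.
    Returns (new_root_key, new_chain_key). Simplified: HMAC-SHA512, not HKDF."""
    shared = pow(their_public, my_private, P).to_bytes(32, "big")
    out = hmac.new(root_key, shared, hashlib.sha512).digest()
    return out[:32], out[32:]

def keypair():
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)

def simulate_compromise():
    root = secrets.token_bytes(32)      # assumed to be agreed during session setup
    a_priv, _ = keypair()               # Alice's current ratchet key
    _, b_pub = keypair()                # Bob's current public ratchet key
    root, chain = dh_ratchet(root, a_priv, b_pub)

    past_keys = []
    for _ in range(3):                  # Alice sends messages 1-3
        chain, mk = kdf_chain(chain)
        past_keys.append(mk)            # used once, then deleted on a real device

    # The attacker copies Alice's whole state at this point.
    stolen_root, stolen_chain, stolen_priv = root, chain, a_priv

    chain, mk4 = kdf_chain(chain)       # message 4 stays on the stolen chain
    _, attacker_mk4 = kdf_chain(stolen_chain)

    # Alice's next DH ratchet uses a fresh key pair the attacker never saw.
    a2_priv, _ = keypair()
    root, chain = dh_ratchet(root, a2_priv, b_pub)
    _, mk5 = kdf_chain(chain)
    _, guess = dh_ratchet(stolen_root, stolen_priv, b_pub)  # best the attacker can do
    _, attacker_mk5 = kdf_chain(guess)

    return {
        "past_exposed": any(k in (attacker_mk4, attacker_mk5) for k in past_keys),
        "message4_exposed": attacker_mk4 == mk4,
        "message5_exposed": attacker_mk5 == mk5,
    }
```

Message 4 is exposed because it is derived from the copied chain key, while messages 1 to 3 are not recoverable from it and message 5 depends on a private key generated after the copy was taken.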
Sources Of Income
While Signal runs purely on donations, which protects it from any influence of powerful shareholders and their personal interests, Telegram’s co-founder, through a post on his public channel on Telegram, announced a two-fold plan on 23rd December, 2020 to get more income.
The first is to introduce premium features for paid customers. Most of the features will (hopefully) remain free, while more demanding features will be available to paid users only.
The second plan is more disturbing and includes advertisement. Yes, the very thing that turned once-innocent Facebook into the monstrosity that it is today. The plan is to show ads on public channels (large group chats accessible to everyone to join).
These were the reasons why I believe Signal is the clear winner over the feature-rich Telegram. You might choose to disagree and that’s okay. It’s the difference of opinions that brings different ideas to fruition and prevents one open-source project from holding a monopoly in the market.