- If you value features, then Telegram is surely ahead of Whatsapp in almost every aspect.
- If you value the encryption, I would trust Whatsapp more than Telegram. Telegram did some strange stuff with their custom cryptography invented by "rockstar mathematicians".
- If you value not giving metadata to the US / to Facebook, then don't go with Whatsapp.
- On the other hand, if you value having less metadata stored, then Whatsapp is probably ahead of Telegram.
If you value privacy, then both aren't good. They both put usability and features before privacy. Telegram was once branded as "the private messenger", but later rebranded as "the fast messenger". Now it says "a new era of messaging" on their website.
Telegram causes tons of metadata. All conversations and contacts are stored on their servers, which are closed source. Their multidevice system is built in a way that you will get access to all historic conversations if you manage to add a new device to the account (e.g. through SS7). Many of their latest features (like games, payment, etc.) cause a lot of additional metadata, some of which can be retrieved by third parties (e.g. by the game developers).
I'm biased (full disclaimer: I work for Threema), but if you value privacy, then go for a messenger like Threema, where the first priority is always privacy (e.g. no phone number required, no metadata or log storage, decentralized groups, and end-to-end encrypted decentralized profile pictures, the latter being something that no other mobile messenger does as far as I know). It has a clear business model and the protocol can be verified (even though the app is not open source).
Besides that biased suggestion, you might also be well off with something like Signal, although they're based in the US (secret court gag orders possible) and require you to give them your phone number (metadata).
Why does Threema not use the Signal Protocol? Lack of an open source protocol makes it a non-starter for most uses of this. The protocol cannot really be "verified" in any real sense. You can check that you can decrypt the message with nacl. All this doesn't show anything about a lack of bugs or backdoors.
Google and Facebook both decided to use the Signal protocol. Why should we trust a small company to do this correctly the first time? Without even being able to check what they are doing?
There is an open source re-implementation of the Threema protocol obtained by reverse engineering: https://github.com/blizzard4591/openMittsu There is also an (incomplete) implementation in Go: https://github.com/o3ma/o3/ Note that Threema does not disallow reverse engineering in their terms of service.
The fact that OpenMittsu can properly encrypt and decrypt messages that are compatible with the Threema apps should be proof that the implementation is correct. Also, since Threema is financed by selling the app with no external investors, there should be more incentive to stick to their promises than to cheat on their privacy-sensitive users.
And even if the apps and the server were open source, unfortunately it would still not be possible to verify that the version on Google Play / iTunes is the same as the published source code. I'm not aware of a way to create reproducible builds on these app stores either.
My personal opinion: They had a good start, but it's still a bit unclear how they will make money since the app is free. There are multiple investors that will want to see a return on investment someday. Also, there are again some privacy tradeoffs to improve usability, e.g. the fact that a list of all your conversation partners is stored on the server until you delete your account. Finally, the servers run on Amazon (Ireland) and all development happens in the EU, so I doubt that Swiss jurisdiction is really applicable. But I'm biased :)
Telegram is not connected to Facebook while Whatsapp is. This makes Whatsapp a no-go for many people, me being one of them. While Telegram's "Russian roots" seem to cause others to doubt its trustworthiness, I don't see this as a problem. From what I gather, Pavel Durov (the man behind Telegram, former founder of VKontakte) is not on friendly terms with the current Russian regime so it would take a rather elaborate conspiracy theory to have him collude with the Kremlin.
Apart from that Telegram is fast, reliable and flexible and it treats Linux as a first-class citizen - maybe partly due to its Russian roots?
So, Telegram. Before it came around I used my own XMPP-server with diverse clients but Telegram has the advantage of being much more accessible to those less computer-savvy. I still have this server and can switch back to it any time I want but for now I'm happy with Telegram.
> So, Telegram. Before it came around I used my own XMPP-server with diverse clients but Telegram has the advantage of being much more accessible to those less computer-savvy.
Is this still true now that we have <https://conversations.im/>? Most people use messengers only on their phones, anyway.
It is. My father loathes mobile devices (or rather the stranglehold they seem to have on some people) but he has no qualms against using a PC. I converse with him daily through Telegram. My mother uses Telegram as well, on both her mobile as well as a tablet and her PC.
There’s plenty of nice XMPP clients for desktop, though. I do agree, however, that there is a void to be filled by an XMPP client with good discovery.
The latency and battery problems everyone was blaming are solved now. The missing piece is this:
A way to provide XMPP service for any address, in particular gmail addresses, without both touching any DNS config and without any support from whoever controls the domain (RIP Google Talk).
Basically from UX perspective:
1) User downloads an app (mobile or desktop).
2) User confirms email address via either email confirmation (it’s good enough for SSL, so…) or OAuth flow
3) That’s it.
4) Bonus: For OAuth flow user has prepopulated address book.
Behind the scenes at step 2 a unique ID is associated with the email address. Then other clients resolve this via something, DHT, blockchain, whatever.
This introduces some trusted oracle that assists in discovery, but keeps everything else decentralized.
Build this and it can certainly compete with Telegrams of this world.
Unfortunately, I don’t think Keybase can be compatible by itself with email or phone № proofs. Perhaps if they explicitly add support for oracles, that would be cool.
Gah. I enclosed it in <> explicitly to avoid the dot becoming part of the URL. Guess that HN doesn't know about the convention of using <> as URL delimiters.
To my mind Telegram is a nice example of how to do things right. It's fast (in all senses), it's reliable and generally pleasant to use. It can be secure if you want it to :)
Not that WhatsApp is slow or not reliable. I can't formulate it but still I do like Telegram more. All the above is just my overall impression.
-------------
Speaking of security I'd like to admit that I'm not a terrorist or a serial killer so maybe I'm a bit out of this problem. I agree that it's generally bad to spy on regular citizens but at the same time it's obviously even worse to have negotiations regarding terroristic acts or other ways to commit a crime.
Personally I'm almost O.K. with government spying on me unless it tries to sell me goods and services =)
Or tries to put words you don't even remember into context, or a new administration chases you for your older ideas and puts you on a list. Good for you living in a centuries-stable country.
> I agree that it's generally bad to spy on regular citizens but at the same time it's obviously even worse to have negotiations regarding terroristic acts or other ways to commit a crime.
The thing that makes me use Telegram more than Whatsapp is the desktop clients[1] and the flawless desktop-mobile integration. Works better than any other chat platform out there, IMHO.
If you want your data to end up managed by the US you can use WhatsApp, if you want it to end up in Russia you can use Telegram. They are very similar in features, but I'm not a fan of Telegram storing all the conversations on their server.
They are ignorant to the point that I simply can't understand. Durov is in 'fuck you and die sooner' relation with Russian government, but people still claim that Telegram is under their control. Right now we are at risk of losing Telegram if he will not provide server location info to FSB in few weeks, and it seems Durov is ready to lose Russian market completely to protect it from these guys.
I actually trust whatsapp way less, simply because it has NO problems with Russian special forces, which became very high-tech in recent years. This alone is a big red flag today.
> Right now we are at risk of losing Telegram if he will not provide server location info to FSB in few weeks, and it seems Durov is ready to lose Russian market completely to protect it from these guys
Do you believe that whatsapp is not storing your messages now? They said they are not doing it to begin with but there are good reasons that they might be doing this. Fb and whatsapp have shared enough information to be fined by an EU court this week for 100 million euros. Although I've to agree that data with US is better than Russia.
Regarding "fined by the EU". They obviously transferred WhatsApp data to Facebook and vice versa.
But I don't think that they necessarily store all of your WhatsApp messages somewhere in the cloud. Otherwise they could provide a similar easy, device independent solution like Telegram - instead of using the smartphone as a general pipe for all of the messages. So yeah...maybe they do and maybe they just don't want to tell us - but for now I am pretty confident that they would provide their user base with some kind of storing back end advantages.
Telegram and Russia are not connected. Any quick look at the history of the app and Durov the founder will tell you that vs whatever bias you most likely hold.
That was more of a theoretical issue. And while some have named it a backdoor, the consensus among infosec experts (which I'm not) seems to be that it was a defensible and even sensible tradeoff of usability vs privacy (for the intended audience). If you want more privacy and less usability, use Signal.
Honest comment. As a neutral (UK), it's a tough call as to which country I'd prefer in this scenario.
In terms of data, I imagine the US to be just as bad if not much worse (my prejudice) than Russia.
Someone can school me on this if I'm wrong but I prefer Telegram as a platform and I'm ambivalent as to which country my data ends up in (given this choice).
(Editing this comment based on above: "Small correction.
With Telegram your data ends up in Germany.
They are Berlin based and against the current Russian government")
Thanks for the link, I don't doubt that. But I meant specifically on the point of data-handling. Some Russian hackers or spooks vs American hackers and the NSA, etc
The UK sucks just as bad. The current PM has just announced plans to regulate the web if they win the next election.
If all your friends/family/contacts are on Telegram, then Telegram is better. If all your friends/family/contacts are on WhatsApp then WhatsApp is better.
SMS is the only other message platform where a few of my social circle bleeds out of my preferred messaging platform (iMessage).
The best IMHO is where the people you want to talk to are.
Telegram and Whatsapp are pretty interchangeable on feature set TBH. The support for bots in Telegram is nice, but Whatsapp currently has more user share - which is crucial.
Another interchangeable from user experience is Signal. I'm seeing more growth in Signal, which is great - and I trust it more than Telegram and Whatsapp combined.
I kind of lost my trust for Signal when moxie said it was not OK[1] that a fully free and open source fork of their client (built to remove the Google Play Services dependency back then) was using their servers.
I've read the discussion and I find moxie's arguments pretty weak in this matter.
As the github user mimi89999 pointed out, moxie wouldn't have to support LibreSignal directly, it behaves like a normal Signal client and there would probably be no impact on his servers at all because there was a very limited number of LibreSignal users.
Ah! But what if the non-official client causes a DoS of the server....
... then write server software that isn't vulnerable.
I have to agree... mandating what client software is used is a bit disappointing from moxie... I thought the world learned this lesson from Pidgin etc.
Next he'll say he only wants to support Chrome for their website.
That's true. But once registered you can use Telegram on any device. That's not true for WhatsApp: they have app only for iPhone and you can't run it on iPad even in compatibility mode.
Telegram rolls their own non-standard crypto protocol as I understand it.
This is a bit of a no-no when it comes to security.
More importantly; chats aren't end-to-end encrypted by default (I can't find a way to enable it in the web-app), which means the telegram-whatsapp comparison makes no sense. Whatsapp is secure, telegram is not.
Also; end-to-end encrypted chats in telegram (they call them "secret chats") won't follow you between devices. A secret chat started on one device, won't be accessible from another. This makes them far less useful, and dissuades users from using them.
Again; comparing whatsapp to telegram in terms of security is apples vs oranges.
For security and privacy, neither is a good option. If you compare Telegram and Riot, Telegram wins hands down from a UX point of view. Riot is seriously lacking in this department, but it offers true end to end encryption with multiple devices by default, so if that matters to you, that is the best choice.
It all comes down to the author's personal preferences and concerns, but a blanket assertion that WhatsApp is not a good option from a security option is silly. WhatsApp is end-to-end encrypted with the Signal protocol by default, so the security of its message contents is top-notch.
But if the author is especially concerned about collection of metadata they should consider Signal itself, which also has a very well thought-out UX.
> Riot is seriously lacking in this department, but it offers true end to end encryption with multiple devices by default, so if that matters to you, that is the best choice.
You feel more secure is not a good point. This needs to be technical of what kind of encryption feature is used, and not trust on "papers" of the software creator, or try to feel safe just by using your "spider senses" while using the software.
And remember: Whether you like it or not, WhatsApp is a Facebook developed software.
RING is the only real secure chat software, with DHT, peer-to-peer discovery and encryption.
https://ring.cx/
I've been using Telegram daily for 1-2 years now, I like them both but (1) I think Telegram's UX is superior, and (2) I get why WhatsApp's desktop app works the way it does [i.e. tunnel stuff through your phone], but I don't like using it.
Define "better". If all your friends use one, then that is probably better for you. There are also functionality differences between the two (mentioned by others), which might force your hand.
That said, there are other quantifiable measures. In terms of security, Telegram has two main drawbacks:
1) it supports insecure chats - which means that for many (especially non-technical) users, they won't use the end-to-end encrypted messaging at all
2) whilst the encryption algorithms they use are standardised, the protocol they use to transfer the messages is not well understood by the cryptographic community - and when it has been analysed, well-known flaws have been found [1].
In comparison, WhatsApp also makes use of standardised encryption algorithms, but also uses the Signal protocol - which has been studied by multiple groups, with better outcomes (such as [2]). One drawback to WhatsApp is they will generally make security decisions that are primarily based around avoiding sacrificing usability - if that is a problem, then perhaps Signal[3] or Wire[4] is a better choice.
On the encryption debate, using Russian algorithms vs US (Belgian) algorithms is somewhat academic - I believe that both are considered by the wider academic community to be strong when correctly used. I don't believe there is any evidence that Telegram or WhatsApp are incorrectly using them (beyond the attack found against Telegram, which may have been fixed by now?). This is mostly the same for considerations about data storage location - if end-to-end encryption is enabled in Telegram, they are roughly equivalent.
Certainly not if one of your main concerns is the privacy of your message content. WhatsApp uses the Signal protocol; Telegram uses its own homebrew encryption protocol that has not been well vetted.
It is circumstantial evidence. Shouldn't it be a red flag if one messenger is prohibited in a country with an authoritarian regime, and the other is not?
I mean that's enough for my social messaging. If I'd need to transfer some top secret information, I would use neither of them.
Probably... but who cares? My friends are in WhatsApp and I use the app to talk to my friends. I wish I could use Telegram, but I feel so lonely there.
I am sure there are better apps there that can better fulfill your needs. There are apps with better encryption and so on. It depends on what you want it for. It is hard to say what is better, it depends on the person and their needs, but in the end if your need is to talk with your friends and your friends are on Whatsapp, then whatsapp is the best for you.
This is a good point. I love telegram, but can't completely give up whatsapp because I have a few friends who just won't use telegram. I really wish they would move to telegram, but they're stubborn, and they in turn have friends who are only on whatsapp, and so on and so on.
Far from perfect in absolute security sense. That sense is not common afaik. Personally, I'm fine with that no one can read my texts, not that no one can actively make focused changes to my conversations or send fake messages from my device to decipher all previous conversations while I sleep. Non-terrorist people just want their messages mass-unreadable by automated inspection systems. Full protection against active high-tech investigations (i.e. special forces watching special you) is not on high social demand.
You can use telegram without a phone. If you want to use WhatsApp on the PC, your mobile phone must be online.
Last year I lost access to my WhatsApp profile simply because I changed country and reset my phone without transferring the number to a local number first. Support couldn't help.
This kind of situation wouldn't happen with telegram. Just login with username / password online.
Telegram has great features. It's fast, available on every platform, and the clients are open source. I've had good uptake on it among friends and family, especially with the option of easy web and desktop clients.
As others have said it's not as theoretically secure as WhatsApp or (especially) Signal. But I think it benefits from being the main product of a company that is totally focused on messaging, not on advertising (see all of Facebook and Google's messengers). The experience is great and even as they add features, they manage to keep things clean and stay out of your way, so you can ignore all the new features and just use it for simple stuff that it does really well.
That said, I haven't used WhatsApp much because I don't know many people who do. It comes down to where the people you want to talk to are, and if you can influence them to go elsewhere.
Yep, I agree. I personally like it being optional. Not end-to-end encrypted has an advantage of syncing messages to all other devices and use secret chats when privacy is more important than syncing.
Another feature I missed is ephemeral messages in secret chats: We can have messages automatically deleted after certain time (Although I wish the time settings are more fine grained).
Not really. What I missed most in Telegram was "delivered to device" status. While they claim such information wouldn't tell which of the recipient's devices received the message, I see it more as laziness on their side. They could have aimed for "delivered to any/one device" or "delivered to the default device". I personally care about whether a message was delivered (and the recipient would eventually look at their phone) or the server is down, recipient doesn't have a data connection etc. and I can try different communication methods. A "read" status is nice but the people I usually talk to tend to reply anyway.
In terms of message storage (ignoring government requests here), Telegram servers need to store them so that they can be provided to different clients/devices. For WhatsApp, OTOH, there are primary communication devices (phones) with end-to-end encryption and secondary clients that connect to the primary device to access the messages (rather than getting them from WhatsApp's servers). End-to-end encryption is available on Telegram as well but AFAIK you lose the ability to use secondary clients.
But...they do have a delivered status. I think it's "delivered to the servers" (probably doesn't work in "secret chats"), but it fulfils the same goal. Edit: It does work in secret chat as well
And yes, Telegram has an option (a default state actually) to store the messages on their servers, WhatsApp doesn't have that. Beyond "E2E should be on by default", I don't see how this point is for WhatsApp.
"delivered to server" is different from "delivered to device". Let's say my friend is abroad with no roaming, I have no idea whether a message was delivered to him/her or not. WhatsApp has both.
As I wrote, I think (I might be wrong though) that if you enable E2E encryption on Telegram you can no longer use additional/desktop client.
Once I read the article on messaging security, and non-standard clients were mentioned there as another serious attack vector. If you have only one client controlled by service provider, it is somewhat easier to reason about its quality. But if your peer can have any client, then your conversation is at risk, because your peer may not be hygienic enough, so exploit message may be sent to it from another contact and that will send all conversations to third party. E.g. though xmpp/otr is somewhat secure by itself, random security-unaware xmpp clients (tons of these) are a big concern.
The weakness of the chain is still defined by its weakest link. This is the case where it is maybe better to put all eggs in one basket and choose/validate entire baskets, not particular eggs.
I'm not a security expert, but that sounds reasonable imo.
It is? It looks more like the past... "XMPP is an example of a federated protocol that advertises itself as a "living standard." Despite its capacity for protocol "extensions," however, it's undeniable that XMPP still largely resembles a synchronous protocol with limited support for rich media, which can't realistically be deployed on mobile devices. If XMPP is so extensible, why haven't those extensions quickly brought it up to speed with the modern world?". See https://whispersystems.org/blog/the-ecosystem-is-moving/ and disagree, deny or be sad if you want.
As for me, I use Telegram and I am happy with it! It's the best messaging app I've ever used. But it's only my opinion, you should try it and decide for yourself.
One point: Telegram has no _default_ end-to-end encryption. This, by itself, is the major selling point for Whatsapp (even if Facebook collects metadata).
I actually use Threema. However there is no call option and I haven't figured out if they plan to implement one. However the quality of voice messages is pretty good seen that every message is end2end encrypted...
WhatsApp is E2E encrypted. So even FB cannot read the messages. The encryption technology is an open source peer reviewed Signal system. Seems privacy friendly to me.
Telegram has Russian roots and their encryption system is closed sourced.
WhatsApp is owned by facebook, the telegram team is not very loyal to the government, Telegram can send huge files. Telegram has end2end encryption disabled by default and it does not work across multiple devices. (How is whatsapp here? does it even have a Desktop Client?)
Yes. WhatsApp has a desktop client (web.whatsapp.com). End 2 end still works because it goes through your phone. So if your phone is off you can't use the desktop client.