When WhatsApp updated its privacy policy to allow it to share its users’ data with Facebook, which bought WhatsApp in 2014, users began abandoning the platform for Telegram and Signal.
While this update doesn’t affect EU and UK users, those in the US, Australia, Asia, etc. will be forced to agree to this new data sharing or lose access to WhatsApp on February 8.
Telegram reported that 25 million people joined its service in just 72 hours, bringing its total active users to half a billion.
Signal has also seen a huge boost in numbers. After Elon Musk tweeted “Use Signal” – which Edward Snowden retweeted – the app has seen a huge boost in new users as well, becoming the number one downloaded app on iOS.
Snowden went further, claiming “I use it every day and I’m not dead yet.”
But for those who are considering leaving WhatsApp, what is the better choice: Signal or Telegram? Our recent research into secure messaging apps is conclusive: Signal has better privacy and security features out of the box than Telegram does.
Signal vs. Telegram
In order to assess the privacy and security aspects of Signal and Telegram, we looked at the various technical aspects of these secure messaging apps.
Here are the results:
| Signal | Telegram | |
| Platforms | Windows, Android, iOS, macOS, Linux | Windows, Android, iOS, macOS, Linux |
| Default security? | Secure by default | Not secure by default |
| Transfer protocols | Https/SIP over WebSockets | Https/SIP over WebSockets |
| Encryption used | Signal protocol (X3DH + Double ratchet + AES-256) | MTProto 2.0 (AES-256, AES IGE IV 256) |
| Keys-Exchange & Cryptographic primitives | Pre-keys + Curve25519, HMAC-SHA256 | Persistent shared key generated via DH, KDF, Double SHA-256 |
As you can see, both platforms are matched in most aspects, with the biggest variety in the encryption they use and their keys exchange and cryptographic primitives. These platforms used variations of RSA and AES for encryption and key hashes – which are some of the most secure encryption algorithms available today.
But the biggest reason that Signal beats Telegram is that Telegram is not secure by default.
To be fair: this is not to say that Telegram as a product lacks security in any major way, but rather that Telegram doesn’t provide its important features out of the box.
This feature is the crucial end-to-end encryption that, bizarrely, WhatsApp uses by default. In end-to-end encryption, only the sender and the receiver is able to view the messages. Without end-to-end encryption, the messaging app server that sits between the sender and receiver might be able to read the messages.
Another important note: Telegram’s Secret Chat (end-to-end encryption) feature only works for direct messages between two people. There’s no end-to-end encryption for group chats, which means that an attacker (or law enforcement) would be able to read your group messages. Because Signal is secure by default, all of their chats — direct and group — are end-to-end encrypted.
This means that, if the user is using the app out of the box, without changing the settings, they’d still have more protections on WhatsApp than they would on Telegram. This is bad, of course, since one study showed that roughly 5% of people changed their settings in a given app, while the other 95% kept the default settings.
While we can’t be sure how that number looks for Telegram specifically, we also have to assume that most people are not as privacy- and security-minded as we’d all like. Telegram has at least 500 million active users now, and its end-to-end encrypted messages feature, called Secret Chat, is most likely glossed over by most of its users.
Signal and Telegram’s history of vulnerabilities
There are of course many good reasons why people should be abandoning WhatsApp for more secure messaging apps. One of those reasons is that WhatsApp has had many more critical vulnerabilities than either Signal or Telegram.
For example, there’s the time when attackers were able to install Israeli spyware on a target’s phone by simply calling them through WhatsApp.
While not as bad, Signal has had its fair share of problems too: it was victim to a rather complex attack where someone could listen in on your surroundings by making a sort of ghost call – calling you through Signal and then pressing mute without the call being seen, to eavesdrop on your conversations.
Telegram for its part had a vulnerability where attackers could replace audio and image files sent on its platform.
And that’s not to mention access to these apps for the government which, depending on where you are in the world, could be a problem. In Hong Kong, a Telegram bug was reportedly exploited by the Chinese government to leak users’ phone numbers. German researchers also discovered that WhatsApp, Signal and Telegram were exposing users’ personal data via contact discovery.
But let’s be level-headed here: every single app or program or website you’re using will have its vulnerabilities or bugs, and that’s an inescapable fact.
However, the major takeaway here is this:
- Signal and Telegram, as alternatives to WhatsApp, will both have various vulnerabilities
- If you have end-to-end encryption, those vulnerabilities can be mitigated
- All else being equal, because most people are likely to keep the default settings, most people will be better off with Signal
- Signal has secure (end-to-end encrypted) group chats, and Telegram doesn’t
Of course, if you’re more of a Telegram person than a Signal person, this is easily fixable: use only Secret Chats on Telegram (but give up on having secure group chats).
On iOS, simply open the profile of the user you want to contact. Tap on ‘…’, then “Start Secret Chat.” For Android, you should tap on the pencil icon on the bottom right, then select “Secret chat.” Unfortunately, you’ll have to do this on a conversation-by-conversation basis.
What makes you say Telegram is not end-to-end secure by default? Are you talking about secret vs non secret messages? Both are end to end secure, just the latter is also stored in the cloud.
I’m sorry to say, but you’ve been misled. Telegram chats are not end-to-end encrypted by default and is no more secure than Facebook messenger, Slack or Discord. Telegram is of course convenient due to having messages logged on the server, which is why people like it. Combined with the really large group support, it’s easy to see why people like it.
Telegram has always been super misleading about encryption and security, but once you find the right FAQ they admit it https://core.telegram.org/techfaq#q-how-does-end-to-end-encryption-work-in-mtproto
This unfortunate, sleazy tendency to miscommunicate core functionality is reason enough not to trust Telegram.
Telegram secret chats are nonsense compared to what Signal (or WhatsApp) offer by default. Telegram secret chats are one-to-one only, and have no support for desktop. Everything Signal does is Secret https://tsf.telegram.org/manuals/e2ee-simple
Anyone who understands software usability gets that Secret Chats will go unused when they matter the most. This is hostility towards users, since vulnerable populations, like Iranian opposition that relies on Telegram.
I’d only bother with secret chats if it was something that I could get in big trouble for being caught sending. Arrested trouble rather than angry wife trouble. So just use secret chats for those conversations you have with your drug dealer or terrorist network.
With that argument you’re back at “why change anything, let’s just use Facebook Messenger”
You don’t know how seemingly harmless chatter could be used against you.
As an user in China where internet is controlled strictly, I am very satisfied with Telegram because you can add friends by username instead of phone number, and the Proxy feature is really useful which can help you to use it instead of using VPN.
(My opinion is not very relevant to your article, but I just want to share it. If in the West, Signal App is indeed better. You can evade the information collection of Big Tech.)
I believe Telegram is the most restrictive speech app against conservatives I have ever seen. I watched 3 conservative channels disappear before my very eyes. Yet, people posted lists of antifa’s. I’m staying away.