Here’s why you should leave WhatsApp for Signal, not Telegram
While this update doesn’t affect EU and UK users, those in the US, Australia, Asia, etc. will be forced to agree to this new data sharing or lose access to WhatsApp on February 8.
Telegram reported that 25 million people joined its service in just 72 hours, bringing its total active users to half a billion.
Signal has also seen a huge boost in numbers. After Elon Musk tweeted “Use Signal” – which Edward Snowden retweeted – the app became the number one downloaded app on iOS.
Snowden went further, claiming “I use it every day and I'm not dead yet.”
But for those who are considering leaving WhatsApp, what is the better choice: Signal or Telegram? Our recent research into secure messaging apps is conclusive: Signal has better privacy and security features out of the box than Telegram does.
Signal vs. Telegram
In order to assess the privacy and security aspects of Signal and Telegram, we looked at the various technical aspects of these secure messaging apps.
Here are the results:
| | Signal | Telegram |
|---|---|---|
| Platforms | Windows, Android, iOS, macOS, Linux | Windows, Android, iOS, macOS, Linux |
| Default security? | Secure by default | Not secure by default |
| Transfer protocols | HTTPS/SIP over WebSockets | HTTPS/SIP over WebSockets |
| Encryption used | Signal protocol (X3DH + Double Ratchet + AES-256) | MTProto 2.0 (AES-256, AES IGE IV 256) |
| Key exchange & cryptographic primitives | Pre-keys + Curve25519, HMAC-SHA256 | Persistent shared key generated via DH, KDF, Double SHA-256 |
As you can see, the two platforms are matched in most aspects; the biggest differences are in the encryption they use and in their key exchange and cryptographic primitives. These platforms use variations of RSA and AES for encryption and key hashes – which are some of the most secure encryption algorithms available today.
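To make the "Double Ratchet" and "HMAC-SHA256" entries in the Signal column concrete, here is an added example (not code from Signal or from the research above) of the symmetric-key ratchet step described in the Double Ratchet specification, including late-arriving messages. The starting secret is a constructed value standing in for the X3DH output, `Chain` and `demo` are hypothetical names, and the Diffie-Hellman ratchet and AES encryption are left out.

```python
import hashlib
import hmac

# Single-byte inputs suggested by the Double Ratchet specification.
MESSAGE_KEY_INPUT = b"\x01"
CHAIN_KEY_INPUT = b"\x02"


def kdf_chain_step(chain_key):
    """One ratchet step: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, MESSAGE_KEY_INPUT, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_INPUT, hashlib.sha256).digest()
    return next_chain_key, message_key


class Chain:
    """Hypothetical sending/receiving chain; each step overwrites the old chain key."""

    def __init__(self, chain_key):
        self.chain_key = chain_key
        self.index = 0      # number of the next message key to derive
        self.skipped = {}   # message number -> key, kept for late arrivals

    def next_key(self):
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        self.index += 1
        return message_key

    def key_for(self, number, max_skip=100):
        """Receiver side: key for message `number`, tolerating reordering."""
        if number in self.skipped:
            return self.skipped.pop(number)          # a key is handed out once
        if number < self.index:
            raise KeyError("message key already used and deleted")
        if number - self.index > max_skip:
            raise ValueError("too many skipped messages")
        while self.index < number:                   # store keys we jump over
            skipped_number = self.index
            self.skipped[skipped_number] = self.next_key()
        return self.next_key()


def demo():
    # Constructed value standing in for the secret both sides get from X3DH.
    shared = hashlib.sha256(b"constructed shared secret").digest()
    sender, receiver = Chain(shared), Chain(shared)
    sent = [sender.next_key() for _ in range(4)]               # messages 0..3
    received = {n: receiver.key_for(n) for n in (0, 2, 1, 3)}  # arrival order
    return sent, received, receiver
```

Because the chain key is replaced by an HMAC output at every step, a chain key captured after message 3 cannot be run backwards to recover the keys for messages 0 to 2.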
But the biggest reason that Signal beats Telegram is that Telegram is not secure by default.
To be fair: this is not to say that Telegram as a product lacks security in any major way, but rather that Telegram doesn’t provide its important features out of the box.
This feature is the crucial end-to-end encryption that, bizarrely, WhatsApp uses by default. In end-to-end encryption, only the sender and the receiver are able to view the messages. Without end-to-end encryption, the messaging app server that sits between the sender and receiver might be able to read the messages.
Another important note: Telegram's Secret Chat (end-to-end encryption) feature only works for direct messages between two people. There's no end-to-end encryption for group chats, which means that an attacker (or law enforcement) would be able to read your group messages. Because Signal is secure by default, all of its chats – direct and group – are end-to-end encrypted.
This means that, if the user is using the app out of the box, without changing the settings, they’d still have more protections on WhatsApp than they would on Telegram. This is bad, of course, since one study showed that roughly 5% of people changed their settings in a given app, while the other 95% kept the default settings.
While we can’t be sure how that number looks for Telegram specifically, we also have to assume that most people are not as privacy- and security-minded as we’d all like. Telegram has at least 500 million active users now, and its end-to-end encrypted messages feature, called Secret Chat, is most likely glossed over by most of its users.
Signal and Telegram’s history of vulnerabilities
There are of course many good reasons why people should be abandoning WhatsApp for more secure messaging apps. One of those reasons is that WhatsApp has had many more critical vulnerabilities than either Signal or Telegram.
For example, there’s the time when attackers were able to install Israeli spyware on a target’s phone by simply calling them through WhatsApp.
While not as bad, Signal has had its fair share of problems too: it was victim to a rather complex attack where someone could listen in on your surroundings by making a sort of ghost call – calling you through Signal and then pressing mute without the call being seen, to eavesdrop on your conversations.
Telegram for its part had a vulnerability where attackers could replace audio and image files sent on its platform.
And that’s not to mention access to these apps for the government which, depending on where you are in the world, could be a problem. In Hong Kong, a Telegram bug was reportedly exploited by the Chinese government to leak users’ phone numbers. German researchers also discovered that WhatsApp, Signal and Telegram were exposing users’ personal data via contact discovery.
But let’s be level-headed here: every single app or program or website you’re using will have its vulnerabilities or bugs, and that’s an inescapable fact.
However, the major takeaway here is this:
- Signal and Telegram, as alternatives to WhatsApp, will both have various vulnerabilities
- If you have end-to-end encryption, those vulnerabilities can be mitigated
- All else being equal, because most people are likely to keep the default settings, most people will be better off with Signal
- Signal has secure (end-to-end encrypted) group chats, and Telegram doesn't
Of course, if you’re more of a Telegram person than a Signal person, this is easily fixable: use only Secret Chats on Telegram (but give up on having secure group chats).
On iOS, simply open the profile of the user you want to contact. Tap on ‘…’, then “Start Secret Chat.” For Android, you should tap on the pencil icon on the bottom right, then select “Secret chat.” Unfortunately, you’ll have to do this on a conversation-by-conversation basis.