It’s Time for Furries to Stop Using Telegram
2024-5-15 00:26:41 Author: soatok.blog

I have been a begrudging user of Telegram for years simply because that’s what all the other furries use, despite their cryptography being legendarily bad.

When I signed up, I held my nose and expressed my discontent at Telegram by selecting a username that’s a dig at MTProto’s inherent insecurity against chosen ciphertext attacks: IND_CCA3_Insecure.

I wrote about Furries and Telegram before, and included some basic privacy recommendations. As I said there: Telegram is not a private messenger. You shouldn’t think of it as one.

Recent Developments

Telegram and Elon Muck have recently begun attacking Signal and trying to paint it as insecure.

Matthew Green has a Twitter thread (lol) about it, but you can also read a copy here (archive 1, archive 2, PDF).

First things first, Signal Protocol, the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard. 2/

— Matthew Green (@matthew_d_green) May 12, 2024

Signal’s client code is also open source. You can download it right now and examine the code and crypto libraries. Even if you don’t want to do that, many experts have. This doesn’t mean there’s never going to be a bug: but it means lots of eyes. https://t.co/w5AxQoQeRF

— Matthew Green (@matthew_d_green) May 12, 2024

When Telegram launched, they had terrible and insecure cryptography. Worse: it was only available if you manually turned it on for each chat. I assumed (naively) this was a growing pain and eventually they’d follow everyone else and add default end-to-end encryption. They didn’t.

— Matthew Green (@matthew_d_green) May 12, 2024

One concern with open source code is that even if you review the open code, you don’t know that this code was used to build the app you download from the App Store. “Reproducible builds” let you build the code on your own computer and compare it to the downloaded code.

— Matthew Green (@matthew_d_green) May 12, 2024

Et cetera.

This is shitty, and exacerbates a growing problem on Telegram: The prevalence of crypto-bros and fascist groups using it to organize.

Why Signal is Better for Furries

First, Signal has sticker packs now. If you want to use mine, here you go.

For years, the main draw for furries to Telegram over Signal was sticker packs. This is a solved problem.

Second, you can set up a username and keep your phone number private. You don’t need to give your phone number to strangers anymore!

(This used to be everyone’s criticism of Signal, but the introduction of usernames made it moot.)

Finally, it’s trivial for Americans to set up a second Signal account using Twilio or Google Voice, so you can compartmentalize your furry posting from the phone number your coworkers or family is likely to know.

(Note: I cannot speak to how to deal with technology outside of America, because I have never lived outside America for any significant length of time and do not know your laws. If this is relevant to you, ask someone in your country to help figure out how to navigate technological and political issues pertinent to your country; I am not local to you and have no fucking clue.)

The last two considerations were really what stopped furries (or queer people in general, really) from using Signal.

Why Signal?

There are two broadly-known private messaging apps that use state-of-the-art cryptography to ensure your messages are private, and one of them is owned by Meta (a.k.a., Facebook, which owns WhatsApp). So Signal is the only real option in my book.

That being said, Cwtch certainly looks like it may be promising in the near future. However, I have not studied its cryptography in depth yet. Neither has it been independently audited to my knowledge.

It’s worth pointing out that the lead developer of Cwtch wrote a book titled Queer Privacy, so she’s overwhelmingly more likely to be receptive to the threat models faced by the furry community (which is overwhelmingly LGBTQ+).

For the sake of expedience, today, Signal is a “yes” and Cwtch is a hopeful “maybe”.

How I Set Up a Second Signal Account

I own a Samsung S23, which means I can’t just use the vanilla Android tutorials for setting up a second profile on my device. Instead, I had to use the “Secure Folder” feature. The Freedom of the Press Foundation has more guidance worth considering.

If you don’t own a Samsung phone, you don’t need to bother with this “Secure Folder” feature (as the links above will tell you). You can just set up a work profile and get the same result! You probably also can’t access the same feature, since that’s a Samsung exclusive idiom. Don’t sweat it.

I don’t know anything about Apple products, so I can’t help you there, but there’s probably a way to set it up for yourself too. (If not, maybe consider this a good reason to stop giving abusive corporations like Apple money?)

The other piece of the puzzle you need is a second phone number. Google Voice is one way to acquire one; the other is to set up a Twilio account. There are plenty of guides online for doing that.

(Luckily, I’ve had one of these for several years, so I just used that.)

Why does Signal require a phone number?

The historical reason is that Signal was a replacement for text messaging (a.k.a., SMS). That’s probably still the official reason (though they don’t support SMS anymore).

From what I understand, the Signal development team has always been much more concerned about privacy for people that own mobile phones, but not computers, than they were concerned about the privacy of people that own computers, but not mobile phones.

After all, if you pick a random less privileged person, especially homeless or from a poor country, they’re overwhelmingly more likely to have a mobile phone than a computer. This doesn’t scratch the itch of people who would prefer to use PGP, but it does prioritize the least privileged people’s use case.

Their workflow, therefore, optimized for people that own a phone number. And so, needing a phone number to sign up wasn’t ever a problem they worried about for the people they were most interested in protecting.

Fortunately, using Signal doesn’t immediately reveal your phone number to anyone you want to chat with, ever since they introduced usernames. You still need one to register.

Tell Your Friends

I understand that the network effect is real. But it’s high time furries jettisoned Telegram as a community.

Meme: Friendship ended with Telegram, now Signal is my best friend
Lazy edit of the “Friendship Ended” meme

Finally, Signal is developed and operated by a non-profit. You should consider donating to them so that we can bring private messaging to the masses.

Addendum (2024-05-15)

I’ve been asked by several people about my opinions on other platforms and protocols.

Specifically, Matrix. I do not trust the Matrix developers to develop or implement a secure protocol for private messaging.

I don’t have an informed opinion about Signal forks (Session, Molly, etc.). Generally, I don’t review cryptography software for FOSS maximalists with skewed threat models unless I’m being paid to do so, and that hasn’t happened yet.


Source: https://soatok.blog/2024/05/14/its-time-for-furries-to-stop-using-telegram/