Now, Telegram doesn't use End-to-End encryption by default at all, does it? What I mean is: The message is encrypted on the sender's device and can only be decrypted on that and the receiver's device.
Telegram uses transport layer encryption that leaves all messages exposed to the servers an their admins. Last I checked, there was a E2E feature but every room I opened would just stop working after a while and my contacts were very confused about that. Large rooms weren't possible.
I have no idea what Meta/WhatsApp may or may not be doing but this article opens with Telegram and doesn't pick that up anymore. Makes it feel like a telegram ad.
The rest of the article may be fine but it's very lengthy and goes somewhere to show that dispite using the Signal protocol, WhatsApp cloud backups can be decrypted, I think. The Telegram ad was too irritating to give the article a fair chance, to be honest.
XMPP, Matrix and Signal are there, too.
Telegram is a much worse messenger when it comes to E2E encryption and default settings.
Underrated fact.
Also, no one knows who exactly operates Telegram and IIRC they don't even have an office. But we know Russian authorities have intense interest in it so it's hard to imagine FSB wouldn't figure out who it is and knock on their (or their relatives still in Russia) door. We know that Russian authorities previously banned Telegram, demanded encryption keys and then a bit later unbanned it saying "Pavel Durov was prepared to cooperate in combating terrorism and extremism on the platform".
They asked for info on some of their users, were told “no” and… they told Durov that “it would be a good idea if you sold this thing to someone else”.
Which he did, for decent money but probably a lot less than it was worth. He then used that money to start Telegram, at first from Berlin and later on from Dubai, from 2017 I think.
VKontakte (VK) eventually created Max, a newish IM service that the tiger-fighting shortie at the Kremlin is pushing onto Russians, while trying to limit their use of Telegram, that is or at least was the standard in Russia.
https://www.theatlantic.com/international/archive/2025/10/ru...
It would be very different if Telegram was all e2ee like Signal and with published client source code. But current state it's far more likely it's just a honeypot.
The most interesting claim is the weakness of groups (the article claims the server controls who is a group member, without cryptographically secured authorization by an existing member).
The other key points are correct to my knowledge but unsurprising to anyone knowledgeable and partially apply to Signal too (backups are a weak point, you securing/disabling them properly doesn't protect you, metadata is unprotected and sensitive, participants in the conversation might upload the chat to Meta's AI, endpoints are attackable either through WhatsApp or other apps, the general trust issue - which isn't really resolved by being open source unless someone actually checks the reproducible builds AND someone reviews the code).
I thought that claim about the backup password hash was wrong, but https://www.nccgroup.com/media/fzwdxklh/_ncc_group_whatsapp_... suggests that Meta thought that 100k iterations of PBKDF2 are a reasonable choice for the key derivation, so it might actually be accurate.
AFAIK WhatsApp backups are, by default, encrypted with a key escrowed to WhatsApp (which means that an attacker using warrants now has to subpoena both the cloud provider and whatsapp - probably the best you can get while keeping backups usable for the 99% of people who can't be expected to write down a passphrase and still have it when asked).
But IMO the reality is that WhatsApp is the most secure messenger that you can expect normal people to actually use (mostly due to market share/network effect), and the only secure-ish messenger aside from Signal, so I'd be careful with the messaging towards "normies": "Signal is a much better choice, but out of the other options, Whatsapp is by far the least bad".
Otherwise, you end up with people picking something like Telegram because "it's all bad anyways" or "I've heard Telegram is secure".
> Despite its claims, it reads users’ messages and shares them with third parties.
Note this claim. When it goes into its first smoking gun,
> WhatsApp [...] automatically backs up your entire chat history to iCloud or Google Drive
> This is what Durov meant. This is why he said ~95% of messages end up in plain text on Apple/Google servers.
This is the closest the article ever comes to proving the claim at the front. Note that nothing in this claim implies that Meta can or is reading your messages, only that it is "sharing" them with a third party, so we still haven't actually successfully justified this quote.
It then rambles over just about every security controversy WhatsApp has ever had: bugs, design flaws, etc.
Okay. Then it mentions that sometimes when you're talking to a business it's actually Meta servers on the other end of the encryption, I guess. This again seems like it doesn't really prove anything.
I am not saying none of these issues are problems, but this literal dump of AI output into Medium can't even justify its primary claim. It just keeps throwing more shit at you and hopes you've forgotten what the bold claim at the front of the article actually said was, since it isn't really true.
I do not believe Matrix is a scam, but it has almost all of these problems in some form aside from the stupid Cloud Backups issue, only its a bit more complicated. It has CVEs, generates tons of metadata and several places where homeservers could attempt to attack your privacy.
Durov's platform, meanwhile, offers very little in the way of end-to-end encryption and of course generates a ton of unencrypted metadata, so I am not sure who he's fooling. It seems like they continuously brag about Telegram not being able to solve the E2EE key management problem by pointing out that other solutions are imperfect, whereas Telegram just doesn't have one. Congratulations?
reads to me like 1.16*1^077 - which makes zero sense, what is the intended meaning?
- Cloud backups — by default, backups to iCloud/Google Drive contain plaintext messages, and E2EE backup is opt-in. Even if you enable it, a weak password collapses the effective security, and any other person in the chat with an unencrypted backup exposes the conversation.
- Metadata — who you talk to, when, how often, IP, contact graph, etc. This is the "reading your life without reading your messages" argument, and it's the part that's genuinely well-established.
- Pen register / FBI — the claim that WhatsApp uniquely delivers near-real-time metadata (~every 15 min) to law enforcement.
- Group chat membership integrity — a server-level adversary can inject a member into a group; messages stay encrypted but get delivered to the injected party. Endpoint compromise (Pegasus / CVE-2019-3568) — encryption is irrelevant if the device is owned.
- Closed source, Meta AI, business accounts — content can leave the E2EE envelope in those flows.
Nothing really new here, and as everyone else is pointing out Telegram might be worse.
I made a longer reply that discusses why I think this article is bad on top of the fact that the writing is absolutely fucking horrid, but a single person could theoretically pump out hundreds of these per day if they wanted, so having a nuanced critique for each of these is going to be pretty hard.
There's only one solution, and that is flagging and removing all AI generated articles. Fullstop.
And again, it's a practical issue anyways. You can have Claude generate hundreds of these. I've already personally seen multiple blogs where there are multiple fully written long articles being posted per day. These even occasionally make it to Hacker News. Did the person who generated these actually read them? Probably not.
Most importantly, it is unacceptable to pass off AI generated prose or images as if it is human expression. It's one thing with code where the primary point of it is to be executed, but I have zero interest in people who can't formulate their own thoughts into writing. I don't see how it is any better to submit AI generated articles to Hacker News than it is to respond to people with AI generated comments.
Humans aren't infallible, but the point of content isn't the content, it is the ideas, and the ideas are valuable because of the work put into them. AI slop articles are a serious problem because they superficially look like something where a lot of effort is put in, as the models will happily make bold claims and justify them into the ground no matter how untrue or unjustified those claims are. There is a feasible future where AI generated content is also valuable because of the effort put into them. It certainly happens on occasion today. It just isn't what we're seeing here right now on Hacker News. And because many people here (certainly myself included from time to time) often skim the articles or sometimes don't even actually read them, it is important that the community put some effort into weeding out slop content, AI or human, that fails to justify its claims. The rising tide of AI generated crap is making this task harder and more annoying.
This isn't something I'm ever going to relent on, either. So I will have to leave it up to HN to decide if they would rather ban us all for complaining or come to reasonable senses and agree that there is no sustainable way to allow blatantly AI-generated content onto the front page. I don't view this as an ultimatum so much as just an observation extrapolating off of what we're seeing today: nobody has really made me feel there is any compelling point to allowing AI generated crap on here. If anything the further it gets the less supported arguments in favor of it are seeming justified.
The explosion in quality from better models is always around the bend.
The exact way in which the models are fucked up seems to depend on circumstances, but I think right now one thing I've noticed out of the latest versions of Claude Opus is that it really really likes to use the word "honest" in its summaries. "What Remains (The "Honest" Part)". I figured this was maybe something to do with it just repeating the system prompts but no. It turns out the word "honest" does appear in some fragments of system prompts in Cluade Code, but it doesn't appear to be anywhere where it would've been in the context of my recent runs.
I think this is a tuning issue and that eventually, someone will figure out a good way to prevent models from getting skewed this way.
Still, the bad prose quality is not really the biggest issue. In fact, it's kind of handy that the prose quality is shit because it makes it easier to tell when someone just doesn't seem to care about what they're writing. If the prose quality was really good, yet the amount of effort put in was the same, we would be having an even worse problem right now.
The world is bigger than Claude and an oversimplified worldview.
If you haven't even read good quality AI written articles, you have either been wilfully blind to them or you have a bigger problem, because you surely haven't avoided them.
What are our options today to chat with WhatsApp users without using their app?
I have been building it, piece by piece. Some pieces have been recently featured (last week) in trusted security publications:
Safecloud: https://www.helpnetsecurity.com/2026/06/19/safecloud-browser...
Safebox and Safebots are coming too: https://safebots.ai/about
You won’t need to take anyone’s word for it. And in fact, end-to-end encryption will become unnecessary.
What does attestation have to do with this? Attestation means not giving me root to my own device. No thanks.
We need something universal, like email, but better engineered.
As for the client — the app store on iOS doesn’t allow reproducible builds.
Telegram tried something close for years, which is how I know they care: https://core.telegram.org/reproducible-builds
But it doesn’t matter because the metadata is equally important and useful to get you. And anyway, end-to-end encryption can be banned, or compromised by a new app update, or secretly removed via a backdoor for some, if you pressure one guy (eg @durov in France, or his team every time they pass through an airport). Read this article — it was my response to Moxie Marlinspike (of Signal fame) years ago when he was skeptical of decentralization:
https://community.intercoin.app/t/web3-moxie-signal-telegram...
> In transit. Between two online devices. With no cloud backup. With no business accounts. With no Meta AI features. With no linked devices. With no law enforcement warrant for metadata.
> Under every other condition — which is how most people actually use WhatsApp — the story changes dramatically.
Smells a lot like slop so I'll pass, no thanks.
Then for some reason WhatsApp has far more critical no-click or 1-click exploits than Telegram, which has 30 global employees? Huh? There's several thousand working on WhatsApp. Telegram has more features, too. WhatsApp has less surface area, more employees, more exploits.
A bit like how there's much more malware for Windows than there is for Linux
I suspect that smaller teams are, on average, more likely than larger ones to write secure software.
Avoid.