Why is the messenger app Signal widely considered by experts to be more secure than Telegram?
The messenger app Signal received the highest rating on the Electronic Frontier Foundation's 'Most Secure Messenger List,' and is officially used as a communication tool between U.S. senators due to its safety. However, Elon Musk and others are skeptical of the safety of Signal, and together with the messenger app Telegram, they are running a campaign to deny the safety of Signal.
Telegram has launched a pretty intense campaign to malign Signal as insecure, with assistance from Elon Musk. The goal seems to be to get activists to switch away from encrypted Signal to mostly-unencrypted Telegram. I want to talk about this a bit. 1/
— Matthew Green (@matthew_d_green) May 12, 2024
This incident began on May 7, 2024, when the foreign media outlet City Journal pointed out that 'Signal's chairman of the board, Katherine Maher, was a former U.S. government-backed subversion agent and is opposed to a free and open Internet, which may put Signal at risk.'
EXCLUSIVE: NPR CEO Katherine Maher is chairman of the board for Signal messaging app. But her history as a US-backed regime change operative and her opposition to a 'free and open' internet have led some critics to fear that Signal may be compromised. https://t.co/CotU0BbQYk
— Christopher F. Rufo ⚔️ (@realchrisrufo) May 6, 2024
In response to this report, Musk wrote, 'Signal has known vulnerabilities that have not been addressed.' Musk's post is accompanied by a community note that says, 'Signal is appropriately addressing known vulnerabilities and has indicated its status of response.'
There are known vulnerabilities with Signal that are not being addressed. Seems odd…
— Elon Musk (@elonmusk) May 6, 2024
In addition, Twitter (now X) founder Jack Dorsey also commented on the article, saying he 'didn't know' about it.
did not know this https://t.co/J2pXKSrRJE
— jack (@jack) May 7, 2024
Furthermore, Telegram, with the cooperation of Musk and others, is running a campaign to denounce Signal as insecure. Telegram CEO Pavel Durov is promoting the claim that 'Telegram is more secure than Signal,' and Matthew Green of Johns Hopkins University said the purpose is 'to get activists to switch from encrypted Signal to Telegram, which has little encryption.'
Pavel Durov, the CEO of Telegram, has recently been making a big conspiracy push to promote Telegram as more secure than Signal. This is like promoting ketchup as better for your car than synthetic motor oil. Telegram isn't a secure messenger, full stop. That's a choice Durov… pic.twitter.com/mDV1Ipdb2b
— Matthew Green (@matthew_d_green) May 12, 2024
According to Green, the open source Signal protocol has been thoroughly reviewed by cryptographers and is the gold standard in the industry.
First things first, Signal Protocol, the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard. 2/
— Matthew Green (@matthew_d_green) May 12, 2024
On the other hand, Telegram does not encrypt conversations end-to-end by default unless you manually initiate an encrypted 'secret chat', meaning all data is visible on Telegram servers and is often subject to investigation by intelligence agencies.
Telegram by contrast does not encrypt conversations end-to-end by default. Unless you manually start an encrypted “Secret Chat”, all of your data is visible on the Telegram server. Given who uses Telegram, this server is probably a magnet for intelligence services. 3/
— Matthew Green (@matthew_d_green) May 12, 2024
However, Durov argued that 'Telegram has a reproducible build, whereas Signal does not.'
I want to switch away from that and briefly address a specific point Durov makes in his post. He claims that Signal doesn't have reproducible builds and Telegram does. As I said, this is extremely silly because Telegram is unencrypted anyway, but it's worth addressing. pic.twitter.com/KXnbKQW9qe
— Matthew Green (@matthew_d_green) May 12, 2024
In response to this criticism, Green said, 'Because Signal is developed as an open source app, it is difficult to review the source code for the iOS version, which uses FairPlay encryption.' He also pointed out, 'Telegram has introduced a way to forcibly reproduce the iOS build, but this requires a jailbroken iPhone, and the app cannot be verified in its entirety, and some files remain encrypted and cannot be viewed, which is terrible.'
I want to give Telegram credit because they've tried to “hack” a solution for repro builds on iOS. But reading it shows how bad it is: you need a jailbroken (old) iPhone. And at the end you still can't verify the whole app. Some files stay encrypted. https://t.co/vjzWDgTx4L pic.twitter.com/WxC5q38MjS
— Matthew Green (@matthew_d_green) May 12, 2024
'Because of the nature of Telegram, I don't think it's actually secret, even in secret chat mode,' Green said.
I don't really care which messenger you use. I just want you to understand the stakes. If you use Telegram, we experts cannot even begin to guarantee that your communications are confidential. In fact at this point I assume they are not, even in Secret Chats mode.
— Matthew Green (@matthew_d_green) May 12, 2024
Signal CEO Meredith Whittaker countered Musk's claims with several points: Signal uses encryption to keep data from falling into the hands of anyone other than the intended recipients; the protocols used by Signal are the gold standard in the industry; Signal regularly undergoes professional audits; and every update is scrutinized by a large community of information security researchers, so any malicious changes that could affect the security of the binaries are immediately detected.
'Because we're a nonprofit, we have no incentive to advertise bullshit in order to be acquired at a high price. Even if someone were to acquire Signal, we would reinvest the money in mission-aligned purposes under Section 501(c)(3) of the Internal Revenue Code,' Whittaker said.
in Mobile, Software, Web Application, Security, Posted by log1r_ut