rentry (Article EN)
Jan 12, 2026
(IC: This page was taken @ Jan 12, 2026 without included links. Please visit the website.)
(IC: Credit to SimplifiedPrivacy / @SimplifiedPrivacy.com)
SECURITY AUDIT - ENCRYPTED MESSAGING 2025-2026
Telegram channel - Chat Privacy & Cyber
SimpleX group - privacy-first alternative to Telegram
Date: January 11, 2026
Scope: 7 Messengers (Signal, Element, SimpleX, Session, Telegram, Olvid, XMPP)
Methodology: Technical analysis, public audits, CVE databases, architecture, jurisdiction
EXECUTIVE SUMMARY
App | Score | Verdict
SimpleX | 92/100 | Best absolute anonymity + PQKE
Olvid | 87/100 | Best for France + ANSSI certified
Signal | 85/100 | Gold standard, limited decentralization
Element | 78/100 | Good federation, open-source
Session | 76/100 | Improving (PFS 2025), Sybil risk
XMPP | 74/100 | Robust protocol, client-dependent
Telegram | 42/100 | NOT recommended (weak MTProto, Kremlin)
1. ENCRYPTION & CRYPTOGRAPHY
Signal
Protocol: Signal Protocol (Double Ratchet, X3DH, Curve25519)
E2EE: Yes, default for all messages
Forward Secrecy (PFS): Yes (per-message key rotation)
Post-Quantum: No (on roadmap)
Vulnerabilities: None critical (audits 2016-2024 validated protocol)
Verdict: A+ (industry standard)
Element/Matrix
Protocol: Olm/Megolm (Double Ratchet)
E2EE: Optional per room (default enabled)
Forward Secrecy: Yes (1:1 Olm; group Megolm, with limitations)
Megolm weakness: Group history decryptable if session compromised (NCC audit 2016)
Post-Quantum: In development (MLS protocol)
Verdict: A- (good but group chat limitations identified)
SimpleX
Protocol: SMP + X3DH + Double Ratchet + PQKE (continuous)
E2EE: Yes, plus encrypted metadata
Forward Secrecy: Double-layer (outer + inner encryption)
Post-Quantum: ML-KEM, continuous (regular key exchange)
Vulnerabilities: 2 medium (X3DH implementation, 2022 Trail of Bits) - fixed
Verdict: A+ (advanced, PQKE today)
Session
Protocol: Session Protocol (modified Signal initially)
E2EE: Yes
Forward Secrecy: ABSENT until v2 (2025 release now live)
Post-Quantum: ML-KEM implemented (2025)
Critical issue: PFS removed 2021, now restored in v2 Protocol
Verdict: B (PFS issue resolved, new protocol active)
Telegram
Protocol: MTProto 2.0 (proprietary, bespoke)
E2EE: Not default (optional "secret chats" only)
Server encryption: TLS client-server only (NOT E2EE)
Vulnerabilities: 4 discovered (Royal Holloway/ETH Zurich 2016-2024)
Message alteration (trivial)
Plaintext recovery (medium, millions of messages required)
MITM attack possible (rare, extremely difficult)
Verdict: C (proprietary, flaws documented, E2EE optional)
Olvid
Protocol: Proprietary (AES-256 + HMAC-SHA-256)
E2EE: Yes, default, plus metadata
Forward Secrecy: Yes (temporary keys per message)
Post-Quantum: No (but ANSSI researching)
Audits: ANSSI CSPN certified 2x (2021, 2024) - no exploitable vulnerabilities
Verdict: A (French government certified, proven architecture)
XMPP + OMEMO
Protocol: OMEMO XEP-0384 (Double Ratchet, X3DH)
E2EE: Optional (client-dependent)
Forward Secrecy: Weak (spec: only when both parties online)
Vulnerabilities: None critical (2015-2016 protocol stable)
Verdict: A (solid protocol, implementation variable)
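The forward-secrecy and continuous-key-exchange points in this section (per-message key rotation, PFS, "ML-KEM continuous") rest on one mechanism: a one-way key chain whose old keys are discarded, periodically re-seeded by a fresh key agreement. The following is an added illustration, not code from Signal, SimpleX, Session or any other project on this page. It models a Double Ratchet-style symmetric sending chain with HMAC-SHA256, and uses a hypothetical `mix_in_fresh_secret` step as a stand-in for the DH or ML-KEM ratchet; the seed and fresh secret are constructed constants.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed, simplified model of a Double Ratchet symmetric sending chain.
# Added example; not the code of any messenger discussed on the page.


def kdf_chain_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: (next_chain_key, message_key) from the current chain key.

    Two domain-separated HMAC-SHA256 calls, the construction the Double Ratchet
    specification suggests for its symmetric-key ratchet. HMAC is one-way, so a
    chain key yields its successors but never its predecessors."""
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return next_chain_key, message_key


class SendingChain:
    """Sender side of one chain. Old chain keys are overwritten, never stored."""

    def __init__(self, chain_key: bytes):
        self._chain_key = chain_key
        self.index = 0  # number of message keys produced so far

    def next_message_key(self) -> tuple[int, bytes]:
        self._chain_key, message_key = kdf_chain_step(self._chain_key)
        self.index += 1
        return self.index, message_key

    def mix_in_fresh_secret(self, fresh_secret: bytes) -> None:
        """Hypothetical stand-in for the DH (or ML-KEM) ratchet step: fold a freshly
        agreed secret into the chain, so a previously stolen chain key stops
        predicting future keys (post-compromise security)."""
        self._chain_key = hmac.new(fresh_secret, self._chain_key, hashlib.sha256).digest()

    def snapshot(self) -> tuple[bytes, int]:
        """What an attacker who reads device memory right now obtains."""
        return self._chain_key, self.index


def derive_from_snapshot(chain_key: bytes, index: int, upto: int) -> dict[int, bytes]:
    """Attacker's best effort: walk the chain forward from a stolen state.
    Yields keys index+1 .. upto; nothing at or below `index` is derivable."""
    derived = {}
    for i in range(index + 1, upto + 1):
        chain_key, message_key = kdf_chain_step(chain_key)
        derived[i] = message_key
    return derived


def run_scenario(seed: bytes = b"\x11" * 32, fresh: bytes = b"\x22" * 32) -> dict:
    """Send 3 messages, leak the chain state, send 2 more, rekey, send 2 more.
    Returns which message keys the leaked state lets an attacker recover."""
    chain = SendingChain(seed)
    real_keys = dict(chain.next_message_key() for _ in range(3))   # messages 1-3
    stolen = chain.snapshot()                                        # compromise after message 3
    real_keys.update(chain.next_message_key() for _ in range(2))    # messages 4-5
    chain.mix_in_fresh_secret(fresh)                                 # DH / PQKEM ratchet step
    real_keys.update(chain.next_message_key() for _ in range(2))    # messages 6-7

    guessed = derive_from_snapshot(*stolen, upto=7)
    recovered = sorted(i for i, k in guessed.items() if real_keys.get(i) == k)
    return {
        "past_safe": all(i not in guessed for i in (1, 2, 3)),      # forward secrecy
        "recovered": recovered,                                      # messages sent before rekey
        "post_rekey_safe": all(i not in recovered for i in (6, 7)),  # post-compromise security
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two properties fall out of the model: a stolen chain key exposes nothing sent before the theft (forward secrecy, the "PFS" column above), but it does expose everything sent afterwards until a fresh secret is mixed in, which is why the frequency of the DH or ML-KEM step, not just its presence, matters when comparing protocols.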
2. METADATA & PRIVACY
Collection Overview
App | IP logging | Timestamps | Social graph | Contacts | Notes
Signal | Partial (calls) | Server logs | Yes (phone required) | E2EE client | Sealed Sender hides sender
Element | Server logs | Yes | Yes (JID visible) | E2EE client | Federation = potential leak
SimpleX | Queue rotation | Minimal | NONE (no global ID) | E2EE client | Best social graph protection
Session | Partial (onion routing) | Yes | Random ID, partial | E2EE client | Service Nodes know prev/next IPs
Telegram | All IPs collected | All | Fully centralized | Not E2EE | SORM Russia access possible
Olvid | Rotation, P2P | Minimal | No global ID | E2EE | Hybrid P2P optimal
XMPP | Server logs | Yes | JID visible | E2EE client | Depends on server operator
3. IDENTIFIERS & ANONYMITY
Signal
Required: Phone number (mandatory, no alternative)
Deanonymization: Yes (number = identifier)
Risk: Social graph exposed, problematic for activists
Mitigation: Burner SIM, Tor VPN (theoretical)
Element
Required: No (username@server)
Deanonymization: No (JID can be anonymous)
Risk: Server = centralized point
Mitigation: Self-host Matrix server
SimpleX
Required: NONE
Deanonymization: None (no global ID)
Feature: Incognito mode = different ID per contact
Uniqueness: Only messenger designed with zero identifiers
Session
Required: Random 66-char Account ID (no phone)
Deanonymization: No (unless ID shared)
Sybil risk: Service Nodes stake-based (15k Oxen minimum)
Telegram
Required: Phone number + @username
Deanonymization: Yes (dual identifier)
Risk: Complete social graph exposed, SORM Russia access
Olvid
Required: No identifier (invitation-based)
Deanonymization: No (optional personal ID)
Architecture: Hybrid P2P = no centralized graph
XMPP
Required: JID (username@server)
Deanonymization: Depends on server (anonymous possible)
Variability: Varies with each implementation
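The difference between a global identifier (phone number, @username, JID) and SimpleX's per-contact queue IDs with rotation is, from a relay operator's seat, a difference in what a message log lets you reconstruct. The following is an added simulation, not code from SimpleX or any other project on this page: it builds a constructed conversation between hypothetical users, renders it as the log a server would hold under each design, and runs the same graph-recovery routine over both. The `queue_id` derivation and the rotation interval are assumptions made for the model.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# Constructed conversation: (sender, recipient, body). Names are hypothetical.
MESSAGES = [
    ("alice", "bob", "hi"),
    ("bob", "alice", "hello"),
    ("alice", "carol", "lunch?"),
    ("carol", "alice", "sure"),
    ("bob", "carol", "seen this?"),
    ("alice", "bob", "ok"),
    ("alice", "bob", "bye"),
]


def server_view_global_id(messages):
    """Design A (phone number / JID): every record names both endpoints."""
    return [{"from": s, "to": r} for s, r, _ in messages]


def queue_id(sender: str, recipient: str, epoch: int,
             secret: bytes = b"constructed-client-secret") -> str:
    """Opaque, per-direction, per-contact queue address, rotated by epoch.
    Derived on the client; the relay never learns sender or recipient names.
    (Assumed derivation for the model, not SimpleX's actual scheme.)"""
    material = f"{sender}->{recipient}:{epoch}".encode()
    return hashlib.sha256(secret + material).hexdigest()[:16]


def server_view_per_contact_queues(messages, rotate_every: int = 2):
    """Design B (no global identifier): the relay only sees the queue address
    a message is dropped into. The address changes after `rotate_every`
    messages on that pair, modelling queue rotation."""
    counters: dict[tuple[str, str], int] = defaultdict(int)
    records = []
    for s, r, _ in messages:
        counters[(s, r)] += 1
        epoch = (counters[(s, r)] - 1) // rotate_every
        records.append({"queue": queue_id(s, r, epoch)})
    return records


def recover_contact_graph(records):
    """What an observer of the relay log can reconstruct: for each identifier
    it sees, the set of other identifiers that co-occur with it in a record."""
    graph: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        ids = list(rec.values())
        for a in ids:
            graph[a].update(i for i in ids if i != a)
    return {k: sorted(v) for k, v in graph.items()}


def summarize(records) -> dict:
    """Two linkability metrics: how many distinct identifiers the log exposes,
    and the largest contact set attributable to any one of them."""
    graph = recover_contact_graph(records)
    return {
        "identifiers_seen": len(graph),
        "max_contacts_per_identifier": max((len(v) for v in graph.values()), default=0),
    }


if __name__ == "__main__":
    print("global ID:", summarize(server_view_global_id(MESSAGES)))
    print("per-contact queues:", summarize(server_view_per_contact_queues(MESSAGES)))
```

Under design A the log yields the full social graph (three users, each linkable to two contacts). Under design B the same traffic appears as six unrelated queue addresses with no shared endpoint, so nothing joins one conversation to another, and the rotation splits even a single conversation across addresses. The model deliberately ignores IP addresses and timing, which is exactly the residual channel the "Partial" and "Server logs" cells in the metadata table refer to.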
4. ARCHITECTURE & DECENTRALIZATION
App | Type | Servers | Control | Self-host
Signal | Centralized | 1 entity (Signal Foundation) | Single | Possible but complex
Element | Federated | Multiple (Matrix servers) | Community | Easy (Synapse)
SimpleX | Decentralized | 4+ relays per chat | User | SMP servers
Session | Decentralized | 2100+ Service Nodes | Stake-based | Crypto-dependent
Telegram | Centralized | Telegram Inc + DATAIX/GlobalNet | Kremlin risk | Impossible
Olvid | Hybrid P2P | Proprietary relays | Olvid Ltd | No
XMPP | Federated | Community servers | Multi-admin | Yes
Decentralization risks:
Session: Sybil attacks (staking mitigates but risk exists)
Element: Federation = trust multiple servers
SimpleX: 4 servers per conversation = potential correlation
5. OPEN SOURCE & AUDITS
Signal
Code: Open-source (client + server + libsignal)
GitHub: signal-org (publicly available)
Audits: Multiple 2016-2024 by independent researchers
Reproducibility: Reproducible builds supported
Verdict: Excellent (maximum transparency)
Element
Code: Full open-source (Synapse, Element Web/Mobile)
Audits: NCC Group 2016, BSI CAOS 2023-24 (zero critical)
Reproducibility: Yes
Verdict: Excellent
SimpleX
Code: Full open-source (AGPL3)
GitHub: simplex-chat (publicly available)
Audits: Trail of Bits 2022 (4 issues, medium/low)
Reproducibility: Yes
Verdict: Excellent
Session
Code: Full open-source (GitHub session-org)
Audits: Quarkslab 2021 (validated that absent PFS was a design choice)
Reproducibility: Yes
Verdict: Good
Telegram
Code: Proprietary (clients only partially open)
MTProto: Documented but no server source access
Audits: No official independent audits
Verdict: Poor (maximum opacity)
Olvid
Code: Proprietary
Audits: ANSSI CSPN 2x (government certification)
Transparency: Audit publicly available, source evaluated by ANSSI
Verdict: Good (certified but closed)
XMPP
Code: Full open-source (protocol + clients)
Audits: Radically Open Security 2016
Reproducibility: Yes (protocol-agnostic)
Verdict: Excellent
6. JURISDICTION & COMPLIANCE
Signal
Country: USA (Signal Foundation Delaware-based)
Servers: AWS/Azure (multi-cloud, variable location)
Legal obligations: US FOIA (confirms number = user + last login)
Canary warrant: Exists (annual transparency report)
GDPR: Partially applicable
Verdict: US dependency; data legally obtainable by authorities
Element
Country: UK (Matrix Foundation)
Servers: Self-hosted or third-party
Legal obligations: GDPR (EU applicable)
Canary warrant: None published
Verdict: Good (EU-based, GDPR compliance)
SimpleX
Country: UK (SimpleX Ltd)
Servers: User-controlled (no global data center)
Legal obligations: GDPR (architecture minimizes collection)
Data retention: None by SimpleX (user controls)
Verdict: Optimal (GDPR-friendly, no central data)
Session
Country: Blockchain community (decentralized)
Servers: 2100+ Service Nodes (global)
Legal obligations: Multiple per node jurisdiction
Verdict: Complex (each node = different jurisdiction)
Telegram
Country: Russia (Pavel Durov, Kremlin investors)
Servers: DATAIX/GlobalNet (SORM access possible)
Legal obligations: FSB/GRU cooperation documented
Financial: $2 billion corporate debt, opaque funding
Risk: Russian state surveillance probable
Investigations: Important Stories + The Insider document Kremlin links
Verdict: Very poor (hostile geopolitics, SORM access, surveillance state)
Olvid
Country: France (ANSSI certified)
Servers: Proprietary relays (France/EU location)
Legal obligations: GDPR + French sovereignty
Canary warrant: N/A (P2P architecture minimizes data)
Verdict: Excellent (French government certified)
XMPP
Country: Open standard (decentralized)
Servers: Multiple (implementation-dependent)
Legal obligations: GDPR if EU-based
Verdict: Good (depends on server choice)
7. ADVANCED FEATURES
Feature | Signal | Element | SimpleX | Session | Telegram | Olvid | XMPP
(The per-app support marks did not survive in this copy; only the feature rows are recoverable.)
Disappearing messages
Identity verification (QR)
Screenshot protection
Sealed Sender
Encrypted backup
Audio/video calls (SimpleX: beta)
Groups
Channels/Communities
8. VULNERABILITIES & INCIDENTS
Signal
History: Vulnerability disclosure established 2019, no critical found since
Responsiveness: Excellent (0-7 day patches)
Bug bounty: Active (HackerOne)
Element
2016: NCC Group found unknown key-share attack (Megolm group)
2023: BSI audit - 3 low severity, zero critical
Responsiveness: Good (1-2 weeks)
Bug bounty: Active
SimpleX
2022: Trail of Bits - 2 medium, 2 low severity
X3DH KDF issue (fixed)
Exploitation unlikely (high difficulty required)
Status: 3 of 4 issues fixed in v4.2
Responsiveness: Fast
Session
2021: Quarkslab validated PFS absent = intentional design
2025: PFS + Post-quantum ML-KEM now implemented
Responsiveness: Good
Telegram
2016-2024: 4 cryptographic vulnerabilities (Royal Holloway)
Message alteration
Plaintext recovery
MITM attack (rare)
2025: No documented patches
Responsiveness: ? (non-transparent)
Verdict: Poor transparency
Olvid
2021: 1 homonym issue (resolved)
2024: ANSSI recertification - no vulnerabilities
Responsiveness: Excellent (French certification)
XMPP
History: Very few (protocol 2015+ stable)
Responsiveness: Good (active community)
9. USAGE PROFILES & RECOMMENDATIONS
General User (standard security)
Recommendation: Signal or Element
Signal: Perfect balance security/usability, proven protocol
Element: More control, open-source, federation
Avoid: Telegram (no default E2EE)
Activist/Whistleblower
Recommendation: SimpleX or Olvid
SimpleX: Zero identifiers, encrypted metadata, PQKE
Olvid: ANSSI certified, P2P architecture, no social graph history
Avoid: Signal (phone required), Telegram (Kremlin surveillance)
Enterprise/Government
Recommendation: Olvid or Element (self-hosted)
Olvid: ANSSI certified, France compliant
Element: Self-host Synapse, full control, GDPR
Paranoid/High-threat
Recommendation: SimpleX + Tor + air-gap
Metadata encryption, zero ID, continuous PQKE
Self-host SMP servers
Hybrid multi-app (SimpleX + Olvid redundancy)
Maximum privacy-conscious
Recommendation: SimpleX > Session > Element (self-hosted)
SimpleX: No global ID, queue rotation
Session: Random ID, decentralized (minus Sybil risk)
Element: Federated = reduced trust vs Signal
10. CONCLUSION & FINAL SCORES
Ranking by Primary Use
SimpleX (92/100): Best absolute anonymity + PQKE, for demanding users
Olvid (87/100): ANSSI certified, recommended France/Government
Signal (85/100): Balanced gold standard, phone number risk
Element (78/100): Excellent federation, implementation-dependent
Session (76/100): Decentralized but Sybil risk, PFS now in v2
XMPP (74/100): Solid protocol, client-dependent
Telegram (42/100): Not recommended (weak MTProto, Kremlin, optional E2EE)
Geopolitical Recommendations
Europe/France: Olvid (certified), Element (self-host), SimpleX
USA: Signal (metadata risk), SimpleX, Element
Hostile regions: SimpleX + Tor, Olvid + VPN
Critical activists: SimpleX only
Key Audit Findings 2025-2026
Signal Protocol = gold standard (audits validate protocol + implementation)
SimpleX = anonymity innovation + PQKE, for early adopters
Olvid = French certification = government assurance
Element = good, but federation metadata = leakage
Session = improving (PFS 2025, PQKE), with Sybil risk
Telegram = Kremlin surveillance documented, weak MTProto
XMPP = implementation variable, client-dependent
Full Report:
Telegram channel - Chat Privacy & Cyber
SimpleX group - privacy-first alternative to Telegram
Sources:

SOURCES - MESSAGING SECURITY AUDIT 2026
Audit Reports & Cryptography
Signal
Signal Protocol Specification: https://signal.org/docs/specifications/
libsignal Documentation: https:/...
Pub: 11 Jan 2026 01:03