The State of Secure Communications: Benchmarking Signal, WhatsApp, and Anonymity Networks

Abstract

In the third decade of the twenty-first century, the integrity of digital communication has transcended technical curiosity to become a cornerstone of civil liberty, corporate security, and geopolitical stability. As the volume of data transmitted globally expands exponentially, so too does the sophistication of adversarial actors ranging from state-sponsored intelligence agencies to commercial surveillance firms and cybercriminal syndicates. This research report provides an exhaustive technical analysis of the current landscape of encrypted communications, dissecting the architectural choices, cryptographic primitives, and operational security models of leading platforms: Signal, WhatsApp, Telegram, X (formerly Twitter), and Proton Mail. Furthermore, it examines the infrastructure of anonymity networks, specifically the Tor network and consumer Virtual Private Networks (VPNs) such as NordVPN, Surfshark, and Proton VPN. Through a rigorous synthesis of academic security audits, technical whitepapers, and forensic analyses, this report evaluates the efficacy of end-to-end encryption (E2EE), transport layer security, and metadata obfuscation techniques. The analysis highlights a critical divergence between "trust-minimized" architectures, which rely on mathematical guarantees, and "trust-based" models, which rely on policy compliance. Special attention is paid to emerging threats, including quantum computing decryption capabilities ("Harvest Now, Decrypt Later"), deep-learning-based traffic correlation attacks, and zero-click endpoint compromises like Pegasus. The findings suggest that while cryptographic protocols have matured to near-perfection, the frontier of vulnerability has shifted to metadata retention, endpoint security, and the legal jurisdictions governing the service providers.

1. Introduction to Secure Communications Architectures

The fundamental promise of secure communication is the assurance that a message sent by one party can be read only by the intended recipient, maintaining confidentiality, integrity, and authenticity. Historically, this was attempted through various iterations of encryption, from the early days of Pretty Good Privacy (PGP) to the Off-the-Record (OTR) messaging protocols of the early 2000s. However, the modern standard for secure messaging was established with the advent of the Signal Protocol, which introduced properties such as asynchronous communication, forward secrecy, and post-compromise security to the mass market.

To understand the comparative analysis of platforms like WhatsApp, Signal, and Telegram, one must first establish the technical hierarchy of encryption layers currently in use.

1.1 Transport Layer Security vs. End-to-End Encryption

The baseline for any modern internet communication is Transport Layer Security (TLS). This protocol encrypts data as it moves between a client device (e.g., a smartphone) and a server. While TLS protects data from passive observers on the network—such as a Wi-Fi eavesdropper or an Internet Service Provider (ISP)—it terminates at the server. This means the service provider possesses the technical capability to decrypt, read, and store the data. This is the model utilized by standard email, Twitter (historically), and Telegram's "Cloud Chats".¹

In contrast, End-to-End Encryption (E2EE) ensures that encryption keys are generated and stored exclusively on the endpoint devices. The server acts merely as a blind relay, passing encrypted "blobs" of data between users without the mathematical ability to decrypt them. This "trust-minimized" model is the gold standard for privacy, as it technically precludes the provider from complying with data access warrants regarding message content. This architecture defines Signal, WhatsApp, and Telegram's "Secret Chats."

1.2 The Metadata Problem

A recurring theme in this analysis is the distinction between content privacy and metadata privacy. Metadata—data about the data—includes the identity of the sender and recipient, the time and duration of the communication, the location of the devices, and the size of the encrypted packets. As former NSA General Counsel Stewart Baker famously noted, "Metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content".²

While many platforms offer robust E2EE for content, they vary wildly in their protection of metadata. Some, like Signal, employ advanced techniques like "Sealed Sender" to minimize server-side knowledge.³ Others, like WhatsApp and X, inherently rely on harvesting metadata for business intelligence or advertising, creating a "metadata mine" that remains vulnerable to legal compulsion and analysis.³

2. The Signal Ecosystem: The Apex of Cryptographic Assurance

The Signal application, developed by the non-profit Signal Technology Foundation, is widely regarded by the academic and security community as the benchmark for secure communication. Its security relies not on the obscurity of its code but on the rigorous implementation of the open-source Signal Protocol.

2.1 The Double Ratchet Algorithm

The cryptographic heart of Signal is the Double Ratchet Algorithm. This mechanism addresses the limitations of static keys. In a static key system, if an attacker compromises a key, they can decrypt all past and future messages. The Double Ratchet combines two types of key management to prevent this:

1. The Diffie-Hellman Ratchet: As users exchange messages, they piggyback new public key values onto the messages. This allows both parties to constantly negotiate new shared secrets, providing post-compromise security (or "future secrecy"). If a device is compromised and later recovered (e.g., malware is removed), the protocol "heals" itself; the attacker cannot derive future keys from the stolen ones.⁵

2. The Symmetric-Key Ratchet: For every message sent within a single Diffie-Hellman session, a symmetric Key Derivation Function (KDF) advances the chain key. This provides forward secrecy. If a key is stolen today, the attacker cannot run the KDF backwards to derive the keys used for past messages.⁵

Academic audits, such as those conducted by researchers from Oxford, Queensland University, and McMaster University, have formally verified these properties, finding the protocol sound and resilient even under complex adversarial models.⁵

2.2 Post-Quantum Cryptography: The PQXDH Upgrade

The security landscape is currently shifting due to the looming threat of quantum computing. A sufficiently powerful quantum computer running Shor’s algorithm could theoretically solve the discrete logarithm problem that underpins Elliptic Curve Cryptography (ECC), the basis of the current Diffie-Hellman exchange (X25519) used in Signal.⁶ This has given rise to "Harvest Now, Decrypt Later" attacks, where adversaries store vast amounts of encrypted traffic today, waiting for the technology to break it in the future.

In response, Signal introduced the PQXDH (Post-Quantum Extended Diffie-Hellman) protocol. This is a hybrid key agreement protocol that combines the traditional elliptic curve key exchange (X25519) with a post-quantum Key Encapsulation Mechanism (KEM) known as CRYSTALS-Kyber.⁷

Technically, the handshake works as follows:

• "Bob" (the recipient) uploads a signed prekey bundle to the server that includes both his X25519 public key and a Kyber-1024 public key.⁷

• "Alice" (the sender) generates an X25519 ephemeral key pair and a Kyber ciphertext encapsulating a shared secret.

• The final shared secret used to initialize the Double Ratchet is derived from a combination of the X25519 calculation and the Kyber shared secret.⁶

This hybrid approach ensures that even if the X25519 layer is broken by a quantum computer, the session key remains secure due to the Kyber layer. Conversely, if a classical weakness is found in the newer Kyber algorithm, the X25519 layer still protects against classical computers. Formal verification of PQXDH has confirmed it maintains the deniability and forward secrecy properties of the original protocol.¹⁰

2.3 Metadata Minimization: Sealed Sender and Contact Discovery

Signal’s privacy architecture extends beyond encryption to metadata minimization. A primary innovation is the Sealed Sender technology. In traditional messaging, the server needs to know who the sender is to deliver the message. In Signal’s implementation, the sender encrypts their identity (the "sender" field) inside the encrypted envelope. The server receives a token that tells it where to send the message (the recipient) but does not cryptographically know who sent it.³ This unlinks the sender from the recipient in the server logs.

Furthermore, Signal addresses the "private contact discovery" problem. Most apps upload the user’s contact list to the server to find friends. Signal uses secure enclaves (Intel SGX) to perform this matching. The server runs the contact matching algorithm inside an encrypted memory space; the server operator (Signal) cannot see the contact lists being processed, only the encrypted output.³ This aligns with Signal’s philosophy: they cannot hand over data they do not possess. FBI training documents confirm that Signal provides minimal data to law enforcement—typically only the date of account creation and the last connection date—rendering it ineffective for metadata analysis.¹¹

2.4 Android Hardening: StrongBox and KeyStore

On the endpoint side, specifically for Android, Signal has explored integrating with StrongBox. StrongBox is an implementation of the Android Keystore system that resides in a secure hardware element (SE), distinct from the main processor and the Trusted Execution Environment (TEE).¹³

A StrongBox implementation, such as the Titan M chip on Google Pixel devices, has its own CPU, secure storage, and True Random Number Generator (TRNG). Keys generated in StrongBox never leave the secure hardware. Even if the Android kernel is compromised by root-level malware, the malware cannot extract the keys; it can only request the StrongBox to perform cryptographic operations.¹⁴ This provides a robust defense-in-depth against malware that attempts to steal long-term identity keys.

3. WhatsApp: The Paradox of Ubiquity and Surveillance

WhatsApp, acquired by Meta (Facebook), represents the largest deployment of the Signal Protocol in history. With billions of users, it has normalized E2EE. However, its implementation exists within a data-harvesting business model, creating a complex security profile.

3.1 Protocol Implementation and Metadata Retention

Technically, WhatsApp uses the same Signal Protocol for message contents as the Signal app.¹⁶ Messages are encrypted on the device, and Meta cannot decrypt them. However, unlike Signal, WhatsApp does not employ Sealed Sender. Meta servers know exactly who is messaging whom, at what time, and from what location.¹⁷

This metadata is extremely granular. FBI documents reveal that WhatsApp can provide "Pen Register" data, which captures source and destination information for every message in near real-time (every 15 minutes).¹¹ Additionally, WhatsApp collects device info, battery levels, signal strength, and mobile network data.⁴ For a user whose threat model involves government surveillance of associations (who they know) rather than content (what they say), WhatsApp is significantly less secure than Signal.

3.2 The Backup Vulnerability and E2EEB

For years, WhatsApp’s security Achilles' heel was its backup mechanism. Chats backed up to Google Drive (Android) or iCloud (iOS) were stored using keys managed by Google or Apple. This meant that while the transmission was secure, the archives were accessible to third parties via subpoenas to the cloud providers.³

To close this gap, WhatsApp introduced End-to-End Encrypted Backups (E2EEB). This optional feature encrypts the backup blob with a random 64-digit key. This key is stored in a Hardware Security Module (HSM) vault, known as the Backup Key Vault. The user can access this vault using a password or the 64-digit key itself. The HSMs are programmed to enforce rate-limiting on password attempts, preventing brute-force attacks.³ While this implementation is technically sound and robust, it is not enabled by default, leaving the vast majority of the user base vulnerable to cloud backup extraction.

3.3 Key Transparency: The Auditable Key Directory (AKD)

A sophisticated attack vector against E2EE is the Man-in-the-Middle (MitM) attack, where a malicious server presents a fake public key to the sender, intercepting the message, decrypting it, and re-encrypting it for the recipient. To detect this, users traditionally had to manually compare "Safety Numbers" or QR codes.

WhatsApp has deployed a system called Key Transparency, based on the Auditable Key Directory (AKD) protocol (specifically a variant called Parakeet/SEEMless).¹⁹ This system publishes a cryptographic log (a Merkle Tree) of all public key changes. This log is append-only and immutable. When a user's client requests a public key for a recipient, it also checks proofs from this directory to ensure the key matches what the directory claims, and that the directory hasn't been tampered with.²¹

Third-party auditors, such as Cloudflare, monitor this directory to ensure Meta is not presenting different views of the directory to different users (split-view attacks).²² This provides an automated, cryptographic guarantee that the conversation is not being intercepted, significantly raising the difficulty for targeted surveillance.

4. Telegram: A Hybrid Architecture and Cryptographic Unorthodoxy

Telegram is frequently cited in the media as an "encrypted messenger," but from a technical perspective, it functions more like a cloud-synced social network with optional encryption features.

4.1 MTProto 2.0 vs. Standard TLS

Telegram does not use the Signal Protocol. Instead, it uses a custom protocol called MTProto 2.0. Cryptographers generally discourage "rolling your own crypto" because proprietary protocols lack the extensive vetting of standards like TLS 1.3.

MTProto 2.0 utilizes a combination of 256-bit AES (in Infinite Garble Extension, or IGE, mode), RSA-2048, and Diffie-Hellman key exchange.²³ Early versions (MTProto 1.0) had theoretical vulnerabilities related to IND-CCA (Indistinguishability under Chosen Ciphertext Attack) security, which prompted the update to 2.0.¹

Academic analysis of MTProto 2.0 by researchers at Royal Holloway and ETH Zurich found that while the protocol is generally sound and does not have immediate critical breaks, it falls short of the rigorous guarantees provided by TLS 1.3.²⁴ Specifically, they identified issues with the malleability of message sequences, theoretically allowing an attacker to reorder messages.¹ While not a complete break, it highlights the risks of non-standard cryptography.

4.2 The "Cloud Chat" Default

The most critical distinction is that Telegram "Cloud Chats" (the default for private messages and the only option for group chats) are not end-to-end encrypted.²⁵ They are encrypted between the client and the server (Client-Server encryption), but the server holds the decryption keys. This allows Telegram to offer seamless multi-device synchronization and server-side search.

However, this means Telegram possesses the technical capability to access user data. If compelled by a court in a jurisdiction where they have infrastructure, or if their servers are compromised, all historical Cloud Chats are vulnerable. FBI data indicates that while Telegram is historically non-cooperative, they do not offer the mathematical impossibility of access that Signal does.¹¹

4.3 Secret Chats: The E2EE Option

Telegram does offer E2EE via "Secret Chats." These chats use the MTProto 2.0 protocol end-to-end. Keys are generated on the devices and ephemeral images are visualized for key verification.²³ However, Secret Chats have significant usability friction: they are not backed up, they do not sync across devices (a Secret Chat started on a phone is invisible on the desktop), and they are not available for group conversations.²⁵ Consequently, they represent a minority of actual usage on the platform.

5. X (Twitter): The Illusion of Security

Under new management, X (formerly Twitter) launched encrypted Direct Messages (DMs) to compete in the secure messaging space. However, the implementation has drawn sharp criticism from the cryptographic community.

5.1 The "Juicebox" Protocol and Key Management

X's encryption system is built on a protocol named Juicebox.²⁶ The critical flaw identified by cryptographers like Matthew Green is the key management architecture. In a robust E2EE system, private keys never leave the device. In X's implementation, the private keys are encrypted and stored on X's servers to facilitate multi-device access.²⁶

These key bundles are protected by a user PIN. If X were using Hardware Security Modules (HSMs) to enforce rate-limiting on PIN guesses (like WhatsApp's E2EE backups), this might be acceptable. However, analysis suggests the "Juicebox" implementation relies on software-based enforcement.² This means an insider at X, or an attacker who compromises the server, could bypass the rate limits and brute-force the PINs to decrypt the private keys.

5.2 Lack of Forward Secrecy

Furthermore, the X implementation lacks forward secrecy.²⁶ The protocol appears to use static key pairs for encryption. If a user’s private key is ever compromised (via the PIN brute-force method described above), the attacker can decrypt all historical messages sent to that user. This is a regression compared to the Signal Protocol's Double Ratchet, which rotates keys with every message. Additionally, X explicitly states they do not encrypt metadata, leaving social graphs fully exposed.²

6. Proton Mail: Asynchronous Encryption and the PGP Legacy

Proton Mail operates in a different paradigm: asynchronous email based on the OpenPGP standard.

6.1 Zero-Access Encryption Architecture

Proton Mail employs Zero-Access Encryption. When an email is sent between two Proton users, it is end-to-end encrypted using PGP; the server sees only ciphertext.²⁷ However, when a non-Proton user emails a Proton user, the email travels over standard SMTP (secured by TLS) to Proton's servers. Upon arrival, Proton's server immediately encrypts the message with the user's public key.²⁸

While this means the message is secure at rest (Proton cannot read stored emails), there is a split-second window upon receipt where the message is in plaintext in Proton's RAM before encryption. This distinguishes it from the strict E2EE of Signal, but it offers a massive improvement over providers like Gmail which retain full access to data for advertising and AI training.

6.2 The French Climate Activist Case: Limits of Swiss Privacy

The limitations of this model were highlighted in 2021 regarding a French climate activist. French police, via Europol, requested data from Swiss authorities. Because Proton is a Swiss company, they were legally bound to comply with a valid Swiss court order.²⁹

While Proton could not provide message content (due to Zero-Access encryption), the court ordered them to begin logging IP addresses for the specific target account. This metadata allowed police to identify and arrest the activist.³⁰ This incident underscores a critical lesson: encrypted services protect content, but unless the user connects via a VPN or Tor, their IP address remains a piece of metadata that the service provider can be compelled to log.

7. The Anonymity Layer: The Tor Network

For users where anonymity (hiding who is communicating) is as critical as confidentiality, the Tor network is the essential tool.

7.1 Onion Routing Mechanics

Tor (The Onion Router) works by wrapping data in multiple layers of encryption—like an onion. The client selects a path through three random nodes: the Guard, the Middle, and the Exit node.³²

1. Guard: Knows the user's IP but not the destination.

2. Middle: Knows the Guard and Exit but neither the user nor the destination.

3. Exit: Knows the destination but not the user.

This separation of knowledge is designed to prevent traffic analysis.

7.2 The KAX17 Threat and Malicious Relays

The network relies on volunteer-operated nodes, creating a vulnerability: malicious operators. Research by security analyst Nusenu identified a persistent threat actor dubbed KAX17. At its peak in 2020-2021, KAX17 controlled over 27% of the Tor network's exit capacity.³³

By controlling a significant fraction of nodes, KAX17 could attempt Man-in-the-Middle (MitM) attacks on unencrypted HTTP traffic leaving the exit nodes (SSL stripping) or perform traffic correlation attacks. If an entity controls both the Guard and the Exit node for a specific circuit, they can correlate the timing and volume of packets entering and leaving the network, effectively de-anonymizing the user.³⁵

7.3 Deep Learning and Flow Correlation

Academic research in 2024-2025 has demonstrated the efficacy of Deep Learning in these correlation attacks. Systems like DeepCoFFEA and SUMo use neural networks to match traffic patterns even in the presence of "padding" (dummy traffic) introduced by Tor to confuse observers.³⁵ These studies suggest that while Tor is robust against local observers, it is vulnerable to global passive adversaries (like major ISPs or state intelligence agencies) who have visibility into large swaths of internet traffic.

8. Network Tunneling: Virtual Private Networks (VPNs)

VPNs serve as a simplified tunnel, hiding the user's IP from the destination and the ISP.

8.1 WireGuard vs. OpenVPN

The industry has largely shifted to WireGuard, a modern protocol that is significantly leaner and faster than the legacy OpenVPN. WireGuard uses state-of-the-art cryptography (ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange) and consists of only ~4,000 lines of code, compared to OpenVPN's ~400,000.³⁷ This reduced attack surface makes it easier to audit. NordVPN (via NordLynx), Surfshark, and Proton VPN have all adopted WireGuard.

8.2 RAM-Only Server Architecture

To mitigate the risk of physical server seizures, top-tier providers (NordVPN, ExpressVPN, Surfshark) have moved to RAM-only infrastructure.³⁹ These servers run without hard drives. The operating system and software are loaded into Volatile Random Access Memory (RAM) at boot time. If the server is physically seized or power is cut, the data instantly vanishes.

This was validated in the ExpressVPN Turkey Case, where Turkish authorities seized an ExpressVPN server investigating the assassination of the Russian ambassador. They found no logs, proving the architecture's efficacy.⁴¹

8.3 Jurisdictional Analysis

Legal jurisdiction determines the "blast radius" of data requests.

• Panama (NordVPN): Outside the 5/9/14 Eyes alliances. No mandatory data retention laws.⁴⁰

• Switzerland (Proton VPN): Strong privacy laws (FADP), outside EU/EEA, but cooperates on high-level criminal requests.⁴³

• British Virgin Islands (ExpressVPN/Surfshark): Autonomous legal system, requires local court orders, generally resistant to foreign subpoenas.⁴⁴

9. The Maginot Line: Endpoint Security and the Pegasus Threat

The strongest encryption in transit is rendered useless if the endpoint device is compromised. This is the domain of "Zero-Click" spyware.

9.1 Zero-Click Exploits: The Pegasus Mechanism

Pegasus, developed by NSO Group, and Graphite, by Paragon, represent military-grade spyware sold to governments. They utilize zero-click exploits, meaning the victim requires no interaction (no link clicking) to be infected.

A prominent vector is the JBIG2 vulnerability (CVE-2021-30860) in iOS. The exploit involved sending a malicious PDF (via iMessage or WhatsApp). The PDF contained a JBIG2 image stream. The exploit crafted the image data to overflow the buffer in the image parser. Crucially, the attackers used the compression segments to create a logic gate circuit inside the memory of the parser—effectively building a virtual computer out of the logic gates of the compression algorithm—to execute arbitrary code.⁴⁵

Once running, Pegasus hooks into the kernel, gaining root access. It can then read Signal/WhatsApp messages from the screen or memory before they are encrypted, bypassing the Signal Protocol entirely.⁴⁶

9.2 Android vs. iOS Hardening

While both platforms are vulnerable, Android devices running GrapheneOS or using Signal with StrongBox integration offer higher resistance. However, stock Android often lags in patch updates compared to iOS. Samsung has introduced "Auto Blocker" to prevent side-loading, but this does not stop zero-day exploits in system apps.⁴⁸ The only effective defense against Pegasus for high-risk targets is Lockdown Mode on iOS (which disables complex features like JBIG2 parsing) or frequent device reboots (as the infection is often non-persistent in memory).⁴⁹

10. Comparative Analysis and Recommendations

Based on the technical audit, we can categorize the platforms by security tier.

Table 1: Security Feature Comparison

10.1 Best Options for Specific User Personas

1. The High-Risk Target (Journalist, Whistleblower, Activist)

• Recommendation: Signal.

• Reasoning: It is the only platform offering PQXDH (protection against future quantum decryption), Sealed Sender (metadata minimization), and fully open-source code.

• Configuration: Enable "Registration Lock," use a VoIP number to mask the real phone number, enable "Disappearing Messages" (to clear malware-accessible history), and route traffic through Tor (via Orbot) or a trusted VPN (Mullvad/Proton) to hide IP metadata.³

2. The Privacy-Conscious Professional/Civilian

• Recommendation: WhatsApp (with caveats).

• Reasoning: The encryption protocol is robust. The Key Transparency (AKD) feature prevents Man-in-the-Middle attacks.

• Configuration: Mandatory: Enable End-to-End Encrypted Backups immediately to close the cloud storage loophole. Accept that Meta will know who you are talking to, even if they can't read what you say.³

3. The General Public / Social Groups

• Recommendation: Telegram.

• Reasoning: Superior UX for large communities.

• Warning: Treat all "Cloud Chats" as public. Never share truly sensitive credentials or incriminating data in standard Telegram chats, as the server holds the keys. For sensitive 1:1 chats, manually enable "Secret Chat".²⁵

4. Email Communication

• Recommendation: Proton Mail.

• Reasoning: Best-in-class for email, but users must understand it is not instant messaging. Use in conjunction with a VPN to prevent IP logging in the event of a Swiss court order.²⁹

11. Conclusion

The technical analysis of 2024-2025 reveals that the battle for secure communication has been won at the protocol layer but is being fought fiercely at the metadata and endpoint layers. The Signal Protocol (and its PQXDH evolution) has effectively solved the problem of data confidentiality in transit, rendering "breaking encryption" mathematically infeasible for the foreseeable future.

However, the "Trust Gap" has widened. Platforms like X and Telegram require users to trust the provider's intentions and operational security, whereas Signal and WhatsApp (with E2EE backups) rely on cryptographic proofs that minimize the need for trust.

The greatest remaining vulnerabilities are structural: the centralization of metadata (addressed only by Signal's Sealed Sender and Tor), the susceptibility of endpoint hardware to zero-click spyware (Pegasus), and the legal reach of jurisdictions over server infrastructure. For the user needing absolute security, the solution is not a single app, but a layered defense: Signal for content, Tor/VPN for network anonymity, and rigorous device hygiene to harden the endpoint against intrusion.

Works cited

1. Analysis of the Telegram Key Exchange - King's Research Portal, accessed January 29, 2026, https://kclpure.kcl.ac.uk/ws/portalfiles/portal/324396752/main.pdf

2. As X makes a 'WhatsApp-kind' security promise; Elon Musk throws a challenge; says: We welcome any, accessed January 29, 2026, https://timesofindia.indiatimes.com/technology/social/as-x-makes-a-whatsapp-kind-security-promise-elon-musk-throws-a-challenge-says-we-welcome-any-/articleshow/126372454.cms

3. Communication Privacy 2025: Signal vs WhatsApp [Complete Comparison + PGP Setup], accessed January 29, 2026, https://securhub.pl/en/blog/2025-11-23-krotki-poradnik-prywatnosci

4. Why signal over whatsapp? - Reddit, accessed January 29, 2026, https://www.reddit.com/r/signal/comments/1in6j67/why_signal_over_whatsapp/

5. Audit of Signal Protocol Finds it Secure + Trustworthy - Pindrop, accessed January 29, 2026, https://www.pindrop.com/article/audit-signal-protocol-finds-secure-trustworthy/

6. Quantum Resistance and the Signal Protocol, accessed January 29, 2026, https://signal.org/blog/pqxdh/

7. Signal >> Specifications >> The PQXDH Key Agreement Protocol, accessed January 29, 2026, https://signal.org/docs/specifications/pqxdh/

8. A Comprehensive Study of the Signal Handshake Protocol: Bundled Authenticated Key Exchange - NIST Computer Security Resource Center, accessed January 29, 2026, https://csrc.nist.gov/csrc/media/events/2025/sixth-pqc-standardization-conference/a%20comprehensive%20study%20of%20the%20signal%20handshake%20protocol%20(2).pdf

9. The PQXDH Key Agreement Protocol - Signal, accessed January 29, 2026, https://signal.org/docs/specifications/pqxdh/pqxdh.pdf

10. Formal verification of the PQXDH Post-Quantum key agreement protocol for end-to-end secure messaging | USENIX, accessed January 29, 2026, https://www.usenix.org/conference/usenixsecurity24/presentation/bhargavan

11. Here's what data the FBI can get from WhatsApp, iMessage, Signal, Telegram, and more, accessed January 29, 2026, https://www.malwarebytes.com/blog/news/2021/12/heres-what-data-the-fbi-can-get-from-whatsapp-imessage-signal-telegram-and-more

12. Reason: Secret Documents Show Which Message Apps Are the Most FBI-Proof, accessed January 29, 2026, https://jamesmadison.org/reason-secret-documents-show-which-message-apps-are-the-most-fbi-proof/

13. Android Keystore system | Security - Android Developers, accessed January 29, 2026, https://developer.android.com/privacy-and-security/keystore

14. Intel and TongxinMicro Implement StrongBox on Celadon, accessed January 29, 2026, https://www.intel.com/content/www/us/en/developer/articles/community/intel-and-tongxinmicro-implement-strongbox-celadon.html

15. KeyDroid: A Large-Scale Analysis of Secure Key Storage in Android Apps - arXiv, accessed January 29, 2026, https://arxiv.org/html/2507.07927v1

16. A security analysis comparison between Signal, WhatsApp and Telegram - ResearchGate, accessed January 29, 2026, https://www.researchgate.net/publication/367350335_A_security_analysis_comparison_between_Signal_WhatsApp_and_Telegram

17. WhatsApp vs Signal: Key Privacy Insights for Businesses - LeapXpert, accessed January 29, 2026, https://www.leapxpert.com/whatsapp-vs-signal-privacy-features-compared/

18. FBI document shows what data can be obtained from encrypted messaging apps, accessed January 29, 2026, https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-encrypted-messaging-apps

19. Strengthening WhatsApp's end-to-end encryption guarantees - Tech at Meta - Facebook, accessed January 29, 2026, https://tech.facebook.com/engineering/2023/4/strengthening-whatsapp-end-to-end-encryption-key-transparency/

20. ``If You Want to Encrypt It Really, Really Hardcore…'': User Perceptions of Key Transparency in WhatsApp, accessed January 29, 2026, https://petsymposium.org/popets/2025/popets-2025-0170.pdf

21. Deploying key transparency at WhatsApp - Engineering at Meta, accessed January 29, 2026, https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/

22. Cloudflare helps verify the security of end-to-end encrypted messages by auditing key transparency for WhatsApp, accessed January 29, 2026, https://blog.cloudflare.com/key-transparency/

23. Signal vs Telegram in terms of protocols? - Cryptography Stack Exchange, accessed January 29, 2026, https://crypto.stackexchange.com/questions/31418/signal-vs-telegram-in-terms-of-protocols

24. New research shows cryptographic vulnerabilities on popular messaging platform, Telegram, accessed January 29, 2026, https://www.royalholloway.ac.uk/about-us/news/new-research-shows-cryptographic-vulnerabilities-on-popular-messaging-platform-telegram/

25. How Secure is Telegram Actually? - Jordan Open Source Association, accessed January 29, 2026, https://www.josa.ngo/blog/279

26. A bit more on Twitter/X's new encrypted messaging, accessed January 29, 2026, https://blog.cryptographyengineering.com/2025/06/09/a-bit-more-on-twitter-xs-new-encrypted-messaging/

27. How Safe is Proton Mail? Security Features Explained, accessed January 29, 2026, https://proton.me/mail/security

28. What is zero access encryption? - Proton, accessed January 29, 2026, https://proton.me/blog/zero-access-encryption

29. ProtonMail forced to log user's IP address after order from Swiss authorities, accessed January 29, 2026, https://www.welivesecurity.com/2021/09/07/protonmail-log-users-ip-address/

30. accessed January 29, 2026, https://cyberscoop.com/protonmail-swiss-court-ip-france/#:~:text=French%20police%20obtained%20a%20Swiss,details%20about%20the%20IP%20address.

31. ProtonMail Logs Activist's IP Address With Authorities After Swiss Court Order, accessed January 29, 2026, https://thehackernews.com/2021/09/protonmail-shares-activists-ip-address.html

32. Defending against the malicious use of the Tor network, accessed January 29, 2026, https://www.cyber.gov.au/sites/default/files/2025-03/Defending%20against%20the%20malicious%20use%20of%20the%20Tor%20network%20%28October%202021%29.pdf

33. Over 25% Of Tor Exit Relays Spied On Users' Dark Web Activities - The Hacker News, accessed January 29, 2026, https://thehackernews.com/2021/05/over-25-of-tor-exit-relays-are-spying.html

34. Was threat actor KAX17 de-anonymizing the Tor network? - Malwarebytes, accessed January 29, 2026, https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network

35. RECTor: Robust and Efficient Correlation Attack on Tor - arXiv, accessed January 29, 2026, https://arxiv.org/html/2512.00436v1

36. Flow Correlation Attacks on Tor Onion Service Sessions with Sliding Subset Sum - University of Waterloo, accessed January 29, 2026, https://cs.uwaterloo.ca/~dbarrada/papers/lopes_ndss24.pdf

37. The Best VPNs We've Tested (January 2026) - PCMag, accessed January 29, 2026, https://www.pcmag.com/picks/the-best-vpn-services

38. NordVPN vs Proton VPN: Only One Winner in 2026 - YouTube, accessed January 29, 2026, https://www.youtube.com/watch?v=cvmeU8H6HYU

39. The Best VPNs of 2026: Reviewed by Experts I Security.org, accessed January 29, 2026, https://www.security.org/vpn/best/

40. NordVPN vs Proton VPN: Which One is Better in 2026? - Cybernews, accessed January 29, 2026, https://cybernews.com/best-vpn/nordvpn-vs-protonvpn/

41. ExpressVPN server seized in Turkey turns up no info in assassination case - Comparitech, accessed January 29, 2026, https://www.comparitech.com/blog/vpn-privacy/expressvpn-server-seized-in-turkey-verifyies-no-logs-claim/

42. ExpressVPN statement on Andrey Karlov investigation, accessed January 29, 2026, https://www.expressvpn.com/blog/expressvpn-statement-andrey-karlov-investigation/

43. ProtonVPN vs. NordVPN - Security.org, accessed January 29, 2026, https://www.security.org/vpn/protonvpn-vs-nordvpn/

44. ExpressVPN - Wikipedia, accessed January 29, 2026, https://en.wikipedia.org/wiki/ExpressVPN

45. Pegasus (spyware) - Wikipedia, accessed January 29, 2026, https://en.wikipedia.org/wiki/Pegasus_(spyware)

46. Technical Analysis of Pegasus Spyware - Lookout, accessed January 29, 2026, https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf

47. WhatsApp Patches Zero-Click Spyware Attack Vector on Android - Bitdefender, accessed January 29, 2026, https://www.bitdefender.com/en-us/blog/hotforsecurity/whatsapp-zero-click-spyware-attack-android

48. Pegasus vs Hardened Samsung? : r/AndroidQuestions - Reddit, accessed January 29, 2026, https://www.reddit.com/r/AndroidQuestions/comments/1ehcebh/pegasus_vs_hardened_samsung/

49. How to protect from Pegasus and other advanced spyware | Kaspersky official blog, accessed January 29, 2026, https://www.kaspersky.com/blog/how-to-protect-from-pegasus-spyware/43453/

50. Important clarifications regarding arrest of climate activist - Proton, accessed January 29, 2026, https://proton.me/blog/climate-activist-arrest