Is Telegram really an encrypted messaging app?

alerighi
73 replies
21h47m

Well of course, but this is a feature of Telegram. It's the only messaging app where messages are stored on the cloud. This of course has security implications, but also allows you to have a big number of chats without wasting your device memory like WhatsApp does, or having to delete old conversations, and allows you to access your chats from any device. By the way you can also set a password to log in from another device (two factor authentication, also on WhatsApp now you have this option).

To me it's a good tradeoff, of course I wouldn't use Telegram for anything illegal or suspect.

hn_throwaway_99
27 replies
21h42m

But that's literally the entire point of this article. That is, in this day and age, when people talk about "secure messaging apps" they are usually implying end-to-end encryption, which Telegram most certainly is not for the vast majority of usages.

KennyBlanken
25 replies
21h34m

Also, iMessage is very secure...but then all your stuff is backed up on iCloud servers unless you specifically disable it. That includes all your iCloud encryption keys and plaintext messages.

Worse, iPhones immediately start backing up to iCloud when set up for a new user - the only way to keep your network passwords and all manner of other stuff from hitting iCloud servers is to set the phone up with no network connection or even a SIM card installed.

Did I mention there's no longer a SIM slot, so you can't even control that?

And that iPhones by default if they detect a 'weak' wifi network will switch to cellular, so you can't connect the phone to a sandboxed wifi network?

You shouldn't have to put your phone in a faraday cage to keep it from uploading plaintext versions of your private communications and network passwords.

walterbell
9 replies
21h21m

iCloud can be disabled by MDM profile installed by Apple Configurator at setup.

codetrotter
4 replies
21h14m

Can I enroll my personal iPhone in MDM myself? And if I can have MDM with just my personal phone, do I need to buy some kind of subscription for it from Apple? Or pay some third-party?

I thought MDM was only for enterprise businesses and schools and universities, but I may very well be mistaken about that.

refurb
0 replies
11h7m

This saved me one time when I was gifted an Apple TV without a remote.

No way to add a WiFi profile, thus no way to use an iPhone as a remote. No ethernet available either.

Configured a WiFi profile, uploaded to the Apple TV and could finalize the setup.

It’s quite a powerful tool for initial setup.

alephnerd
0 replies
20h49m

^^^ Highly recommend this. If you are technical enough, a family managed Apple Configuration is more than enough to protect for most situations and from most threat actors.

If your threat actor has the resource to break that, get a CC or a good lawyer on retainer I guess.

walterbell
0 replies
21h9m

MDM profiles are just XML files. They can be created with any text editor and distributed to the phone by email or web server. Apple provides the free "Apple Configurator" app in the MacOS app store. There are also websites and/or OSS tools to generate profiles, e.g. https://github.com/ProfileCreator/ProfileCreator.

codedokode
3 replies
14h27m

Looks like an easy task, even your granny can do it.

codedokode
1 replies
13h47m

Why do you need a Mac and additional software for this? This is clearly made for corporate users and not for ordinary people.

walterbell
0 replies
13h45m

Mac is not needed, https://news.ycombinator.com/item?id=41351559

After an MDM profile is created by someone technical, it can be emailed to the non-technical user and installed with a few clicks and passcode confirmation.

ummonk
4 replies
21h17m

That is the correct default. Everyday users are far more likely to accidentally lose their data than to run into government snooping.

codedokode
2 replies
14h30m

If that is the correct default then why is Telegram blamed for having non-E2E chats by default? Maybe they also care about users who can accidentally lose their conversations. When Apple does it, it is good, but when Telegram or TikTok do the same, it is bad and not secure.

toofy
0 replies
12h9m

because telegram and its users heavily insinuate it’s comparable to Signal rather than Tiktok.

right on their front page in giant font they declare “private” and “secure” when they’re neither. it’s telegram’s own fault they receive this criticism repeatedly—and they strangely constantly complain every time they’re publicly spanked and taken to task. they're heavily insinuating (i call it lying) to their users and then over and over crying because they get called out.

if they don’t want to be called out then they should quit insinuating those things, it’s dangerous af. they know they’re lying though, obviously they won’t stop. but omg i wish their users would run fast and run far—it’s like watching an abused person who keeps going back to their abusive partner “oh they mean well”… pffft, no, they really don't.

hkpack
0 replies
12h33m

Because Apple is not in the business of hosting public discussion forums.

There is no crime in implementing or not of different encryption schemes.

fsflover
0 replies
20h18m

It might be the correct default, but it doesn't make it secure (makes it insecure actually).

glitchc
2 replies
19h49m

> That includes all your iCloud encryption keys and plaintext messages.

Are these stored encrypted or in the clear? If the latter, please cite your source.

wrs
1 replies
19h37m

They are stored encrypted but whether Apple has the key depends on whether you've turned on "Advanced Data Protection" (aka "I don't expect Apple to bail me out when I lose access to all my devices"). The table in this support article details the treatment of various data categories under the two options:

https://support.apple.com/en-us/102651

The default for many categories is that your keys are in iCloud so Apple can recover them for you. With Advanced turned on, the keys are only on your personal devices. A few categories, like the keychain, are always only on your devices.

Specifically, see Note 3: "If you use both iCloud Backup and Messages in iCloud, your backup includes a copy of the Messages in iCloud encryption key to help you recover your data." Under normal protection, Apple has the key to your backups, but with Advanced they don't.

codedokode
0 replies
14h28m

And even "advanced" protection is not advanced enough to protect your calendar and contact list from the government (under the silly excuse that Apple uses standard protocols for those data).

xattt
1 replies
21h25m

Luckily, microwave ovens make easy Faraday cages.

talldayo
0 replies
20h56m

15 seconds on low, then 120 seconds on high.

Oh, you meant... oh.

ants_everywhere
1 replies
18h9m

Apple devices are also always gossiping about which devices are where

kaba0
0 replies
13h42m

Which is one of the best features. I wouldn’t mind having an option to disable it, but then you also don’t get the advantage of others’ phones finding your device.

zagfai
0 replies
15h23m

iMessage only encrypted messages in RSA 1280, why do you think it is very secure?..

jofla_net
0 replies
21h22m

Well summed-up. It's crazy how efficient these things are at working together to strip users of any agency or control, across many different domains.

anizan
0 replies
17h14m

laf every image you take on an iphone is sent to apple server regardless of it being in icloud or not.

codedokode
0 replies
14h37m

Many companies in the industry mislead users about encryption and just try to use it as a buzzword to attract customers. Take Apple, as an example. Apple cloud backups are not E2E encrypted by default (like Telegram chats), and even if you opt into E2E encryption, contact list and calendar won't be E2E encrypted anyway [1].

Yet, Apple tries to create an image that iPhone is a "secure" device, but if you use iCloud, they can give your contact list to the government any time they want.

Apple by default doesn't use E2E for cloud backups, and Telegram doesn't use E2E for chats by default. So Telegram has a comparable level of security to that of the leaders of the industry.

[1] https://support.apple.com/en-us/102651

maqp
16 replies
21h16m

This is such a misrepresentation. Telegram could at-will feed the cloud-2FA password to password hashing function like Argon2 to derive a client-side encryption key. Everything could be backed up to the cloud in encrypted state only you can access. Do they do that? No.

So it's not as much a trade-off as it is half-assed security design.

skeledrew
9 replies
19h10m

Telegram currently has very intuitive and snappy search, even in very active groups with years of content. That's because the heavy lifting is done by the server. Think that'd still be possible if there was no way for the server to process the data?

SXX
5 replies
19h0m

PCs and phones have been fast enough to have snappy search on text data for years now.

Is "grep" not snappy enough for you?

skeledrew
2 replies
18h37m

Not at all. Try searching 500/1000 sources (maximum number of conversations any free/premium user can be part of), each with potentially millions of messages, and providing the results in under a second.

SXX
1 replies
18h24m

AFAIK Telegram doesn't have any super-advanced search features, nor does it instantly return you results for all these years. Also, if you search less common terms it usually takes longer than a second.

And if you just run the client on a device without a lot of this history cached, search wouldn't be anywhere as fast as you expect. So I'm pretty sure there's no server-side magic there, but instead very good UX.

Also I can tell for certain that with the right index grepping tons of JSONs can be very effective on any modern devices.

codedokode
0 replies
14h14m

> Also I can tell for certain that with the right index grepping tons of JSONs can be very effective on any modern devices.

But to run local search you need to download the conversations to the device first, which might require a lot of (expensive) traffic.

codedokode
1 replies
14h17m

Grep is an inefficient search engine, because it needs to scan through the whole content (and Telegram uses search indexes). Also, grep cannot deal with word forms and inflections (you type "foot" and you also want to find "feet"). Inflections are not very important in English, but you need to deal with them in other languages where the word can have many forms.

SXX
0 replies
9h13m

I'm not trying to claim Telegram uses grep or whatever. My point is even very active chats on Telegram generate a somewhat small amount of text data and I don't believe that searching through it requires a massive complex search engine with a super-fast backend.

I basically participate in hundreds of chats and message history doesn't take 10s of GBs. And I also know that search in the history of such chats isn't so snappy on an older Android phone.

maqp
2 replies
19h2m

Yeah, try searching anything older than a year, the amazing snappy search grinds to a halt. Meanwhile I'm storing years worth of stuff on Signal with no issues, and it searches ridiculously fast offline with no seconds long pause for buffering.

therein
0 replies
18h44m

Yeah Telegram search is not in a state where anyone should be proud of it.

skeledrew
0 replies
18h44m

So interesting. I just did a search for mentions of someone I know in multiple Telegram groups and channels, and got all the results, going back 5 years, instantly. And these groups and channels have millions of messages. All media is also perpetually available (unless deliberately deleted), and take a couple seconds to load. I don't see any other platform having that kind of convenience.

thisisabore
4 replies
21h10m

I'll have you know they had maths PhDs design their security, sir. Eight of them!

Yeah, it's a bit of a joke.

codedokode
2 replies
14h13m

Advanced math is actually more difficult (in my opinion) than programming languages.

maqp
0 replies
13h1m

Cryptography is nightmare magic math that cares about the color of the pencil you write it with.

It's not enough you know how to design a cipher that is actually secure, you need to know how to implement it so that the calculator you run it on consumes exactly the right amount of time, and in some cases power, per operation.

Then you need to know how to use the primitives together, their modes of operation, and then you get to business, designing protocols. And 10% of your code is calling the libraries that handle all that stuff above, 90% is key management.

There's a good amount of misuse resistant libraries available, but Nikolai was too proud to not look into how the experts do this, and he failed even with trivial stuff: He went with SHA-1 instead of SHA-256. He didn't implement proper fingerprints. His protocol wasn't IND-CCA secure. He went with weird AES-IGE instead of AES-GCM which is best practice. He used the weird nonces with the FF-DH, instead of going with more robust stuff like x25519.

One thing you learn early in academia, is that expertise is very narrow. I bet he knows a lot about geometry. Maybe even quite a bit about math in general. But it's clear he doesn't know enough to design cryptographic protocols. The cobbler should have stuck to his last.

EDIT, to add, the real work with cryptographic protocols starts with designing everyday things that seem easy on the paper, with cryptographic assurance. Take group management that the server isn't controlling.

For Telegram it's a few boolean flags for admin status and then it's down to writing the code that removes the user from the group and prevents them from fetching group's messages.

For Signal it's a 58 page whitepaper on the design of how that is done properly https://eprint.iacr.org/2019/1416.pdf

This is ultimately what separates the good from the bad, figuring out how to accomplish things with cryptography that first seem almost impossible to do.

joshuamorton
0 replies
13h9m

Sure, but cryptography is its own subfield of advanced math (and also a bunch of more CS and UX based implementation challenges like avoiding side channels).

codedokode
0 replies
14h25m

Apple could also use E2E for their cloud backups by default, but they don't (and if you enable E2E, it doesn't apply to contact list and calendar backup anyway). Why do you demand more from Telegram than from Apple or Google?

lolinder
13 replies
21h24m

> It's the only messaging app where messages are stored on the cloud.

Besides Slack and Discord and Teams and whatever the heck Google has these days and iMessage and...

I think you mean it's the only messaging app that purports to have a focus on security where messages are stored in the cloud, which is true, but also sus. There's a reason why none of the others are doing it that way, and Telegram isn't really claiming to have solved a technical hurdle that the E2E apps didn't, it's just claiming that you can trust them more than you can trust the major messaging apps.

Maybe you can and maybe you can't, the point is that you can't know that they're actually a safer choice than any of the other cloud providers.

thisisabore
6 replies
21h7m

Matrix also keeps your message on the server. Except you can run your own server. And the messages are end to end encrypted. And you can keep a proper backup of the keys.

Granted it can be clunky at times, but the properties are there and decentralised end to end encrypted messaging is quite an incredible thing. (Yes, Matrix nerds, it's not messaging per se it's really state replication, I know :))

immibis
2 replies
20h22m

My Matrix messages are, I presume, not encrypted, because every device I have prompts me to sign this device's keys with the keys of another device (which doesn't exist) and the option to reset the encryption keys and lose access to old messages doesn't work either (it just crashes Element).

LtWorf
1 replies
19h18m

You can enable it on a per chat basis.

justaj
0 replies
3h57m

All PM rooms are E2EE by default.

skeledrew
1 replies
19h21m

As you alluded to, Matrix has really horrible UX. Telegram is meant to be easy for the many to use: finding content in chats or even globally across public channels for example is intuitive and snappy because their server does the heavy lifting. That's a huge sell for many, myself included.

tcfhgj
0 replies
10h25m

Well, ux aside, he disproves that you can't have synced messages with e2ee

sroerick
0 replies
20h54m

Doesn’t Matrix replicate all chat metadata to any linked federated servers?

maqp
5 replies
21h13m

> it's just claiming that you can trust them more than you can trust the major messaging apps.

All the cool kids in the block eliminated the need to trust the provider decades ago. PGP: 33 years ago, OTR 20 years ago, Signal 14 years ago.

dijit
4 replies
21h4m

You have to trust the provider with Signal; they are fiercely anti-third party clients, control the network and have released versions of the code that are not tracked by sources; in extreme cases we’re aware of years old code being in there (mobile coin for example).

Signal evangelicalism needs to halt, you mean the Whisper protocol.

lolinder
1 replies
16h58m

You have to trust the platform with the metadata, but the actual E2E encryption of the messages is something you can personally verify if you cared to.

dijit
0 replies
12h56m

You can’t know what’s running on your client. Reproducible builds aren’t reproducible, open source was not followed (there was code in the client that was not present in the repos).

So, yes, trust is needed.

maqp
0 replies
20h46m

No serious project wants to collaborate with a bunch of hobbyist projects who may or may not keep their code up-to-date. Years ago, the Matrix ecosystem was a prime example of even basic features like end-to-end encryption being in many cases missing.

Having a single client gives you insane boost to security agility over decentralized alternatives.

Feel free to strive towards functional decentralized ecosystem that feels as good to use, then switching will be a no-brainer.

A4ET8a8uTh0
0 replies
20h42m

I don't completely agree. I am perfectly fine with there being multiple options for various use cases. Signal has its place. So does Telegram for that matter. Even Whatsapp..

That said, what I would love to see ( and likely won't at this point ) is the world where pidgin could exist again, because everyone is using some form of sensible standards that could be used.. right now it is mostly proprietary secret mess of things.

And don't get me started on convincing anyone in group to moving from one ecosystem to another. Fuck, I just want email for chat that is not owned by one org.. Is it really so much to ask ( it is rhetorical, I know the hurdles are there and only some deal with human nature )?

Dalewyn
4 replies
21h29m

> It's the only messaging app where messages are stored on the cloud.

So do all the others with the exception of something like IRC.

wkat4242
3 replies
21h19m

Not really. WhatsApp only keeps them temporarily (and E2EE!) until they're delivered to each device. Signal too. Telegram keeps everything for all time. Which is kinda handy too I have to say.

Of course you can send your backup to Google for WhatsApp and signal but that's optional. You can keep it locally too. And it's encrypted too. With WhatsApp you can even choose to keep the key locally only.

ASalazarMX
2 replies
20h19m

WhatsApp? The closed source app that AFAIK has never been externally audited, owned by one of the most privacy-disrespecting corporations in the world? You say I can trust it wholeheartedly as long as I don't upload backups to the cloud?

LtWorf
0 replies
19h15m

I 100% trust they implement the signal protocol as they claim. I am also similarly sure that they ALSO have a sidechannel for everything.

pandog
3 replies
21h43m

I think a high definition photo taken on a recent phone takes up an awful lot more device memory than a "big number of chats"

SonOfLilit
2 replies
21h42m

Yeah, but Whatsapp chats tend to be full of those... and videos.

lukan
0 replies
18h41m

Whatsapp automatically resizes them (in standard settings)

But it still gets big.

akx
0 replies
21h38m

(On Android), if you don't care about the (old) WhatsApp media, just delete it from your phone. It's all just loose files in `/storage/android/data/com.whatsapp` (or thereabouts). The text content of the chats will remain available.

3np
1 replies
21h29m

> It's the only messaging app where messages are stored on the cloud.

Instagram. FB Messenger. Skype. LINE. KakaoTalk. Discord. Slack. Teams. iMessage.

out_of_protocol
0 replies
8h33m

Google talk/Hangouts/Google Chat/Duo/Allo/Meet/another Meet/etc. Counts as one

vehementi
0 replies
16h4m

> It's the only messaging app where messages are stored on the cloud

Unreal. Please share how you came to this world view.

tcfhgj
0 replies
10h28m

> Well of course, but this is a feature of Telegram. It's the only messaging app where messages are stored on the cloud.

Wrong, Matrix does it too, but fully e2ee.

> and allows you to access your chats from any device.

No it doesn't, because it is possible with e2ee as well

avery17
0 replies
20h16m

You never know what may suddenly become illegal.

wkat4242
52 replies
21h22m

If the answer is yes then law enforcement can too.

Is it technically possible for them to see it: yes

Does Telegram let them see it: I don't think so. That seems to be the core issue around Durov being arrested.

They probably should implement E2EE for everything. Then they will have a good excuse not to cooperate, because they simply don't have the data.

sroerick
16 replies
20h55m

Telegram is the only messaging app that I know of which brought attention to the fact that your messages go through Google/Apple notification APIs, which seems like it would utterly defeat any privacy advantage offered by E2EE

qwertox
4 replies
20h45m

Why? I think Google suggests that you send the payload encrypted through the notification. Google then only knows which app to send the message to, they don't know from whom the message originates (only "a Telegram server") nor what the content is.

Also, you could just send a notification instructing the app to fetch a new message from your server.

From the docs:

> Encryption for data messages
>
> The Android Transport Layer (see FCM architecture) uses point-to-point encryption. Depending on your needs, you may decide to add end-to-end encryption to data messages. FCM does not provide an end-to-end solution. However, there are external solutions available such as Capillary or DTLS.

https://firebase.google.com/docs/cloud-messaging/concept-opt...

sroerick
3 replies
19h14m

Assuming an adversarial relationship, what sort of metadata could Google capture simply knowing which app was sending the notifications and who was receiving them?

throwuxiytayq
0 replies
17h33m

Aren’t notifications enqueued on the server side, implying sender info is inscrutable? I’m curious what mechanism you’d propose to gather any valuable metadata given a sufficient volume of encrypted notifications.

rpdillon
0 replies
17h23m

Schneier mentioned this late in 2023:

https://www.schneier.com/blog/archives/2023/12/spying-throug...

> Wyden’s letter cited a “tip” as the source of the information about the surveillance. His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

qwertox
0 replies
11h7m

"A Telegram server used FCM to send a message of size X to the device owned by individual Y at this timestamp and this IP address".

Nothing else.

bonoboTP
4 replies
20h26m

If the text appears on your screen I'm pretty sure there are ways for Google to capture it. I don't need to know how android's API works, knowing it probably just makes one blind to the big picture. You have to trust your OS/phone maker not to do a MITM.

XorNot
3 replies
19h9m

Yes, but Google cannot be compelled to turn over data they don't actually have on their servers because the users encrypted it before it arrived with keys Google don't control.

Signal could modify the application so a remote flag in the Play store binaries could be triggered to exfiltrate data as well. But the key distinction is the normal path of Signal gives them absolutely nothing they can tell anyone other than the bits they've put in the disclosure reports (namely: date and time an account ID used Signal I believe).

cuu508
2 replies
14h10m

I think parent's point is, if data appears on screen, the OS in theory can capture it and send to Google servers as screenshots or OCR'd text.

kelnos
1 replies
13h15m

Yes, that likely is the GP's point, but it's not really relevant to the discussion going on in this thread. Certainly Google could "backdoor" its OS in that way, but they have little motivation to do so (and a lot to lose if they were to do so and were found out). Their recent move to make their location history / timeline product an on-device-only feature because they don't want to have to respond to law enforcement requests for user location data would seem to suggest they really would prefer to not have this sort of data.

At any rate, the discussion going on here is about how Durov has been arrested because Telegram refuses to respond to law enforcement requests, when they do have the ability to do so; and if they were to actually implement E2EE by default (and for group chats), Durov would likely not be in trouble, since Telegram would be unable to provide anything when requested.

PaulRobinson
0 replies
12h22m

> Their recent move to make their location history / timeline product an on-device-only feature because they don't want to have to respond to law enforcement requests for user location data would seem to suggest they really would prefer to not have this sort of data.

I suspect that isn’t the motivation. GDPR says that you have to give users choices about data stored like this (including right to be forgotten, how it’s processed and used and so on), and this becomes a technical, legal and commercial nightmare very quickly. The easier route is just to get rid of it if you can.

This saves Google money (it likely wasn’t that useful to sell to advertisers), makes legal compliance a lot easier and de-risks them from very large fines.

I suspect that the EU lawmakers didn’t think about second order effects like making it harder for law enforcement to access this data in scenarios like this.

pcl
1 replies
20h21m

This claim is what really makes me skeptical of Telegram's privacy story. Their assertion is completely incorrect. (Source: have implemented end to end encrypted payload delivery over APNs / GCM.)

And if they are so off base on this, they must either be incompetent or liars. Neither of which builds trust.

sroerick
0 replies
19h11m

I’m old enough to remember when Signal first implemented cross-device sync using a Chrome plugin.

I’d rather developers issue cautionary warnings than give a false sense of perfect security

fsflover
1 replies
20h21m

And yet Telegram doesn't allow to have e2ee chats on a Linux desktop or phone. You must rely on Google/Apple.

SXX
0 replies
19h45m

Most Telegram clients except the initial mobile apps were actually open source projects that were chosen by the company to become "official" ones.

They just don't implement E2EE since almost no one uses it on Telegram.

wkat4242
0 replies
20h47m

The app can decrypt the notification before it's displayed.

h4x0rr
0 replies
20h50m

I don't think the plaintext is required to be part of the API call

medo-bear
10 replies
11h55m

> They probably should implement E2EE for everything

Certainly not because then Telegram would lose a lot of its functionality that makes it great. One thing that I really enjoy about Telegram is that I can have it open and synched across many independent devices. Telegram also has e2e as an option on some clients which can't be synched

tcfhgj
9 replies
10h30m

You can sync messages across many independent devices despite e2ee.

Matrix has been doing that for years

elcomet
4 replies
10h3m

Even whatsapp does it now

medo-bear
3 replies
9h55m

Does it? Last time I used WhatsApp I could not use it on my desktop without scanning a QR code each time and keeping the phone nearby.

elcomet
2 replies
7h16m

You need to scan the QR code only the first time using the desktop app.

medo-bear
1 replies
6h49m

Can you use the desktop app without the phone present? For example, if the phone is turned off.

tcfhgj
0 replies
2h34m

I have heard you can, for about 2 weeks. Then the phone must at least become active.

medo-bear
3 replies
9h48m

Does Matrix encryption scale? Telegram rooms have a huge number of participants. Also last time I looked into this, Matrix encryption was also an opt in.

justaj
2 replies
3h56m

In Matrix all PM rooms are E2EE by default.

For public rooms however, it doesn't really make sense to enable E2EE.

medo-bear
1 replies
3h6m

Many people seem to think that Telegram tries to be a Signal or Matrix replacement. I don't think Telegram tries to be any of that. If anything you can compare it to Discord, except much better.

To enable synched e2e conversations across many devices you also need to synch private keys, which is a security nightmare.

tcfhgj
0 replies
2h36m

Either sync private keys or the messages themselves.

Why would it be a security nightmare? In contrast to not even supporting e2ee in the first place?

alephnerd
8 replies
20h55m

> Does Telegram let them see it: I don't think so. That seems to be the core issue around Durov being arrested

The UAE requires decryption keys as part of their Telco regulations.

If Telegram can operate in the UAE without VPN (and it can), then at the very least the UAE MoI has access.

They (and their shadow firms like G42 and G42's shadow firms) were always a major buyer for offensive capabilities at GITEX.

On that note, NEVER bring your personal phone to DEFCON/Blackhat or GITEX.

Edit: cannot reply below so answering here

Cybersecurity conferences.

DEFCON/Blackhat happen during the same week, so you have a lot of script kiddies who lack common sense trying to pwn random workloads. They almost always get caught (and charged - happens every year), but it's a headache.

GITEX is MENA and Asia's largest cybersecurity conference. You have intelligence agencies from most of the Middle East, Africa, Europe, and Asia attending, plus a lot of corporate espionage because of politically connected MSSPs as well as massive defense tenders.

mubu
7 replies
20h45m

Sorry, but as someone who's completely out of the loop with these things. What's DEFCON/Blackhat or GITEX about and why shouldn't you bring your personal phone?

I'm genuinely interested.

jijji
6 replies
20h37m

defcon and blackhat are hacker/computer security conferences started by Jeff Moss (aka DT or Dark Tangent) in 1993 and held at the end of July or early August every year in Las Vegas.... The reason you don't bring your phone is it might get hacked

Account_Removed
5 replies
20h31m

Scaremongering (unless you have old/unsupported phone). Why would anyone want to potentially burn their hundreds of thousands-worth exploit on your phone? https://zerodium.com/program.html

2snakes
1 replies
20h18m

For the lulz

rustcleaner
0 replies
12h23m

Best reason of any!

reissbaker
0 replies
13h39m

Because the attendees are high-value targets who often have elevated permissions inside the firms or governments they work in, and that's worth even more.

alephnerd
0 replies
9h26m

On a separate note, Zerodium is dead now. They're in the middle of an active fire sale, but the Zero Day market's bottom fell out now that countries are increasingly moving exploit development in-house or to vendors that can do both zero day acquisition AND exploit deployment (which Zerodium cannot do as an American company).

Also, u/reissbaker's answer is correct.

ParetoOptimal
0 replies
4h4m

Skiddies are renowned for their rational thoughts and actions.

schmichael
4 replies
13h9m

> Does Telegram let them see it: I don't think so.

This is exceptionally naive. Even if he was arrested for not sharing with the French, what about for other countries? Was he arrested for not ever sharing or not sharing enough? Even if he, personally, has never shared, that doesn’t say anything about his employees who have the same access to these systems.

Your data is not private with Telegram. You are trusting Telegram. It is a trust-based app, not a cryptographically secure app.

If you trust Telegram, that’s your choice, but just because a person says the right words in interviews doesn’t mean your data is safe.

raxxorraxor
1 replies
8h42m

You cannot be sure and yet Telegram often gets mentioned for being the only platform where states do not have easy access to user information or the ability to censor certain messages/content.

So from a broad perspective, they probably behave better than comparable services.

I think Telegram should not be trusted, but I also do not trust the alternatives, that readily share information with states. A special focus for me is that my own jurisdiction does not have access to my social media content. Other countries are secondary at first.

ParetoOptimal
0 replies
4h9m

> Telegram often gets mentioned for being the only platform where states do not have easy access to user information or the ability to censor certain messages/content.

By who?

Simplex especially or even Signal are far better.

po
1 replies
11h2m

Following the St. Petersburg attack, the Federal Security Service (FSB), in an event that may ring somewhat familiar to many in the United States and Europe, asked Telegram for encryption keys to decode the dead attacker’s messages. Telegram said it couldn’t give the keys over because it didn’t have them. In response, Russia’s internet and media regulator said the company wasn’t complying with legal requirements. The court-ordered ban on accessing Telegram from within Russia followed shortly thereafter. Telegram did, though, enact a privacy policy in August 2018 where it could hand over terror suspects’ user information (though not encryption keys to their messages) if given a court order.

...

... Pavel Durov, Telegram’s founder, called on Russian authorities on June 4 to lift the ban. He cited ongoing Telegram efforts to significantly improve the removal of extremist propaganda from the platform in ways that don’t violate privacy, such as setting a precedent of handing encryption keys to the FSB.

https://www.atlanticcouncil.org/blogs/new-atlanticist/whats-...

Canada
0 replies
7h39m

This doesn't make any sense. Either the author of the article is confused, lying, or is drawing conclusions from source material that is untrue.

In the US case, there was a phone where data was encrypted at rest. Though Apple was capable of creating and signing a firmware update that would have made it easier for the FBI to brute force the password, Apple refused to do so.

In the Russian case, the FSB must have already had access to the suspect's phone because if it did not then Telegram would not be in any position to help at all.

So, the FSB must have already had access. And therefore, by having access to the phone they also had complete access to the suspect's chats in plaintext, regardless of whether or not the suspect used Telegram's private chat. There would have been no keys to ask Telegram for copies of.

Alternatively, the FSB might have had access to some other user's chats with the suspect, and wanted Telegram to turn over the suspect's full data. Telegram is 100% able to do that if they want to.

As the specific part of the article you have quoted is definitely bullshit, I suspect the rest of it is bullshit too and that despite what Roskomnadzor states in public, the real fight with Durov was over censorship.

empath75
4 replies
18h53m

Will they let _US_ law enforcement see it? No. Will they let Russian? Of course.

steelbrain
3 replies
18h40m

Source?

victorbjorklund
1 replies
11h14m

Recent support. The Kremlin yesterday arranged big protests in Moscow demanding his release. The Kremlin yesterday arrested the nephew of the French ambassador, claiming he was dealing drugs (claiming he carried a package of heroin marked with the label "for distribution in russia", as if all drug dealers put their intentions in writing), clearly to try to trade him.

rafram
0 replies
5h42m

> Kremlin yesterday arrested the nephew of the French ambassador, claiming he was dealing drugs

Source?

victorbjorklund
0 replies
11h18m

They probably share it with Russian authorities. Just look now. Russia is allowing protests in favour of him (they only allow protests they support) and they arrested a French citizen on fake drug charges right after.

seanhunter
0 replies
12h10m

Do you have some info about Durov being arrested for not letting law enforcement see encrypted messages? The public info says he was arrested for "...lack of moderation, ...[and] failing to take steps to curb criminal uses of Telegram."

I don't see anywhere saying he's been arrested for anything to do with encryption or cooperating with investigations.

eg https://www.bbc.co.uk/news/articles/ckg2kz9kn93o but pretty much all the sources I have read say the same

kaba0
0 replies
13h48m

AFAIK this current case has absolutely nothing to do with any form of chat features, it’s about Telegram’s public channels that more or less work like Reddit/Twitter/any other news channels, except it refuses to censor content.

highcountess
0 replies
14h32m

All the encryption stuff is just a red herring to a larger degree. It’s not the technical access to the information that is the issue, it is that people can share and exchange information that the various regimes do not want shared that is the primary issue. They want censorship, i.e., control of thought and speech, arresting the information flow.

They know what is being said and that’s what they want to arrest, that information can be sent and received. And by “they” I mean more than just the French. That was just coincidental and pragmatic.

The French state does not operate that quickly on its own, to get an arrest warrant five minutes after he landed and execute on it immediately. That has other fingerprints all over it in my view.

vasco
11 replies
18h37m

Why not the "founder locked up" test? If the founder claims secure encryption, yet they are not in jail, that means there's no secure encryption because they negotiated their freedom in exchange for secret backdoors.

rafram
8 replies
18h21m

That isn’t applicable here. Telegram isn’t encrypted and yet they refused to comply with subpoenas. Companies whose customer data is encrypted can truthfully say that they have no way to access it for law enforcement. Telegram can’t.

Maybe in the future, creators of encrypted messaging apps will get locked up. I certainly hope not. But this case doesn’t indicate anything one way or another.

mandmandam
7 replies
18h6m

> Companies whose customer data is encrypted can truthfully say that they have no way to access it for law enforcement. Telegram can’t.

I dunno man, kinda seems like you ought to either have a right to privacy or not. Surely there's other ways to make a case, without extraordinarily abusable legal strong-arming.

Why should a wealthy person be able to legally afford encrypted communication on a secure device, when 90+% of people can't because they're poor and tech illiterate?

Does our historically unequal society need more information and rights asymmetry between rich and poor? Between privileged and marginalized?

rafram
6 replies
18h4m

Downloading Signal is just as easy as downloading Telegram.

mandmandam
5 replies
18h0m

As I said, tech illiterate - or as likely, legally illiterate.

It's unreasonable to expect most people to intuit the distinction you describe.

However, you don't see wealthy people communicating on insecure devices, because they have people to take care of that stuff.

SpicyLemonZest
4 replies
17h50m

I'm really not sure what you're referring to. You see lots of wealthy people communicate on insecure devices, and it's quite common for law enforcement to demand and obtain the contents of their communications. "Look at these terrible messages we subpoenaed" is a staple of white collar criminal prosecutions.

mandmandam
3 replies
17h44m

* White-collar crimes are estimated to make up only 3% of federal prosecutions.

* White-collar crime prosecutions decreased 53.5% from 2011 to 2021.

* Annual losses from white-collar crimes as of 2021 are anywhere from $426 billion to $1.7 trillion. The wide range here is due to the lack of prosecutions.

* There were 4,180 white-collar prosecutions in 2022.

* It’s estimated that up to 90% of white-collar crimes go unreported.

Etc.

- https://www.zippia.com/advice/white-collar-crime-statistics/

***

Responding by edit due to rate limit:

Guys the connection is clear if you think about it.

High-net-worth individuals use encrypted messaging apps more than the general population, without doubt.

They also have far more resources and abilities to fight a subpoena. It's all distinctively unfair and highly misleading to normal people; for very little real reason and with great potential for abuse.

rafram
0 replies
17h33m

You change the subject in each comment and it’s not clear how any of this relates to Telegram.

hollerith
0 replies
17h40m

Most prisoners in the US though are state prisoners (i.e., convicted by a state court) not federal prisoners (by a large margin I think). Lots of people are convicted in a state court for example of showing up at a bank branch with fake id and trying to cash a check. I gather that would be considered a white-collar crime?

SpicyLemonZest
0 replies
17h35m

I don't understand the connection between these statistics and your claim that wealthy people don't use insecure messaging apps.

tossaway0
1 replies
15h11m

Maybe, but not a good litmus test. If it’s truly secure and the founder can’t provide information because they don’t have access to it it’s also possible they can’t build a case in most countries.

yard2010
0 replies
12h0m

In Russia too?

baxtr
6 replies
21h48m

Would love to see a side-by-side comparison of iMessage, Signal, WhatsApp and Telegram on this.

tptacek
3 replies
21h40m

You already know how Signal is going to come out here, because this is something people complain incessantly about (the inconvenience of not getting transcripts when enrolling new devices).

Reisen
1 replies
21h16m

I agree with the principle here wholeheartedly. One addendum though is I think this isn't quite the same as the mud puddle test. The idea behind the mud puddle test is if you've forgotten everything, but then manage to recover your data, then the principle must be that someone other than you has to have had access. With Signal, they intentionally refuse to sync data as an extra security step even if you have the keys, the software just refuses to do the syncing step. I'm glad they do personally and I'm not contradicting your point, just adding some notes. Just thought it worth noting.

Edit: Actually, yeah that proves your point.

joshjob42
0 replies
18h8m

This isn't fully accurate. You can back up your Signal messages on Android with an encrypted file and a key you control. So yes, just installing on a new device isn't going to give you history. I'd prefer they offer a universal structure for that backup file so we could easily switch between Android and iOS and have some way to back up your data at all on iOS (presently if anything goes wrong when setting up a new phone you lose your entire message history).

maqp
0 replies
21h9m

It's a bit unfortunate there isn't a mechanism to establish a key between your desktop and smart phone client that would allow message history to be synced over an E2EE connection. It's doable, but perhaps it's an intentional safety feature one can't export the messages too easily.

fsflover
0 replies
21h3m

Matrix doesn't allow this. You need a dedicated chat key in addition.

nox101
2 replies
11h58m

I'm probably dumb, but why would that be proof?

I upload encrypted backups to a cloud service provider (AWS, Google Cloud). I go to another computer, download them, use a key/password to decrypt them.

Sure, I get it, you're typing in something that decrypts the data into their app. That's true of all apps including WhatsApp, etc... The only way this could really be secure is if you used a different app to do the encryption that you wrote/audited such that the messaging app never has access to your password/private key. Otherwise, at some point, you're trusting their app to do what they claim.

palotasb
1 replies
11h47m

> using the password recovery flow

> use a key/password

The previous poster intentionally mentioned password recovery flow. If you can gain access without your password, then law enforcement can too. If you could only gain access with your password, you could consider your data safe.

kevincox
0 replies
5h46m

> If you could only gain access with your password, you could consider your data safe.

You can't assume the negation.

If you can get access without your password then you have proven that law enforcement or the hosting company can too.

If you can't get access then you haven't proven anything. They may be securely storing your data end-to-end encrypted. Or they may just have a very strict account recovery process but the data is still on their servers in the clear.

mjevans
2 replies
18h47m

Offhand, this sounds like a terribly insecure workflow but...

Client creates a Public Private key pair used for E2EE.

Client uses the 'account password (raw)' as part of the creation of a symmetric encryption key, and uses that to encrypt and store the SECRET key on the service's cloud.

NewClient signs in, downloads the encrypted SECRETKeyBlob and decodes using the reconstructed symmetric key based on the sign in password. Old messages can then be decoded.

-- The part that's insecure. -- If the password ever changes the SAME SECRET then needs to be stored to the cloud again, encrypted by the new key. Some padding with random data might help with this but this still sounds like a huge security loophole.

-- Worse Insecurity -- A customer's device could be shipped a compromised client which uploads the SECRET keys to requesting third parties upon sign-in. Those third parties could be large corporations or governments.

I do not see how anyone expects to use a mobile device for any serious security domain. At best average consumers can have a reasonable hope that it's safe from crooks who care about the average citizen.
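The workflow sketched in the comment above, as an added example that is not part of the original thread or any messenger's code: a 32-byte secret is wrapped under a password-derived key, fetched by a new client, and re-wrapped on a password change. The `Cloud` class, the passphrases and the iteration count are assumptions, and the PBKDF2 pad plus HMAC tag is a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # demo value (assumption, not from the thread)


class WrongPassword(Exception):
    """Raised when the blob's integrity tag does not verify."""


def _derive(password, salt):
    # 64 bytes of output: the first 32 mask the secret, the last 32 key the MAC.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_secret(secret_key, password):
    """Client side: build the encrypted blob that is uploaded to the service."""
    if len(secret_key) != 32:
        raise ValueError("this sketch wraps exactly 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt gives a fresh pad for every wrap
    pad, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_secret(blob, password):
    """New client: rebuild the key from the sign-in password and open the blob."""
    pad, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise WrongPassword("integrity tag mismatch")
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


class Cloud:
    """Hypothetical service storage. Nothing forces it to delete old blobs."""

    def __init__(self):
        self.current = None
        self.history = []

    def store(self, blob):
        self.current = blob
        self.history.append(blob)


def change_password(cloud, old_password, new_password):
    # The SAME secret is re-wrapped; only the wrapping key changes.
    secret = unwrap_secret(cloud.current, old_password)
    cloud.store(wrap_secret(secret, new_password))


def opens(blob, password, secret):
    try:
        return unwrap_secret(blob, password) == secret
    except WrongPassword:
        return False


def run_scenario():
    cloud = Cloud()
    secret = secrets.token_bytes(32)  # stands in for the E2EE private key
    cloud.store(wrap_secret(secret, "old-passphrase"))         # constructed value
    new_device = opens(cloud.current, "old-passphrase", secret)
    change_password(cloud, "old-passphrase", "new-passphrase")
    return {
        "new_device_recovers": new_device,
        # Holding only the blob, the service cannot open it.
        "server_without_password_locked_out":
            not opens(cloud.current, "not-the-passphrase", secret),
        "old_password_fails_on_current_blob":
            not opens(cloud.current, "old-passphrase", secret),
        # A retained pre-change blob still yields the unchanged secret.
        "old_blob_opens_with_old_password":
            opens(cloud.history[0], "old-passphrase", secret),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The last entry is the point raised under "The part that's insecure": re-wrapping does not rotate the secret, so a blob retained from before the change still opens with the old password.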

kevincox
1 replies
5h44m

> When you regain consciousness you'll be perfectly fine, but won't for the life of you be able to recall your device passwords or keys

You can't use your password as input to the mud puddle test.

mjevans
0 replies
2h6m

How would an end user even know they're running that test for a closed box system? The idea is what's possible in the real world.

ASalazarMX
1 replies
20h14m

And it only works because a corporation likely would want to offer this to its users as a convenient feature. If they were actively trying to hide this, they can rig the test and keep access to themselves.

freehorse
0 replies
10h26m

It is true that passing the mud puddle test does not guarantee robust end-to-end encryption (there can still be backdoors reserved for company/law enforcement). But failing it definitely guarantees that there is no robust end-to-end encryption.

tigeroil
1 replies
22h7m

Indeed and this is the other thing - even if Telegram don't themselves co-operate with law enforcement, it'd be fairly easy for law enforcement to request access to the phone number from the carrier, then use it to sign into the Telegram account in question and access all of the messages.

nucleardog
0 replies
21h49m

You can set a password that’s required to authenticate a new device.

Once that’s set, after the SMS code, then (assuming you don’t have access to an existing logged in device because then you are already in…), you can either reset the password via an email confirmation _or_ you can create a new account under that phone number (with no existing history, contacts, etc).

If you set a password and no recovery email, there is no way for them to get access to your contacts or chat history barring getting them from Telegram themselves.

thisisabore
1 replies
21h11m

That's it. The article could be just that. You log back in and all your messages are there without you having to provide a secret or allow access to some specific backup? Your data just lives on the server. The only thing preventing anyone from accessing it is the goodwill of the people running the server.

wruza
0 replies
17h55m

Not true. Secret chats only live on a device where you started it. Regular people may not use them (their problem), but these are common for business-critical chats in my circles.

scotty79
1 replies
18h23m

If you apply this test to things like LastPass or Bitwarden they fail too. And yet they don't keep my unencrypted passwords on their servers.

bryanlarsen
0 replies
1h59m

If you lose your Bitwarden master password you've lost your data. It passes the mud puddle test.

robmccoll
1 replies
16h20m

How to do that on initial account creation:

- locally create a recovery key and use it to wrap any other essential keys

- Split that or wrap that with two or more keys.

- N - 1 goes to the cloud to be used as MFA tokens on recovery.

- For the other, derive keys from normalized responses to recovery questions, use Shamir's secret sharing to pick a number of required correct responses and encrypt the Nth key.

You can recover an account without knowing your original password or having your original device.

bryanlarsen
0 replies
43m

IOW, you've made the recovery questions into alternate passwords, passwords that law enforcement is likely able to find or brute force.
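The last step of the recovery scheme above, as an added example that is not part of the original thread: a recovery key is split with Shamir's secret sharing and each share is masked with a key derived from one normalized answer, so any `threshold` correct answers rebuild it. The field prime, PBKDF2 parameters, record layout, check value and sample answers are assumptions made for this sketch.

```python
import hashlib
import secrets
from itertools import combinations

P = 2**256 - 2**32 - 977   # a well-known 256-bit prime, used here as the field
KDF_ITERATIONS = 50_000    # demo value (assumption)


def new_recovery_key():
    return secrets.randbelow(P)


def normalize(answer):
    # "  Mrs.  ORTIZ " and "mrs. ortiz" must derive the same key.
    return " ".join(answer.lower().split())


def answer_mask(answer, salt):
    okm = hashlib.pbkdf2_hmac("sha512", normalize(answer).encode(), salt,
                              KDF_ITERATIONS, dklen=48)
    return int.from_bytes(okm, "big") % P


def eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule, everything mod P
        acc = (acc * x + c) % P
    return acc


def interpolate_at_zero(points):
    # Lagrange interpolation evaluated at x = 0 recovers the constant term.
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def enroll(recovery_key, answers, threshold):
    """Build the record the service stores: masked shares plus a check value."""
    coeffs = [recovery_key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    slots = []
    for x, answer in enumerate(answers, start=1):
        salt = secrets.token_bytes(16)
        masked = (eval_poly(coeffs, x) + answer_mask(answer, salt)) % P
        slots.append({"x": x, "salt": salt, "masked": masked})
    check = hashlib.sha256(recovery_key.to_bytes(32, "big")).hexdigest()
    return {"threshold": threshold, "slots": slots, "check": check}


def recover(record, answers):
    """Return the recovery key if at least `threshold` answers are right, else None.

    Pass None for a question that is skipped. A wrong answer unmasks a wrong
    share, so every threshold-sized subset is tried against the check value.
    """
    points = []
    for slot, answer in zip(record["slots"], answers):
        if answer is None:
            continue
        y = (slot["masked"] - answer_mask(answer, slot["salt"])) % P
        points.append((slot["x"], y))
    for subset in combinations(points, record["threshold"]):
        candidate = interpolate_at_zero(subset)
        digest = hashlib.sha256(candidate.to_bytes(32, "big")).hexdigest()
        if digest == record["check"]:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample answers, not taken from the thread.
    enrolled = ["Rex", "Lisbon", "blue", "Mrs. Ortiz", "1999"]
    key = new_recovery_key()
    record = enroll(key, enrolled, threshold=3)
    print(recover(record, [" rex ", "LISBON", "Blue", "?", "?"]) == key)  # 3 right
    print(recover(record, ["rex", "lisbon", "?", "?", "?"]) is None)      # 2 right
```

The record is everything the service would store and `recover` needs nothing but answers, so the key is exactly as strong as the answers are hard to guess, which is the objection in the reply.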

rvnx
0 replies
22h5m

Also the same with Skype "encryption". The data is "encrypted", but you receive the private key from the server upon sign-on... So, just need to change that password temporarily.

refurb
0 replies
11h15m

I know this is getting off-topic, but all the discussion about encryption is missing an important weakness in any crypto algorithm - the human factor.

I found it interesting that countries like Singapore haven’t introduced requirements for backdoors. They are notorious for passing laws for whatever they want as the current government has a super majority and court that tends to side with the government.

Add on top Telegram is used widely in illegal drug transactions in Singapore.

What’s the reason? They just attack the human factor.

They just get invites to Telegram groups, or they bust someone and force them to hand over access to their Telegram account. Set up surveillance for the delivery and boom crypto drug ring is taken down. They’ve done it again and again.

One could imagine this same technique could be used for any Telegram group or conversation.

pokot0
0 replies
17h28m

Unfortunately if the answer is no, it does not mean law enforcement can’t

oloila
0 replies
10h29m

Telegram has secure calls and secure e2e private chats. All other chats are backed up to the cloud. So if you have an intent of using private communication - the answer is "no", if you don't care - the answer is "yes"

foresto
0 replies
18h7m

Unless you can prove (e.g. using your old device or a recovered signing key) that the new device is yours. In that case, if the service supports it, the new device could automatically ask your contacts to re-send the old messages using the new device's public key.

beefnugs
0 replies
21h26m

Yeah, and the only way to get government to learn about why e2ee is important is to show them that if law enforcement can get it, then so can hackers/phishers. We need as many politicians' dark secrets hacked and ousted as possible. It should be a whistleblower-protected right codified into law to perform such hacks.

331c8c71
54 replies
22h36m

I am null at cryptography but the following does not sound too bad as a default tbh. And I think it is misleading to focus solely on e2ee and not mention the distributed aspect.

https://telegram.org/faq#q-do-you-process-data-requests

> To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.

> Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression.

> Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.

> To this day, we have disclosed 0 bytes of user data to third parties, including governments.

lxgr
14 replies
22h19m

Yes: End-to-end encryption is technically quite difficult, but politically and legally feasible (at least currently, at least in most countries).

Simply not cooperating with law enforcement is technically moderately difficult, but politically and legally impossible.

Between a difficult and an impossible option, the rational decision is to pick the difficult one.

yarg
12 replies
22h1m

Is there a nice solution for multiparty (n >= 3) end-to-end encryption?

dtx1
4 replies
21h54m

Have the room owner create an AES 256 key, send it to all Party members via 1:1 e2ee, encrypt room messages with that AES key.

kitkat_new
2 replies
21h40m

this is pretty much what Matrix does, if I understand correctly.

Additionally the key is regularly updated to provide some degree of perfect forward secrecy and avoid encrypting for people who left the group chat

foresto
1 replies
17h48m

> this is pretty much what Matrix does, if I understand correctly.

I think it has senders encrypt messages with each room member's public key, rather than a single shared key. (At least, that's what the behavior I've seen suggests to me.)

Here's the spec, in case you want to comb through it:

https://spec.matrix.org/v1.11/client-server-api/#end-to-end-...

kitkat_new
0 replies
8h39m

> When creating a Megolm session in a room, clients must share the corresponding session key using Olm with the intended recipients, so that they can decrypt future messages encrypted using this session. An m.room_key event is used to do this. Clients must also handle m.room_key events sent by other devices in order to decrypt their messages.

https://spec.matrix.org/v1.11/client-server-api/#mmegolmv1ae...

OLM is the public key encryption scheme, similar to the Signal Protocol. It is used to exchange room_key messages, but not the room messages themselves.

MEGOLM as linked in the specification: https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/me...

maqp
0 replies
20h57m

This kills the forward secrecy.

IIRC Signal just has each group member send each group message to each recipient with the standard pair-wise encryption keys. It's the message's headers that lets the recipient know it's intended for the group and not the 1:1 group.

_niki_s_
2 replies
21h32m

simplex.chat

maqp
1 replies
20h52m

The entire platform is a joke. It pretends to have no identifiers and heavily markets queues (a programming technique) as a solution to privacy problem.

You ask the authors how they solved the problem of server needing to know to which client connection an incoming ciphertext needs to be forwarded, and they'll run to the hills.

They're lying by omission about their security, and misleading about what constitutes as a permanent identifier.

epoberezkin
0 replies
4h16m

That you don't like the design is well known. But this is not the reason to lie.

You understand the design quite well, from our past conversations, you simply don't like the fact that we don't recognise user IP address as a permanent user identifier on the protocol level. It is indeed a transport identifier, not a protocol-level identifier that all other messaging networks have for the users (in addition to transport identifiers).

Message routing protocol has anonymous pairwise identifiers for the connections between users (graph edges), but it has no user identifiers - messaging servers have no concept of a user, and no user accounts.

Also, recently we added a second step in message routing that protects both user IP addresses and transport sessions: https://simplex.chat/blog/20240604-simplex-chat-v5.8-private...

In general, if you want to meaningfully engage in the design criticism, I would be happy to, and it will help, but simply spitting out hate online because you don't like something or somebody, is not a constructive approach – you undermine your own reputation and you also mislead people.

> You ask the authors how they solved the problem of server needing to know to which client connection an incoming ciphertext needs to be forwarded, and they'll run to the hills

This is very precisely documented, and this design was recently audited by Trail of Bits (in July 2024), we are about to publish their report. So either you didn't understand, or you are lying.

> They're lying by omission about their security, and misleading about what constitutes as a permanent identifier.

You would have to substantiate this claim, as otherwise it is slander. We are not lying about anything, by omission or otherwise. You, on another hand, are lying here.

That you are spiteful for some reason is not a good enough reason.

Factually, at this point SimpleX Chat is one of the most private and secure messengers, see the comparisons of e2e encryption properties in SimpleX Chat and other messengers: https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum...

kitkat_new
1 replies
21h43m

MLS scales best for large n, but WhatsApp/Signal or Matrix do pretty well for < 1k people

squarefoot
0 replies
21h1m

A possible implementation using existing infrastructure where at least the client is open: modify the messaging client so that when it receives multiple pvt connections it routes every incoming message to all connected members. Now if you have say 10 users that want group encrypted chats, have one of them run the modded client too so that any user connecting to a pvt chat with that client will essentially enter a room with other users. Of course this requires trust between members, and adding another encryption layer on all clients might turn out necessary so that you don't need to worry about the carrier telling the truth (all p2p connections encrypted, etc.).

lxgr
0 replies
21h54m

Arguably WhatsApp's protocol scales reasonably well (nice description in this survey paper: [1]), at least well enough for maximum WhatsApp group sizes (times up to four devices per participant).

[1] https://eprint.iacr.org/2017/713.pdf

tigeroil
0 replies
22h9m

Indeed. Even being charitable and assuming that they're not lying (they say elsewhere that they've shared zero bytes with law enforcement, despite this being demonstrably false), in reality if say, they were to arrest the founder in an EU country (France, perhaps), all they need to do is threaten him with twenty years in prison and I'm sure he'll gladly give up the keys from all the different locations they supposedly have.

tptacek
13 replies
22h21m

You can coherently argue that encryption doesn't matter, but you can't reasonably argue that Telegram is a serious encrypted messaging app (it's not an encrypted messaging app at all for group chats), which is the point of the article. The general attitude among practitioners in the field is: if you have to reason about how the operator will handle legal threats, you shouldn't bother reasoning about the messenger at all.

chadsix
12 replies
21h55m

> if you have to reason about how the operator will handle legal threats, you shouldn't bother reasoning about the messenger at all.

That's true.

You need to run your own platform people. XMPP is plenty simple, plenty powerful, and plenty safe -- and even your metadata is in your control.

Just self host. There's no excuse in 2024.

Wake up people!

Why should the arrest of someone else affect YOU?

nrr
6 replies
21h38m

"You need to run your own platform people." What problem does this solve?

I'm someone who's been on the business end of a subpoena for a platform I ran, and narcing on my friends under threat of being held in contempt is perhaps the worst feeling I'm doomed to live with.

"XMPP is ..." not the solution I'd recommend, even with something like OMEMO. Is it on by default? Can you force it to be turned on? The answer to both of those is, as it turns out, "no," which makes it less than useful. (This is notwithstanding several other issues OMEMO has.)

zaik
4 replies
12h35m

> The answer to both of those is, as it turns out, "no"

This is not true, it depends on the client. Conversations has OMEMO enabled per default.

nrr
3 replies
9h54m

I don't see any practical difference between "it depends" and "no" here.

MattJ100
2 replies
9h20m

This is like saying we shouldn't use TCP/IP because it's not encrypted. How it actually works is that encryption is enforced by the application - indeed the only place you can reasonably enforce it. See for example the gradual phasing out of HTTP in browsers by various means.

What this means in practice is that you shouldn't focus on whether XMPP (or Matrix, or whatever) protocols are encrypted, but whether the applications enforce it. Just as there are many web browsers to choose from, there are many messaging apps. Use (and recommend) apps that enforce encryption if that's what you want.

nrr
1 replies
8h59m

I'm not sure I agree, particularly given that there's some incentive for us to get our relatives using these messenger protocols and clients. The Web made it work because everyone came together and gathered consensus (well, modulo some details) that enforcing HTTPS is, ultimately, a good idea given the context.

So far, I'm not seeing that same consensus from the XSF and client vendors. If the capital investment can be made to encourage that same culture, the comparison can perhaps be a little closer.

zaik
0 replies
8h52m

The consensus comes from the people using the clients, not from the standards bodies. It's the same for HTTPs, where the users (in this case the server admins) decided it would be a good idea to use encryption.

There are even apps like Quicksy which have a more familiar onboarding experience using the mobile phone number as the username, while still being federated with other standard compliant servers. There is little reason to use walled garden apps like Signal these days.

immibis
0 replies
20h20m

Note in particular that the Ethernet connection to xmpp.ru/jabber.ru's server was physically intercepted by German law enforcement (or whatever-you-think-they're-actually-enforcing enforcement), allowing them to issue fraudulent certificates through Let's Encrypt and snoop on all traffic. This was only noticed when the enforcement forgot to renew the certificate. https://news.ycombinator.com/item?id=37961166

sroerick
1 replies
20h51m

Sadly, you still have to pipe all messages through Apple’s notification API if you want notifications on iOS

maqp
0 replies
20h59m

You're assuming end-to-end encryption doesn't exist, and that the only way to be safe is to have someone close to you self-hosting.

Self-hosting is terrible in that it gives Mike, the unbeknownst creepy tech guy in the group 100% control over the metadata of their close ones. Who talks to whom, when etc. It's much better to either get rid of that with Tor-only p2p architecture (you'll lose offline-messaging), or to outsource hosting to some organization that doesn't have interest in your metadata.

The privacy concern Green made was confidentiality of messages. There is none for Telegram, and Telegram should have moderated content for illegal stuff because of that. They made a decision to become a social media platform like Facebook, but they also chose not to co-operate with the law. Durov was asked to stop digging his hole deeper back in 2013, and now he's reaping what he sowed.

godelski
0 replies
19h32m

> Just self host. There's no excuse in 2024.

I hate to break it to you, but there's plenty of excuses. We live in a bubble on HN.

May I remind you what the average person is like with this recently famous reddit post:

https://archive.is/hM2Sf

If you want self hosting to happen, with things like Matrix, and so on, the hard truth is that it has to not be easy for someone who can program, but trivial for someone who says "wow, can you hack into <x>" if they see you use a terminal

dylan604
0 replies
21h38m

As if it were that simple. Where are you going to host that self-hosted instance? What protections against law enforcement inspections do you have? What protections against curious/nefarious hackers? How are you going to convince every single person you interact with to use it?

Gung-ho evangelists rarely convert like a reasonable take on the subject does

fsflover
6 replies
22h32m

Telegram can be forced to give up data

That's all you need to know. Matrix and Signal can't be forced in any way.

ThePowerOfFuet
5 replies
21h10m

The admins of Matrix instances sure can be forced to give up data. The metadata is not encrypted, and many rooms are not either.

foresto
2 replies
17h39m

Metadata is indeed an open issue on Matrix. I believe addressing it is on their to-do list.

Many rooms are not encrypted because they are public rooms, where there would be no point in it. Encryption has been the default for quite a while now.

_flux
1 replies
15h14m

I believe addressing it is on their to-do list.

I doubt that it's very high on that list, as the problem seems very hard. Very hard as in, do we even know it's possible? "Metadata" includes a lot of stuff, but basically the originator, the destination and the timing of the messages and participants of a room are all quite difficult to hide in a federated system.

I do believe there is a plan for getting rid of the association of one user in multiple rooms, but that's but a small bit of metadata. I think it is part of the puzzle for supporting changing homeservers.

foresto
0 replies
14h29m

I was referring to the metadata that are typical complaints about Matrix, like usernames and reactions.

"Metadata" includes a lot of stuff, but basically the originator, the destination and the timing of the messages

Indeed. AFAIK, sender/recipient correlation cannot actually be protected at the software level, because packet switched networking necessarily reveals it. The common way I'm aware of to mitigate this problem is at the network level, by trying to avoid common routes that would allow monitoring many users' traffic from any one place.

Concretely, that might mean having everyone use Tor (which some folks suggest already) or going fully peer-to-peer (which some messengers do already, and Matrix has been experimenting with).

Signal tries to improve the situation with Sealed Sender, but I'm pretty confident that can't protect against the Signal servers being compromised, nor against network monitoring. When trying to think of how it's useful at all, the only thing that comes to mind is that it might strengthen the Signal Foundation's position when a government demands logs. (And if that is why they implemented it, I suppose they must be keeping logs, at least for a short period.)

Related:

https://www.ndss-symposium.org/ndss-paper/improving-signals-...

maqp
2 replies
20h38m

To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions.

This is utter bullshit I debunked back in 2021.

https://security.stackexchange.com/questions/238562/how-does...

vasco
1 replies
18h33m

In practice also didn't work, only one government was needed to arrest the guy. And now all they need is a hammer or some pliers. No need for multiple governments to coordinate.

maqp
0 replies
18h27m

Well I'm sure France isn't taking Durov to some black site at this point. But since there's no such thing as distributed computation of single AES block operation, each server must by definition have access to the server's SQL-database key, and that key can be confiscated from whichever node is interacting with the database. Last I heard the servers in EU were in Netherlands, so if needed, perhaps the authorities there will handle it after court proceedings.
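Added example (not from the thread and not Telegram's code): a minimal model of the split-key claim discussed above, assuming a plain n-of-n XOR split and a hypothetical `ServingNode`; Telegram's actual scheme is not public. A SHA-256 keystream with an HMAC tag stands in for AES because Python's standard library has no AES. It shows that a node able to serve a chat on request ends up holding the complete key.

```python
import hashlib
import hmac
import secrets

MESSAGE = b"constructed sample chat record"  # constructed sample data


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """n-of-n XOR split: any n-1 shares together are uniformly random noise."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    return shares + [last]


def combine(shares) -> bytes:
    """XOR the given shares; only the full set yields the original key."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    return key


def subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher (NOT AES): nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(plaintext, keystream(subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ct, keystream(subkey(key, b"enc"), nonce, len(ct)))


class ServingNode:
    """Hypothetical node answering a user's 'load my chat' request."""

    def __init__(self, share_sources, database):
        self.share_sources = share_sources  # one callable per share holder
        self.database = database
        self.keys_in_memory = []            # what seizing this node would yield

    def load_chat(self, record_id):
        # To decrypt at all, the node has to gather every share in one place.
        key = combine([fetch() for fetch in self.share_sources])
        self.keys_in_memory.append(key)
        return unseal(key, self.database[record_id])


def demo():
    db_key = secrets.token_bytes(32)
    shares = split_key(db_key, 3)  # e.g. three separate legal entities
    database = {"chat-1": seal(db_key, MESSAGE)}
    node = ServingNode([lambda s=s: s for s in shares], database)
    return {
        "served_plaintext": node.load_chat("chat-1"),
        "two_of_three_opens": unseal(combine(shares[:2]), database["chat-1"]),
        "node_held_full_key": node.keys_in_memory == [db_key],
    }


if __name__ == "__main__":
    print(demo())
```

Two of the three shares open nothing, yet the node that answers an ordinary user request reconstructs the whole key without any holder being asked to approve it.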

kitkat_new
2 replies
22h28m

I wonder if this is practically relevant at all.

Given that users can access their messages without interaction with people at Telegram, automatic aggregation of the cloud data for single end points is in place.

In consequence the data can be accessed from a single jurisdiction anyways.

al_borland
1 replies
22h17m

Wouldn’t being forced to give up the password and logging in be a violation of the 5th amendment, at least in the US? I think it’s a mixed bag of rulings right now, but it seems like it would make sense for it to fall that way at the end of the day.

kitkat_new
0 replies
21h49m

even if you have a password in Telegram as a second factor, Telegram can bypass it anyways; and the user isn't even asked

tamimio
1 replies
22h24m

That’s Telegram's CEO saying how he and his employees were “persuaded and pressured” by US FBI agents to integrate open-source libraries into Telegram (1). There are a lot of questions to ask, like if the open-source libraries are indeed compromised, among other things. I take it as this arrest was the final straw to pressure him to give up and hand over some “needed” data, as all the accusations I read are laughable. Instagram is full of human trafficking and minor exploitation, drug dealers, and worse. The same goes with other social media, and I don’t see Elon or Zuck getting arrested. I am confident that this arrest is to obtain specific information, and after that, he will be released, or spend 20 years if he doesn’t comply.

(1) https://youtu.be/1Ut6RouSs0w?t=1082

maqp
0 replies
17h7m

Or he's trained in the art of lying

"At St. Petersburg State University, Mr. Durov studied linguistics. In lieu of military service, he trained in propaganda, studying Sun Tzu, Genghis Khan and Napoleon, and he learned to make posters aimed at influencing foreign soldiers."

https://www.nytimes.com/2014/12/03/technology/once-celebrate...

You really think the FBI would casually go to Durov and start telling him which libraries to deploy in his software.

This "They're trying to influence me that means it's working" 5D-chess is the most stupid way to assess security of anything.

There's nothing to backdoor because it's already backdoored:

Code does not lie about what it does. And Telegram clients' code doesn't lie it doesn't end-to-end encrypt data it outputs to Telegram's servers. That's the backdoor. It's there. Right in front of you. With a big flashing neon light that says backdoor. It's so obvious I can't even write a paper about it because no journal or conference would accept me stating the fucking obvious.

ahmedbaracat
1 replies
22h30m

I am wondering if there was any incident that disproved the “we have disclosed 0 bytes of user data to third parties, including governments.” statement.

mihaaly
0 replies
21h57m

Maybe hijack the key and message before it gets distributed. Or just get after the pieces themselves if they are from Chinese or Russian authorities. Or just threaten to close the local data center if they do not collect the pieces from elsewhere, see if they can be convinced to hand over what they have, regardless where they put it.

We can be null in cryptography, but handing over both the secret and the key to this secret to the very same person is quite a trustful step, even when they say 'I promise I will not peek or let others peek, pinky promise!' - with an 'except if we have to or if we change our mind' in the small prints or between the lines.

lovethevoid
0 replies
22h20m

https://www.spiegel.de/netzwelt/apps/telegram-gibt-nutzerdat...

Translated: Contrary to what has been publicly stated so far, the operators of the messenger app Telegram have released user data to the Federal Criminal Police Office (BKA) in several cases.

https://torrentfreak.com/telegram-discloses-user-details-of-...

Telegram has complied with an order from the High Court in Delhi by sharing user details of copyright-infringing users with rightsholders.

Anyways just some examples in which their structure doesn't matter. In the end, user data is still given away. It's also why e2ee should be the sole focus. Everything else is "trust me bro it's safe" levels of security.

littlestymaar
0 replies
22h28m

Splitting stuff between multiple companies doesn't really protect anyone if the boss of all companies is held hostage.

Also

To this day, we have disclosed 0 bytes of user data to third parties, including governments.

Didn't they conclude an agreement with Russian gvt in 2021?

gospelsod
0 replies
22h20m

The problem with this approach is that it relies on governments accepting your legal arguments. You can say "no, these are separate legal entities and each one requires a court order from a different country" all you want, but you also need to get the courts themselves to agree to that fact.

episteme
0 replies
22h25m

I do wonder if this would hold up though, if telegram stored each character of your chat in a different country, would a single country not be able to force them to hand over the data and either fine them or force them to stop operating if they wouldn't share the full chat? It seems like a loophole but I don't know what the precedent is.

Vegenoid
0 replies
15h31m

The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.

Or the CEO and owner, staring down the barrel of a very long time in prison, obtains the keys from his employees and provides them to the authorities.

Would he do this? To me, it matters little how much I trust someone and believe in their mental fortitude. I could instead rely on mathematical proofs to keep secrets, which have proven to be far better at it than corporations.

StrLght
0 replies
22h30m

Problem with this claim is that it's hardly verifiable. Telegram's backend is closed source, and the only thing you can be sure of is that their backend sees every message in plaintext.

Stevvo
0 replies
21h54m

Clearly the investigating authorities are not buying that argument because, well, it's completely absurd. Both technically and legally, Telegram are in control of those keys, regardless of where they are hosted.

tamimio
38 replies
22h37m

It’s not encrypted by default, and even if it were encrypted, you should never trust any connected device with anything important. That being said, Telegram is hands down the best communication platform right now. It is feature-rich, with features implemented years ago that are only now being added to other platforms. It has normal chatting/video calls, groups, channels, and unlimited storage in theory, all for free. I just hope it doesn’t go downhill after what happened these last days because there’s no proper replacement that fulfills all Telegram features at once.

icepat
36 replies
21h35m

What's in Telegram that you don't see in Signal? Honest question, I only use Signal rather than Telegram.

jxi
18 replies
21h28m

Signal has probably the worst UX of any messaging app. It also used to require sharing phone numbers to add contacts, which imo is already a privacy violation.

Telegram is fast, responsive, gets frequent updates, has great group chat, tons of animated emojis, works flawlessly on all desktop and mobile platforms, has great support for media, bots, and a great API, allows edits and deleting messages for all users, and I really like the sync despite it not being e2e.

throwuxiytayq
3 replies
17h8m

Telegram consumes up to 50% of battery charge on iOS, with practically zero daily usage, all energy saving settings enabled, and a single followed channel, whether or not I force close the app or reinstall it. I gave up on trying to make it work, merely installing the fucking app ensures my phone is dead in the morning.

seanhunter
0 replies
12h21m

That absolutely does not happen to me. I have it installed and don't use it (at all) and my battery life is fine.

misiek08
0 replies
10h15m

I have group of 15 friends using it and it barely uses 2% of battery while using it. Either you are just spreading misinformation or you should check your phone for custom wires added by the bad guys.

13 people on iOSes, iPhones from 11s to 15 Pro; 2 Androids.

kaba0
0 replies
13h27m

That sounds like a bug in your OS. Like, even if the app were doing something crazy, it shouldn’t eat that much memory.

ThePowerOfFuet
3 replies
21h7m

Signal also allows edits and deletions.

jxi
2 replies
20h57m

I haven't used Signal in a while, so I probably misremember some of what it supported. I just looked it up though and Signal's delete feature seems to leave a "This message was deleted" placeholder like what Facebook Messenger does, which looks a bit annoying to me (https://support.signal.org/hc/en-us/articles/360050426432-De...). Telegram just directly removes the message for everyone.

crtasm
0 replies
18h14m

But with the benefit that it prevents situations where responses to the deleted message appear to have a completely different context and meaning.

WaitWaitWha
0 replies
14h44m

the "message was deleted" can also be deleted, leaving nothing. :)

tamimio
2 replies
21h15m

allows edits and deleting messages for all users

And it has those little features like masked text and what not, features wise, telegram is just the best. I didn’t use Signal for a long time, you can’t edit the messages there!?

mrln
0 replies
17h50m

Yes, you can.

aftbit
0 replies
33m

Yeah you can?

zuhsetaqi
1 replies
12h53m

Signal doesn't require sharing of phone numbers

It does require a phone number to create an account. That’s the reason I do not consider it being private because at least in Germany a phone number can only be activated by using a personal ID card which it is connected to.

StrLght
0 replies
12h22m

Private and anonymous are two very different things

p4bl0
0 replies
20h53m

Signal has probably the worst UX of any messaging app

Really? I don't see any real difference between the UX of WhatsApp and Signal for example. And they're really on-par feature wise.

The only things in your list that are not available on Signal are "tons of animated emojis" and "bots". Recently they also introduced usernames to keep your phone number private. And Signal have had all the other things for a few years now, and with actual security.

mikrotikker
0 replies
3h52m

With just 30 staff

maqp
0 replies
20h25m

It also used to require sharing phone numbers to add contacts

It no longer doesn't. It took them a while because you can't just slap features like that. It's not a string in a database like with Telegram.

Telegram has great UX because you can build things fast and easy when you don't have to give two shits about the security side of things. You can cover that part with grass-roots marketing department and volunteering shills.

jwells89
0 replies
21h3m

You’re also not stuck with the official client and all of its decisions like with Signal. In addition to the official Qt and Swift/Cocoa Telegram clients, you can find third party clients written in WinUI and GTK as well as a CLI client, which gives users the choice to use the one that fits their wants/needs best.

I use both on desktop for different people and the desktop Signal client doesn’t hold up well in comparison. In some ways it feels more clunky than the iMessage ancestor iChat did 20 years ago.

tpoacher
4 replies
20h36m

This is one of those questions where it's hard to answer but it's obvious once you use it.

What's the difference between a Fiat and a Ferrari? What's the difference between CentOS and Linux Mint? What's the difference between a McDonald's and a Michelin burger?

I have friends and groups on both platforms. On Signal, I'm basically just sending messages (and only unimportant ones, like, when are we meeting. Sending media mostly sucks so I generally only have very dry chats on Signal).

Whereas on Telegram, I'm having fun. In fact it's so versatile, that my wife and I use it as a collaborative note-taking system, archiver, cvs, live shopping list, news app (currently browsing hackernews from telegram), etc. We basically have our whole life organised via Telegram. I lose count of all the features I use effortlessly on a daily basis, and only realise it when I find myself on another app. This is despite the fact that both Signal and whatsapp have since tried to copy some of these features, because they do so badly. A simple example that comes to mind: editing messages. It took years for whatsapp to be able to edit a message (I still remember the old asterisk etiquette to indicate you were issuing a correction to a previous message). Now you can, but it's horrible ux; I think you long press and then there's a button next to copy which opens a menu where you find a pencil which means edit, or sth like that. In telegram I don't even remember how you do it, because it's so intuitive that I don't have to.

Perhaps that's why I find the whole "Telegram encryption" discussion baffling to be honest. For me, it's just one of Telegram's many extra features you can use. You don't have to use it, but it's there if you want to. I don't feel like Telegram has ever tried to mislead its users that its raison d'être is for it to be a secret platform only useful if you're a terrorist (like the UK government seems to want to portray it recently).

I get the point about "encryption by default", but this doesn't come for free, there are usability sacrifices that come with it, and not everyone cares for it. Insisting that not having encryption by default mars the whole app sounds similar to me saying not having a particular set of emojis set as the default mars the whole app. It feels disingenuous somehow.

wruza
1 replies
17h42m

I second the point about the difference. Can’t tell why, but signal and whatsapp feel just awful ui/ux-wise. And that’s not a habit thing, I’ve used whatsapp before telegram (and still it was unideal). Telegram knows UX-fu and how to grow without being the only player on the board.

mojuba
0 replies
12h0m

I think it's mainly Telegram's native feel (and it is native on every platform it supports afaik). It's even in little trivial things like the rubber band effect on Apple's platforms, then in how smooth the loading of missing stuff from the network is, and finally it's in the design: Telegram is slick.

All those little things combined and when you switch from Telegram to Signal or WhatsApp it feels like going a couple of decades back, or something like that.

Honestly I don't know how much I can trust Telegram and its founder Pavel Durov (I probably shouldn't), but in terms of the quality of software it's unmatched.

zuhsetaqi
0 replies
12h47m

Perhaps that's why I find the whole "Telegram encryption" discussion baffling to be honest. For me, it's just one of Telegram's many extra features you can use. You don't have to use it, but it's there if you want to.

Well, as soon as you create an e2ee chat most features are gone for this chat. It doesn’t even sync on multiple devices. And e2ee is not available for group chats.

It’s more like they implemented it to check a box …

yard2010
0 replies
11h52m

Honest question - is Linux Mint the Ferrari of Linux?

forgotmypw17
2 replies
15h35m

What's in Telegram that you don't see in Signal?

The first feature that comes to mind for me is being able to use multiple devices. Signal only allows using it with one phone. If you add a second device, the first one stops working. You can use a computer and a phone, but not multiple phones. Telegram supports this without any issues. I still struggle to understand this limitation.

zuhsetaqi
1 replies
12h51m

It’s easy for telegram to support this since it’s not e2ee. When you create a so called private chat on telegram, this chat is also only available on the device you created it on.

forgotmypw17
0 replies
8h4m

It’s easy for telegram to support this since it’s not e2ee.

E2EE is not important to me. Continuity of chats and lack of friction in accessing them is important to me.

When you create a so called private chat on telegram, this chat is also only available on the device you created it on.

Signal is able to do this with my phone and my computer. The one-phone limit seems arbitrary.

tamimio
0 replies
21h19m

User base, large groups (I think the max is 200k members), channels, bots to automate work, animated stickers, video messages (not the calls one), and video/voice calls within the group (not sure if Signal has that), file storage and file sharing, multiple devices without worrying about losing messages -and you might mention the security part and that’s ok, I want the accessibility, if I want security I will look somewhere else- among other features. Those are on top of my head.

sundarurfriend
0 replies
21h31m

People.

panja
0 replies
11h12m

Cross-device message history for me. I can go back to my very first message sent. Signal to this day sucks for message history.

niutech
0 replies
5h44m

Signal doesn't provide a web app, unlike Telegram.

misiek08
0 replies
10h10m

The worst UX you can provide. Clumsy, slowly switching views, search worse than on WhatsApp, stickers like from 2005, no formatting, no bot API (of course there are few "hacked" ones implementations, but is it really the way?), margin and padding bloated UI.

# No smooth animations - that's makes Telegram stand out from everything else here, but maybe not everyone is happy when 6-core phones can deliver something more than 60fps in 2024...

That's what I remember and yes - mostly those are probably easy to fix UI/UX features/bugs, but even being open-source - they aren't.

guappa
0 replies
12h2m

For me, that I can just do apt install telegram-desktop

TeddyDD
0 replies
21h24m

Good desktop client.

Canada
0 replies
5h24m

Telegram is great for large groups. It's better to compare Telegram to Reddit than Signal.

Signal is excellent for tiny groups of known participants. I prefer it over anything else for this use case. The group permissions Signal introduced a few years ago are well suited for that purpose. I've recently started running small groups on Signal with about 100 participants who mostly know each other, but not tightly. The recent addition of phone number privacy makes this feasible.

Once you start moving up in scale you really need moderation tools, and Signal doesn't do so well there. When you have thousands of people and it's open to the public you need to moderate or else bad actors will cause your valuable contributors to leave. Basic permissions like having admins who can kick people out and restricting how new members can join only gets you so far.

The issue is that in Signal there is no group as far as the server is concerned: The state of the group exists only on client devices and is updated in a totally asynchronous manner. As a consequence it is more difficult for Signal to provide such features. For example, Signal currently has no means to temporarily mute users, to remove posts from all group members, easy bots to deal with spam, granting specific users special privileges like ability to pin messages, transferable group ownership as opposed to a flat "admin" privilege, etc.

Think about the consequences of Signal's async nature with no server state: What does it mean to kick someone out? An admin sends a group update message that tells other clients to stop including that user in future messages. Try this: Have a group member just delete Signal and then re-register. Send a message to the group. They're still in the group. You get an identity has changed message. These are really only actionable with people who you know... that is, in tiny groups.

And then, the biggest strengths of Signal, which are its end to end encryption and heroic attempts to avoid giving the server metadata, are less valuable in the context of a large public group: Anyone interested in surveilling the group can simply join it, so you have to assume you're being logged anyway. Signal lacks strong identities as a design choice, so in big groups it's harder to know who you're really talking to like you know that "Joe Example, founder of Foo Project" is @Foo1988 on Telegram and @FooOfficial on X and u/0xFooMan on Reddit.

7373737373
0 replies
13h25m

Polls

mihaaly
0 replies
21h54m

As far as I see there was no criticism targeted at anything else than the encryption part.

AnotherGoodName
35 replies
22h38m

If Telegram's encryption is so bad why is Pavel Durov under arrest?

The arrest cites that he was not cooperating with authorities to crack down on various drug illegal activities on telegram. None of the other social networks have their ceos arrested. Is it simply that telegram is the only one without backdoors for five eyes?

It seems to me the secret chat feature actually works too well?

cja
6 replies
22h29m

Telegram is the comms system for the Russian military.

littlestymaar
3 replies
22h17m

As hilarious as it sounds, it's at least partly true.

theragra
2 replies
21h21m

I heard whatsapp is better in low signal conditions, so they use both

littlestymaar
1 replies
20h54m

I've also seen Discord being used on video footage from the war so I'm not surprised they'd use Whatsapp as well.

Aachen
0 replies
19h43m

We had a client who wanted us to do a security audit and communicate the results—unpatched vulnerabilities mind you—via Discord. They could not be dissuaded.

cja
1 replies
11h59m

Please could whoever downvoted this explain why? There's plenty of evidence of this. Access to Telegram would be like cracking Enigma

mr_mitm
5 replies
22h17m

Read this: https://fortune.com/crypto/2024/06/27/telegram-dark-net-blac...

Telegram channels are public, unencrypted web shops for all kinds of illegal goods. I guess the French government alleges that Durov is not doing enough to stop these activities on his platform.

It doesn't necessarily have anything to do with encryption.

lxgr
4 replies
21h58m

It indirectly has a lot to do with encryption, in that if Telegram was actually encrypted, they'd probably have no grounds on holding him in the first place.

(At least at the moment, in most countries) it's not illegal to not ship a backdoor in your end-to-end-encrypted software upon government request, but in most it is illegal to not share data you're holding in a form accessible to you when you receive a warrant for it.

mr_mitm
3 replies
21h39m

Anyone can join these channels. How would encryption change anything?

jltsiren
0 replies
20h42m

If anyone can access the data, it's not encrypted in any meaningful sense.

If you have access to some data, the government can require you to share it with them. But if you can't access the data due to encryption, the government can't force you to create a backdoor to access it. At least not outside truly extraordinary situations.

Aachen
0 replies
19h47m

Anyone can join these channels.

Doesn't mean that the server operators could. Think Mega (the new version of MegaUpload): they have these hash/fragment parts in the URL which aren't sent to the server and so you can send links around but Mega can claim they can't read anything because nobody gave them the "join" link to the data they host

But that's not what Telegram does and so they might reasonably have to implement automatic scans if there are an oddly high number of crimes being coordinated on the platform. (Sarcasm coming up:) It's really strange this would happen after they said it's for privacy nerds and then never implemented encryption for any of the useful/standard features
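Added example (not from the thread and not Mega's code): the key-in-the-URL-fragment design described above, with a hypothetical host `files.example` and an in-memory `Server`; a one-time pad stands in for the real cipher. `urllib.request.Request` splits the fragment off before the request target is built, so the operator's log and storage never contain the key.

```python
import base64
import secrets
from urllib.request import Request

HOST = "files.example"  # hypothetical host, not a real service
SECRET = b"constructed sample file contents"  # constructed sample data


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Hypothetical file host: stores opaque blobs and logs request targets."""

    def __init__(self):
        self.blobs = {}
        self.access_log = []

    def put(self, blob: bytes) -> str:
        file_id = secrets.token_hex(8)
        self.blobs[file_id] = blob
        return file_id

    def handle(self, request_target: str) -> bytes:
        # This string is everything the operator sees of the shared link.
        self.access_log.append(request_target)
        return self.blobs[request_target.rsplit("/", 1)[-1]]


def share(server: Server, plaintext: bytes) -> str:
    """Encrypt client-side, upload only ciphertext, put the key after '#'."""
    pad = secrets.token_bytes(len(plaintext))  # one-time pad as stand-in cipher
    file_id = server.put(xor_bytes(plaintext, pad))
    fragment = base64.urlsafe_b64encode(pad).decode()
    return f"https://{HOST}/d/{file_id}#{fragment}"


def fetch(server: Server, link: str) -> bytes:
    """What a recipient's client does with the link."""
    request = Request(link)
    # request.selector is the path sent on the wire; request.fragment stays local.
    blob = server.handle(request.selector)
    pad = base64.urlsafe_b64decode(request.fragment)
    return xor_bytes(blob, pad)


def demo():
    server = Server()
    link = share(server, SECRET)
    key_part = link.split("#", 1)[1]
    return {
        "recipient_plaintext": fetch(server, link),
        "key_in_server_log": any(key_part in entry for entry in server.access_log),
        "plaintext_on_server": SECRET in server.blobs.values(),
    }


if __name__ == "__main__":
    print(demo())
```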

3np
0 replies
20h50m

Joins/leaves are visible to participants. Channel owners can decide if past history is to be made accessible for new joiners.

devjab
4 replies
20h1m

I can give you some insight into why EU law enforcement and politicians dislike telegram. It’s not because they can’t snoop on you, it’s because Telegram fails to comply with moderation requests for channels where illegal content is shared.

We had a nice scandal of sorts here in Denmark where a bunch of young men shared pictures of young women without consent. If you’re old enough to remember those old “rate this girl” web pages from the 90ies you’ll know what the pictures were used for. Basically it was a huge database on hot girls in Denmark and where they went to school. Today around 1000 young men have that on their permanent record as Facebook worked with law enforcement to catch the criminals. Telegram doesn’t do that. This was even a little more innocent than it may sound, considering the men were at least aged similar to the women they were sharing pictures of. Disgusting and illegal, but Telegram houses far worse and refuses to deal with it.

I know a lot of tech minded people are up in arms over this, but it’s really mainly about not wanting an unmoderated social network. Not because big brother is angry, but because people use it to organise bullying, share revenge porn, sell drugs and far, far, worse. There are also political factions within the EU who want to kill encryption (though they were severely weakened when the brits left), but the anger against SoMe platforms is much more “European”. In that we (and I say this as the EU culture in general, not as in 100% of us) tend to view the people who enable bad behaviour as participating in that behaviour. Platforms like Facebook, Twitter, Instagram and YouTube have been sort of protected by being early movers with mass adoption. Being American companies probably helps as well considering EU / US relations. Telegram never had such advantages, and is further disadvantaged by how its almost exclusively used for crime in Western Europe.

Obviously banning the platform won’t help. There will just be another platform. But then, we’ve also been losing a drug war for 50+ years even though we can’t even keep drugs out of our prisons.

sam_lowry_
1 replies
17h31m

you’ll know what the pictures were used for.

Fapping on? And what's the problem with that, exactly?

devjab
0 replies
9h29m

It’s illegal to share pictures without consent. Especially if it’s nudes. On top of that it was the equivalent of high schoolers so much of it was 15-17 year olds. Minors.

I believe there was a public discussion on whether putting sharing of child pornography on a 15-19 year olds permanent record was the right thing to do in the context. Considering they are all similarly aged and are allowed to have sex and share nudes with consent. I can’t remember how it went, it wasn’t something I followed very closely.

yard2010
0 replies
11h37m

Haha Facebook worked with law enforcement to catch criminals. Who works with law enforcement to catch Facebook?

stackedinserter
0 replies
19h20m

The problem is that it never ends at protecting Danish women or kids, or "fighting terrorism".

StrLght
4 replies
22h33m

I'd suggest waiting for more details from French officials, they have already said that they'll address it tomorrow. So far claims from the media sound like Durov's being prosecuted due to very little moderation on the platform, not because of E2EE.

Even so, most messages sent on Telegram are plaintext, they're encrypted only in transport layer, but Telegram's servers see them in full. Secret chats (the only E2EE chats on Telegram) are hidden away from the users, hence the original link.

kome
1 replies
22h17m

Even so, most messages sent on Telegram are plaintext, they're encrypted only in transport layer, but Telegram's servers see them in full.

you contradict yourself in the same sentence

rvnx
0 replies
22h0m

He means that the messages are only encrypted during transport, like with HTTPS.

Your browser sends a clear message over an encrypted pipe, and the server on the other side, sees this clear message.

ajsnigrutin
1 replies
19h28m

So far claims from the media sound like Durov's being prosecuted due to very little moderation on the platform, not because of E2EE.

But that's why it's good. With all the mainstream media censoring stuff, telegram was a (good for the people) exception.

On the other hand, that's probably why they arrested him.

tsimionescu
0 replies
11h48m

I don't think GP was claiming that is bad, just that his arrest has nothing to do with E2EE of private chats - at least that's the impression I also got from the media.

Avamander
3 replies
22h30m

Is it simply that telegram is the only one without backdoors for five eyes?

Do you honestly think that any backdoor would be used for such mundane crimes? Even more so, it being in any way acknowledged that there might be a backdoor?

On that topic, it's highly likely Telegram is cooperating with Russian LE. Services and people that don't get thrown out quickly in Russia.

The arrest cites that he was not cooperating with authorities to crack down on various drug illegal activities on telegram. [...] None of the other social networks have their ceos arrested.

Because if you want to operate in any country, you're either cooperating with the authorities or you'll get shut down or arrested. Hiding evidence you have is not tolerated anywhere.

worstspotgain
1 replies
21h19m

Would you say that it's possible that the answer to the article's question is:

- Telegram is not encrypted from Putin's perspective

- Telegram is encrypted from everyone else's perspective

rasz
0 replies
17h40m

Don't forget UAE, they also get full access, Durov couldn't live there if they didn't.

lxgr
2 replies
22h32m

If telegrams encryption is so bad why is Pavel Durov under arrest?

He's under arrest precisely because it is bad enough that Telegram is in a position to share data with law enforcement, but it chooses not to.

taikahessu
1 replies
22h28m

Or maybe he is sharing with the other guys.

lxgr
0 replies
22h25m

Possibly so, but I doubt that that's why he's currently being held.

It's probably not enough for French authorities to know that some other country's equivalent is getting a copy of all messages and metadata when they want it themselves.

empath75
1 replies
18h48m

Do you think he doesn't cooperate with Russian authorities?

sam_lowry_
0 replies
17h29m

I am pretty sure he does not, given all I know about him, his brother and the way Telegram is being developed.

mihaaly
0 replies
21h45m

The arrest was about the expected removal of illegal and harmful content in groups, that masses see, so no encryption involved. Did you not read the news - AND the blog - in full?....

maqp
0 replies
20h3m

If telegrams encryption is so bad why is Pavel Durov under arrest?

Because it was so bad he had access to all that content, and because he had access to it, he should have moderated it, and because he didn't he's now arrested.

Is it simply that telegram is the only one without backdoors for five eyes?

Telegram doesn't have a backdoor. Its open source client can be used to verify it leaks every group message, and every desktop message you ever send, to the service provider without ever applying secret-chat grade encryption.

It seems to me the secret chat feature actually works too well?

Well, Signal can be used to verify its end-to-end encryption is actually used everywhere, but nobody's calling for arresting Moxie or Meredith. So maybe playing 5D-chess over the news isn't working, unless you're here just to amplify this ridiculously fallacious line of thinking.

Stagnant
0 replies
22h9m

The difference between telegram and others is that in telegram you can type "<city> drugs" to global search and find groups with drug dealers and buyers near you instantly. I don't think his arrest has anything to do with the level of encryption at all.

Personally I find Telegram kind of refreshing in nowadays internet landscape where everything is so sanitized. You can discover all kinds of niches you never knew existed.

kitkat_new
30 replies
22h47m

The worst thing is that almost every non-techie who uses Telegram thinks Telegram in general is e2ee.

sundarurfriend
11 replies
21h31m

Not a single person I know who uses Telegram cares about or thinks of it as e2ee. Whether "techie" or "non-techie" (whatever the definition of that is). People use it because it has a nice interface, was one of the first to have good "sticker" message support (yes, a lot of people care about that kind of stuff), and of course because of the good old network effect.

It's only on HN I ever see people set up Telegram as some supposed uber-secure private app for Tor users and then demolish that strawman gleefully.

maqp
6 replies
20h30m

You could also ask about whether they think it's private. And if they say yes, ask them what it means. Does it mean only sender and intended recipients can read the message, or is it fine if the service has someone check the content. Would they agree on the notion "it's OK my nudes I send to my SO are up for grabs for anyone who hacks Telegram's servers", or do they think Telegram should plug this gaping hole.

Also, people tend to state they have nothing to hide, when they feel they have nothing to fight with. But I can't count the number of times I've seen a stranger next to me on a bus cover their chat the second I sit next to them. Me, a complete random person with no interest in their life is a threat to them.

sam_lowry_
4 replies
17h40m

And if they say yes, ask them what it means

I just did it to gather anecdotal evidence and the answer was, the founder is in jail to protect their privacy.

maqp
3 replies
17h2m

So they take theatrics over logical evaluation of the situation. Cool. Tell them Durov could have locked himself out of their data and spared himself the trip to behind bars.

tsimionescu
1 replies
11h56m

Durov is in jail because he is not doing moderation of public chat channels, as far as has been shared. It has exactly nothing to do with encryption or privacy, in both directions (that is, it doesn't in the slightest prove that Telegram doesn't share private data with various states; and E2EE of private chats would not have done one iota to keep him out of jail).

sam_lowry_
0 replies
10h30m

You probably don't use Telegram channels much. There are some drug and prostitution related channels you can search for but they disappear rather quickly or are totally empty.

Christo Grozev shared screenshots of a few CSAM channels yesterday, but if you search for them, they do not seem to exist.

Telegram clearly does less pre-moderation than Facebook, but they are smaller and have less computing and they do not seem to rely on the masses of Nigerian moderators that work for 5$/day as Facebook does.

guappa
0 replies
11h53m

Why is he in jail anyway? Certainly he's not a pedo drug dealing terrorist… So there is another reason. As to what that is, we can only speculate.

My speculation is that he set a too high price to share the private data with France or USA.

wruza
0 replies
17h16m

You may try sitting near a completely open-space developer and watch what they are doing, and see the 10x performance drop on average, while there was zero privacy on screen at all times. It helps to realize that people do not always behave logically (we have lots of group instincts legacy) and it doesn’t always work as a proper argument.

Aachen
1 replies
20h4m

Do you read other news sites that mention Telegram or is this an N=1 situation?

Today, on the same topic, another tech site which generally gets a lot of things right (but whoever is responsible for writing about Telegram, or maybe their internal KB, is consistently wrong and doesn't care about feedback) wrote that it is an encrypted chats service: https://tweakers.net/nieuws/225750/ceo-en-oprichter-telegram... ("versleutelde-chatdienst" means that for those fact checking at home)

sundarurfriend
0 replies
2h20m

Do you read other news sites that mention Telegram

The average person I know that uses Telegram ("non-techie" as GP comment put it) certainly doesn't. People join telegram because it has a group they want to join, or via word-of-mouth of a friend recommending it. Normal people don't read tech news, and if they do they don't give it much weight.

Maybe that sucks, maybe they'd be better off somehow if they did, but the reality is that most people live in a different universe from those of us who care about e2ee security or read tech news with interest.

yard2010
0 replies
11h50m

For the past few weeks I've been using Telegram to create my own cool sticker and when talking with people in WhatsApp (eughh) I find myself having trouble finding the words my Telegram stickers would mean.

smt88
0 replies
21h17m

Telegram is mostly used by people in the US for drug deals and chatting with people in Eastern Europe, so it's very common to believe it's a secure messenger.

as1mov
11 replies
22h14m

Anecdotal evidence, so take this with a grain of salt - I work with a bunch of people from Ukraine and almost all of them exclusively use Telegram to keep up with the news and family back home. From talking to them for a while, it's mostly because it's free, has excellent support for sync across multiple devices (including audio, video and other media), has support for proxies to circumvent any kind of blocking, public channels for news updates.

Honestly it would be better if Telegram dropped the facade of having E2EE. It's generally very low on the priority list of most people anyway, as much as it would hurt anyone reading this, but that's the truth. People are not using it for secure messaging, but for a better UX and reliability.

EDIT: Telegram does require a phone number to sign up.

LudwigNagasena
9 replies
22h6m

doesn't require any personal identifier

Do they still not require ID when you buy a SIM card in Ukraine?

as1mov
7 replies
21h50m

Actually I was wrong. Just checked and Telegram does require a phone number to sign up. I haven't used it myself much, but was relaying the general reasons why regular people use it.

theshrike79
6 replies
21h24m

You need it to register, but afaik it's not shown to anyone in any way.

You can just grab any prepaid SIM and use it if that's your style

glitchc
3 replies
19h46m

Yeah but the server can correlate it to all messages sent by you, and law enforcement can link server logs to your real identity through your telco.

wruza
2 replies
17h29m

Those who need to dissociate with a number have anonymous sim cards in abundance. Costs around $2-5 a piece when ordered in bulk.

That said, such high-tech operation is just a geek's fantasy about spies. When you cross the line where it becomes reality, you’re either a very big name with a sudden drug/rape history or a subject for waterboarding which is the most effective cryptanalysis tool invented.

glitchc
1 replies
14h28m

While this is a well-trodden stereotype, and it certainly has merit, not all crimes are Snowden-level crimes against the state. Felonies such as embezzlement, fraud and trafficking are often investigated by exposing the digital trail. Law enforcement most definitely do pull those records with a subpoena. It's often one of the first things done (pull all banking and phone records) and is often a key ingredient in a successful conviction.

Yes, burner sims definitely help evade investigations, but they are harder to get nowadays, depending on jurisdiction. For instance you can't pay cash for a SIM in North America. It has to be a credit card or a bank transfer and that's a form of ID.

yard2010
0 replies
11h44m

If I'm not mistaken you can buy a special 888 number which works only for telegram from telegram

prmoustache
0 replies
9h49m

Yep but you still need to have it staying activated and on whenever you need to activate the telegram app on a device.

I was using Telegram for one single usage, which was a group organizing local meetup events for expats. When I switched smartphone I really didn't want to install an app just for one group and would have preferred using Telegram web to consult it occasionally. Every time I tried logging in on a computer/smartphone it told me to validate the login from Telegram on my original, now wiped clean, smartphone. I just gave up.

0xEF
0 replies
8h9m

You need it to register, but afaik it's not shown to anyone in any way.

Then why is a phone number needed to register? If PII is "not shown to anyone in any way" then it should be completely unnecessary to provide it to the service. Do not let that particular wool be pulled over your eyes.

andrewyazura
0 replies
21h2m

yes, you can just get a prepaid SIM virtually anywhere. though there is an option to add your ID for security purposes

prmoustache
0 replies
9h53m

Ideally they should really use something like jami. https://jami.net/

wruza
0 replies
16h47m

I’d guess (not gonna test it but it feels reasonable) that “almost every non-techie” has a very vague idea of what e2ee even is, so it’s not clear where the worst part comes from. Pretty sure the best ideas they have about security are from hacker movies best case on average.

rldjbpin
0 replies
10h15m

not everybody understands that "encrypted" =/= "end-to-end encrypted".

the perceived secure nature of telegram has been memorialized in mainstream rap, courtesy kendrick lamar in 2017 (https://genius.com/11665524).

podviaznikov
0 replies
22h43m

100% this. most people do not realize that all those non-secret messages from private chats and group chats are stored in a database that people at Telegram have access to.

lxgr
0 replies
22h38m

Amplified by journalists, and most frustratingly to me even some techies that just can't be bothered to properly examine all available facts despite their technical capabilities to examine them.

d0mine
0 replies
19h57m

BS. Vast majority of non-tech users do not, for a simple reason that they can't know it even if they cared, and they do not. Even tech users can't be bothered to read links to the faq on tg site.

There is so much misinformation around telegram that alone made me trust it more (if a known liar tries to discredit something, it increases chances of it being good--it is about comments here on HN).

sharpshadow
22 replies
22h34m

Only the secret chat is e2e encrypted. All the other chat options are not. I think calls are also not encrypted since they appear in the normal chat history not in the e2e chat.

Obviously if your phone is compromised your e2ee chat is not safe.

tamimio
15 replies
22h15m

Obviously if your phone is compromised your e2ee chat is not safe.

Pretty much, a lot of people think that seeing E2EE means everything is safe, which I believe gives a false sense of security. You can have your phone compromised (especially when I know your phone number, Signal I’m looking at you) or be subject to other means of attacks, exposing everything. I would rather know that this app is not secure so I don’t share anything important, while keeping secure communication to other means.

qskousen
8 replies
22h4m

Stealing someone's phone number wouldn't give you any Signal data, as all the messages have perfect forward secrecy, though, right? And all contacts would see an alert that your security number had changed. Not completely foolproof, and I would like Signal to use something other than phone numbers for accounts, but it's pretty good.

tamimio
6 replies
21h56m

Knowing someone's phone number is enough to potentially compromise it. Sophisticated methods can involve zero-click attacks, where just sending you an SMS that you won’t even see can lead to a compromised device. You can check how Tucker got his Signal conversation exposed.

Matrix is far better in terms of security than Signal, but Matrix is far behind compared to Telegram features.

maqp
2 replies
20h7m

You seem to be living on this weird balance of having no threat model. This is what your post implies

1. Signal is bad and insecure because registering user account requires giving a phone number.

2. Matrix is better, it fixes this by registering with emails (although emails also have zero click vulnerabilities)

3. Telegram is better than Matrix, it's more usable (even though it also requires a phone number like Signal)

So pick a lane, is requiring a phone-number a litmus-test for you or not. Is zero-click vulnerability something that needs to be addressed? How do you deal with malicious contacts or people in public groups sending zero-click links?

tamimio
1 replies
16h4m

It isn’t about me picking a lane; I’m just stating things as they are. If you want a feature-rich chat and social app that has a user base too, but you don’t care much about security, go for Telegram. Although some might argue that chats aren’t encrypted, no one known has gotten in trouble because Telegram handed over their data. However, you should never rely on that and don’t trust any cloud-based service in general. Knowing that in advance makes it better so you treat it as you would any social media.

If you want security on the other hand but with fewer features and a smaller user base, go with Matrix. You don’t need an email, by the way; it’s optional (1).

Signal is just in the middle, lacking Telegram's features and Matrix's security, resulting in a weird abomination that I would never recommend to anyone. For a normal non-techie person, I would say go with Telegram, and if you care about security, use Matrix. Recommending Signal might give a false sense of security.

(1) https://ems-docs.element.io/books/element-support/page/creat....

maqp
0 replies
14h40m

no one known has gotten in trouble because Telegram handed over their data

The correct solution to sleeping with an axe struck on the roof above your bed isn't to not worry about it because axes coming loose on their own aren't a common occurrence. Telegram has no business in peoples' personal lives and it shouldn't be collecting that data.

Plus the risk of massive data breach is insane. I'm not sure if you know about the Finnish Vastaamo Psychotherapy hack, when thousands of patients' personal lives were published in the dark web https://en.wikipedia.org/wiki/Vastaamo_data_breach These victims are under constant extortion about that data getting spread even further. Now imagine that with close to one billion users. There is a LOT that people share on these platforms, how they unload to their close ones. Durov has no right to keep this amount of data sitting on some random server, especially given the authors' poor track record of security design.

you should never rely on that and don’t trust any cloud-based service in general

This should be the take-away before the breach happens. But surely you agree Telegram is doing a horrible job being transparent about its security, it's implying it's heavily encrypted, which laypeople assume means what end-to-end encrypted messaging provides.

Recommending Signal might give a false sense of security.

Again, pick a lane. If you think zero click attacks of Signal are an issue but they magically disappear from Matrix clients, say so. They don't.

Decentralized system doesn't help with metadata. It's just spreading it to even more systems, every server people indiscriminately choose get a copy of groups' communication metadata, yay.

Your buddy self-hosts for you and your peers, now you have an individual with personal interest to take a peek at their peers' metadata. Not good.

There's very little a decentralized messaging platform offers other than baked-in resilience in case the company goes down. You can self-host the service.

But Signal is backed by Signal Foundation and really rich people like Brian Acton have helped it get the organization on a solid foundation. There's nothing that implies it's going down.

From my PoV, I bin Element together with Signal, both provide content privacy, but no strong metadata privacy. For that you go with Cwtch, Briar, OnionShare, Ricochet Next.

Telegram is in the don't use for anything that isn't comparable to public Twitter, and since Telegram inevitably leads to misusing it, it's a dangerous and bad tool. It was built to aggregate user data, and it will inevitably do that, because the masses generally don't prioritize privacy. Telegram monetizing user data is constantly one business decision away. And people using it are on borrowed time. We're not in disagreement about how it should be used, but people don't take that warning seriously, and when (not if, but when) shit hits the fan, it'll be like nothing anyone has ever seen before.

qskousen
1 replies
21h51m

That's a good point. I looked into using Matrix before I switched to Signal, but the user experience just in creating an account was pretty abysmal, at least at the time. As I was recommending it to non-tech people, I ended up going with Signal.

tamimio
0 replies
21h34m

but the user experience just in creating an account was pretty abysmal

I agree it was, probably better now, but for the average person, it’s too much to “process” compared to just adding your phone number and signing up.

sharpshadow
0 replies
7h24m

One does not need to keep the SIM card with the phone number required for registration in the phone.

Also Telegram has an additional password option if you want to login which avoids phone number hijack. Also if you hijack an account the secret chats don’t appear. They are bound to the device.

input_sh
0 replies
21h37m

There's also an option in the settings that translates into taking over a phone number on a separate device isn't enough, you also need to enter the pin. (Not on by default though.)

maqp
2 replies
20h12m

You can have your phone compromised (especially when I know your phone number, Signal I’m looking at you) or be subject to other means of attacks, exposing everything.

Knowing someone's phone number doesn't automatically let you compromise their device. This is such a ridiculous argument.

I would rather know that this app is not secure so I don’t share anything important, while keeping secure communication to other means.

This is a nirvana fallacy. It's essentially saying "We should not talk about Telegram lying about its security, when in reality nothing is 100% secure". Yeah, nothing is, there's always an attack. That doesn't contribute anything of interest to the topic, it just tries to kill the criticism. And I'm saying this as someone who has worked on this exact topic for ten years: https://github.com/maqp/tfc

tamimio
1 replies
15h51m

Knowing someone's phone number doesn't automatically

One way or another, phone numbers are like home addresses in the digital world. Once exposed, it’s just a matter of time and resources dedicated to that. Not to mention, sometimes it’s just needed to cross over the identity, that’s it.

This is a nirvana fallacy. It's essentially saying

I didn’t say that. As I mentioned in the other comment to you, some or a lot of people just don’t care about security, and as long as this info is known, it should be treated just like any social media.

Great project with TFC, I never heard of it, but it looks interesting. I would definitely give it a try! I have a question though: does your project require a phone number? If not, why? And would you recommend Signal to anyone who is after security, privacy, and anonymity?

maqp
0 replies
15h0m

If not, why?

Because that's the trade-off you make when you want high entropy unique usernames to prevent enumeration attacks. They become long and random. There's still a "phone number". It just looks something like 4sci35xrhp2d45gbm3qpta7ogfedonuw2mucmc36jxemucd7fmgzj3ad. You know that string and you can make a computer somewhere in the world accept some GET requests. Who knows if Flask, or whatever is part of the stack, has zero-click vulnerabilities.

And yes obviously I would recommend Signal to anyone who wants content privacy. Since Signal offers only narrow by-policy metadata privacy (unless you're on burner hardware), I'd ask them if they wanted metadata privacy, and if so, I'd point them to the direction of Cwtch https://cwtch.im/. I wouldn't recommend TFC unless endpoint compromise was part of their threat model. It's complicated and nuanced in the deep end of the pool.

alerighi
2 replies
21h43m

Not only that. If they want to intercept e2e chats it's possible with a MITM attack, which is not a difficult thing to do if you control the server. Of course, if the users check the keys they see they are different, but practically no one does that.

And I think WhatsApp probably does it, otherwise why have the authorities never complained that WhatsApp did not let them see the conversations?
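
The two points made in this thread (a transport-encrypted "cloud" chat is plaintext at the server, and a key-distributing server can sit in the middle of an end-to-end chat unless users compare keys), as an added example that is not code from any commenter or from Telegram, Signal or WhatsApp. The toy Diffie-Hellman group, the keystream cipher standing in for an AEAD, and the `Server` class are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman group: an assumption for this demo only.
# Real messengers use X25519 and an AEAD; nothing here is production crypto.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Stand-in for an AEAD: SHA-256 keystream XOR plus an HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def fingerprint(my_pub, peer_pub):
    """Order-independent digest of both public keys, compared out of band."""
    keys = sorted(k.to_bytes(32, "big") for k in (my_pub, peer_pub))
    digest = hashlib.sha256(b"".join(keys)).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))

class Server:
    """Hypothetical relay. `readable` holds every plaintext the operator can obtain."""
    def __init__(self, substitute_keys=False):
        self.substitute_keys = substitute_keys
        self.directory = {}
        self.readable = []
        self.priv, self.pub = keypair()

    def publish(self, name, pub):
        self.directory[name] = pub

    def lookup(self, name):
        # A key-substituting server answers every lookup with its own key.
        return self.pub if self.substitute_keys else self.directory[name]

    def store_cloud_message(self, plaintext):
        # Transport encryption ends at the server, so it handles plaintext.
        self.readable.append(plaintext)

    def relay(self, sender, recipient, blob):
        if not self.substitute_keys:
            return blob  # opaque bytes: the server holds no key that opens it
        plaintext = unseal(shared_key(self.priv, self.directory[sender]), blob)
        self.readable.append(plaintext)
        return seal(shared_key(self.priv, self.directory[recipient]), plaintext)

def cloud_chat(message):
    server = Server()
    server.store_cloud_message(message)
    return server.readable

def secret_chat(message, substitute_keys):
    server = Server(substitute_keys)
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    server.publish("alice", a_pub)
    server.publish("bob", b_pub)
    key_for_bob = server.lookup("bob")      # what Alice is told Bob's key is
    key_for_alice = server.lookup("alice")  # what Bob is told Alice's key is
    sealed = seal(shared_key(a_priv, key_for_bob), message)
    blob = server.relay("alice", "bob", sealed)
    delivered = unseal(shared_key(b_priv, key_for_alice), blob)
    return {"delivered": delivered, "server_readable": server.readable,
            "alice_fp": fingerprint(a_pub, key_for_bob),
            "bob_fp": fingerprint(b_pub, key_for_alice)}

if __name__ == "__main__":
    print("cloud chat, server reads:", cloud_chat(b"constructed sample message"))
    for substituted in (False, True):
        print("keys substituted:", substituted, secret_chat(b"constructed sample message", substituted))
```

In both end-to-end runs the message is delivered intact, so nothing in the chat itself reveals the substitution; only the mismatch between the fingerprint Alice computes and the one Bob computes does.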

tamimio
0 replies
21h36m

And I think WhatsApp probably does it

Rule of thumb: never trust anything Facebook. I’m sure sending your messages through mail is more secure and private than WhatsApp these days.

0x_rs
0 replies
21h8m

WhatsApp has defaulted to aggressively storing allegedly "E2EE" conversations without any form of encryption in Google Drive (freely) for years. And it would seem they are also currently in possession of the keys to decrypt them when you restore such backups from another device without the key stored on it (that lately cannot be extracted without exploits or root access anyway). Facebook/Meta has often expressed their love for the practice of client-side scanning or parallelly sending data to their servers, but it doesn't seem the case for WhatsApp yet, so what measures they take to remain compliant with the ever-increasing surveillance practices remains to speculation. For a somewhat educated user that knows to opt-out of online backups every time it's prompted by the application, I'd say it's probably safer than normal Telegram chats, but very far from flawless.

maqp
0 replies
20h6m

Too bad I can't send a secure text from my Telegram desktop client. Lucky for me, there's Signal.

lxgr
0 replies
22h26m

Depends on who your adversary is and how much you trust their protocol (some weird homegrown thing with clever/questionable cryptographic choices, the last time I checked) and implementation. Your texts don't generally run through Telegram's infrastructure, for example.

aquatica
0 replies
22h18m

Only 1-1 calls are encrypted, voice chats (group calls) are not

johnisgood
0 replies
5h16m

Does Telegram support E2E on anything other than Android and iOS? Last time I checked it was not available for desktop.

NayamAmarshe
0 replies
21h21m

Obviously if your phone is compromised your e2ee chat is not safe.

Yes, and that's where the 'practical' argument pops up. With all the E2EE buzz, is it really helping in the scenarios where it's supposed to work the best?

This thread gives an overview on why Signal and other apps are not really practical: https://x.com/Pinboard/status/1474096410383421452

The broader problem of ephemeral or spur of the moment protest activity leaving a permanent data trail that can be forensically analyzed and target individuals many years after the fact is unsolved and poses a serious risk to dissent. But E2E is not the solution to it.

I feel like Moxie and a lot of end-to-end encryption purists fall into the same intellectual tarpit as the cryptocurrency people, which is that it should be possible to design technical systems that require zero trust, and that the benefits of these designs are self-evident

ahmedbaracat
16 replies
22h36m

Are there any pointers for work to try to make metadata private (I.e encrypted)?

I was recently very curious about this question and asked similar ones here:

https://news.ycombinator.com/item?id=41267877

https://news.ycombinator.com/item?id=41270863

On a side note, I was just recommending Telegram as alternative to WhatsApp (but I did mention that we need to enable Private chats for E2E). It is definitely not an ideal UX.

https://barac.at/essays/on-leaving-meta

mr_mitm
11 replies
22h21m

Why didn't you recommend signal?

on_the_train
8 replies
22h15m

Signal lost all credibility with their cryptobro bullshit

on_the_train
2 replies
15h23m

That's not how credibility and trust works

maqp
1 replies
14h37m

Well you hating on a feature you don't have to use doesn't affect my opinion about the well thought out security design around the rest of the application. I have zero sympathy for the distributed Ponzi scheme that is cryptocurrency, but nothing in Signal has gotten worse with the feature.

on_the_train
0 replies
3h37m

How would you feel if they add ai, Blockchain and nft features?

tptacek
1 replies
22h12m

Only among people who pay attention to cryptobro bullshit. They remain the gold standard among cryptography engineers.

Aachen
0 replies
19h38m

Is Session's also good? They had this cryptobro stuff from the beginning so I never paid attention despite their claims that security is on par with Signal and the like (probably not the SGX and sealed sender bits, but the message contents encryption). Nobody ever talks about it but yesterday they apparently got a million users. Makes me wonder whether to start paying attention

mr_mitm
0 replies
22h9m

But telegram also launched a cryptocurrency: toncoin

So why recommend telegram over signal?

jraph
0 replies
21h8m

I don't care for crypto bullshit, and I was not too happy to hear that Signal joined that party, but it turns out you don't run into this as a Signal user if you are not specifically looking into it.

I don't believe they lost any credibility with this, I think people don't know about it for the most part, or don't care for the majority of the remaining part.

ajsnigrutin
0 replies
19h30m

Signal really needs a good bot support... that's the only thing keeping me on telegram.

ahmedbaracat
0 replies
22h16m

I am recommending both. The problem with Signal (which I use along with the other messaging apps) is that it is not as feature rich as the other 2 and Signal is not popular so ppl download it just to interact with one person (Me) whereas Telegram has more user base.

codethief
1 replies
22h19m

As mentioned in a comment to one of your posts, the GNUnet people have probably gone the furthest in the quest to obfuscate metadata. Unfortunately, to this day no usable messenger application has come out of this, partially because GNUnet has largely been a research project.

As for applications in use today that address the metadata problem, have a look at Signal's Sealed Sender feature: https://signal.org/blog/sealed-sender/

As for recommending Telegram for secure messages, I side with the sibling comments ("Don't").

codethief
0 replies
22h6m

Since you seem to focus on decentralized protocols, I should add: In practice, while we all like federated and p2p apps for the freedoms & this warm fuzzy feeling they provide us with, by default they tend to have a much greater attack surface when it comes to metadata. This is because, compared to a centralized approach, metadata is openly available to far more parties. As a result, 3-letter agencies often won't even need a warrant to get their hands on the metadata: They can simply run traffic analysis and/or participate in the network themselves.

maqp
0 replies
19h52m

I know a bit about this topic.

For metadata you first want to remove the obvious identifiers, phone numbers, names. You'd want to use something like anonymous@jabbim.pl for your IM account.

Next, you'd want to eliminate the IP-addresses from server, so you'd want to connect exclusively through Tor. So you'd set the IM client proxy settings to SOCKS5 localhost:9150 and run Tor client to force your client to connect that way. This is error-prone and stupid but let's roll with it for a second.

Now jabbim.pl won't be able to know who you are, but unless you registered your XMPP account without Tor Browser, you're SoL, they already know your IP.

A better strategy is to use a Tor Onion Service based XMPP server, say 4sci35xrhp2d45gbm3qpta7ogfedonuw2mucmc36jxemucd7fmgzj3ad.onion (not a real one), and you'd register to it via IM client. Now you can't connect to the domain without Tor, so misconfiguring can't really hurt.

So that covers name and IP. We'll assume the content was already end-to-end encrypted so that leaks no data.

Next, we want to hide the social graph, and that requires getting rid of the server. After all, a server requires you to always route your messages through it and the service can see this account talks to this account, then to these ten accounts, and ten minutes later, those ten accounts talk to ten accounts. That sounds like a command structure.

So for that you want to get rid of the server entirely, which means going peer-to-peer. Stuff like Tox isn't Tor-only so you shouldn't use them.

For Tor-only p2p messaging, there's a few options

https://cwtch.im/ by Sarah Jamie Lewis (great, really usable, beautiful)

https://briarproject.org/ (almost as great, lots of interesting features like forums and blogs inside Tor)

https://onionshare.org/ by Micah Lee. Also has chats between user and hoster

https://github.com/maqp/tfc by yours truly, crude UX but the security is unparalleled.

> On a side note, I was just recommending Telegram as alternative to WhatsApp

Don't. Telegram and WhatsApp both leak metadata, but WhatsApp is always end-to-end encrypted. Telegram is practically never end-to-end encrypted. I'd use WhatsApp over Telegram any day. But given that unlike WhatsApp, Signal is open source so you know the encryption works as advertised, it's the best everyday platform. The metadata free ones I listed above are for people in more precarious situations, but I'm sure a whistleblower is mostly safe when contacting journalists over Signal. Dissidents and activists might find Cwtch the best option however.

lxgr
0 replies
22h28m

> I was just recommending Telegram as alternative to WhatsApp

If you care about privacy and security, please don't. Defaults matter, and private chats are effectively unusable for anyone using more than one device or needing group chats. And that's not even considering their strange home-baked cryptography.

lxgr
13 replies
22h37m

Telegram offers end-to-end encryption in the same way that McDonalds offers salads.

tpoacher
6 replies
21h5m

yes. in that if you want it it's there, but nobody's forcing it on you if you just want a burger.

maqp
5 replies
20h20m

Oh, I must have missed this. Please tell me how to enable secret chats for groups. And my desktop chats. Also I'd like to turn on the setting for defaulting to secret chats whenever I open a new one. Oh? I can't. Sounds like it's not there if I want it, after all. Good thing they didn't force it on me though /s

wruza
4 replies
16h59m

You can’t have secret chats for groups.

For desktop secret chats you may use Unigram client (although it’s hard for me to justify a potentially non-mobile secret chat).

The rest is trivial and isn’t that hard unless you contact hundreds of new people a day. In that case, I’d already thought of using ahk automation or a full-blown telethon bot.

maqp
3 replies
15h13m

Sounds like I should stick to Signal that got this right from the get-go.

guappa
2 replies
11h51m

apt install signal

Error: Unable to find the package signal

maqp
1 replies
9h17m

$ sudo apt install telegram

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

E: Unable to locate package telegram

Also

$ sudo apt install signal-desktop-beta

[sudo] password for :

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

signal-desktop-beta is already the newest version (7.22.0~beta.1).

0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.

So, yeah.

guappa
0 replies
6h5m

It's called telegram-desktop -_-'

apt install signal-desktop-beta

Very nice. Too bad it doesn't exist. Making up package names doesn't magically bring them into existence.

So, yeah.

rvnx
0 replies
21h57m

Expired from the day before, but with a fresh date sticker on it?

littlestymaar
0 replies
22h27m

I love the comparison, stealing it.

lcnPylGDnU4H9OF
0 replies
21h4m

Technically but not practically.

layer8
0 replies
22h3m

Overly chilled?

ben_w
0 replies
22h27m

Via a touchscreen? :P

adrianmonk
0 replies
21h19m

In opposition to something French?

Canada
13 replies
10h33m

Let's stop repeating this word "moderate" when what we're talking about is censorship.

Moderation is what happens here on HN: Admins have some policies to keep the conversation on track, users voluntarily submit to them.

Censorship is when a third party uses coercion to force admins to submit to them and remove posts against their will.

Durov has been arrested for refusing to implement censorship, not for anything concerning moderation.

ossyrial
2 replies
10h13m

> Moderation is what happens here on HN: Admins have some policies to keep the conversation on track, users voluntarily submit to them.

What do you mean by users voluntarily submitting to these policies? This distinction seems key in your argument, but I don't see what alternatives to submitting I have here, making it involuntary, right?

Canada
1 replies
1h14m

No, you miss the point.

If HN decided to ban all posts about Donald Trump that is moderation. Users voluntarily submit to this policy by participating in the site, and if they do not, they will be banned.

If the State of California required that all web sites run from their state are REQUIRED to ban all posts about Donald Trump, that is censorship.

Moderation is "your house, your rules" while censorship is someone else imposing their rules in your house.

Do you see what I'm saying? When France is talking about "moderation" of Telegram, what they actually mean is censorship.

JoeAltmaier
0 replies
1h6m

A pedantic point, which typically argues around the real point. When somebody egregiously violates norms of public discourse with rabble-rousing, slander, deliberate lies and obfuscation, it's reasonable to limit their message's reach with some rules. When they continue despite warnings, then something more has to be done.

Call it what you like; this all had a history and a progression. Not arbitrary or unfair.

alufers
2 replies
9h54m

I don't know how much you have used Telegram, but it's ridden with absolutely vile stuff.

You open the "Telegram nearby" feature anywhere and it's full of people selling drugs and scams. When I mistyped something in the search bar I ended up in some ISIS propaganda channel (which was straight up calling for violence/terrorism). All of this on unencrypted public groups/channels ofc (I'm pretty sure it's the same with CP, although I'm afraid to check for obvious reasons).

I think there is a line between "protecting free speech" and being complicit in crime. This line has been crossed by Telegram.

sulandor
0 replies
9h36m

it's not specific to anything but humans, which are ridden with vile stuff.

just turn off any discovery and suggestion features

Canada
0 replies
4h14m

I use it a lot, and I run some large groups on it. I don't see any of that stuff, I've never gone looking for it, and I'm not even sure how to look for it. Can you tell me some examples of what to search for to see what you're talking about?

VMG
1 replies
10h15m

is removal of CSAM moderation or censorship?

Canada
0 replies
1h50m

It depends on whether the parties to the communication want that or not.

So let's say a few child molesters create a chat service and use it to send the worst, most horrible child pornography amongst themselves. Removing it is censorship, not moderation.

Look, I'm not trying to argue for legalization of child pornography here. That is illegal contraband, full stop. The intent of my comment is to say "let's just call it what it is".

I think the overwhelming consensus is that child pornography is so horrible that mere possession of it must be CENSORED.

I'm not arguing that censorship is always wrong. For instance, I don't want to see public billboards of graphic sex or violence. I think it's good that we censor that, so that we aren't forced to look at things like that when we don't want to.

What is bothering me is that proponents of censorship, and especially certain proponents of it who want to use it as a tool to suppress ideas they don't like, have recently started using the word "moderation" in order to sneak their plans into policy without raising objections. The reason is because when we hear the word "censorship" we immediately think, "Whoa, hold on there, censorship is very harsh, let's take a hard look and make sure this is serious enough that resorting to censorship is justified and appropriate", whereas when we hear the word "moderation" we think, "Of course, we all appreciate someone deleting the spam and trolls who annoy us", and we're less likely to think critically about exactly what kind of expression is being legally prohibited.

StrLght
1 replies
9h41m

> Censorship is when a third party uses coercion to force admins to submit to them and remove posts against their will

What a weird hill to die on, given the whole context of this situation.

Do you see public recruitment of people into terrorist cells as a freedom of speech? Do you see publicly selling drugs as a freedom of speech? It isn't about censorship at all, it's about actual *illegal* activity.

Now it's up to Durov and his lawyers to prove that Telegram actually dealt with that. So far France doesn't seem convinced.

Canada
0 replies
2h25m

Terrorist recruitment and selling drugs is conduct, and whoever engaging in that illegal conduct can, and should, be prosecuted.

The problem I have is with requiring the chat service to police that or making its operators liable for the illegal conduct of its users.

It shouldn't be up to Durov to prove he did or didn't do anything, it's up to France to prove that he or his company actively participated in such conduct. And no, people using the service to engage in the illegal acts isn't nearly enough, any more than Google's CEO should be liable for a drug dealer using Maps to navigate to the drug deal location, or Venmo should be liable for the buyer paying the seller with it.

The reason it's worth defending this "hill" is because allowing governments to use censorship as a convenient means of solving these problems always leads to more control and restrictions that infringe on the legitimate rights of everyone.

I understand the appeal of these tactics. Since we know that terrorist groups operating abroad will use chat services to incite locals to commit violence, it's tempting to search the chat service and stop that from happening by censoring the communication, preventing the radicalization. Since we know that drug sellers organize the sale of the contraband using the chat app, it's tempting to search the chat app and censor that speech, thus preventing the buyer from learning where to meet the seller. Or wait for enough speech to cross the line into conduct and then arrest them for it. Sounds great. If it would work, I'd support it.

The problem is that it won't work, and the only way to "fix it" will be to push more and more and more surveillance and control. It's already being pushed. Look at this chat control nonsense. Do you support that?

So what I'm saying, is let's just recognize that it's a basic human right for people to communicate freely and that operators of communication services shouldn't be held liable for the actions of their users.

K7J6H5G4
1 replies
10h28m

The only difference between "moderation" and "censorship" is whether you like the policy or not.

Canada
0 replies
4h24m

No, it's definitely not. Moderation means I can run my group how I want, you can run your group how you want, and others can decide if they want to participate in either of our groups or start their own groups.

Censorship is when someone else dictates how we can run our respective groups.

furyg3
0 replies
10h9m

Yes but let's also be clear that some forms of speech censorship are widely and broadly supported in public, 'town square' or broadcast media situations. Things like child porn, personal threats, calling for or organizing violence, hate speech, etc. Laws and social acceptance of this kind of censorship, of course, differ in different regions.

Hacker News may 'moderate' illegal content on this website, but they don't have a choice in the matter, US or State authorities will shut them down if they do not, so it's technically censorship. Your view on whether this is good or bad will depend on many factors, one of which may be how you view the legal structure of your government, which is substantially different in France, the US, or Dubai (where Telegram is located).

As is mentioned in the article, Telegram is not simply a 'secure messaging app'. They are also serving a role similar to Facebook, Twitter, Instagram, or TikTok. They host publicly accessible channels or public group chats with thousands of members, which are all (apparently) unencrypted and accessible to the Telegram company. It may be reasonable (both legally and socially) to expect that a company which has knowledge of public, illegal speech to take steps to remove that content from their platform.

And Durov, by choosing to be a media company and not E2E encrypt all of his users' private communications, has walked right into a situation where he needs to abide by local laws moderating/censoring illegal content, everywhere.

mfiro
10 replies
21h16m

In my opinion, Telegram is more of a social network than a messenger. There are many useful channels and in many countries, it plays an important role in sharing information. If we look at it from this point of view, e2ee does not seem very important.

We should also not forget that, in the time when all social media (Reddit, X, Instagram etc.) close their APIs, Telegram is one of the only networks that still has a free API.

maqp
8 replies
20h33m

That's the dangerous part. It's a messaging app that took in the function of a social media platform. It did so without robust security features like end-to-end encryption yet it advertised itself as heavily encrypted. Like Green stated in his blog post, users expect that to mean only recipient can read what you say, i.e. end-to-end encryption.

Telegram would be fine if it advertised itself as a public square of the internet, like Twitter does. Instead, it lures people into a false sense of security for DMs and small group chats, which is what Green's post and thus this thread is ultimately about.

Free API doesn't mean anything until they fix what's broken, i.e. provide meaningful security for cases where there's reasonable expectation of it.

niutech
1 replies
5h51m

> It did so without robust security features like end-to-end encryption yet it advertised itself as heavily encrypted.

Telegram has E2E encryption, but only in Secret Chats: https://telegram.org/faq#secret-chats

hn1986
0 replies
2h17m

Most of its content is not E2E encrypted, especially channels.

est
1 replies
16h23m

> a social media platform. It did so without robust security features like end-to-end encryption

Most social media platforms don't support e2ee.

Some chat apps do support e2ee but also require a god damn phone number to login (yeah so does telegram), this makes "encryption" useless because authorities just ask the telco to hand out the login SMS code.

tapoxi
0 replies
14h11m

The author of this article makes the point that social media is its key feature, but they still advertise Telegram as an encrypted messenger. So your messages to friends will be on Telegram, they're there for the social network, and they will be unencrypted because they don't support E2EE for group chats and deliberately hide the "secret chats" function.

codedokode
1 replies
15h8m

> It's a messaging app that took in the function of a social media platform. It did so without robust security features like end-to-end encryption yet it advertised itself as heavily encrypted.

Do you want to say that social networks must implement E2E? Personally I think it is a good idea, but existing social networks and dating apps do not implement it so Telegram is not obliged to do it as well.

As for promises of security, everybody misleads users. Take Apple. They advertise that cloud backups are encrypted, but what they don't like to mention is that by default they store the encryption keys in the same cloud, and even if the user opts into "advanced" encryption, the contact list and calendar are still not E2E encrypted under a silly excuse (see the table at [1]). If you care about privacy and security you probably should never use iCloud in the first place because it is not fully E2E encrypted. Also note that Apple doesn't even mention E2E in the user interface and instead uses misleading terms like "standard encryption".

This is not fair. Apple doesn't do E2E cloud backups by default and nobody cares, phone companies do not encrypt anything, Cloudflare has disabled Encrypted Client Hello [2], but every time someone mentions Telegram, they are blamed for not having E2E chats by default. It looks like the bar is set different for Telegram compared to other companies.

[1] https://support.apple.com/en-us/102651

[2] https://developers.cloudflare.com/ssl/edge-certificates/ech/

NayamAmarshe
0 replies
12h37m

> It looks like the bar is set different for Telegram compared to other companies.

I too find it disingenuous. Many people here support a monopoly and privacy nightmare like WhatsApp but somehow, a closed-box implementation of E2EE is automatically better than an app with a proven track record of not selling the user data.

prmoustache
0 replies
9h55m

Most "normal" people use messaging apps and social media DMs interchangeably.

For instance 2 days ago my partner wanted to show me a message her friend sent, went to whatsapp and couldn't find it then realized said friend had used instagram DM for that. Most people don't care enough.

mikrotikker
0 replies
3h57m

The free API is amazing. I have so many little helper bots that help me automate my life. It's easy, better, easier and more feature rich than Twilio or Slack. I made my own stock management bot that eats a screener spreadsheet I upload in the chat and tells me if I should sell my stocks.

There is even that freqtrade bot that runs on telegram, even RSS bots. It really is amazing. So easy to use for chat ops.

I don't know what else you would use the API for.

vaylian
0 replies
10h32m

What is your definition of a social network?

ziofill
8 replies
22h16m

> One of the biggest privacy problems in messaging is the availability of loads of meta-data — essentially data about who uses the service, who they talk to, and when they do that talking. […] the same problem exists with virtually every other social media network and private messenger.

Is this true for Signal too? I thought it wasn’t.

daneel_w
3 replies
21h35m

> Is this true for Signal too? I thought it wasn’t.

It is, because you cannot use Signal without giving them your mobile phone number, and from that point onward they (and anyone they might be sharing data with) know the who/what/when, and more. My gut feeling, notwithstanding any apologist and their weak arguments, is that the design choice is exactly about the who/what/when because it's mandatory despite being entirely unnecessary from a technical perspective.

growse
2 replies
19h23m

How does it follow that Signal knowing a phone number means they know who the identity that phone number represents is communicating with?

daneel_w
1 replies
18h55m

Every Signal account is represented by the phone number the user provided in order to receive their SMS activation code, and messages are not sent directly between users' clients/apps but relayed through Signal's systems.

growse
0 replies
11h18m

Your original assertion "signal knows who is talking to whom" does not follow from "Signal relays the data".

lxgr
2 replies
22h12m

Avoiding any metadata leaks without generating tons of cover traffic (to frustrate timing correlation attacks) is very hard.

Signal does indeed use an architecture (at least for chats with contacts, or optionally everyone when you enable the "sealed sender" option that makes you a bit more prone to receiving spam) where Signal doesn't know who's sending a given message from a given IP address, and only which account it's destined for.

But any entity in position to globally correlate traffic flows into and out of Signal's servers can just make correlations like "whenever Alice, as identified by her phone's IP, sends traffic to Signal, Bob seems to be getting a push notification from Apple or Google, and then his phone connects to Signal, so I think they're talking".

ziofill
0 replies
21h41m

How accurate does the timing need to be? I imagine there must be many Bobs getting notifications around the same time. Also, if I use Signal behind a VPN is it still known that I’m talking to the Signal servers?

fsflover
0 replies
21h44m

> But any entity in position to globally correlate traffic

Also, Signal relies on AWS, which could also perform such an attack it seems.

codethief
8 replies
22h27m

Thanks for the blog post, now I finally have a good resource I can point people to next time they claim Telegram is secure.

> I am not specifically calling out Telegram for this, since the same problem [with metadata] exists with virtually every other social media network and private messenger.

Notably, Signal offers a feature called Sealed Sender[0]. While it doesn't solve the metadata problem entirely, it does at least reduce it a bit.

[0]: https://signal.org/blog/sealed-sender/

codethief
2 replies
21h15m

Interesting, I feared Sealed Sender might be susceptible to statistical analysis (hence my phrasing "reduce it a bit") but it's worse than I expected ("Signal could link sealed sender users in as few as 5 messages"). Thanks for the link!

As for TOR, that wouldn't really help much, would it, given that the described attack is at the application level of Signal. Or are you talking about not using Signal altogether?

upofadown
1 replies
20h26m

Yeah, I used TOR as a general example. Briar uses TOR for example to hide the connections between users.

codethief
0 replies
3h41m

Thanks, that was a very nice & accessible talk!

fsflover
1 replies
21h48m

With Matrix, you can use your own (or trusted) server. Doesn't it solve the problem with the metadata? At least when two trusted servers interact.

Aachen
0 replies
19h56m

This is part of what I love about Mastodon: if you PM someone, very often you're talking between two random servers and odds are good that the admin is a friend of a friend. No dragnet statistical analysis stuff, just friends running some software that normal people can also use. Distributed systems at their best

theshrike79
6 replies
12h24m

I don't know why people get hung up on Telegram's encryption. Maybe they're trying to make it be something it isn't.

Is Discord end to end encrypted, is IRC? Nope, does it make them useless? Again no.

Same with Telegram, it's a chat tool where you can select your audience and have a good UX with native bot support. (like Discord and IRC).

That's what I want, nothing more.

If I want to plan a coup, I'd use something else of course.

p4bl0
3 replies
12h13m

It's because Telegram is marketing itself as a secure messaging app, and because journalists continuously present it as such while discussing the arrest of its CEO.

guappa
2 replies
12h3m

I've only heard telegram presented as a messenger for criminals in western media.

noisy_boy
1 replies
10h1m

For some, that would be a pretty big testament for security. What is the app used by people that are facing the power of law enforcement? If it can withstand that, it must be secure.

guappa
0 replies
6h4m

But drug dealers get arrested all the time…

toofy
1 replies
11h46m

because on their front page in giant font they call themselves private and secure and outright say “heavily encrypted”.

it’s their own fault. a better question might be:

why do they keep over and over crying when people call them out for endangering their users? it’s super odd.

Happily2020
0 replies
9h55m

Exactly this. It is all about how they market themselves. If they had promoted themselves as a social media-ish platform, nobody would be causing a fuss about their encryption.

Neither Discord, nor any of the popular IRC clients (HexChat, WeeChat, mIRC) even mention the word security or privacy to promote their products.

Moreover, as Matthew Green mentioned in his blog post, there are many instances where Telegram (or Pavel Durov) has gone out of his way to attack the encryption offered by Signal and WhatsApp. If he were pitting his messenger against Discord, why would he be worried about Signal or WhatsApp?

innagadadavida
5 replies
22h3m

I am amazed at the low quality comments here. Encryption really doesn’t matter as much as the trust of the app here. Any malicious app author can 100% secure encrypt everything in wire and yet leak 100% of your data to some state actor. Anything you type into the chat box is only encrypted by the app after you type and probably storing it in the clear in some local SQLite db. It gives them a whole bunch of options to mess with that plain text data. Even if the app source code is published as you don’t know if they backdoored it before they submitted to App Store.

Aachen
1 replies
19h19m

> malicious app author can 100% secure encrypt everything in wire and yet leak 100% of your data

Um, surely you understand the difference between piping random-looking bytes uselessly to whoever and having a readable copy of all data readily available to whoever hacks the system or applies for a sysadmin role? Or are you making the assumption that people use a closed-source client and the server can push malicious code?

> Even if the app source code is published as you don’t know if they backdoored it before they submitted to App Store.

Doesn't work if you have third parties also working with the system or forking the code to work with it. It gets noticed. Your concept of "e2ee can be 100% leaked anyway" only works if you don't know what code you're running. You need to trust the community in general to uncover issues you've overlooked (in the code or build process) but that's not the same as not having encryption at all. You can't audit the servers but you can audit the client code.

innagadadavida
0 replies
18h52m

> You need to trust the community in general to uncover issues

My point is that this community could just be your friendly CIA operatives running the show with a veneer of open source. Also this “community” has no liability unlike the closed platform companies.

maqp
0 replies
19h18m

> Encryption really doesn’t matter as much as the trust of the app here. Any malicious app author can 100% secure encrypt everything in wire and yet leak 100% of your data to some state actor.

This is exactly the problem with Telegram. Telegram defaults to client-server encryption for everything, and you can't enable end-to-end encryption for anything on desktop, or group chats ever. Only 1:1 chats and calls on mobile have end-to-end encryption. Client-server encryption is exactly the "100% secure encrypt in wire". When that data arrives to the server, it's no longer encrypted, and Telegram can do whatever it wants with that data, including leaking it to some state actor (like FSB/SVR).

> Anything you type into the chat box is only encrypted by the app after you type and probably storing it in the clear in some local SQLite db.

If endpoint security is of concern, your options with networked TCBs are quite limited. Are you sure the malware doesn't have a chance to escalate its privileges and read messages in clear from RAM?

> It gives them a whole bunch of options to mess with that plain text data.

I'm looking forward to hearing about how you managed to fix this. Should we implement memory as eFuses (https://en.wikipedia.org/wiki/EFuse) to prevent editing logs? What if the user wants to delete his messages?

> Even if the app source code is published as you don’t know if they backdoored it before they submitted to App Store.

E.g. with Signal android, you can pull off the APK from the device, and compare its hash against the client that was reproducibly built from the source code you have in your possession. Been there done that https://imgur.com/a/wXYVuWG

> I am amazed at the low quality comments here.

Too bad you're not exactly improving them with your nonsense.
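
The comparison of an installed APK against a reproducible build described in the comment above, as an added example (not code from the thread and not Signal's own tooling). A store-installed APK is signed with the publisher's key, which a local build cannot reproduce, so this sketch compares the archives entry by entry and skips the signing files; the APK contents and entry names are constructed sample data.

```python
import hashlib
import io
import zipfile

# JAR-style (v1) signing files under META-INF/. APK Signature Scheme v2+ keeps
# its data in a signing block outside the zip entries, so an entry-wise
# comparison skips that as well.
SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map every non-signature entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            if info.filename in digests:
                # Two entries with one name make "the" content ambiguous.
                raise ValueError(f"duplicate entry {info.filename!r}")
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(device_apk, built_apk):
    """Report entries that exist on one side only or whose content differs."""
    dev, built = entry_digests(device_apk), entry_digests(built_apk)
    return {
        "only_on_device": sorted(dev.keys() - built.keys()),
        "only_in_build": sorted(built.keys() - dev.keys()),
        "content_differs": sorted(n for n in dev.keys() & built.keys()
                                  if dev[n] != built[n]),
    }


def matches(report):
    return not any(report.values())


def make_apk(entries):
    """Build a small zip in memory to stand in for an APK (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: a local build, the same code as shipped and signed,
# and a shipped copy whose code differs from the published source.
APP = {
    "AndroidManifest.xml": b"<manifest package='org.example.messenger'/>",
    "classes.dex": b"dex\n035\x00 application code",
    "res/raw/config.json": b'{"endpoint": "chat.example.org"}',
}
SIGNING = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed signature bytes",
}
BUILT = make_apk(APP)
DEVICE_GENUINE = make_apk({**APP, **SIGNING})
DEVICE_TAMPERED = make_apk({
    **APP, **SIGNING,
    "classes.dex": b"dex\n035\x00 application code plus extra logging",
    "lib/arm64-v8a/libextra.so": b"constructed native library",
})

if __name__ == "__main__":
    for label, apk in (("genuine", DEVICE_GENUINE), ("tampered", DEVICE_TAMPERED)):
        same_file = hashlib.sha256(apk).digest() == hashlib.sha256(BUILT).digest()
        print(label, "whole-file hash equal:", same_file, compare_apks(apk, BUILT))
```
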

__MatrixMan__
0 replies
21h24m

The malicious app need not be the messaging app either. It could be your keyboard.

SXX
0 replies
19h28m

Telegram basically has "trust me bro" security.

Even worse than Apple. They at least have some e2ee options.

Timber-6539
5 replies
21h34m

Reads like a hit piece on Telegram from a crypto expert who couldn't be bothered to explain in more than one paragraph why the app he is calling not an encrypted app (according to how he personally thinks everyone refers to when talking about encryption) actually uses some encryption technology that he's not exactly sure of but suspects is insecure.

SXX
2 replies
19h19m

TLDR: 99.95% of messages on Telegram stored as plain text on their servers and only encrypted between client and telegram server. End-to-end encryption only working for 1on1 chats, not available half of their clients and have terrible UX.

Timber-6539
1 replies
16h14m

All this is just wrong. I wonder why HN likes throwing up wrong information about Telegram as fact. Is taking up 5 mins to prove these claims that hard?

> 99.95% of messages on Telegram stored as plain text on their servers and only encrypted between client and telegram server.

Wrong and OP doesn't even mention plain text. The non-E2EE client-server data is stored encrypted sparsed out in various servers to different countries. https://telegram.org/privacy#3-3-1-cloud-chats

> End-to-end encryption only working for 1on1 chats, not available half of their clients and have terrible UX.

Wrong again. I actually recently checked this for myself their official clients on Android and Linux desktop have support for MTProto 2.0. Feel free to check if other OS don't support this feature. The only clients I know where this is not enabled are the web clients.

SXX
0 replies
9h19m

> The non-E2EE client-server data is stored encrypted sparsed out in various servers to different countries.

Yet all this data is available to any person connecting to Telegram API endpoints. It really doesn't matter what their distributed storage looks like underneath if there is a point where everything is available as plain text.

Also this is just "trust me bro" encryption. You can't check any of it.

> Wrong again. I actually recently checked this for myself their official clients on Android and Linux desktop have support for MTProto 2.0.

E2EE in telegram is burdensome to use. It's just a fact for anyone who actually used it daily.

Also many desktop versions only gained E2EE capabilities relatively recently.

maqp
0 replies
19h12m

He specifically explains what people think an encrypted app is:

Many systems use encryption in some way or another. However, when we talk about encryption in the context of modern private messaging services, the word typically has a very specific meaning: it refers to the use of default end-to-end encryption to protect users’ message content. When used in an industry-standard way, this feature ensures that every message will be encrypted using encryption keys that are only known to the communicating parties, and not to the service provider. From your perspective as a user, an “encrypted messenger” ensures that each time you start a conversation, your messages will only be readable by the folks you intend to speak with.

So an encrypted messaging app means to people the security that an end-to-end encrypted app provides.

He then explains how Telegram is not end-to-end encrypted.

* No end-to-end encryption by default

* No end-to-end encryption for groups, not even small groups.

To add, there's no end-to-end encryption for desktop chats either. And no end-to-end encrypted cross-platform chats either.

Your post reads like dollar-store damage control team post that didn't even read the article they're trying to discredit.

cheptsov
0 replies
21h22m

Double that. The entire article reads to me as handpicked and manipulative.

rhelz
4 replies
22h22m

Fascinating. I might have missed it, but I don't think the author mentioned the possibility of steganography. Just code the encrypted text such that it resembles a normal conversation.

waynecochran
2 replies
22h16m

Would you use an image for this? Is there a clever way to do this with text?

rhelz
1 replies
20h31m

You could use an image. But you could use text as well. E.g. you could agree on a code phrase to be said when some "dirty deed done dirt cheap" has been completed. Or you could encode a binary string by alternating British English spellings with American English Spellings: e.g. "color" means 0, "colour" means 1; "gray" means 0, "grey" means 1, etc etc. and then just use those alternate spellings in a normal conversation.

maqp
0 replies
17h55m

The problem with codes is you have to remember them. And then you'll need a massive lookup-table. People don't want to have chats based on limited vocabulary.

This is why we have modern encryption. It converts the most beautiful poem in the world to complete noise and back with no loss of meaning. It allows sending images, books, videos -- culture, without spycraft that requires hours of learning. It's also more secure, given that humans aren't nearly as good at coming up with randomness as a computer's hardware RNG.

maqp
0 replies
19h6m

Steganography is pointless given that encrypted and metadata protected communication is ubiquitously available to those who need it. Steganography is a niche you read about in your first year of studying the world of privacy and what you completely forget because nobody has time for spycraft when there's life to be lived. The novelty wears out faster than you can imagine.

cheptsov
4 replies
22h36m

The author claims that everyone refers to Telegram as an encrypted messenger, but he only provides a single example to support that. I quickly checked Google News and couldn't find any media on the first page that did the same. It feels like a manipulation.

UPDATE: anyone who downvotes, I invite to check for themselves.

Just a few known media:

1. https://www.aljazeera.com/amp/news/2024/8/25/telegram-messag...

2. https://www.washingtonpost.com/technology/2024/08/25/durov-t...

3. https://www.businessinsider.com/telegram-ceo-pavel-durov-arr...

4. https://www.theguardian.com/media/article/2024/aug/24/telegr...

However, indeed, I've seen a few media that call it encrypted. These include France24, POLITICO, and The Times.

Cynddl
1 replies
22h31m

Just today, every French newspaper and hundreds around the world. Two examples:

https://www.thetimes.com/world/europe/article/pavel-durov-te... “Chief executive of the encrypted messaging app reportedly detained at an airport near Paris over alleged failure to stop criminal activity on the platform”

https://www.tf1info.fr/high-tech/telegram-qui-est-pavel-duro... (one of the largest French newspapers) “Who is Pavel Durov, the founder of the encrypted messaging service Telegram, arrested Saturday in France?”

cheptsov
0 replies
22h27m

It’s called handpicking

lxgr
0 replies
22h31m

Subjectively and qualitatively, roughly half of all news articles on Telegram I read contain the word "encrypted" or at least "secure" somewhere.

medo-bear
3 replies
21h59m

Telegram is not Signal, it is a waaay better Discord

Aachen
1 replies
19h25m

Still not indexable, referenceable, or freely readable

It's a walled-garden system which is fine for private chats between groups of friends, but Discord is increasingly being used as a place to report bugs and share information. Telegram furthermore requires signing up with a phone number which Discord did not (now, often, you need to for participating when an admin of a community aka guild aka misnomer "server" turned on that requirement)

https://xkcd.com/979/ This comic will not be understood by gamers growing up today... (Except in many cases someone posted a solution or nudged DenverCoder9 in the right direction at least; with Discord, Slack, or Telegram you'd simply never find the thread in a search engine to begin with.)

kattagarian
0 replies
17h10m

Discord is increasingly being used as a place to report bugs and share information.

So is Telegram. I'm in numerous groups with developers of Linux distros and other apps. Many developers use Telegram's channels to post updates about their work.

SXX
0 replies
19h30m

I guess you meant to say Discord is a worse Telegram that was created earlier. Though obviously many group features got into Telegram at somewhat the same time as Discord gained traction.

dataflow
3 replies
22h28m

Does anyone have any reason to believe that Telegram's E2EE doesn't have a backdoor? Because if not, then I fail to see why it matters whether the E2EE even exists in the first place.

maqp
0 replies
19h41m

Telegram clients are open source. Anyone can verify that the client does the end-to-end encryption correctly.

Telegram has had its own history of really weird issues with its encryption protocol, like the IGE, 2^64 complexity pre-computation attacks, IND-CCA vulnerability and whatever the hell this was https://words.filippo.io/dispatches/telegram-ecdh/

But these are not the big issues here. The issues Green's blog post highlighted were

* Telegram doesn't default to end-to-end encryption.

* It makes enabling end-to-end encryption unnecessarily hard

* It has no end-to-end encryption for groups

Those matter gazillion times more than e.g. a slightly older primitive would.

End-to-end encryption matters because Telegram is not just a social media or Twitter wall. It's used for purposes that deserve privacy, and Telegram isn't providing.

SXX
0 replies
19h33m

Reason to believe is that all their apps are open source and have reproducible builds:

https://core.telegram.org/reproducible-builds

Their custom encryption is questionable, but since it is open source someone would have found out by now if there were obvious backdoors.

NayamAmarshe
0 replies
21h34m

Pavel did mention that investigation agencies tried to lure Telegram developers to use certain open source libraries.

It's no wonder why WhatsApp and other apps don't face much heat from the government, they're already with the government.

A4ET8a8uTh0
3 replies
22h36m

It is weirdly fascinating that this question has to be answered on a semi-regular basis. I am not sure if it is more of an insight into humans, ephemeral nature of software or concern that something major has changed.

scott_w
0 replies
21h58m

I think it’s helpful because, as the author says, Telegram put effort into making you think it’s secure and Signal isn’t. As someone who's not close to this, it’s handy to have regular reminders.

lxgr
0 replies
22h24m

It's an unfortunate reminder in that propaganda sometimes works very well.

kome
0 replies
22h14m

Or it's just nerds who are stupid and don't understand what matters in real world security for most people.

The fact that you can create a huge group and channels without sharing your phone and contacts is what made Telegram big.

You couldn't do that on WhatsApp until a few months ago. And it has been on Telegram for years. Why Hong Kong protesters used Telegram and not Whatsapp? read this: https://x.com/Pinboard/status/1474096410383421452

The fact that Telegram is massively used in both Ukraine and Russia shows that its model cannot be ignored.

tazu
2 replies
22h18m

Am I the only one who uses Telegram mainly for p2p e2ee audio calls? It's great for that.

TheChaplain
1 replies
22h1m

I use it for friends, family and partner, videocalls and normal chat.

Sure, it may not be on the same level as Signal when it comes to security but it simply is leagues above others in terms of usability, stability and bells&whistles. It's like comparing a Ford Zephyr with a Volvo EX30.

tamimio
0 replies
21h47m

I agree, but I wouldn’t compare Signal to a Zephyr. Classic cars have that charm and magic. I would say Signal is more like a Honda Civic; its users are loud and annoying, and yet it’s mediocre in all categories. :)

stavros
2 replies
22h40m

I thought this was going to be just a big "NO." like the are we X yet? pages.

lxgr
1 replies
22h21m

The article is still complying with Betteridge's law of headlines, though :)

stavros
0 replies
22h20m

It probably didn't want to get detained in France.

alerighi
2 replies
21h39m

It's not e2e encrypted, so what? It's something the majority of users does not need, and that doesn't increase security that much given their downsides.

Of course for Telegram it is much more convenient to not have end2end encryption. Given that they store everything on their servers, it means years of chat history that probably weighs Gb for each user, contrary to what WhatsApp/Signal do, of course if 10 million people send each other the same meme it's stupid to have 10 million copies of the same images on their servers just because it is end2end encrypted. They probably have a store where they index each media with its hash and avoid having multiple copies, that is fine. This is the reason Telegram can offer you to have all your messages, including medias that can be up to 1Gb each, stored on a cloud for free.

As a user I prefer Telegram just because it's the only app that works perfectly synchronized among multiple devices (Android, Linux, macOS) with good quality native clients, without wasting space on my phone for data.

By the way, end2end encryption is not as safe as they claim. Sure, the conversation can not be intercepted, however:

- you can put a backdoor on endpoints, that is compromise the user phone (something they do)

- you can make a MITM attack on the server (don't know if they do that, but technically possible)

- you can access the data that is backed up on other platforms (i.e. WhatsApp makes by default backups on Google Drive or Apple iCloud, through which you can access all the conversations in clear text).

maqp
0 replies
19h29m

It's not e2e encrypted, so what? It's something the majority of users does not need, and that doesn't increase security that much given their downsides.

Privacy is a human right. Everyone needs it. And Telegram advertises itself as an encrypted messenger. For every non-expert, that means end-to-end encryption. Only me and recipient can read the message. Users expect Telegram to be more secure than WhatsApp. Telegram claims it's more secure than WhatsApp, and Telegram has attacked WhatsApp over its security. WhatsApp is always end-to-end encrypted, Telegram is not. So don't go putting words into people's mouths.

Given that they store everything on their servers, it means years of chat history that probably weighs Gb for each user

It could be stored there with client-side encryption, Telegram doesn't need to have access to that data. Also who says chats that are ephemeral in nature need to be forever accessible. I save what I need from Signal or Telegram.

This is the reason Telegram can offer you to have all your messages, including medias that can be up to 1Gb each, stored on a cloud for free.

It's not free. It comes with the price of your human right to privacy. You should get a job at Facebook with this marketing pitch.

As a user I prefer Telegram just because it's the only app that works perfectly synchronized among multiple devices

It doesn't sync secret chats at all with multiple devices, not even desktop. Signal does.

good quality native clients

Your script is seven years old https://signal.org/blog/standalone-signal-desktop/

You can put a backdoor on endpoints, that is compromise the user phone (something they do)

Nirvana fallacy. Why is Telegram offering secret chats if all endpoints are compromised? If they're not always compromised, then it should offer end-to-end encryption for everything, always. Like Signal, Whatsapp, Wire, Threema, iMessage, Cwtch, Briar, Element, Session...

you can make a MITM attack on the server

Which is why every messaging app worth its salt offers safety numbers https://support.signal.org/hc/en-us/articles/360007060632-Wh...

Even telegram has them, although their initial implementation of babby's first QR-code was a joke. How do you compare over the phone shades of a color matrix?

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSUnBRB...

you can access the data that is backed up on other platform

Oh, that would be horrible. Good thing Telegram doesn't have its data backed up in cloud, no wait, sorry, it does. ~Everything you ever do with the app is permanently stored in an ecosystem built by the Mark Zuckerberg of Russia, and his PhD in geometry bro Nikolai.

Shill harder.
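The storage argument in the two comments above (hash-indexed media on the server versus client-side encrypted storage) can be made concrete. This is an added example, not code from the thread or from any messenger; the toy cipher, the `BlobStore` class and the sample bytes are assumptions, and the convergent-encryption case goes beyond what the comments mention to show the dedup-compatible middle ground and what it leaks.

```python
import hashlib
import os

MEME = b"constructed sample meme bytes " * 100  # constructed sample media

def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 counter keystream); a real client would use an AEAD."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class BlobStore:
    """Hypothetical server-side store indexed by SHA-256: one copy per distinct blob."""
    def __init__(self):
        self.blobs = {}

    def put(self, blob: bytes) -> str:
        digest = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(digest, blob)
        return digest

def upload_plain(store, media):
    # Server receives the media itself: dedup works and the server can read it.
    return store.put(media)

def upload_per_user(store, media, user_key):
    # Client encrypts under its own key and a fresh nonce: every upload is unique.
    nonce = os.urandom(16)
    return store.put(nonce + toy_encrypt(user_key, nonce, media))

def upload_convergent(store, media):
    # Key derived from the content: identical files give identical ciphertext.
    key = hashlib.sha256(media).digest()
    return store.put(toy_encrypt(key, b"\x00" * 16, media))

def server_can_confirm(store, guess):
    # The server, holding a candidate file, re-derives its convergent ciphertext.
    key = hashlib.sha256(guess).digest()
    blob = toy_encrypt(key, b"\x00" * 16, guess)
    return hashlib.sha256(blob).hexdigest() in store.blobs

def simulate(n_users, media):
    plain, per_user, convergent = BlobStore(), BlobStore(), BlobStore()
    for _ in range(n_users):
        upload_plain(plain, media)
        upload_per_user(per_user, media, os.urandom(32))
        upload_convergent(convergent, media)
    return {
        "plain_copies": len(plain.blobs),
        "per_user_copies": len(per_user.blobs),
        "convergent_copies": len(convergent.blobs),
        "server_reads_plain": media in plain.blobs.values(),
        "server_reads_per_user": media in b"".join(per_user.blobs.values()),
        "server_confirms_known_file": server_can_confirm(convergent, media),
        "server_confirms_other_file": server_can_confirm(convergent, b"other file"),
    }

if __name__ == "__main__":
    for name, value in simulate(5, MEME).items():
        print(f"{name}: {value}")
```

Per-user keys cost one stored copy per upload; convergent encryption restores deduplication but lets the server confirm whether a file it already knows has been uploaded.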

Aachen
0 replies
19h31m

By the way, end2end encryption is not as safe as they claim. Sure, the conversation can not be intercepted, however: [...]

- you can make a MITM attack on the server (don't know if they do that, but technically possible)

No it's not technically possible, by its very definition. The fundamental principle behind E2EE is that the server can be malicious or compromised all you want, but this does not impact message confidentiality or integrity.
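The exchange above about a server in the middle and safety numbers, as an added sketch that is not part of any comment and not any messenger's actual protocol: each user derives a fingerprint locally from their own public key and the key the server relayed for the peer, so a substituted key shows up as a mismatch when the two numbers are compared out of band. The Diffie-Hellman parameters, the fingerprint format and all function names are assumptions chosen for the example.

```python
import hashlib
import secrets

# Toy finite-field Diffie-Hellman parameters (assumption for this example only;
# real messengers use vetted curves and protocols).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def safety_number(my_pub, peer_pub):
    """Order-independent fingerprint of both public keys, computed on the device."""
    lo, hi = sorted((my_pub, peer_pub))
    digest = hashlib.sha256(lo.to_bytes(32, "big") + hi.to_bytes(32, "big")).digest()
    number = int.from_bytes(digest[:10], "big") % 10**20
    digits = f"{number:020d}"
    return " ".join(digits[i:i + 5] for i in range(0, 20, 5))

def run_session(server_substitutes_keys: bool):
    a_priv, a_pub = keypair()          # Alice's device
    b_priv, b_pub = keypair()          # Bob's device
    server_key = None
    if server_substitutes_keys:
        # The relay hands each side its own key instead of the peer's.
        m_priv, m_pub = keypair()
        pub_seen_by_alice, pub_seen_by_bob = m_pub, m_pub
        server_key = session_key(m_priv, a_pub)
    else:
        # Honest relay: public keys pass through unchanged.
        pub_seen_by_alice, pub_seen_by_bob = b_pub, a_pub
    alice_key = session_key(a_priv, pub_seen_by_alice)
    bob_key = session_key(b_priv, pub_seen_by_bob)
    return {
        "keys_agree": alice_key == bob_key,
        "server_holds_alice_key": server_key == alice_key,
        "alice_number": safety_number(a_pub, pub_seen_by_alice),
        "bob_number": safety_number(b_pub, pub_seen_by_bob),
    }

if __name__ == "__main__":
    for mode in (False, True):
        result = run_session(mode)
        match = result["alice_number"] == result["bob_number"]
        print(f"substituted={mode} numbers_match={match} "
              f"server_holds_alice_key={result['server_holds_alice_key']}")
```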

rckt
1 replies
22h35m

This is such an old topic. Every time something related to Telegram happens, somebody starts a discussion about how it's not e2e-by-default. But the reality is nobody cares. And considering this, it's ridiculous now that Durov is detained on the accusations of being responsible for all kinds of information that's being spread in a non-e2e-by-default messenger.

littlestymaar
0 replies
22h19m

He's not in fact detained because information is being spread, he's detained for actively refusing to cooperate with law enforcement.

Aachen
0 replies
19h9m

Seems to hang on some loading screen overlay. If it fits in a toot, care to just copy it here and save people a click?

hippich
1 replies
20h29m

Something that might be interesting in this topic - forked version [0] of telegram client made during protests in Belarus in 2020 (and appears to be actively maintained to this day). Can't vouch for it, but found it interesting.

[0] https://github.com/wrwrabbit/Partisan-Telegram-Android

le-mark
0 replies
19h3m

That GitHub account is… interesting.

fredgrott
1 replies
21h11m

Simple question denotes whether it's encrypted.....

Does cloud server store the message and key.....

If answer is yes, ITS NOT FULLY ENCRYPTED!

Sounds contrary right?

If key and message is on server any LEO org can get it....for it to be fully encrypted cloud server should never store the keys....

So how many services claiming encryption have this flaw? All....

Why do you think Telegram has shell companies to avoid gov subpoenas?

Because it knows that its encryption is faulty to real world LEO and laws as it stores the keys on the cloud which means it can be subpoenaed for those keys and messages.

maqp
0 replies
19h9m

So how many services claiming encryption have this flaw? All....

Telegram is actually one of the only apps I've seen to defend their super-duper secure storage of keys online. All lies of course.

The overwhelming majority of secure messaging apps have no way to recover user data if you drop your phone in the ocean. This includes Signal, Wire, Threema, Session, Element, iMessage etc.

ementally
1 replies
19h57m

One of the biggest privacy problems in messaging is the availability of loads of meta-data — essentially data about who uses the service, who they talk to, and when they do that talking.

I am not specifically calling out Telegram for this, since the same problem exists with virtually every other social media network and private messenger.

In fact, https://simplex.chat/ is the only messenger with the least amount of metadata.

maqp
0 replies
18h54m

This snake oil is spreading like [Herpes] Simplex.

Again, the company lies about queues (a programming technique) being a privacy feature.

The application can not get rid of the metadata of server knowing which IPs are conversing, unless the clients explicitly connect to the service via Tor. The server must always know from which connection to which connection it routes packets. It's not a network hub, it's a switch, after all.

https://cwtch.im/ and https://briarproject.org/ route everything through Tor always, and they don't have server in the middle, which means there is no centralized authority to collect metadata. It's light years ahead of what Simplex pretends to offer.

dboreham
1 replies
22h33m

Perhaps the French authorities have some taste in UI/UX. They're going to keep him in jail until telegram is no longer painful to use.

lxgr
0 replies
22h30m

There's a long list of things I dislike about Telegram, but UI/UX is really not on it.

whatgoodisaroad
0 replies
18h51m

at the end of the day, if you run it on an iPhone, it's iOS that renders the text, and apple is routinely subpoenaed

nickphx
0 replies
22h41m

No, it is not.

lvl155
0 replies
20h25m

I remember having this same conversation on here nearly a decade ago. I stopped using Telegram then.

kopirgan
0 replies
18h50m

This article discusses a well known point about Telegram. But only to techies. Vast majority of users are misled by journalists many of whom have degrees in social "science", political "science" etc. It doesn't say you need encryption; that's for each person to decide, perhaps for each conversation. It needs to be an educated choice.

Though it's old hat better to recycle this often so many know.

knallfrosch
0 replies
11h18m

Is Telegram really an encrypted messaging app?

If it is encrypted, then it aids terrorists and can be banned. So it is encrypted, whatever the technological details. It's a political decision.

kgeist
0 replies
12h47m

For me Telegram is more like an uncensored Twitter slash blog platform. I use it to check out public channels for updates and that's about it. For private communication, I use Whatsapp. So, lack of e2e by default is not an issue for me at all.

justmarc
0 replies
10h42m

One of the biggest, more significant as well as successful Internet-scale cons of the last decades that I can think of, apparently perfectly executed too.

jusepal
0 replies
15h4m

Prime example of Betteridge's law of headlines.

jbk
0 replies
21h8m

The worst is that Telegram Secret Chats are limited in functionalities, compared to the normal ones, for no reason. Sticker sets don't work, for example, and that's one of the main features of Telegram chats.

fsndz
0 replies
17h3m

not being a criminal is really good, I don't have to worry about any of this stuff

formerly_proven
0 replies
22h32m

Well yes, but actually no.

bandrami
0 replies
17h45m

Same thing with proton mail. I have never understood the "Trust me bro we encrypt it" business model. If it's not your key on your client machine it's not encrypted.

WhereIsTheTruth
0 replies
13h16m

you don't use telegram for encryption

you use it because you can use a disposable phone number

nobody ever cares about encryption, it's a false flag

people care about no footprints

that's exactly why it was used to create civil unrest in Iran

https://www.wsj.com/articles/iranians-turn-to-telegram-app-a...

SXX
0 replies
19h22m

This is actually a great blog post since too many people tend to believe that Telegram is somehow more secure and private than alternatives on the market.

Also it's not like Telegram doesn't have censorship. During the last 3-4 years there were many cases where Durov blocked bots and channels that belong to protests and opposition in Russia, marked them as "fake" or just plain removed them with no trace.

So it's just another case where some rich guy tries to sell his own platform as some "freedom of speech" one even though it's just censored to his liking.

Andrew_nenakhov
0 replies
12h35m

Of course not. The genius of Durov was in discovering that users don't really need e2ee and all the drawbacks that come with it, and that promising them that the app has really strong encryption is good enough even without actual encryption.