
Telegram Login for Websites - jfroma
https://telegram.org/blog/login
======
Goopplesoft
By building a phenomenal chat app and gradually (deliberately) building
features around it to create a complete WeChat-like ecosystem, Telegram will
probably improve people's uptake of chat-centric utilities in the markets
they're targeting.

I think the fundamental component to their success is just how snappy and
'live' their chat conversations feel. Everything including their backend perf,
chat bubble animations, etc. seems to be finely tuned to make conversations
feel alive and active.

~~~
on_and_off
Interesting that the official Telegram client gets mocked a lot for how
bloated its code is.

And it absolutely is, from a 2-minute look at their code:

- their chat activity is 12000 lines of code:
[https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...](https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/ui/ChatActivity.java)

- it looks like they have copy-pasted tons of Android libraries like ExoPlayer
directly in their repo

It does work very well though!

I guess that they have an extremely small team (or just one person) and it is
their first Android project.

It looks like they have acqui-hired a competing chat client (Telegram X), so
it looks like they have a solution to clean this mess.

~~~
t1o5
Curious why typecast if instanceof is checked already? Won't the compiler know
of this already?

    if (view instanceof ChatMessageCell) {
        .......
        ChatMessageCell cell = (ChatMessageCell) view;
        ....
    }

~~~
Crespyl
It's essentially just how Java works, and isn't that uncommon in statically
typed procedural languages.

The `view` variable is still a reference of the parent type (Say `MessageCell`
for now, can't be bothered to find that part in the code), and `MessageCell`
references can only do certain things.

It's possible to check what the type of the underlying object is with
`instanceof`, but that doesn't change the type of the reference.

If you want to do things that only a `ChatMessageCell` can do, you need to
make a new reference of that type.
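As an added illustration of the point above (example code written for this thread, not taken from the Telegram repository; `MessageCell`, `ChatMessageCell`, `view` and the method names are assumed, chosen to mirror the snippet being discussed), the following shows why the cast is required when the reference has the parent type, that the cast is itself checked at runtime, and how Java 16's pattern matching for `instanceof` (JEP 394) folds the check and the narrowed reference into one construct:

```java
// Added example, not code from the Telegram code base. All class and method
// names here are assumed for illustration.

class MessageCell {
    // Behaviour reachable through a MessageCell reference.
    String describe() { return "generic message cell"; }
}

class ChatMessageCell extends MessageCell {
    // Behaviour that exists ONLY on the subclass.
    String messageText() { return "hello from a chat cell"; }

    @Override
    String describe() { return "chat message cell"; }
}

public class InstanceofCastDemo {

    // Classic Java (any version): instanceof answers a runtime question about
    // the object, but the static type of `view` is still MessageCell, so the
    // compiler rejects `view.messageText()`. The cast creates a new reference
    // of the narrower type; the JVM re-checks the cast at runtime and throws
    // ClassCastException if the object is not actually a ChatMessageCell,
    // which is why the instanceof guard is kept in front of it.
    static String classic(MessageCell view) {
        if (view instanceof ChatMessageCell) {
            // view.messageText();  // does not compile: MessageCell has no messageText()
            ChatMessageCell cell = (ChatMessageCell) view;
            return cell.messageText();
        }
        return view.describe();
    }

    // Java 16+ (JEP 394, pattern matching for instanceof): the test and the
    // narrowed binding `cell` are one construct, so the redundant cast is gone.
    // This is the "compiler already knows" behaviour the question asks about.
    static String withPatternMatching(MessageCell view) {
        if (view instanceof ChatMessageCell cell) {
            return cell.messageText();
        }
        return view.describe();
    }

    public static void main(String[] args) {
        MessageCell plain = new MessageCell();
        // Static type MessageCell, runtime type ChatMessageCell.
        MessageCell chat = new ChatMessageCell();

        System.out.println(classic(plain));
        System.out.println(classic(chat));
        System.out.println(withPatternMatching(chat));
    }
}
```

The two `classic` calls show the difference between the reference type the compiler reasons about and the object type `instanceof` inspects; `withPatternMatching` compiles only on Java 16 or newer.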

------
newscracker
I don't use WhatsApp. I use Telegram almost always and am impressed with the
speed of development and introduction of new features. In my limited trials
with Wire and Signal, Telegram just blows them out of the water in features,
reliability and speed. I know the background about its crypto being
criticized, but until other apps catch up, I can't move to them. I've already
spent a lot of capital to push a few people to use Telegram and haven't
regretted that move from a user experience point of view.

On topic, I don't like these third party login systems much. Yes, they could
provide better security compared to what smaller websites with less competent
teams could, but associating a login with a provider also means I'm putting
more eggs in one basket, so to speak. I also don't like the privacy
implications, regardless of what Telegram states. It's sad that Mozilla
Persona didn't take off and was shelved. It seemed like the best solution for
this requirement.

~~~
dsacco
_> In my limited trials with Wire and Signal, Telegram just blows them out of
the water in features, reliability and speed._

When you say features, which ones do you mean? Do you mean the user interface?

~~~
lufte
I personally love their bot API and the option to create custom stickers.

Although not "features", having an open API for writing clients for whatever
platform I choose and the fact that their official clients are open source are
also a big plus.

~~~
corndoge
So you use an encrypted messenger, but your choice on encrypted messenger is
influenced not by the quality of the crypto implementation but rather by the
ability to add bots and custom stickers.

Why don't you just use Snapchat?

~~~
pirocks
To be fair Telegram is probably better than Snapchat as a messenger.

------
mtgx
But doesn't this mean you're really logging in with your phone?

It's 2018. Why are we still trusting the phone network for anything related to
authentication? Surely companies like Telegram can't use the excuse that they
didn't know how horribly insecure SMS and the phone network in general are, no?

I don't know how Telegram does it, but it keeps picking the wrong security
options. It's like a gift they have.

~~~
fwdpropaganda
No, in Telegram the phone number is used only as a sort of username. You can
login to Telegram just with a password and the 2FA token gets to you inside
the app itself. Not SMS.

~~~
gant
If you don't have a 2FA password enabled and you're not online on another
device you _can_ login with your phone number.

------
bhnmmhmd
Thanks, but we don't want another Google knowing and keeping all our data,
even websites that we visit.

~~~
timdorr
All of your data? At best, they know the URL of any pages where this widget is
visible. Not all websites, and not even a large subset of that site's pages.

This isn't like a Facebook share widget, which is usually so ubiquitous, they
really _can_ know all the sites you visit.

~~~
rainbowmverse
That's how every now-ubiquitous thing starts. It used to be other things. Most
of them are gone now. Something will take the place of the Twitter and
Facebook buttons some day.

------
jnmandal
While this is very clever, I'm not a fan of the implementation. I wish there
was a documented OAuth2 option and not just an iframe and some script. Script
seems innocuous but I'm not a fan of having the iframe on my page, and it's hard
to control the style. Obviously we can reverse engineer this a bit but I would
prefer to just have a more robust API w/ proper docs.

------
brwsr
> Telegram Login for Websites

Or in other words: We are ready to sell your private data now. Because that's
what actually happens when you login to another website via Telegram login.

~~~
cdancette
That's nonsense.

First, it's you who decides to use Telegram to login to a website (as you would
login with Facebook / Google).

Secondly, you see what information will be shared with the website.

Lastly, there is no money involved. It's totally free to use.

~~~
dsacco
_> First, it's you who decides to use Telegram to login to a website (as you
would login with Facebook / Google)._

Yes, this is implicit in what the parent is saying. The point is, your data
can be shared _if_ you volunteer it by using this feature.

_> Secondly, you see what information will be shared with the website._

At a minimum, you are sharing the fact that your identity logged into the
application. A profile of logins associated with your identity can be built,
and a profile of how many Telegram users logged into a particular website can
also be built. Both (and particularly the latter) are valuable.

 _> Lastly, there is no money involved. It's totally free to use._

This has nothing to do with whether or not your data is actually shared or
sold with third parties.

I'm not necessarily agreeing with the parent that Telegram is going to start
selling user data, but your arguments here do nothing to diminish the fact
that they _could_ do so en masse. A graph of your logins should probably be
considered "private data."

~~~
cdancette
Of course they could sell all your data to third parties.

But it has absolutely nothing to do with this feature as the parent comment
was implying. This feature involves no selling whatsoever.

~~~
dsacco
I don’t follow what you’re arguing. It seems you’re agreeing - yes, Telegram
_could_ sell the login data.

The commenter you replied to was expressing a (snarky) hypothesis that
Telegram will sell login data. You initially said this was nonsense, but are
now saying that they could do so. That’s basically the point.

~~~
cdancette
I'm just saying that implying that this feature would mean Telegram starts
selling user data is nonsense. This is what the first comment was implying.

Ofc Telegram can sell user data like any other company, and may have been doing
it for months for all we know.

------
gant
Telegram's security is a joke. They show the first and last letter of your
password and the length (the number of asterisks they put in the middle
changes) when you sign in. Next to some pretty bad implications (do they store
the password in cleartext or just the length and two letters?), that password
is down to about 1/5 of its original entropy. Told them a year ago, they don't
seem to care.

EDIT: Yes, Telegram uses passwords if you enable them. This is what the
questionable query looks like:
[https://i.imgur.com/BAnddlg.png](https://i.imgur.com/BAnddlg.png)

~~~
tomsmeding
They do? On which login do they show that information? I've only seen the
kind-of two-factor one where you have to enter a code sent in a text message
or with a Telegram message to a different device.

~~~
gant
Took a while for me to reinstall it, this is what it looks like (just after
SMS auth):

[https://i.imgur.com/BAnddlg.png](https://i.imgur.com/BAnddlg.png)

I counted the asterisks, they do in fact reveal the length of the password.

~~~
kozlovsky
Hint is a text field that _you_ fill in when creating a new cloud password.
The hint text is generated based on password if you did not fill it yourself.

~~~
X-Istence
> The hint text is generated based on password if you did not fill it
> yourself.

That... is a problem.

------
sneak
Reminder: Telegram’s crypto is bogus, and use of this app should be
continually and consistently discouraged.

It is a car with seatbelts that don’t work; a car without any seatbelts is
better.

~~~
herbst
Are there known vulnerabilities or do you mean the missing audits and security
through obscurity approach? Because bogus in this context is a very strong
word.

~~~
sneak
It’s not end to end encrypted by default. This is the baseline standard for an
encrypted messenger in 2018.

~~~
herbst
It's not if you focus on searchability and group chatting (Stripe, Discord,
WeChat), so literally the biggest 3 players if you ignore the Facebook stack
(and Facebook hasn't mastered encryption either, plus took very long to even
try).

------
1001101
I wonder what the people who are railing about Kaspersky think about this
development.

~~~
tptacek
Sure, since you asked: It's bad. Don't use this.

------
mitchas
Would love to see this added to Firebase.

------
fwdpropaganda
EDIT: For clarity, the comment below has nothing to do with Telegram Login,
but Telegram itself.

Telegram gets a lot of hate on HN, but I have to say that of all large
messaging apps Telegram has by far the best UX. That said, I can see it slowly
turning into a walled garden. For example, in public channels (distinct from
groups, they're broadcast only) it should be possible to link to their content
from the outside. Instead, if you try that they force you to download the app
to see the content. EDIT2: As someone noted you can link each individual post
on a channel, but you can't see and scroll through a list of posts as you can
from inside the app.

I wish we had a messaging app with a market as large as WhatsApp's, UX as good
as Telegram, security as good as Signal, run by an organization like Mozilla.

~~~
walterbell
_> I wish we had a messaging app with a market as large as WhatsApp's, UX as
good as Telegram, security as good as Signal, run by an organization like
Mozilla._

An open protocol is a prerequisite. There's a 2018 IETF proposal for
interoperable E2E messaging, initiated by Cisco, Google, Facebook and Wire:

Architecture: [https://datatracker.ietf.org/doc/draft-omara-mls-architecture/?include_text=1](https://datatracker.ietf.org/doc/draft-omara-mls-architecture/?include_text=1)

Protocol: [https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/?include_text=1](https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/?include_text=1)

_"Messaging Layer Security (MLS) ... is not intended as a full instant
messaging protocol but rather is intended to be embedded in a concrete
protocol such as XMPP [RFC3920]. In addition, it does not specify a complete
wire encoding, but rather a set of abstract data structures which can then be
mapped onto a variety of concrete encodings, such as TLS [I-D.ietf-tls-tls13],
CBOR [RFC7049], and JSON [RFC7159]. Implementations which adopt compatible
encodings should be able to have some degree of interoperability at the
message level, though they may have incompatible identity/authentication
infrastructures."_

~~~
tptacek
It's not a good plan. They propose to design, _de novo_, in an open standards
group, a cryptographic secure group messaging protocol based on a design that
has never been deployed at any scale. The underlying design is cool --- it's
basically Asynchronous Ratcheting Trees, which was presented in a paper at RWC
just a few weeks ago. That's how _de novo_ this particular "standards" effort
is: the underlying theory is just 28 days old.

Already, in the _starting point draft_, it's been crudded up: it has
"ciphersuites", and comes with support for the NIST P-256 curve --- despite
the fact that the underlying design wants to take byte strings to curve
points, which is tricky to do on the P-curve. It will only get worse from
here. They'll figure out some reason to bolt a PAKE onto it soon enough.

Signal Protocol is exceedingly well-documented (and even before those
documents were written, it was open enough for Wire to lift the protocol
wholesale).

The IETF is bad at cryptography. Your default position should be distrust of
IETF crypto standards.

~~~
walterbell
Can Signal contribute to the IETF design, discussion and documentation?

~~~
tptacek
Since the underlying standard is really a political maneuver meant to thwart
Signal, this seems unlikely.

(I like my source on this, but can't share it; I expect to be able to this
year, though. In the meantime:

0e49002152a374d9c11251cf856a7ccf25ef9bd0db54c3e97bef2a4109dad4f0)

~~~
walterbell
Isn't Facebook (Messenger and Whatsapp) already using Signal Protocol at
scale?

~~~
tptacek
Yes.

~~~
walterbell
Why would Facebook be trying to thwart the open Signal protocol that they are
already using? In a standards discussion like IETF, wouldn't they be more
likely to specify Signal interoperability (i.e. Facebook Messenger and
WhatsApp interoperability) as a requirement on any proposed standard? That
would be good for Signal.

~~~
tptacek
1. Facebook is a big place.

2. Facebook's interests in the standard are not necessarily what drives the
standard; Facebook can just be along for the ride.

I think what's going to happen with this is what happens to all de novo IETF
designs other than TLS, the one that the market requires actually work: it's
going to fail. That's also the outcome that I'm hoping for.

In the meantime, if Millican wants to get together with Katriel Cohn-Gordon
and do a Facebook-only ART protocol design for Facebook Messenger, with an eye
towards replacing Signal Protocol in WhatsApp, _that_ would be a great
development. So would a Cisco-only ART messenger, or maybe even a Mozilla ART
messenger (though Mozilla's motives are the ones I trust least here).

What does not make sense is for a protocol whose service model we barely
understand even in theory to be designed from scratch in an open standards
group. The IETF motto used to be "loose consensus and working code". Now it's
"take an RWC paper, add the P-curves to it, and use it to fuck over the most
successful secure messaging protocol".

We shouldn't be cheerleading this. It's capture, not progress.

------
tcd
> our widget asks for your phone number

I'm good.

