
WhatsApp Will Never Be Secure - eitland
https://telegra.ph/Why-WhatsApp-Will-Never-Be-Secure-05-15
======
pentaphobe
I really want to like Telegram (it's certainly a handy gateway to my attempts
at getting people off Facebook Messenger) but this article seems pretty
misleading & reads like a marketing grab

_Disclaimer: This thread is mostly based off of a sporadic interest in this
space, not necessarily up-to-date research of counterpoints_

A few observations in no particular order:

\- Telegram use their own proprietary encryption algorithm which has had some
questions raised in the crypto community

\- Telegram appear to do a fair bit of hand-waving re. distinguishing their
end-to-end "secure" messaging vs. the default (and more convenient) group and
non-secret messages - which are encrypted differently, and cloud-archived
similarly to what the article describes WhatsApp doing.

  \- Not that there's necessarily a satisfactory alternative, but a privacy-first solution would ideally be more overt

\- Article never mentions Signal (either the protocol, or the competing
application) which have undergone significant peer review, but does refer to
Telegram as distinguishing itself through open source and open process.

\- One can't help but question the motive of a crypto-first app which doesn't
follow crypto best practice, or at least speak candidly about their attempts
to iteratively improve this.

\- Telegram seem to be making moves towards an increasingly "social media
messenger" space - does this run at odds with privacy-first? (my guess would
be it does)

\---

Some links:

\- [Is Telegram Secure? (security stack exchange)](https://security.stackexchange.com/questions/49782/is-telegram-secure)

\- [white paper analysis of Telegram's crypto](https://eprint.iacr.org/2015/1177.pdf)

\- [Signal's Moxie Marlinspike on Telegram's founder](https://techcrunch.com/2017/09/18/signal-moxie-marlinspike-techcrunch-disrupt-sf-2017-telegram/)

EDIT: formatting

~~~
TheChaplain
I use Telegram and so do my friends, despite my (primarily) knowing about the
questionable security.

And the reasons are very simple: because it's packed with features and its
user interface is so extremely well done that it simply outclasses any other
option in those regards.

Second, our normal level of communication simply does not require perfect
security. Being on Telegram or being a group on a bus overheard by everyone
would make no difference. None of us cares because it doesn't matter.

I talk to my family and spouse over "normal" Telegram, and it's the same thing
there. When we need to talk about intimate things we do so eye-to-eye, and
even if it were to become public I believe the audience would find TV soap
operas more exciting.

What I am saying is that our choices are dictated by convenience and enjoyment.
Signal, Riot and Wire provide none of those compared to Telegram.

~~~
siproprio
Don't forget about the native (i.e., not Electron-based), fast, cross-platform
desktop app.

Unlike other platforms, you don't need to have your phone on and connected all
the time to use it.

------
warp_factor
The best approximation of security in this space should be an open
implementation of an open-source protocol that can be easily audited.

As far as I know, the only app that fits this requirement with a minimum
viable community such that it can be used day to day is Signal.

~~~
abeppu
Real questions, which will sound like a conspiracy theory:

\- Is being open source, and some eager and independent security researchers
having done an audit, enough to convince you (or some other well-informed party
on the thread) that no clever flaws are intentionally in the source?

\- Do the funding or institutions which support the development of a piece of
tech change the answer to the above question? E.g. I've been encouraged to
avoid Signal b/c it was created partly with US State Dept funding (via the
Open Technology Fund). The main point made during that conversation was that
the US supports projects like Signal and Tor as a means of supporting
dissidents in other countries. But a side implication was that it may be naive
to rely on tools (indirectly) provided by the state to avoid surveillance by
the state.

~~~
warp_factor
The way I view this, funding can definitely raise suspicion. But the
open-sourcing of the protocols should help to remove those suspicions.

------
mimixco
First lesson taught at IBM for mainframe programmers: _"There is no such
thing as computer security, only the appearance of security."_

