
“Why Using WhatsApp Is Dangerous” - elies
https://telegra.ph/Why-Using-WhatsApp-Is-Dangerous-01-30-4
======
vesinisa
He keeps referring to the video encoding vulnerability in WhatsApp as a
"backdoor". That is not supported by the source[1] he cites, which instead
refers to it as a run-of-the-mill buffer overflow vulnerability. There is a
massive difference here - backdoor implies something that was planted
purposefully. Extraordinary claims require extraordinary proof.

I don't think this post is fair in its assessment and seems more like an
advertisement for Telegram, which itself has its own security issues (like
lacking E2E encryption by default and terrible[2] code quality).

1: [https://www.techspot.com/news/82843-hackers-can-use-whatsapp...](https://www.techspot.com/news/82843-hackers-can-use-whatsapp-flaw-way-handles-video.html)

2: [https://www.reddit.com/r/androiddev/comments/cazz4h/why_tele...](https://www.reddit.com/r/androiddev/comments/cazz4h/why_telegram_code_is_so_ugly/)

~~~
pornel
It probably isn't, but I don't think we can know whether it was on purpose or
not.

If I had to put a backdoor in something, it'd definitely be a buffer overflow.
It gives full remote code execution, it may be hard enough to find to be
NOBUS, and it has perfect plausible deniability.

~~~
vesinisa
_Never attribute to malice that which can be adequately explained by
stupidity._ So - yes, possible in theory, but quite unlikely.

~~~
fauigerzigerk
"Never" seems a bit much, if you accept the premise that all backdoors would
be made to look like accidental security flaws.

But since there are probably a lot more accidental security flaws than
backdoors, I agree that erring on the side of stupidity is justified.

------
rahuldottech
WhatsApp is bad, but Telegram isn't great either. All chats that you haven't
explicitly made "secret" are not end-to-end encrypted. They're apparently
"encrypted", but the keys are controlled by Telegram.

Furthermore, they frequently "ban" channels that they deem contain
"inappropriate" or "adult" content. Clearly they're reviewed by either humans
or AI of some sort. So... that makes me uncomfortable.

Their reason for why you can trust them with encryption keys was "we didn't
hand them over to <insert country here> and so they banned us, where we could
have cooperated and continued operating in said country", which seems
like a pretty weak argument.

For truly decentralised, private and encrypted communication, I _highly_
recommend matrix+riot.im.

EDIT:

> To support this idea, Pavel Durov claims that Telegram is banned in Russia
> and Iran, where both governments asked him for encryption keys to access the
> platform’s messages. Hence for refusing the proposal given by the
> governments of those countries, the app was banned.

From [https://outline.com/BK8f7h](https://outline.com/BK8f7h)

Even if telegram hasn't handed over keys so far, the fact remains that the
keys are still controlled by them and tomorrow if they wished they could
read/expose/publish/share all "private" communication.

Think of it this way. If Bezos had been using telegram as is recommended in
the article and the CEO of telegram wanted to spy on Bezos' chats, he would
have totally been able to.

They say that chats don't have e2e by default so that they can be backed up to
the cloud [0], but there's no reason why you can't back up encrypted chats and
ask the user for a pin and decrypt them on-device.

Furthermore, telegram forces you to link your account with a phone number, and
that acts as the primary (or only) form of authentication, opening you up to
sim-jacking.

Also, this means that anyone who has your phone number is told you're on the
app and given your username, which you may not want for privacy reasons.

[0] [https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by...](https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by-Default-08-14)

~~~
eptcyka
I agree - Telegram's not ideal. But the reason they try and police adult
content is because they're afraid of Apple booting them off the App store.

~~~
Aozi
So Apple will boot an app that gives users the ability to send adult content
to other users....?

That is completely ridiculous and if that is the reason Telegram is policing
adult content then Telegram is run by idiots. You can use any IM app to share
adult content, there are plenty of groups on Whatsapp sharing porn, there are
plenty of groups in iMessage sharing porn, there are porn accounts on
Instagram and twitter, hell the entire reason snapchat even exists is so that
you can send self destructing nudes to people.

The idea that an app will be banned due to content shared with people using
the app, and not uploaded and/or hosted on some public website accessible to
anyone (CP on tumblr) sounds completely ridiculous to me.

~~~
ben_w
I disapprove of Apple’s puritanical approach to sex, and agree that this is
ridiculous given that the logic applies equally well to literally all apps
with groups or arbitrary URL web access, but it does appear to be the sincere
justification for this situation.

A thought: I hear that most of the complaints about “adult” TV channels
crossing the line from “broadcastable” to “violating obscenity laws” are made
by their competitors. Perhaps a similar thing happens here? That at least one
of Telegram’s competitors constantly looks for reasons to get them blocked from
the App Store?

~~~
simonh
There are other apps that use universal e2e encryption and have not been
banned by Apple. Also if someone did want to use Telegram for seedy purposes,
they still can by enabling full security, so it’s pretty clear this excuse is
flat out bogus. Otherwise all the same arguments would apply to the other
apps.

------
KaiserPro
"Telegram developer says competitor is wrong and dangerous"

I am not a whatsapp fanboy, but I strongly doubt that these flaws were
designed, and to call them "backdoors" is hyperbole.

I also am sure that the only reason we know about this backdoor is because
Bezos was blackmailed.

I am in no doubt that nation states have a cache of exploits for signal,
telegram, facebook messenger and whatsapp.

~~~
donogh
What's more is that Telegram's approach to crypto has been shown to be deeply
flawed[1].

I take my chances with Signal instead. Unfortunately, enticing all of my
contacts to do the same has proven difficult.

An aside: is anyone else disturbed by the fact that Whatsapp now shows the
Facebook logo when you first open the app? The day the Facebook
Messenger/Instagram/Whatsapp merge happens is the day I'm deleting Whatsapp.

[1] [https://security.stackexchange.com/questions/49782/is-telegr...](https://security.stackexchange.com/questions/49782/is-telegram-secure)

~~~
rdslw
Sorry. You're wrong and you're spreading SEVEN-year-old information, which is
not true in 2020.

Telegram crypto was redone, and is now using standard primitives. You can
verify it at a high level at
[https://core.telegram.org/mtproto](https://core.telegram.org/mtproto) or at a low
level if you'd like to check the source code in their github. BTW, telegram has
had reproducible builds since last year.

I'm tired of people repeating a 7-year-old meme without verification.

~~~
md_
Standard primitives, perhaps, but has the scheme itself been reviewed by
competent cryptographers?

At best, the Telegram developers are well meaning but have demonstrated in
previous versions of MTProto that they lack a background in cryptography or a
desire to consult experts. And their public face—posts like this one—seems
often to be hyperbolic attacks on competitors, which is not a great look.

I’m not a cryptographer, so I’m not going to review the current MTProto. I
hope it’s awesome and bug-free. But some skepticism seems warranted.

------
objclxt
> Had Jeff Bezos relied on Telegram instead of WhatsApp, he wouldn't have been
> blackmailed by people who compromised his communications

You can have a healthy debate about whether Telegram is a better option than
WhatsApp for the average Joe (I don't think it is, but that's just my
opinion). Jeff Bezos is not the average Joe.

The idea Telegram somehow offers people like Bezos more protection than
WhatsApp from _nation state attacks_ is crazy. Pavel Durov is irresponsible
for suggesting otherwise.

If you're a Bezos level target and Saudi Arabia wants your messages to
blackmail you, _they will get them_. This is a country with effectively
unlimited resources and no moral qualms. The app you're using is irrelevant.

~~~
anticodon
The President of Ecuador was forced to give up Julian Assange because he was
blackmailed using content from conversations he had with his relatives in
Telegram. This makes me think that Telegram is not as safe as it tries to
appear. At least there's a backdoor for the CIA/USA government.

~~~
harry8
Wow!

Citation?

~~~
JimBlackwood
[https://defend.wikileaks.org/2019/04/03/ecuador-twists-embar...](https://defend.wikileaks.org/2019/04/03/ecuador-twists-embarrassing-ina-papers-into-pretext-to-oust-assange/)

I found this, I think that’s what is being referred to.

~~~
wrboyce
The only mentions of Telegram on that page also mention WhatsApp right next to
it. I’d love to read more about the alleged Telegram hack/leak but this link
does not appear to be a source for the accusations levelled upthread.

~~~
anticodon
Also, his phone can be hacked. After Snowden revelations I do not trust any
piece of electronic equipment. I don't worry because I don't believe any
privacy is possible in contemporary society. Every device has tons of bugs.
Every application I use phones multiple networks gathering facts about me.

Just yesterday I visited Off-facebook activity and was very surprised to
find there information that I thought nobody could trace back to me. And I
believe it's only the tip of an iceberg. Probably there wasn't even direct
wiretapping - it was guessed by comparing some patterns of my checkins or
pages I've browsed.

Still, I don't believe Telegram and Pavel Durov. Also, the first story I've
read about this case mentioned only Telegram. I'm not sure I can find it now -
it was almost one year ago - it's long gone from my browsing history.

------
BoppreH
At least WhatsApp has End to End encryption by default. I would be surprised
if more than 1% of Telegram communications were similarly secure. I also find
the constant mention of the vulns being "backdoors" disingenuous.

I'm a big fan of Telegram for its top notch bot support, but I'm flagging this
submission.

~~~
arkadiytehgraet
Have you seen sources of WhatsApp?

Do you trust claims made by _Facebook_ about privacy and encryption?

~~~
anchpop
> Do you trust claims made by Facebook about privacy and encryption?

I trust facebook that when they say something is E2E encrypted, it really is
(except in the case of targeted attacks). If it weren't, I would expect an
internal whistleblower to very quickly report it.

~~~
spaceandshit
You have a lot of trust in strangers.

------
aneutron
I was put off at the very beginning of the article by the claim that it was a
"backdoor". None of the sources I read even alluded to this, and in fact, it
was, as far as I understood, a very "classical" buffer overflow problem.

But I went ahead with the article and it's just marketing spiel for Telegram.
Basically based around FUD.

- Telegram offers opensource clients and WhatsApp doesn't.

- Casts doubt about the actual implementation of E2E encryption in WhatsApp.
And his claim of "you can't be sure" is actually pretty wrong. There have been
open-source clients (of limited success) but they still prove that it is
indeed at least implemented.

- I think the author is missing the fact that WhatsApp's encryption is,
technically, documented in a whitepaper that highlights all of the protocol
and how the different tokens and keys are generated and recycled. Because he
clearly thinks Telegram is the only one to document its encryption.

Overall, I love Telegram, I use it daily. I don't mind the lack of
demonstrable privacy, because I really don't need it for what I do on
Telegram. It's convenient and I love the cross-platform TRUE clients, none of
that webapp packaging stuff (Seriously the QT client is amazing). But this is
almost all wrong ...

------
hestefisk
This is a case of the pot calling the kettle black, to be honest. Telegram
controls encryption keys centrally as well. If you want true end to end
encrypted messaging then Signal is the way to go. FWIW, I don’t understand the
trend in open source projects to use Telegram for messaging given its closed
source / proprietary origins.

~~~
brnt
> Telegram controls encryption keys centrally as well.

Source?

~~~
hestefisk
See
[https://en.wikipedia.org/wiki/Telegram_(software)](https://en.wikipedia.org/wiki/Telegram_\(software\))

“Telegram's security model has received notable criticism by cryptography
experts. They criticized the general security model of permanently storing all
contacts, messages and media together with their decryption keys on its
servers by default and by not enabling end-to-end encryption for messages by
default.”

~~~
brnt
That part does not refer to the E2EE Keys though. The Wikipedia article was
also mostly written before MTProto2.

------
nnx
The whole article is disingenuous:

- This kind of vulnerability could happen in any app, including Telegram
(a similar issue also happened in the past with iMessage)

- WhatsApp conversations are all end-to-end encrypted by default, Telegram's
are not (you have to explicitly create a "secret chat")

- If this vulnerability used privilege escalation to access some data outside
WhatsApp, iOS indeed had an additional vulnerability (and Android too)

~~~
dancemethis
There is no way to prove WhatsApp didn't tamper with OpenWhisper internally.

~~~
joshuaissac
Even if they did, it would just mean that Facebook (WhatsApp's parent company)
could now see your messages, but that is still no worse than the default
Telegram setting, which guarantees that the company will be able to decrypt
your messages. And what prevents Telegram from tampering with their own end-
to-end encryption for the binary they upload to app stores? Hardly anyone
compiles their own apps if they can download it from a convenient app store
instead.

~~~
wrboyce
Telegram clients are open source and have reproducible builds. There is so
much FUD being spread in the comments here which could probably be resolved by
sticking your HN comment directly into your search engine of choice.

[https://core.telegram.org/reproducible-builds](https://core.telegram.org/reproducible-builds)

~~~
joshuaissac
They started having reproducible builds since the start of this month, when
they released v5.13, and I admit that I had not checked to see if it had
changed since the last time I looked.

However, this still lets Telegram decrypt people's messages (on the default
setting), which makes it less secure than WhatsApp and Signal.

The article itself is riddled with FUD about WhatsApp, and the author has
written similar FUD/unfounded claims before.

1. [https://www.independent.co.uk/life-style/gadgets-and-tech/ne...](https://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-surveillance-privacy-telegram-pavel-durov-facebook-a9211151.html)

2. [https://telegra.ph/Why-WhatsApp-Will-Never-Be-Secure-05-15](https://telegra.ph/Why-WhatsApp-Will-Never-Be-Secure-05-15)

~~~
dancemethis1
FUD "against" proprietary software is pretty much the "reverse racism" of
technology.

Again, there is no proof OpenWhisper wasn't tampered with. It'd take WhatsApp
becoming Free Software and having independent audits to be reliable as a
communications platform. Suspicion is but a matter of survival, and chances
will continue to be usually against the most vulnerable party: the users.

~~~
UncleMeat
Why would it need to be Free? Surely a license for modifying the code has
exactly nothing to do with being able to audit it. They could distribute the
source in a different manner if you really really really need to be able to
see it in order to audit it (professionals don't).

------
tptacek
A reminder, because this sometimes surprises people, and feel free to correct
me if the facts have changed recently:

Telegram supports end-to-end encryption only in 1:1 private chats.

End-to-end encryption is disabled by default.

Telegram does not support end-to-end encryption, at all for group chats, its
most popular use case.

Instead, Telegram claims that those group chats are "encrypted" by dint of the
TLS connection between Telegram clients and the Telegram servers, which can,
in this model, read all group traffic.

People like to dunk on the weirdness of the limited E2E crypto Telegram does
have; it's archaic and idiosyncratic and people have published research
results about it, though none to my understanding are of real practical
impact. I support people dunking on bad crypto. But that has nothing to do
with why Telegram is an inferior secure messenger.

By comparison, Signal, which Durov has repeatedly talked down:

* has modern, ratchet-based forward secure end-to-end crypto, always, in both group and private messaging;

* won the Levchin Prize, refereed by some of the best-known names in academic cryptography, for the design and implementation of that cryptosystem, as well as for its implementation at WhatsApp;

* has repeatedly foregone basic messaging app features simply to avoid collecting user metadata; Signal didn't even have user profiles until they could figure out a way to implement it in a privacy-preserving manner, and even their GIF sharing feature has a purpose-built anonymity system; we'll only this year potentially get _usernames instead of phone numbers_ because it took that long to design a trustworthy social graph that didn't leave Signal with a giant pile of subpoenable metadata.

Use whatever messaging app you want.

------
phh
Reading this article, I was thinking that Durov was really over-exaggerating
when saying that WhatsApp plants backdoors, while they were simply security flaws.

But then I looked at the flaws, and that definitely raises questions. At least
two of the flaws are in mp4 parsing done by WhatsApp itself, while both
Android and iOS provide hardened platform tools for that.

There are two reasons you would want to do that:

- Increase security. Yeah that's a bit paradoxical considering what I said
before, but it is possible you could want to do that, because Android devices
are barely updated, and even though the mp4 parsing is hardened, there are
known unfixed flaws on many devices. If that was the intent, then the very
first thing they would have done is to have this run inside a dedicated
sandboxed process (Android allows that pretty easily), with no access to
either the data or the internet. Or they could have written it in a managed
language, where the worst case of failed parsing is crashing/DoS-ing. Or they
could do it in rust of course :-)

- Increase compatibility with a wider range of mp4 files. As far as I know,
mp4 support of those platforms should be good enough for most cases, but ok,
let's say such a case exists; that means that they don't actually care about
the security. As Durov says, they are using "end-to-end encryption" to say they
are secured, but don't seem to care much past that.

I'm still not convinced those are actual purpose-built backdoors, but I will
at least agree that security doesn't seem to be a core value of WhatsApp.

~~~
londons_explore
Video decoding ability on Android devices varies widely device to device, and
on some devices if you try to play a video it is incapable of playing, you
have no way to know the user is looking at a blank screen. On a few devices,
trying to play a bad file even results in an instant device reboot. You 100%
don't want to be sticking untrusted data into the platform media APIs, and in
fact I'd caution against using them at all unless power usage is so important
you need hardware accelerated decodes.

Considering that, I can completely see why WhatsApp decided to bundle their
own libraries.

~~~
phh
In my understanding, they are using only mp4 files, and control the mp4
writers, so they should be fine with most devices' Android MediaPlayer.

Though yeah, I'd personally rather go to ExoPlayer to have a managed,
maintained solution that already contains most fucked up hardware workarounds
you might need. Sure it's not cross-platform, but just define a high-level
player API, use iOS' native player, ExoPlayer on Android, vlc on other
platforms, and you're good to go.

As for "sticking untrusted data into platform media APIs", well the power
consumption of decoding a video on the CPU is absurdly high. You'd be going from
6 hours view time on a standard smartphone to 2 I'd say? You could decide that
you value security /that much/. But then if you do, the very first thing to do
is to run the player in a dedicated isolated process.

I doubt WhatsApp is doing software video decoding, but if they are, it is all
the more ridiculous.

------
rapsey
> On the contrary, Telegram apps have been open-source and its encryption
> fully documented since 2013.

Yeah and well known to be cryptographically poor.

~~~
thrwaway69
Citation?

I know a lot of people who use telegram over whatsapp because it's more
_secure_.

~~~
eganist
I'm not op, but

2016 (corrected from 2019): [https://gizmodo.com/why-you-should-stop-using-telegram-right...](https://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415)

2017: [https://courses.csail.mit.edu/6.857/2017/project/19.pdf](https://courses.csail.mit.edu/6.857/2017/project/19.pdf)

2018: [https://twitter.com/tqbf/status/987372998935105539](https://twitter.com/tqbf/status/987372998935105539)

2019: [https://www.forbes.com/sites/zakdoffman/2019/08/25/chinese-a...](https://www.forbes.com/sites/zakdoffman/2019/08/25/chinese-agencies-crack-telegram-a-timely-warning-for-end-to-end-encryption/#43aed9e96342)

2019: lmao [https://twitter.com/durumcrustulum/status/116034777473242316...](https://twitter.com/durumcrustulum/status/1160347774732423169)

Etc

~~~
rdslw
Gizmodo is 2016. Do not spread false information.

p.s. and it is based on information which in 2020 is no longer current, as most
things were corrected.

~~~
eganist
Edited to fix dates and references.

Got a citation for this? I'm having a hard time finding it:

> p.s. and is based on information which in 2020 is not anymore actual as most
> things were corrected.

------
taneq
Last I tried WhatsApp it refused to let me use it without giving it access to
my entire contact list. Even when “giving it access” to a blank list via
PrivacyGuard, I couldn’t see a way to add a contact manually. That was a deal
breaker for me.

~~~
ElectronShak
I think this helps prevent spamming. If I could add anyone manually, spamming
a set of random phone numbers would be easy.

~~~
taneq
I was willing to let it have _my_ phone number, which is the thing that would
cut down spamming (as a hard-to-generate-in-bulk identifier). I just wasn't
willing to give it my contact list.

------
earloftyrone
I've heard signal is the best to use

~~~
nobodyshere
Have they added group chats yet?

~~~
bjoli
Available for many years.

------
hurricanetc
Next part in the series: Why using Telegram is dangerous.

~~~
celticninja
I doubt it, Pavel Durov (the author) is the owner of Telegram

------
mr-karan
> Telegram, an application used by hundreds of millions of people including
> heads of states and large companies, has had no issues of that severity in
> the last 6 years.

Sounds misleading no? Should rather say: no issues of that severity "reported"
in the last 6 years.

------
forgotmypw
What is most surprising to me is that someone like Jeff Bezos is rubbing
shoulders with the masses on WhatsApp.

If I was him, I would have spent a couple million rolling my own, with
gateways to web, email, and SMS.

------
namanaggarwal
Why using Telegram is Dangerous?

E2E is not by default and terrible UX to make people think they have secure
communication

------
slipheen
He says this is a vulnerability in Whatsapp, rather than in iOS/Android.

But if a full-phone exploit is possible using the app, isn't that inherently
an iOS/Android bug?

My understanding is that an application should not have full access to
the system. I would expect that even if it were hacked/acting maliciously all
you could pull is what the app already has access to.

Did they stack an iOS exploit on top of a WhatsApp bug?

(Using WhatsApp for remote execution, then a privilege escalation of some
sort?)

------
diebeforei485
WhatsApp is also quite user-hostile. For example: (1) There is no way to stop
being added to groups.

(2) There is no way to disable their calling service. I don't want people to
call me on WhatsApp.

(3) If you've chosen not to give them your contact book, they have worsened
the UX over time (for example, it only shows phone numbers now and not the
display names they have set).

~~~
rfmw19
> (3) If you've chosen not to give them your contact book, they have worsened
> the UX over time (for example, it only shows phone numbers now and not the
> display names they have set).

Adding to this, you also cannot initiate a first (new) message to anyone
unless you have granted contact access. The workaround is to ask the other
person to message you first...

~~~
veniversum
You can initiate a message to anyone using
[https://api.whatsapp.com/send?phone=<phone_number>](https://api.whatsapp.com/send?phone=<phone_number>)

------
gravity_123
I use WhatsApp and generally trust Facebook when they talk about e2e (of
course there will be bugs but Facebook has lots of eyes on them, is a huge
public company with a staffed security team, the encryption has been tested in
Brazil where they didn't have anything to hand over to the govt, they have lots to
lose by lying here, and metadata collection and WhatsApp business sound like a
potential business). In my opinion the biggest issue is the backups. Everybody
I know backs up the chats to icloud or Google drive (even if you don't, your
friends might) because it offers great convenience. These backups are not
encrypted (well, encrypted with a key that WhatsApp has) and hence are a weak link.
In an e2e encryption system all we need is one weak link and this is imo the
one. Hopefully whatsapp or Apple or Google solves it elegantly without too
much of a hit on user convenience.

------
eddvdm
> Telegram, an application used by hundreds of millions of people including
> heads of states and large companies, has had no issues of that severity in
> the last 6 years.

Maybe the author says "of that severity" because he keeps adding "the richest
man on the planet" there, but most people in Brazil wouldn't agree with him.

He has surely heard about Operation Car Wash and how it took an "arrow in the
knee" after dozens of Telegram leaks?

One source among various others with a bit more info on the tech side:
"Telegram voicemail hack used towards Brazil’s president, ministers"[0]

[0] [https://ethhack.com/2019/07/telegram-voicemail-hack-used-aga...](https://ethhack.com/2019/07/telegram-voicemail-hack-used-against-brazils-president-ministers/)

~~~
p1anecrazy
"In keeping with courtroom paperwork, the 4 used a comparatively unknown
hacking trick to bind the victims’ Telegram accounts to their telephones.

Native media reported that the hackers used entry to the accounts to ship spam
messages with malicious hyperlinks to customers’ contacts."

Good ol' phishing.

~~~
eddvdm
True, but you can imagine how mainstream media reports those. They put
everything in a pot labeled "hack" and push it forward.

One thing they (mainstream media) failed to mention is they were indeed
victims of sim-jacking as well, if ever by simple link phishing. That was
thoroughly described by the victims themselves at Congress investigative
sessions.

Sadly, in Brazil the current mainstream media is mostly biased towards the
previous government and all the people that were arrested by the Car Wash
Operation. They won't openly say it ever (in here they're not as transparent
as US ones, for example - and the Operation is probably one of the most
popular events ever in the country's history), but the ones at mainstream
media that won their place during the last 20 years' government just want their corrupt
politicians back in power.

To say the victims there were hacked because they clicked suspicious links of
their own will is not only convenient, but what they actually want the broad
population to believe.

------
lern_too_spel
Clegg is presumably referring to the fact that the Saudis had access to data
from Bezos's phone that the WhatsApp app itself did not have, indicating a
privilege escalation (iOS issue) in addition to the RCE (WhatsApp issue).

------
yannovitch
I, personally, think that neither Telegram nor Whatsapp, nor even Signal, are
good for privacy.

Even if Pavel Durov says that Telegram has verifiable builds and an open source
client, as long as you're not in control of the whole chain (server+client),
you're not in control at all. Even with e2e, an adverse party can always have
access to lots of metadata, or with vulnerabilities as disclosed in this blog
post, get access to the actual content.

Now that OMEMO is widespread in the XMPP world, I try to push in that
direction, but as another user has said, the hardest part is to get users to
move to your "new" solution.

~~~
_nalply
Maybe publish source and let people compile their clients themselves. For
mobile platforms offer reproducible builds and a tool to checksum both your
build and the package on the mobile. Caveat: I don't know whether totally
reproducible builds are possible at all, and the checksum tool must be
compiled too and uploaded as a test package to the phone. Probably only useful
for groups of paranoid tech-savvy people.

------
badrabbit
This guy is like nostradamus, makes a lot of generic predictions using vague
time frames. Except when his prediction comes true, he uses it as an opportunity
to advertise telegram.

For a guy who made telegram, I would expect a much more technical and objective
post instead of ad-hominem based comparisons where the solution is his own
product (feels dishonest since there are plenty of alternatives as well)

But Mr Durov aside, of course you shouldn't use anything facebook touched!
Just like you shouldn't trust a convicted arsonist to build a house compliant
with fire code regardless of talent and reputation.

------
daminimal
It doesn't really help to know that it's dangerous. I might be overly
pessimistic, but from my anecdotal evidence, it is very difficult to get users
to move from one messaging platform to another. And once you have gotten all
of your close people moved from say Facebook Messenger to Whatsapp (In my
example) as it's more recognized than, say, Signal - it would be close to
impossible to get everyone to move yet _again_ in the near future in the fear
of some security flaws.

Other people just don't care as much...

------
pelasaco
Was the issue with Telegram sending the password via SMS already fixed?
That was the number one argument against it, if you fear any State
adversary.
[https://www.forbes.com/sites/thomasbrewster/2019/12/12/myste...](https://www.forbes.com/sites/thomasbrewster/2019/12/12/mystery-russian-telegram-hacks-intercept-secret-codes-to-spy-on-messages/)

------
IshKebab
This is a terrible article.

- The evidence for Bezos's phone being hacked is pretty poor.

- The "backdoor" was not a backdoor. It was an ordinary bug. Whatsapp cannot
pledge to not make mistakes. He can claim that it was deliberate all he likes
but he doesn't have any actual evidence.

- Other apps have bugs too. Telegram may have fewer but that's because it has
far fewer users. They claim 100 million. WhatsApp has 1.5 _billion_.

------
huffmsa
If you can turn a blind eye to the absolute horror show that Whatsapp calls a
UI you probably deserve whatever befalls you.

Now I'll plug my friend's company as an alternative for secure messaging (and
because I like purple UIs): [https://www.cyph.com/](https://www.cyph.com/)

------
latte
Can't comment on WhatsApp's security profile, but it's probably the least
convenient among the messengers I use - there is no easy way to access the API
to set up a bot for my personal use or do any other kind of scripting /
automation. I hope that it will change at some point.

~~~
namanaggarwal
Yes, it may be least convenient for you but not for a majority of users who
don't want/need bots. Telegram has bots and a lot of it is just spam.

Facebook has decided on a B2B sort of model for bots for this specific purpose.

~~~
anoncake
> Yes, It may be least convenient for you but not for a majority of users who
> don't want/need bots.

No one's going to make them use bots against their will.

> Telegram has bots and lot of it is just spam.

Bots can't even initiate conversations.

> Facebook has decided a B2B sort of model for bots for this specific purpose

Which almost certainly will be used for spam because that's Facebook's line of
business.

------
lostgame
This reads very clearly as an advertisement for Telegram.

The intelligent discussion and criticism at the beginning of the article
quickly derailed into ‘this is why you should use our product.’

If it was written by a third party, I’d be able to take it at face value.

------
gargs
I tried searching, but couldn't find a good explanation online on the
differences between Keybase and Riot, and why one is better than the other.
Could anyone help?

~~~
ptman
Riot is open source. Matrix is an open protocol that is designed to federate
so that users on different servers can talk to each other. Is the Keybase
server open source?

------
parliament32
Telegram and WhatsApp are both pretending to be secure when they're really
not. Signal is the only sane choice at this point.

------
blumomo
Coincidentally, I deleted my WhatsApp account today. Apart from the fact that I
can't really judge yet how much more secure Telegram is, I find Telegram also
much more usable. Let alone being able to edit messages when swipe-writing
selected totally different words than I had intended. How often did I
send a second WhatsApp message just because the first was full of swipe
detection errors?

~~~
mantap
It pains me to read these comments even on HN. Telegram is strictly less
secure than Whatsapp. Telegram is not designed with security in mind and if I
was a TLA I'd be pretty happy about people using it.

------
fkfaduc
The one thing that made me quit WhatsApp was a few years ago when it got
bought by Facebook.

------
rodolphoarruda
Off topic: this Telegra.ph UX is really neat. I wish I could use Wordpress
like that.

~~~
jszymborski
Is it basically a pastebin for long posts?

------
doomrobo
Friends don't let friends use Telegram

[https://threadreaderapp.com/thread/1129026681291911168.html](https://threadreaderapp.com/thread/1129026681291911168.html)

------
eximius
Use Signal or Matrix.

------
nathias
use signal instead

------
joecool1029
I'm a little late to the party but I'm just going to write about what happened
last night on Telegram.

I was speaking with a friend who's often pushed me towards Signal. For
context: I left Signal because of Moxie. The usability concerns and terrible
Electron desktop apps didn't help but Moxie's attitude and the fact that he's
just not rich enough to be free of gov/corp influence were my motivating
factors. He fought us for dropping dependency on Google Play Services, refuses
to allow 3rd party distribution, and is anti-federation.

I've been having a back and forth with Telegram over email since the events of
last night. It's... interesting. (last response was a couple minutes ago)

So last night, I was speaking with this friend and he remarked that he used a
burner to register his Telegram number; he expected it to be banned at any
time. I was in the middle of typing back to him "I wouldn't worry, so long as
the account is active" and my account was instantly banned before I could hit
send. I was trying to provide him this reassurance because I use Telegram
with a Google Voice number instead of a carrier number that could be ported
out more easily.

Trying to sign back in the clients tell you the number is banned. There is a
help button. It gives you a pre-drafted email filled out with app version, OS
version, and phone number asking for help to unban.... and it's addressed to
login@stel.com. I found this peculiar as recover@telegram.org is the email
used in most documentation and is what other people suggested to email.

Within a few minutes of this email being sent my account was re-enabled with
nothing deleted except my chat mutes. They apologized and I inquired about wtf
had just happened. They told me that it was likely due to my usage of Google
Voice and not to worry as my number is now on a whitelist. Furthermore they
said in their response: "Or why did you have such unusual authorization
parameters?".

I use the secondary app password, I listed off all the clients I've used...
the only really bizarre one being an ancient Qt port of the desktop client to
BlackBerry 10 (I was curious to see if anything still worked on that
platform). They told me it was likely due to that.

I questioned them about use of pattern matching in private messages, not once
did I hear a denial of this. I could see it being done to prevent bot or
terrorist activity, but my guess is talking about 'burners' and having a
Google Voice number was enough to have me slip below their trust level even
though my account is years old.

EDIT: Turns out the friend I was speaking to had people logging into his
account this morning. I've also reported this to Telegram. The unauthorized
logins changed his account name on each login.

------
MuricaFYeah
I'm just going to leave this here in case people still think this guy has
anybody's best interests in mind. Is it true? Is it fake? Make your own
conclusions.

[https://medium.com/@anton.rozenberg/pavel-durov-sued-senior-...](https://medium.com/@anton.rozenberg/pavel-durov-sued-senior-tech-lead-for-1-7-b24961dec503)

------
mojuba
> I am not exactly an Apple fanboy

Can we stop using "Apple fanboy" as a derogatory term? You insult everyone -
every single person - who likes the company. A lot of the times I'm tempted to
say "those who don't like Apple's products are tasteless idiots" but I never
say that out loud. Nope I don't :) So keep your opinion to yourself.

~~~
romanovcode
> A lot of the times I'm tempted to say "those who don't like Apple's products
> are tasteless idiots"

Wow, you are a real apple fanboy, aren't you.

------
Brave-Steak
This is like the pot calling the kettle black. Why are people still
recommending Telegram over solutions like Signal or Matrix?

~~~
anoncake
> Why are people still recommending Telegram over solutions like Signal

Usability, freedom.

~~~
AdmiralAsshat
> Usability, freedom.

Uh? Isn't Telegram's server-side code closed/proprietary?

~~~
dimensi0nal
Who cares? You can't verify a server's claim that its software was actually
compiled from some specific source code, so this could be a valid criticism of
any service.

------
andresramon
WhatsApp is kind of the best digital and I vouch for it.

------
camillomiller
In Italy fake news about the coronavirus is spreading like a bushfire on the
platform, thanks to the broadcast features and the utter absence of any
possible moderation on something Facebook turned into a proto-social network.
That's really why using WhatsApp is dangerous.

~~~
lappet
Why is this downvoted? The spread of fake news through WhatsApp is a real
issue in many countries.

~~~
camillomiller
I don't know, I just stated a fact. Also, WhatsApp is worse than other
messaging apps because of many social-style features Facebook introduced to
prioritize interaction metrics, such as stories, on a platform born to be
based on peer-to-peer and get-to-know trust.

