
Telegram told to give encryption keys to Russian authorities - wglb
http://www.zdnet.com/article/telegram-forced-to-give-encryption-keys-to-russian-authorities/
======
yoavm
Well, if Telegram had end-to-end encryption enabled by default, this wouldn't
even be technically possible.

~~~
golergka
It also would have had much worse usability in the most common case: when
government agencies aren't a real risk factor, but you want conversations
synced between different apps.

Seriously, disregarding trade-off between security and usability is exactly
how we ended up with very secure, 20-digit passwords, containing every
possible unicode symbol, updated every Monday, written on post-it notes
hanging on the wall.

~~~
DCKing
Ugh, this keeps on coming up.

Wire [1] already has both end-to-end encryption _and_ cross device sync. It's
not the only one to do that either.

It's _not_ a tradeoff.

[1]:
[https://en.m.wikipedia.org/wiki/Wire_(software)](https://en.m.wikipedia.org/wiki/Wire_\(software\))

~~~
trisimix
It also has a better user experience. And encryption enabled by default.

~~~
melkhior
+1 for Wire from me, have been using it for about a year and a half now.

I only wish it had a better desktop client, the current one is a little laggy
especially when scrolling up chat history.

~~~
petre
I use the web client and it works fibe. I suspect the desktop clients are
Electron based.

------
handbanana
Not 100% relevant to the article, but if anyone hasn't already given it a try
- Signal is a great cross-platform messaging service. I don't understand why
more people aren't using it

~~~
andreagrandi
Unfortunately Signal doesn't have a desktop client (and no, Chrome apps don't
count. They will be retired and unsupported too in the near future)

~~~
detaro
Signal deprecated their Chrome App client months ago. The desktop client they
have right now is not a Chrome app.

------
phyzome
I like that the article ends with the author's PGP fingerprint... and is
served over plain HTTP. Bold move.

~~~
ahelwer
The personal intellectual highlight of my life was when I published my PGP
fingerprint on my Wikipedia userpage.

------
shmerl
This highlights the problem. Why should they have any keys? It should be end
to end encryption, where users have the keys. Otherwise it's already insecure
and no one should be using it. Government demanding something is just a
symptom.

~~~
parliament32
This has been the chief complaint about Telegram, and the entire reason I've
never even tried using it. As long as you're trusting the corp with your keys,
you're just as secure as any other site that provides chat over HTTPS.

------
Karrot_Kream
Telegram has publicly stated that they refuse to hand over their keys (though
whether or not they will, time will tell). This is in contrast to FB, Google,
and Twitter who have not released a statement about whether or not they will
comply: [http://www.zdnet.com/article/facebook-twitter-google-
censors...](http://www.zdnet.com/article/facebook-twitter-google-censorship-
ban-russia-tech-dark-ages/)

~~~
aorth
Remember in 2013 when Lavabit said their email was so secure that even their
sysadmins can't read it? And then, after the secret US government subpoena was
made public it turned out that Lavabit's claim of "can't" was more like
"won't".

Better to not have to trust the intentions (or ability to resist torture, etc)
of Telegram, Pavel Durov, et al. Better to have end-to-end encryption by
default, like in Signal.

[https://www.techdirt.com/articles/20131002/17443624734/lavab...](https://www.techdirt.com/articles/20131002/17443624734/lavabit-
tried-giving-feds-its-ssl-key-11-pages-4-point-type-feds-complained-that-it-
was-illegible.shtml)

~~~
miaklesp
Signal and Telegram are in different categories.

Signal is more secure in general due to end-to-end encryption but user
experience is bad. I would use Signal when I really have something to fear
very seriously, in this case personal security more important than usability.

Telegram is much better made UX-wise. It's a more decent product for average
user. It's a Facebook Messenger alternative which is secure enough and doesn't
sell your data to anyone.

If you are not security expert or journalist and black helicopters are not
chaising you, you don't need Signal, Telegram is much better messenger with
great clients on different platforms.

~~~
mykull
I don't see what's bad about signal UX honestly. I have a few private 1on1
conversations in it and it feels like any other text messaging client.
However, the only place I use it is on my Android phone, and there may be
features others are missing that just never interested me personally.

------
LinuxBender
There has never been such a thing as end to end encryption on a cell phone.
Carrier "debugging" tools such as CarierIQ hook at a lower level and can
intercept and log everything that any application can see. CarrierIQ was
acquired by AT&T and doesn't even officially have a name any more. They would
tell you it only runs if the phone is in debug mode, but the dial home to the
carrier can enable it via a simple header.

Perhaps the difference here is that Russia does not have access to this data?

~~~
krick
Could you please provide some home-reading material on the topic? I understand
that the notion of "secure messenger" linked to your phone number and running
on a phone is laughable, but it's the first time I hear accusations that my
mobile operator can retrieve basically any info from my phone, like actually
right now, without breaking a sweat.

Does it apply to all mobile operators or only to american ones?

~~~
LinuxBender
There used to be a really good walk through and demo of the software on
youtube, but it was pulled down. Perhaps someone has uploaded it again. I will
see if I can find it.

IIRC, these debugging tools exist on all carriers and each have their own
custom implementations.

~~~
snowpanda
Is it this one?
[https://youtube.com/watch?v=T17XQI_AYNo](https://youtube.com/watch?v=T17XQI_AYNo)

~~~
LinuxBender
That looks like part of it. :-)

------
dharma1
If FSB really wants access - and sooner or later they will, as Telegram keeps
growing... As long as Telegram founders still have family inside Russia, they
are vulnerable

~~~
gmemstr
Do the founders have family in Russia? I'm not really up to date with Telegram
as a company or the people behind it.

~~~
saurik
[http://techcrunch.com/2013/10/27/meet-telegram-a-secure-
mess...](http://techcrunch.com/2013/10/27/meet-telegram-a-secure-messaging-
app-from-the-founders-of-vk-russias-largest-social-network/)

> Meet Telegram, A Secure Messaging App From The Founders Of VK, Russia’s
> Largest Social Network

~~~
thathappened
Does no one care that Digital Ocean is owned and created by Russia? You're all
worried about apps, what about the hosts they use?

~~~
luxpir
I care, but had no idea. Any more info? Search not showing up much.

~~~
sli
It's not true.

------
coolspot
BTW does anyone know how Viber and WhatsApp (both are very popular there)
operating in Russia?

Do they cooperate?

~~~
gagabity
WhatsApp cant cooperate by design they don't have the keys although they do
have some metadata, not sure about Viber.

~~~
mort96
How do we know WhatsApp doesn't cooperate? It's closed source, and owned by
Facebook no less, so how can we know there's no backdoor?

~~~
gagabity
You can analyse the traffic data being sent by the App, also there are third
party Apps that work on the WhatsApp network.

~~~
mort96
You can maybe verify that the app doesn't currently send messages anywhere,
but what if there's a way for Facebook to send a request to WhatsApp for a
dump of all messages within a date range?

------
eitland
More interestingly perhaps:

Telegram _as usually_ refuses to give encryption keys to anyone.

While there seems to be a lot to say about Telegram crypto at least their
priorities seems to be aligned with mine unlike WhatsApp that is owned by
Facebook.

~~~
ChristianBundy
Why use Telegram over something _actually secure_ like Signal?

~~~
krick
Skipping discussion about "actual security": vendor lock-in & network effects.
_None_ of my peers uses Signal for everyday communication. Quite a few use
Telegram, +Telegram channels & conferences, bots, and, well, honestly, it's
really quite nice app to use. So, yeah. It's sad.

~~~
zzzcpan
But in fairness, you cannot really claim that Signal is actually secure just
because it has a better encryption.

~~~
literallycancer
True. Then again, Telegram really has no encryption at all, since no one uses
the secret chats. So he probably meant something like "why not use an app that
actually tries to do what it claims to?".

~~~
eitland
It actually has encryption. Just not end-to-end by default.

------
Justsignedup
Let's be fair.

WhatsApp is NOT any different. They may have Signal's encryption algo, but
they still store effectively unencrypted messages in their servers. Because
that is the only way to sync between devices when adding a new device. And
also the only way for FB to data mine.

So... Yeah bad reporting.

~~~
bjoli
That is not correct. WhatsApp syncs messages between devices (mobile client
must be connected to the internet to use WhatsApp web on the desktop).

They store undelivered, encrypted messages on the server.

~~~
Justsignedup
If you are in private chat mode, this works well, because all devices have an
encryption key.

But if you are doing regular messages between people, those messages are
certainly readable by the server and because adding a new device decrypts all
previous messages, the server has decryption knowledge.

Note: At each point in their sesame algorithm the user has a non-empty set of
devices. So if you want to sync another device acts as a p2p syncer.

What happens when you remove your last device and add another new one. Hence
why whatsapp has a non-privacy mode. Or am I misunderstanding?

~~~
bjoli
WhatsApp has no private chat mode. Every message is e2e encrypted.

If you switch devices, other clients will use the old keys until they have
received the new one (and then they will silently re-encrypt and resend
undelivered messages, something WhatsApp was heavily criticized for).

~~~
Justsignedup
Gotcha!

