

Breaking Half of the Telegram Contest - xnyhps
https://blog.thijsalkema.de/blog/2014/04/02/breaking-half-of-the-telegram-contest/

======
lawl
It's _incredibly_ difficult to keep people from using insecure technology.

After the whatsapp facebook aquisition many of my friends looked for something
different. So they choose Threema and Telegram. Which are both _horrible_.

Please guys. Use TextSecure [0].

[0]
[https://en.wikipedia.org/wiki/TextSecure](https://en.wikipedia.org/wiki/TextSecure)

~~~
tptacek
I'm another enthusiastic vote for TextSecure; those guys work on TextSecure
because they love the core problem of doing secure comms right, and it vividly
shows in their architecture and the way they write about it.

~~~
tinco
The problem is that TextSecure is not seriously trying to be the next
messaging app, and Threema and Telegram are.

It would be nice if there was actually anything better than Telegram I could
recommend to my friends, but there just isn't.

~~~
foobarqux
moxie has openly invited devs to use TextSecure as a backend.

------
oleganza
Just FYI. While Bitmessage is not a fast option (anti-spam proof-of-work per
message may take a couple of minutes), it is a remarkable example of a very
secure messaging tool in every aspect. Its design even gives you better
privacy than Tor.

More info: [https://bitmessage.org](https://bitmessage.org)

The idea behind Bitmessage is that messages are fully encrypted (including
recipient's address) with per-message random DH key derived from recipient's
key. Then message is transmitted to everyone in a p2p network. Every node
tries to decrypt the message with its key and if it succeeds - that's the
message for them. If not, it passes the message to other nodes. Propagation
time is quick, but to prevent DoS, each message goes with an expensive one-
time proof-of-work proportional to the message size. Another measure is
artificial separation of messages and nodes in "streams" so that message is
only propagated within a smaller part of the network. As network grows this
will not hurt privacy, but will keep amount of data flowing around in check.
Bitmessage in principle is like email (that is checked every few minutes, not
seconds) rather than real-time chat. But the idea could be brought to real-
time chats too if we solve DoS and bandwidth issues in a different way.

~~~
thedufer
How do you initially learn a recipient's key? That seems to often be the
problem point.

~~~
oleganza
How do you learn someone's username or email? They tell it to you. Actually,
in Bitmessage they tell you an "address" which is a compact hash of a pubkey.
Then, p2p network uses special kind of message "what's the pubkey for this
address?" which allows your client to find out the pubkey.

An address looks like this: BM-orkCbppXWSqPpAxnz6jnfTZ2djb5pJKDb (this one
belongs to an echo server). People who got used to Base58-encoded Bitcoin
addresses will find this familiar.

------
pearjuice
Please guys, Use AlternativeChatAppNoneofThePeopleIKnowAreOn.

The real problem with all of these oh-so-secure-much-better-alternative-chat-
apps is that nobody uses them. What's a communication network when there are
no communicators? Just a network.

Unless X or Y gets better traction than WhatsApp, you will just be "that guy"
who refuses to use WhatsApp and is instead on some novelty app nobody else
uses. Though tinfoil insults are passé, they will bring them back just for
you.

~~~
chadillac
Really makes me wonder why some of these existing clients don't just implement
the OTR stuff that is already pretty standardized on desktop clients.

[http://en.wikipedia.org/wiki/Off-the-
Record_Messaging](http://en.wikipedia.org/wiki/Off-the-Record_Messaging)

edit: looks like Xabber and ChatSecure both support it on Android.

~~~
kuschku
1\. Because you need to have a session open at every time 2\. Because OTR
appends the key for the next message on every single message, so if A is
sending several messages after each other while B is offline all of them will
be encrypted with the same key.

TextSecure fixed both of these issues but is otherwise based on OTR. You
should really look into it.

