
Why Telegram is insecure (2015) - known
https://medium.com/@thegrugq/operational-telegram-cbbaadb9013a
======
yogthos
So, here's the thing I'd like somebody to explain to me. Telegram encryption
spec is published, and the client is open source. This means you can verify
that the server is following the spec by creating a clean room client
implementation. You could even create a green field server implementation if
you wanted.

Telegram regularly has contests to break its encryption with a reward of 300K
USD
[https://telegram.org/blog/cryptocontest](https://telegram.org/blog/cryptocontest)

If it's not secure, then surely people would be cashing in on that sweet
money. So, why is it that we constantly see articles talking about how
insecure Telegram encryption is, but nobody is showing a proof of concept
attack or collecting the prize?

Unless somebody puts their money where their mouth is and shows an actual
exploit with code, it seems like pure FUD to me. On top of that, it appears
that attacks on Telegram often come from people associated with Signal in some
way. Signal is endorsed by NSA who have a history of promoting weak encryption
that they have found backdoors into. I hope everybody still remembers this
debacle
[https://golem.ph.utexas.edu/category/2014/10/new_evidence_of...](https://golem.ph.utexas.edu/category/2014/10/new_evidence_of_nsa_weakening.html)

~~~
saagarjha
> the client is open source

Uh, no it’s not. The client (which happens to seemingly violate a bunch of
open-source licenses) and the code posted to GitHub do not match; occasionally
a source dump is posted online but there’s no indication how this relates to
what they are shipping, as the released binaries differ and update much more
frequently. The author is quite unresponsive about this:
[https://github.com/overtake/TelegramSwift/issues/163](https://github.com/overtake/TelegramSwift/issues/163)

~~~
dijit
Sorry, that's just not true.

I have telegram-desktop (on Linux) which is unofficially distributed and
compiled on my laptop via AUR[0], FDroid also has a version of telegram which
is compiled from sources and not taken from pkg's released by the Telegram
group, although they remove non-free parts apparently[1].

I'm not sure about iOS as I don't currently have the means to verify the
content of my App Store iOS installed version of telegram, but the fact is
that there are (at least) 2 client implementations commonly used that are
compiled from source.

[0]:
[https://git.archlinux.org/svntogit/community.git/tree/trunk/...](https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/telegram-desktop)

[1]:
[https://www.reddit.com/r/fdroid/comments/9gmkob/why_is_teleg...](https://www.reddit.com/r/fdroid/comments/9gmkob/why_is_telegram_in_f_droid/e6m2is5/)

~~~
j16sdiz
how is it not true?

the version in github works, but the version on play store differs a lot
from it.

~~~
dijit
>and the code posted to GitHub do not match;

Well, I was challenging this assertion.

"Does not match" what thing exactly? My point was that people are using the
non-packaged versions (I mean, I'm not FOSS mad, I'm just a user and I'm using
the FOSS version almost by accident).

I would prefer the FOSS version to be 1:1 what is in the repo (or, even the
upstream of the non-free version), but I see the situation as more
chrome/chromium. We're not shitting on chrome for being "the most secure
webbrowser" despite having non-free elements.

Seemingly because large US tech companies deserve more respect than a guy who
was essentially exiled from his country for not handing over his users data?

Sounds like a double standard. Telegram's OSS edition works, so if they're
sneaking things in it would have to be a backdoor, which would be INCREDIBLY
damaging to their endeavour if it was found, and it would be relatively
trivial to find too. So I'm not sure where this FUD is coming from.

Making the argument about the server not being FOSS is valid though, but then
if the E2EE is good enough on the client then the server is basically a relay
and can't pilfer anything except metadata. (which, if we're honest, is what
governments are after anyway)

~~~
saagarjha
> I would prefer the FOSS version to be 1:1 what is in the repo (or, even the
> upstream of the non-free version), but I see the situation as more
> chrome/chromium.

Chrome is not GPL.

------
amaccuish
> Telegram links an account to a telephone number.

> If you want to use secure and private apps, I recommend: Signal Private
> Messenger: [https://signal.org..](https://signal.org..).

I feel it's wrong to criticise Telegram for using phone numbers, and then in
the same breath recommend Signal.

~~~
Erlich_Bachman
Why do all messengers keep requiring phone numbers? Is it because of the
problem of spam? Couldn't this easily be prevented by for example requiring
consent before sending messages to new contacts? You could for example have it
work 2 ways: 1) require a phone number connected to message unknown contacts.
2) without phone number, requiring prior consent from any new unknown contact,
to message them.

~~~
etatoby
Because:

1. WhatsApp was the first widely-used such app and it was phone number-based,
so all the clones use the same system.

2. Non-technical people have a hard time (read: bordering on impossible)
remembering their usernames, let alone passwords, and by using the phone
number as both identification and authorization, the problem is sidestepped.

3. People have an existing address book of contacts (in the form of phone
numbers) in their mobile phones, that can be used to pre-populate the app's
buddy list.

~~~
davestephens
Re 2 - Blackberry Messenger used an eight character alphanumeric ID, and was
enormously popular in the UK (not sure about other countries however) - until
Blackberries died a death at the hands of Apple and Android...

~~~
matwood
Was BB ever really mainstream? I know it had loyal following, particularly for
business users. But, at its peak it had 80M users globally. Most people still
had basic phones then, and many of those with BlackBerries probably had an IT
department supporting them.

~~~
DanBC
BB was thoroughly mainstream in the UK.

[https://www.theguardian.com/media/2011/aug/08/london-riots-f...](https://www.theguardian.com/media/2011/aug/08/london-riots-facebook-twitter-blackberry)

from 2010 / 2011

> Using BlackBerry handsets – the smartphone of choice for the majority (37%)
> of British teens, according to last week's Ofcom study – BBM allows users to
> send one-to-many messages to their network of contacts, who are connected by
> "BBM PINs". For many teens armed with a BlackBerry, BBM has replaced text
> messaging because it is free, instant and more part of a much larger
> community than regular SMS.

------
grugq
Not sure what the policy is on plagiarism, but this post plagiarized my write
up.

The structure is the same and the section headings are the same. It is blatant
plagiarism.

[https://link.medium.com/cWfUtKQjgT](https://link.medium.com/cWfUtKQjgT)

~~~
rrdharan
Author just edited it and added your post as a reference:

[https://gitlab.com/edu4rdshl/blog/commit/2fc4d85714d2bde3aca...](https://gitlab.com/edu4rdshl/blog/commit/2fc4d85714d2bde3aca669c86998154c9e840f10)

...

+ 7 [https://medium.com/@thegrugq/operational-telegram-cbbaadb901...](https://medium.com/@thegrugq/operational-telegram-cbbaadb9013a)
by [https://twitter.com/thegrugq](https://twitter.com/thegrugq)

~~~
grugq
He did only after I publicly called him out[0]. And it is still plagiarism.

“Plagiarism is the "wrongful appropriation" and "stealing and publication" of
another author's "language, thoughts, ideas, or expressions" and the
representation of them as one's own original work.”[1]

[0]
[https://twitter.com/Edu4rdSHL/status/1081971696431706113](https://twitter.com/Edu4rdSHL/status/1081971696431706113)

[1]
[https://en.m.wikipedia.org/wiki/Plagiarism](https://en.m.wikipedia.org/wiki/Plagiarism)

------
x092
What I find interesting is that this article is very recent, however the
calculations on Crypto are not up to date. MtProto has had some big changes
some time ago already:

- SHA-256 is used instead of SHA-1;

- Padding bytes are involved in the computation of msg_key;

- msg_key depends not only on the message to be encrypted, but on a portion
of auth_key as well;

- 12..1024 padding bytes are used instead of 0..15 padding bytes in v.1.0.

See
[https://core.telegram.org/mtproto/description](https://core.telegram.org/mtproto/description)
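
The four changes x092 lists can be put side by side in code. The following is an added example written for this page, not code from Telegram or from any client; it follows the key-derivation text of the public MTProto description linked above as I read it (check the slice offsets against the spec before relying on them), uses a constructed auth_key, and leaves out the AES-256-IGE encryption step itself because the standard library has no AES. auth_key is the 2048-bit shared key; x is 0 for client-to-server and 8 for server-to-client messages.

```python
"""MTProto 1.0 vs 2.0 msg_key and AES key/IV derivation (added illustration,
not Telegram code).  Only the parts x092 lists as changed are shown; the
AES-256-IGE step is omitted."""
import hashlib
import hmac
import secrets
from typing import Tuple


def _sub(data: bytes, offset: int, length: int) -> bytes:
    return data[offset:offset + length]


def mtproto1_msg_key(plaintext: bytes) -> bytes:
    # v1.0: msg_key = substr(SHA1(plaintext without padding), 4, 16).
    # It covers neither the padding nor any part of auth_key.
    return _sub(hashlib.sha1(plaintext).digest(), 4, 16)


def mtproto2_pad(plaintext: bytes) -> bytes:
    """v2.0 padding rule: append 12..1024 random bytes so that the total
    length is a multiple of 16."""
    pad_len = 12 + (-(len(plaintext) + 12)) % 16                  # smallest legal padding
    pad_len += 16 * secrets.randbelow((1024 - pad_len) // 16 + 1)  # optional extra blocks, still <= 1024
    return plaintext + secrets.token_bytes(pad_len)


def mtproto2_msg_key(auth_key: bytes, x: int, padded_plaintext: bytes) -> bytes:
    # v2.0: msg_key_large = SHA256(substr(auth_key, 88+x, 32) + plaintext + padding)
    #       msg_key       = substr(msg_key_large, 8, 16)
    # Both the padding and a slice of auth_key are now bound into msg_key.
    if len(auth_key) != 256 or x not in (0, 8):
        raise ValueError("auth_key must be 256 bytes and x must be 0 or 8")
    msg_key_large = hashlib.sha256(_sub(auth_key, 88 + x, 32) + padded_plaintext).digest()
    return _sub(msg_key_large, 8, 16)


def mtproto2_aes_key_iv(auth_key: bytes, x: int, msg_key: bytes) -> Tuple[bytes, bytes]:
    # v2.0 key schedule: two SHA-256 calls replace the four SHA-1 calls of v1.0.
    sha256_a = hashlib.sha256(msg_key + _sub(auth_key, x, 36)).digest()
    sha256_b = hashlib.sha256(_sub(auth_key, 40 + x, 36) + msg_key).digest()
    aes_key = _sub(sha256_a, 0, 8) + _sub(sha256_b, 8, 16) + _sub(sha256_a, 24, 8)
    aes_iv = _sub(sha256_b, 0, 8) + _sub(sha256_a, 8, 16) + _sub(sha256_b, 24, 8)
    return aes_key, aes_iv


def mtproto2_verify(auth_key: bytes, x: int, decrypted: bytes, received_msg_key: bytes) -> bool:
    """Receiver-side check after AES-IGE decryption: recompute msg_key over the
    decrypted bytes (padding included) and compare in constant time.  A real
    receiver must also parse the inner length field and reject padding outside
    12..1024; a message failing either check is discarded."""
    expected = mtproto2_msg_key(auth_key, x, decrypted)
    return hmac.compare_digest(expected, received_msg_key)


if __name__ == "__main__":
    auth_key = bytes(range(256))            # constructed stand-in for a 2048-bit auth_key
    padded = mtproto2_pad(b"constructed plaintext")
    mk = mtproto2_msg_key(auth_key, 0, padded)
    key, iv = mtproto2_aes_key_iv(auth_key, 0, mk)
    print("v1 msg_key:", mtproto1_msg_key(b"constructed plaintext").hex())
    print("v2 msg_key:", mk.hex(), "key:", key.hex(), "iv:", iv.hex())
```

Running mtproto2_msg_key twice on the same plaintext with fresh padding gives two different keys, and changing any byte of auth_key or flipping x changes it again, which is what the second and third bullets mean in practice; mtproto1_msg_key depends on nothing but the unpadded plaintext. Note that in both versions msg_key is a hash over the plaintext and is checked only after decryption, so the AES step must come before the integrity check.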

~~~
Fnoord
None of these changes are big enough; it is still homebrew crypto. If there's
issues with cryptography standards you can be sure your OS (such as your Linux
distribution) lost CIA in one way or another. Whereas with MTProto, if that is
broken, only your Telegram chats lose CIA. Which raises the question why _not_
use standards?

~~~
raverbashing
So Signal and others are not "homebrew crypto"?

That criticism is fair a lot of times, but every higher level crypto
construction is going to be unproven for a while until checked.

It's not like they were inventing their own hash function and stream cypher.

~~~
tptacek
Signal is the best-studied multiparty secure messaging protocol; there are
academic papers that provide formal analyses. Trevor and Moxie won the Levchin
Prize at Real World Crypto for Signal Protocol; the Levchin steering committee
is a "Who's Who" of cryptographers, as are the other winners of the prize.

No, Signal is not "homebrew crypto".

~~~
raverbashing
What would be a good definition of Homebrew crypto?

Sure, if I put some primitives together (even if I had a good knowledge of how
to do it) in a closed product and nobody evaluates it (and I add a label like
"military security") that's Homebrew, no questions.

But all systems are born "in secret" (at least for a short while). Unless the
definition involves appeal to authority.

~~~
tptacek
Obviously, the term is a straightforward appeal to authority.

~~~
raverbashing
Which is sometimes unjustly described as fallacious, though even the best can
make mistakes.

~~~
tptacek
Hopefully we agree on the authority here. But I jumped the gun on my response
a little as well, because my argument isn't simply an appeal to authority; for
instance, you can just go read the formal analyses of Signal Protocol and
evaluate them for yourself. Maybe IEEE EuroS&P was wrong to accept the paper!

------
lucb1e
Any reason you mention Signal and Threema but not Wire? Wire is objectively
superior as far as I can tell.

For a quick (probably incomplete) comparison, Wire has proper multi-device
support (not sure how Threema does that), open source and cross-platform
clients and open source server (Threema does not appear to have a Linux client
nor publishes sources as far as I can tell), it's free (allowing everyone to
use it, even if you're in a country where it's hard to pay from), it has a
proper profit model (unlike Telegram, and to a much lesser extent Signal), and
it does not require a phone number.

The two major downsides of Wire are the battery usage due to all clients being
Electron, and that few people know about it (hence my prompt to give them a
mention). Not major stoppers I'd say...

~~~
mfwoods
> not proxying through your phone which Signal used to do and maybe still does

This is what Whatsapp does. Signal never did and has real multi-device
support.

> and the Signal server is closed source

It's not: [https://github.com/signalapp/Signal-Server](https://github.com/signalapp/Signal-Server)

~~~
fro0116
> This is what Whatsapp does. Signal never did and has real multi-device
> support.

This is news to me. Curious then, why is it not possible to use Signal desktop
without a phone?

[https://support.signal.org/hc/en-us/articles/360008216551-In...](https://support.signal.org/hc/en-us/articles/360008216551-Installing-Signal)

> Can I install Signal Desktop without a mobile device?

> Signal Desktop must link with either Signal Android or Signal iOS to be
> available for messaging.

~~~
xashor
You must link a client with a mobile device, but after that apparently you can
use e.g. the Desktop client without your mobile phone turned on.

------
VvR-Ox
Threema is proprietary and I think it's dangerous to recommend it as an
alternative. Everything we trust should be open.

Telegram is not perfect but better than WhatsApp. Also there are people who
want convenience like history sync - it won't help telling them that it's
insecure. In the end at least Facebook doesn't have their data.

For NSA etc. it's not that important where stuff is. From the leaks we know
they can do everything they want (expertise + huge money) so if you want
something more secure you maybe shouldn't use one of the popular solutions at
all ;-)

~~~
chappi42
> Threema is proprietary and I think it's dangerous to recommend it as an
> alternative. Everything we trust should be open.

On the other hand, they have been audited [1], have transparency reports [2]
and their servers are Swiss based [3]. Yes, open source would be nice, but a
relatively small company with a focused business model (not dependent on
advertisement, data-gathering, donations, kind [bi|mi]llionaires) has its
advantages too.

I've been using Threema for some years and wouldn't want anything else.

[1]:
[https://threema.ch/en/faq/code_audit/](https://threema.ch/en/faq/code_audit/)
[2]:
[https://threema.ch/en/transparencyreport](https://threema.ch/en/transparencyreport)
[3]:
[https://en.wikipedia.org/wiki/Threema#Privacy](https://en.wikipedia.org/wiki/Threema#Privacy)

~~~
gsich
>their servers are Swiss based

which doesn't mean anything.

~~~
chappi42
Why not? Law, regulation and policies matter. The servers fall under the
jurisdiction of the country where they are located.

There are certainly other options, but I think Switzerland is among the
countries with quite reasonable data protection laws. Here the text...
[https://www.admin.ch/opc/en/classified-compilation/19920153/...](https://www.admin.ch/opc/en/classified-compilation/19920153/index.html)
or some statements which I found with a quick google search:
[https://protonmail.com/blog/switzerland/](https://protonmail.com/blog/switzerland/)
or [https://swissmade.host/en/data-protection](https://swissmade.host/en/data-protection).

------
arctica123
Does anyone have experience with using Matrix [0] as an alternative to
Telegram and Signal? Maybe even running your own homeserver which stores your
history on a server you control and syncs that across all devices?

As far as I saw you can also bridge to other messaging services, even to
WhatsApp [1] which is why it might be worth a try.

[0] [https://matrix.org/blog/home/](https://matrix.org/blog/home/) [1]
[https://github.com/tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp)

~~~
pinusc
I'm currently self-hosting a Matrix homeserver! I got a few friends to join me
and we use it to chat daily.

I can't really speak for its security. Afaik the protocol is almost considered
stable, and I trust it for everyday communications — but I wouldn't trust it
if dealing with a nation-state level adversary.

The only privacy pain point is that if you run a synapse home server (the
reference implementation), by default your voice and video chats are routed
through Google's servers. You have to run your own TURN server alongside
synapse to prevent this. This is fine, but imho it's not well explained on the
install guide.

Riot is... Okay. It's great for power users, but imho is quite obscure for
the average chat app user; the ux isn't great yet. Perhaps with the
redesign...

Lastly, bridges are the biggest reason why I want matrix to succeed... But as
of now, none of them are really useful or even usable. They're all in very
early stages of development and need contributions.

~~~
squeezingswirls
>Lastly, bridges are the biggest reason why I want matrix to succeed... But as
of now, none of them are really useful or even usable

Why do you say that? I know many projects using bridges successfully. For
example the UBports [0] guys have bridges between their Telegram and Matrix
rooms.

Besides FluffyChat [1] works wonderfully on UT phones, so that's a plus for
them.

[0] [https://ubports.com/](https://ubports.com/) [1]
[https://christianpauly.github.io/fluffychat/](https://christianpauly.github.io/fluffychat/)

------
wtmt
This post has some useful information, but the recommendation of other
centralized platforms that rely on a phone number make this post seem like the
pile of FUD that Telegram has been enduring for long. Contact theft, metadata,
susceptibility to phone number for setting up or verifying an account are
issues shared by the other recommendations too. [1] For someone who doesn’t
know much about security, it comes down to “who can be trusted”, and that
question applies to Signal and Threema too.

[1]: Edit. I wasn’t aware that Threema does not require phone numbers. Thanks
to dbrgn for correcting me.

~~~
dbrgn
Threema does not rely on phone numbers. You can use it anonymously, and you
can add other contacts without knowing their phone number.

More details can be found in the crypto whitepaper: [https://threema.ch/press-files/2_documentation/cryptography_...](https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf)

------
dm33tri
Telegram is popular because of its convenience, not security. I've tried
using whatsapp and the app seemed so much inferior: no nicknames, crippled
desktop client, no separate contact list. It happened so that telegram became
some kind of standard for formal chatting in my country (universities,
businesses, journalists, officials use it) even though it's blocked by ISPs
(still works fine most of the time), I think mainly because you don't have to
expose your phone number to be contacted and you can easily use it on desktop
(also bots, I know one big store chain that uses tg bots for managing your
bonus programme).

------
ymolodtsov
Yes, because it’s such a delight not to have a synced history across
devices. When I was figuring out how to transfer WhatsApp history from my
mother’s Android to her new iPhone I realized that was no longer possible
unless you use some wacky paid tools, because one only syncs with Drive and
the other with iCloud. Although I’d love to log in to Telegram with Authy.

~~~
lucb1e
The usability of Telegram is indeed awesome and I'm sure that's why it's so
widely used (well, that and it not being owned by Facebook). But there are so
many choices they could have done better.

So you want synchronised devices? Encrypted ("secret") group chats? Heck,
encrypted group video calls? Wire.com has you covered.

You want chat history? Any of your old devices could transfer the encryption
key via a QR code or by having you type it over. The server could store opaque
blobs that only your devices can decrypt.

The only thing you can't do with current technology is server-side searching
without server-side access to the plaintext (as far as I know, homomorphic
encryption is not practical enough yet for that). But they could at least give
you the option not to store your plaintexts and only have device-local
searching. I'd just put a telegram-cli client on my server and have searches
deferred there. Heck, media storage could be deferred there so I don't use
hundreds of gigabytes (that's how large my account is) on their servers with
no known profit model. The whole thing is just so shady.

Anyway, most of the features are easily possible, but instead of working on
it, Telegram keeps perpetuating insecure defaults since they launched. The
desktop client never even supported encrypted chats. They make it very
cumbersome to use the encryption (mobile only, no device sync) that I do it
only for a few exceptional cases.

~~~
wtmt
I don’t understand why Telegram still doesn’t have E2E (“secret chats”) on the
desktop. That’s such a pain for longer and hotter conversations when one needs
to type a lot.

~~~
romseb
The App Store MacOS version of Telegram offers end-to-end encrypted chats.

~~~
wtmt
Thanks. I wasn't aware of that, and will look into it. But if at all it
doesn't sync secret chat across devices, then it's again not of much value.

------
Gasp0de
"Telegram provides a feature called "Links previews" that's available and on
by default in non-encrypted chats; anyway, if you use a "Secret chat", the
Telegram app asks you if you want to use "links previews", advertising that
the previews are done on the server side. How can they know what links you are
writing? Can they still read your messages if you are using "Secret chats"?
(Not sure, but it is an edge case)."

They probably do pattern matching on the app, why would they need to send
anything to the servers for content previews?

~~~
morrbo
Not verified but i'd imagine the retrieval of the metadata (the cards/tags
needed to show the image previews, etc.) is done by proxying via telegram
servers, possible to prevent semi-doxxing someone (returning their real IP)
just by sending them a message?

------
qwerty456127
> Telegram provides a feature called "Links previews" that's available and on
> by default in non-encrypted chats; anyway, if you use a "Secret chat", the
> Telegram app asks you if you want to use "links previews", advertising that
> the previews are done on the server side. How can they know what links you
> are writing? Can they still read your messages if you are using "Secret
> chats"? (Not sure, but it is an edge case).

It feels reasonable to assume the Telegram client detects the links (using a
regexp or something) and sends them to the server side. Of course they see the
links if you ask them to but this doesn't mean they also see all the text.

------
ancarda
Sadly switching to Signal, Wire, and other "technologically superior to
Telegram" apps means a drop in user experience. For example, I tried switching
to Wire recently but I found that setting up a new device means I wouldn't
have access to my old messages.

I understand these apps don't want to upload messages to a server, but can't
messages be synced between clients? Even if I had to scan a QR code on my
phone to sync with my laptop and had to stay on the same Wi-Fi network until
it was done, it could then sync historical messages. I have Telegram messages
from 2015 when I had a different computer, laptop, phone, and lived in a
different house.

This is also why I don't use the secret chat on Telegram. As soon as you add
too much encryption and security you have to trade-off usability. Must it
always be that way? If you have to choose between security and usability,
people will always choose usability.

~~~
kitsunesoba
Those other more secure chat apps also treat desktop as an afterthought or
worse, which is simply not acceptable for my use case. I live at my desk, not
on my phone, and expect desktop to be treated as a first class citizen. At
present, the only two services that do this are iMessage and Telegram, so I
use iMessage with everybody with Apple stuff and Telegram for everybody else.

------
fabiandesimone
I checked Threema because of this post (didn't know about it) and while
searching, some people are complaining about it being under control of the
Russian gov? Does anyone know anything about this?

[https://www.newsbtc.com/2017/10/04/crypviser-secure-messagin...](https://www.newsbtc.com/2017/10/04/crypviser-secure-messaging/)

~~~
dbrgn
Threema does not fall under Russian jurisdiction, so no.

[http://www.ewdn.com/2017/03/16/russia-adds-intrernational-me...](http://www.ewdn.com/2017/03/16/russia-adds-intrernational-messenger-threema-to-official-registry-with-a-view-to-control-users-communications/)

> Interviewed by Runet Echo, a Threema spokesperson said, however: “We operate
> under Swiss law and are neither allowed nor willing to provide any
> information about our users to foreign authorities.”

~~~
gsich
That seems suspiciously specific.

>foreign authorities

This reads as "but local authorities are no problem" to me.

~~~
dbrgn
Check out the transparency report for details:
[https://threema.ch/en/transparencyreport](https://threema.ch/en/transparencyreport)

------
tareqak
At the end, the author recommends Signal
([https://signal.org/](https://signal.org/)) and Threema
(([https://threema.ch/en](https://threema.ch/en)). I've never heard of Threema
before, but having more viable options in this space is definitely a good
thing.

~~~
polskibus
Signal requires phone number just like Telegram does. Does it mean it is
susceptible to the same attack that Telegram is?

~~~
xashor
With Signal, if the number registers a new account like in this attack
scenario, 1. the attacker cannot access old/pending messages (as they are
_always_ encrypted), and 2. the person on the other side of the conversation
gets a warning that the keys have changed, thus need new verification before
continuing the conversation. So, Signal is more secure on that front.
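
As an added illustration of the two points xashor makes (this is not Signal's code; the keys and phone number below are constructed, and the fingerprint is a simplified stand-in rather than Signal's actual safety-number algorithm), here is the client-side check that produces the "keys have changed" warning: the identity key seen for a number is pinned on first use, and a re-registration with a fresh key is flagged instead of silently accepted. A service that authenticates by phone number alone and serves history from the server has no equivalent place to raise such a warning.

```python
"""Identity-key pinning on phone-number re-registration (added illustration,
not Signal code).  Keys and numbers are constructed stand-ins."""
import hashlib
from typing import Dict, List


class IdentityPins:
    """Trust-on-first-use: remember the identity key first seen for a number
    and refuse to silently accept a different one later."""

    def __init__(self) -> None:
        self._pins: Dict[str, bytes] = {}

    def observe(self, number: str, identity_key: bytes) -> str:
        pinned = self._pins.get(number)
        if pinned is None:
            self._pins[number] = identity_key
            return "first_use"
        if pinned == identity_key:
            return "unchanged"
        # A new key for a known number is exactly what a SIM-swap or SMS-intercept
        # re-registration looks like.  Surface it and block sending until re-verified.
        return "changed"

    def reverify(self, number: str, identity_key: bytes) -> None:
        """Only after the fingerprints have been compared out of band."""
        self._pins[number] = identity_key


def fingerprint(key_a: bytes, key_b: bytes) -> str:
    """Order-independent 30-digit fingerprint for a pair of identity keys.
    Simplified: SHA-256 over both keys in sorted order, six groups of five
    digits.  Signal's real safety numbers use a different, iterated construction."""
    digest = hashlib.sha256(b"".join(sorted((key_a, key_b)))).digest()
    return " ".join(str(int.from_bytes(digest[i:i + 5], "big") % 100000).zfill(5)
                    for i in range(0, 30, 5))


def simulate_number_takeover() -> List[str]:
    """Constructed scenario: Bob pins Alice's key, Alice messages again, then an
    attacker who took over Alice's number re-registers it with a fresh key.
    The third observation is the one a client must warn about."""
    alice_key = hashlib.sha256(b"alice-identity-key").digest()        # constructed stand-in
    attacker_key = hashlib.sha256(b"attacker-identity-key").digest()  # constructed stand-in
    bob = IdentityPins()
    number = "+15550100"                                               # constructed number
    return [bob.observe(number, alice_key),
            bob.observe(number, alice_key),
            bob.observe(number, attacker_key)]


if __name__ == "__main__":
    print(simulate_number_takeover())   # ['first_use', 'unchanged', 'changed']
```

The pin store is the whole mechanism: the attacker's re-registration does not give them Alice's old identity key, so messages already encrypted to it stay unreadable, and the mismatch is what Bob's client turns into a warning.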

~~~
mesaframe
Telegram got two factor support which a user can enable anytime for security.

------
saagarjha
> When registering an account with Telegram, the app helpfully uploads the
> entire Contacts database to Telegram's servers (optional on iOS).

The Telegram iOS client has started pushing dark patterns to get me to upload
my contacts: it now shows a perpetual “badge” in the app’s main tab view (so
that I can’t ever miss it), as if it has an error or alert it needs to tell me
about. If I tap on it Telegram will helpfully tell me, on a visually broken
page, that I should please allow Telegram to access and upload all my contacts
to “seamlessly find all my friends” (like I needed this).

~~~
Fins
You may not need it, but FSB sure does.

------
d0mine
To summarize: there is a _theoretical_ concern about the MTProto protocol used
by Telegram.

Mentioning "nation states" is laughable and it seems everybody should be
reminded that not only advertisers have access to "metadata" generated by
their mobile devices.

To make the life less convenient but more "secure", one could enable "secure
chats", set an explicit password and don't allow access to the Contacts on
iOS.

~~~
opencl
A theoretical concern about MTProto _that was already fixed over a year ago_
with MTProto 2.0.

------
stabbles
I made a habit of using automatically disappearing messages in chat using
Signal (after a day or week). You have to manually save important messages,
but typically this is not an issue.

The only downside is that the Signal servers may store automatically
disappearing messages until all devices have received it, so you can't rely on
messages being removed in due time.

It would be nice to have an e2e encrypted p2p messaging platform to overcome
this issue.

~~~
xena
So, Tox?

~~~
eeZah7Ux
No way. Tox claims to keep users safe from governments and does not even have
a threat model in the documentation.

------
pmlnr
XMPP: OMEMO, XEP-313, XEP-280, done. Cross-device e2e encrypted, synchronized
messages. Local storage is not in-app encrypted though, but that needs to be
taken care of on the system level anyway in my opinion.

~~~
lucb1e
Where can I sign up?

Serious question because I can't tell a few dozen friends and family to either
run their own server, nor do I want to play customer support for all of them.

~~~
throwaway72555
Also take a look at Quicksy [0]. It is done by the author of Conversations but
allows phone number sign up, which simplifies things for non-tech people.

[0] [https://quicksy.im/](https://quicksy.im/)

------
tinus_hn
So storing data remotely is now a security nightmare? It doesn’t really help
to exaggerate like this.

~~~
mfwoods
Not necessarily. But storing them in plain text on the server and all history
accessible just by hijacking a phone number (or a single text message) is,
considering the alternatives, don't you agree?

~~~
jhasse
How do you know that it is stored in plain text on the server?

~~~
mfwoods
Because there is no end to end encryption (other than some very limited
temporary one on one chats that only work between two mobile devices) which
means the server can (and does) read and store all your messages. Getting
access to your full chat history is as simple as intercepting a single text,
because the server has access to your plain text messages.

They might do some form of encryption to store the messages, but this is
meaningless when they also have access to the keys and can decrypt any message
whenever they want.

~~~
tinus_hn
So in essence, like about any service that performs manipulations on your
files? Like a storage service that creates thumbnails of your photos?

------
john4534243
Telegram does not store private keys only on the client. On the other hand
Telegram splits the private key and stores it on multiple servers in several
countries, making it legally very, very hard to process requests. But this also
means the founders or just some developer who has access to the servers can
read the messages as they have access to the private keys. The Signal app is more
secure. The Signal app does not store private keys on the server. The following FAQ
is from the Telegram site.

Q: Do you process data requests?

Secret chats use end-to-end encryption, thanks to which we don't have any data
to disclose.

To protect the data that is not covered by end-to-end encryption, Telegram
uses a distributed infrastructure. Cloud chat data is stored in multiple data
centers around the globe that are controlled by different legal entities
spread across different jurisdictions. The relevant decryption keys are split
into parts and are never kept in the same place as the data they protect. As a
result, several court orders from different jurisdictions are required to
force us to give up any data.

Thanks to this structure, we can ensure that no single government or block of
like-minded countries can intrude on people's privacy and freedom of
expression. Telegram can be forced to give up data only if an issue is grave
and universal enough to pass the scrutiny of several different legal systems
around the world.

To this day, we have disclosed 0 bytes of user data to third parties,
including governments.

### End of FAQ ###

Even the secret chats in Telegram are not secret because the protocol is
custom developed by amateur devs. It is not tested and I have seen some
articles on methods to attack it; I could not get the link now.
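
The FAQ's "keys are split into parts" statement describes a legal control rather than a cryptographic one: whoever holds enough parts rebuilds the key, and the operator runs all the custodians. As an added example (not Telegram's code; the FAQ does not say which splitting scheme is used, so this is textbook Shamir secret sharing over a prime field, with constructed custodian names), the following shows that two shares out of three rebuild a data key whether they arrive via two court orders or from the operator's own machines, and that a single share on its own is refused.

```python
"""Threshold key splitting (added illustration, not Telegram code).
Shamir secret sharing over GF(P); custodian names are constructed."""
import secrets
from typing import Dict, List, Tuple

# Mersenne prime 2^521 - 1: a 256-bit data key fits in a single field element.
P = (1 << 521) - 1

Share = Tuple[int, int]


def split_key(key: bytes, threshold: int, n_shares: int, rng=None) -> List[Share]:
    """Return n_shares points (x, f(x)) of a random degree threshold-1 polynomial
    whose constant term is the key; any `threshold` of them recover it."""
    rng = rng or secrets.SystemRandom()
    secret = int.from_bytes(key, "big")
    if not (0 <= secret < P and 1 < threshold <= n_shares):
        raise ValueError("key too large or bad threshold/share count")
    coeffs = [secret] + [rng.randrange(1, P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def recover_key(shares: List[Share], threshold: int, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0.  Fewer than `threshold` shares carry no
    information about the key, so the function refuses rather than guessing."""
    if len(shares) < threshold:
        raise ValueError("not enough shares")
    pts = shares[:threshold]
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret.to_bytes(key_len, "big")


def jurisdiction_demo(rng=None) -> Dict[str, bytes]:
    """Constructed scenario: one data key, 2-of-3 shares held by three legal
    entities.  Two court orders (two shares) suffice; so does the operator,
    who has all three custodians' disks."""
    data_key = secrets.token_bytes(32) if rng is None else rng.randbytes(32)
    shares = split_key(data_key, threshold=2, n_shares=3, rng=rng)
    custodians = dict(zip(["entity_A", "entity_B", "entity_C"], shares))  # constructed names
    via_two_orders = recover_key([custodians["entity_A"], custodians["entity_C"]], 2)
    via_operator = recover_key(list(custodians.values()), 2)
    return {"key": data_key, "two_orders": via_two_orders, "operator": via_operator}


if __name__ == "__main__":
    result = jurisdiction_demo()
    print("two court orders recover key:", result["two_orders"] == result["key"])
    print("operator alone recovers key: ", result["operator"] == result["key"])
```

The split raises the bar for an outside party that must compel several entities; it does nothing against the entity that controls all of them, which is the point john4534243 makes about developers with server access. An end-to-end design removes the data key from the server side entirely instead of spreading it around.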

------
zelon88
Sounds more like this guy works for a competitor than a security firm.

No proof, and he apparently didn't even test his own theories.

And the whole "Telegram isn't secure because nation states can abuse their
telcos to break 2fa" is, while accurate, also true for about 90% of the
internet.

And what's with this method of disclosure? It's not ethical or responsible.
It's plain defamatory.

------
wscott
Keybase.io is an alternative for secure chats. Anyone know how it compares to
signal, wire & threema?

~~~
otachack
I think Keybase does chat well and their code is open source. One issue I see
with them is that they seem in a perpetual beta phase, so who knows how
dependent you can be on their software. I also don't like the React Native
based phone apps as they don't feel native and lack polish. I also worry about
them having joined the crypto train with no reason besides being backed up by
Stellar foundation. The stake from Stellar into Keybase isn't clear and may
influence decision making in direction of Keybase.

The chat clients do have a nifty feature of setting up a time based, self
destroying message. And you can share git repos within your registered clients
and peers. They also have a shared filesystem and team based chat. You can
also generate a PGP key pair for identity. The feature list is vast.

The main point of Keybase is also sound in my book, which is to have a network
of proof such that you can prove who you are in your correspondence in
whatever social media or chat you use. You can even use the encryption /
decryption services of Keybase only and send the encrypted payloads however
you'd like.

I think with more polish on their clients and proven stability that Keybase
will be a great service to depend on. But I do think they need more personnel
and/or they need to step up on their social aspect because their last blog
post was 200 days ago.

~~~
AngryAnt
A bit of input on the beta worry:

By no means has our experience been flawless, but as a small business we have
been running entirely on Keybase for around a year and a half now.

We use Keybase every day for team & partner chat, shared storage, and git
repository hosting. Our email is on ProtonMail, A/V chat via Wire, and our
static websites I am not entirely sure where we host. Keybase IPs are not
fixed at time of writing, so a CNAME solution would be our only option for
root DNS hosting on Keybase - so we are not interested in that at the moment.

Again, we are just a small business and we do indeed run frequent backups of
repositories and KBFS to offline storage (though I am not sure I would want
things different with any other third party host), but given daily heavy
collaborative use for our size, we do not really have complaints on beta-ness.

Primary feedback at this point is mostly feature requests - like support for
git-lfs, static IPs for better DNS flexibility, minor client usability tweaks,
and support for tablet displays. Thankfully the Keybase team is very active in
community channels, so we have a good idea of the status of these things and
rapid turnaround time for bugfixes.

Active clients in the team are on android, Docker, iOS, macOS, and Win7.

------
TACIXAT
Let me preface this by saying I work in security and use Signal. That said,
the security industry can be incredibly obtuse at times. End users don't care.
Full stop. Having the best encryption isn't a selling point to the masses. I'm
making a chat app right now and I'm doing it exactly the same way as Telegram,
unencrypted by default with an E2E private chat option. Why? Search. I don't
need E2E. I use it based on principle. I do need to be able to search my
conversations. As long as the chat provider is trusted, I'm happy to have my
messages in plain text to be searchable and I think 99% of end users feel the
same way.

~~~
nitrogen
Why can't search be done entirely client side?

~~~
TACIXAT
It could, with IndexedDB or similar, but then you have a massive conversation
history being stored on user devices. Space is a precious commodity on phones.

~~~
xashor
For text? Nah. Most apps automatically store photos on your device, and that's
fine. Mobile phones have several GB of storage. That is enough for hundreds of
thousands of messages before it's even noticeable. Please reconsider your E2E
policy and don't make the world a more insecure place.
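
The client-side search that nitrogen asks about, as an added example that is not code from anyone in this thread: messages are decrypted on the device and indexed locally in an inverted index, so the server never needs plaintext to make history searchable. The sample messages are constructed, and a plain `Map` stands in for the persistent store (in a browser the index would be written to IndexedDB, which this example assumes rather than implements).

```javascript
// Client-side search over an E2E chat history (added example, not from the thread).
// Messages arrive already decrypted on the device; the index lives on the device too.
// Storage assumption: a Map stands in for IndexedDB so this runs in Node as well.

// Split text into lowercase terms; drops punctuation, keeps Unicode letters and digits.
function tokenize(text) {
  return text.toLowerCase().match(/[\p{L}\p{N}]+/gu) || [];
}

// Bytes a string takes in UTF-8 (works in browsers and Node without Buffer).
function utf8Bytes(s) {
  return new TextEncoder().encode(s).length;
}

class LocalSearchIndex {
  constructor() {
    this.messages = new Map(); // id -> { id, from, ts, text }
    this.postings = new Map(); // term -> Set of message ids containing it
  }

  // Index one decrypted message. Called once per message as it is received.
  add(msg) {
    this.messages.set(msg.id, msg);
    for (const term of new Set(tokenize(msg.text))) {
      if (!this.postings.has(term)) this.postings.set(term, new Set());
      this.postings.get(term).add(msg.id);
    }
  }

  // AND query: every query term must occur in the message. Newest first.
  search(query) {
    const terms = [...new Set(tokenize(query))];
    if (terms.length === 0) return [];
    // Intersect starting from the rarest term so the candidate set stays small.
    const size = (t) => (this.postings.has(t) ? this.postings.get(t).size : 0);
    terms.sort((a, b) => size(a) - size(b));
    let ids = this.postings.get(terms[0]);
    if (!ids) return []; // rarest term never occurs: nothing can match
    ids = new Set(ids);
    for (const t of terms.slice(1)) {
      const p = this.postings.get(t);
      if (!p) return [];
      ids = new Set([...ids].filter((id) => p.has(id)));
    }
    return [...ids].map((id) => this.messages.get(id)).sort((a, b) => b.ts - a.ts);
  }

  // Rough on-device footprint: message text plus postings entries, in bytes.
  // Used to sanity-check the "text search fits on a phone" argument above.
  approxBytes() {
    let bytes = 0;
    for (const m of this.messages.values()) bytes += utf8Bytes(m.text) + 24;
    for (const [term, ids] of this.postings) bytes += utf8Bytes(term) + ids.size * 8;
    return bytes;
  }
}

// Constructed sample data: what the client holds after decryption.
const SAMPLE_MESSAGES = [
  { id: 1, from: "alice", ts: 1000, text: "Can we move the meeting to tomorrow at 10?" },
  { id: 2, from: "bob", ts: 1001, text: "Tomorrow works. Same room?" },
  { id: 3, from: "alice", ts: 1002, text: "Yes, same room. Bring the Q3 budget draft." },
  { id: 4, from: "bob", ts: 1003, text: "Budget draft attached. Meeting notes from last week too." },
  { id: 5, from: "carol", ts: 1004, text: "Lunch tomorrow?" },
];

function buildSampleIndex() {
  const idx = new LocalSearchIndex();
  for (const m of SAMPLE_MESSAGES) idx.add(m);
  return idx;
}

// Average bytes per indexed message, for extrapolating to a full history.
function bytesPerMessage(idx) {
  return idx.approxBytes() / idx.messages.size;
}

const demo = buildSampleIndex();
console.log("meeting tomorrow ->", demo.search("meeting tomorrow").map((m) => m.id));
console.log("budget ->", demo.search("budget").map((m) => m.id));
console.log("approx bytes per message:", bytesPerMessage(demo).toFixed(1));
```

The index is rebuilt from the locally stored plaintext if it is ever lost, so nothing about search requires the provider to keep readable copies of messages; that is the trade-off the thread is arguing about.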

------
nithinm
The whole article is based on the fact that secret chats are not enabled by
default. But I don't understand why that's a critical point; if you are so
worried about privacy, just start a secret chat. Also, from what I can
understand, it's a design decision Telegram took. If secret chats are always
on, then the private key needs to be transferred from device to device and to
new devices, which is a security risk.

The point about the contacts is right, though. Also, I am a strict no for
closed-source privacy apps. Even though Telegram's code is open, the repo is
handled very badly, with squashed commits pushed once every few months and
issues disabled.

~~~
saagarjha
> But i dont understand why that's a critical point, if you are so worried
> about privacy just start a secret chat.

Usability is important. The more steps you put in the way of security, the
less likely people will do the right thing.

------
ape4
Is there a standard checklist for messaging services that want to be secure?

~~~
r3bl
EFF designed a way of scoring the security/privacy practices of IM
applications. They've called it Secure Messaging Scorecard.

While it was useful, they've decided it was a fruitless attempt[0] and their
arguments are very convincing to me. On the other hand, it's kind of shitty
not to have a reputable resource to point to and say "you shouldn't be using
this, it's at the bottom of this list". I appreciated the list while it was a
thing more for its bottom than its top.

[0] [https://www.eff.org/deeplinks/2018/03/secure-messaging-more-...](https://www.eff.org/deeplinks/2018/03/secure-messaging-more-secure-mess)

------
localguy
[https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHal...](https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHalWVztqZo7uxlCeKPQ-8uoFOU/htmlview?sle=true)
Digital Communications Protocols

------
enitihas
I think we should always remember that users want usability too and most of
the times aren't willing to surrender features for the extra gain in security.
If users preferred security, a lot more people would be using PGP.

------
xte
Telegram is insecure by nature because it's a proprietary service. It doesn't
really matter much how it is coded or how it appears to be coded.

Not to reduce the value of the author's analysis, of course, but just to
clarify a point: no proprietary service can be considered secure, no matter
how good and well-intentioned its owner is.

~~~
gtirloni
Unless you're advocating for P2P chat, I don't see how it's any different for
open source solutions. At some point you have to trust the people hosting the
centralized servers, OSS or proprietary.

~~~
xte
Of course, we need a decentralized solution at minimum, distributed at best.

Also, about trust: I can trust certain kinds of paid hosting/services a bit;
for instance, companies that are in my country under my country's law can be
trusted in the sense that I have a certain kind of legal protection and a
clear signed contract. It does not stop them doing things with my data that I
can't know about, but I have few options. Against services hosted elsewhere in
the world with "not-real-contracts" and zero formal fee, my possibility of
action is essentially ZERO, so I can't even be protected by my country's law.

------
fiatjaf
All these criticisms apply to Gmail, Slack, Hangouts, Skype, whatever.

~~~
saagarjha
None of these use “security” as a primary component of their advertising
strategy.

