While I am wary of "build-your-own-crypto", saying it has a poor security record is, to my knowledge so far, incorrect. I have yet to see satisfactory cryptanalysis that shows a weakness (theoretical or real) in the protocol. If anything, it seems to withstand scrutiny so far. Even the dedicated security.se.com question[0] seems like it wraps itself in tautologies.
Until then, throwing the "homegrown encryption" argument to argue for Telegram's weakness is hand-waving and a straw man.
Telegram's security is sufficient for the threat model I have to face against now and in the future.
Well, to me the whole thing is about a couple of things:
When Telegram first launched, people were reading their crypto whitepaper and going "Whoa, this is weird. You should probably not be doing it like this", and the reply was "Well, our 6 world champion coders (did you win a coding world championship?) think it is nice. Deal with it".
They then launched a bullshit crypto challenge (which would have been secure even using crypto primitives we _know_ are insecure). People told them that wasn't how it was done. They replied something cocky about world champion coders.
A couple of months later, someone found a gaping hole where the server could MITM every newly started secret chat (which their hack for forward secrecy a couple of years later would have made possible for every 100 messages).
I think their attitude towards encrypted messaging hasn't left puberty yet, and I recommend against it for everyone looking for a secure messenger. For anyone looking for a more convenient whatsapp without caring much for privacy by default, I don't mind recommending Telegram.
Regarding your future threat model: I certainly can't say whether having a copy of a significant chunk of my private communication on a server in Russia is a future threat to me. On the other hand, I don't use any social media, and have proper data retention policies on most of my online communications.
FWIW, four years ago, the HN zeitgeist considered the cryptography blunders made by Telegram, when combined with their hubris over how their protocol was clearly perfect, a death knell for the company from which they would never recover.
Indeed, I've been attacked and modded to oblivion on here for mentioning that I use Telegram, and the scope wasn't even security related, just an alternative to email for sending non-sensitive photos.
I've found Telegram to be more than good enough for day to day communications where I would previously have used email or SMS/MMS.
I'm normally on the Signal side of this argument, Telegram is trash and should not be used, but basic features like message editing are legitimate requests. I use Signal heavily and a number of times a day at least I or someone I'm chatting with corrects a previous poorly phrased or incorrectly typed message. Because Signal has no mechanism for that, it usually involves retyping most of the message or the relevant word and adding an asterisk. I believe if Signal had built-in message editing support it would be used far more than I currently see corrections.
To be clear, I would expect Signal to allow me to see previous versions of a message and clearly indicate that it's been changed, but message editing is a valid feature that Signal should absolutely implement.
I've been retyping the offending word and adding * since I started using chat programs 20 years ago, and in every program since...I would think allowing messages to be edited after the fact would allow more problems than solving simple grammar or spelling mistakes most people can think around anyways.
I'd imagine I would have thought the same thing before I actively used a messaging tool that supports message editing (I use Slack for work).
Further, the goal of Signal is not to work well for people who are accustomed to the various quirks of text-based communications that have existed since forever, but to provide a secure, modern communication client that normies don't find difficult to use. Message editing has become a standard feature of any usable modern messaging client.
Because people make (sometimes embarrassing) mistakes all the time. These circumstances can be saved if the recipient hasn't read the message, and if they already have, it can have a face-saving effect.
Very few people use Telegram because of its security. Literally nobody of my contacts even uses the secret chat feature. They didn’t care when WhatsApp introduced e2e either.
People(IME at least) use Telegram(or WhatsApp) because it’s a nice to use app, both mobile and desktop.
Yes, the best thing about Telegram is that it doesn’t treat the desktop as an afterthought. Its desktop clients are first class true native apps, not the usual hot mess of half baked web/electron things that are offered to desktop users these days.
Not entirely false, no. It does not have end-to-end encryption by default, and not at all for group chats, and the cryptography is a bigger unknown than with others.
> It does not have end-to-end encryption by default
That doesn't mean it "has a poor security record" (implying that the security is broken), it means it is not as secure as other options.
> not at all for group chats
May not be a requirement for group chats
> the cryptography is a bigger unknown than with others
Unknown does not mean bad, it means unknown. Almost definitely worse than Signal, but almost definitely better than Facebook Messenger.
To say Telegram is less secure than e.g. Signal is true. To say it "has a poor security record" is disingenuous and misleading. Once Telegram has had several security breaches, then that would be a fair phrase. Until then, there are levels of security for given threat models, and Telegram's is not as secure as others', by design.
Quoting Moxie: There's nothing to be broken because there's no end-to-end encryption to begin with. Do you think nation state hackers publish their findings about the trove of private messages Telegram's vast server complex holds indefinitely? hahahahaha
Are they allowing you to have accounts that don't depend on your phone number yet? I think last I checked you could only login with your phone number, which I consider extremely insecure, especially against a nation state agent (you'd think the Telegram team would care more about that, considering where they come from - and in fact, I believe there were some reports of Russian government hacking people like this with the help of national carriers, too).
You're just evading my point. Implicitly or explicitly you must have a _working_ hypothesis. When you make decisions, you must assume one or the other.
And by the way, "no end to end encryption by default" is an intentional tradeoff for cross-device message history sharing by default, which is not possible in the case of e2e without key transferring.
I use a messaging service called Wire that does E2E, cross device messaging history by default (up to 6 devices), using very friendly, familiar UX - you only need to sign in on your device.
It might have been an intentional tradeoff when Telegram came out, but it's not any more. It's not a great defense for the fact that your chat history exists in plain text on Telegram servers.
Well for me, I prefer the way Telegram has decided to handle end to end encryption. Let's face it - me and my friends have no use for it, and never will. Our threat model just doesn't really care about actors like the NSA hacking us. If they wanted, there's tons of other ways to get our information anyway (like Google or Facebook accounts). But not being encrypted gives us features not possible otherwise, like url prefetching from the server or (when Telegram was released, I guess it can be done now) accessing the chat from as many devices as you want. Yes, there is a tradeoff, but really I don't think most users are worried, nor should they be.
While I do find such features convenient, more importantly to me they draw people to a more secure and privacy conscious messaging platform than the ultra-popular alternatives all the while allowing to upgrade to E2E† on demand. Signal completely fails in that regard, as the number of contacts (actual or potential) on it is precisely zero for me.
Anon1096 clearly stated that he was speaking for himself (or herself) but I agree with him: I want privacy but I don't necessarily need complete secrecy. This isn't a zero sum game: Telegram and Signal can coexist and serve different needs.
I really don't understand the "hate" for Telegram on HN. I understand that it's not (allegedly) as secure as Signal for example, but like you said, state actors etc have other ways of getting that info (see xkcd [1]).
I personally use Telegram when talking to my wife because it lets me have a client on every platform I use and the messages follow me. I could do that with some of the other platforms as well, but I'm already on this platform, the wife is on the platform, and some other family members as well. Now would it be better if it was "more" secure? Of course it could, I mean, we could all be communicating with PGP as well, but most people don't because it's a pain to use. So to me personally, Telegram is a useful middle ground between great security and usability.
As an added bonus, using the bot framework that Telegram offers, I have started creating a home automation bot. The framework is really fun and easy to use.
> So to me personally, Telegram is a useful middle ground between great security and usability.
Same. I tried Signal a couple of years ago but the iOS app was prone to crashing, corrupting messages, and just plain losing words. Not really what you want.
> The framework is really fun and easy to use.
Yeah, I've done a couple of bots for it and it's pretty handy.
"It allows you to set up a password that will be required every time you log into your account from a new device – in addition to the code you get in the SMS.
Be careful though: if you forget this password, you won't be able to access your messages from other devices."
This sounds to me that the chat history is encrypted with the password which doesn't leave my devices and therefore I'm not able to recover the history if I lose it. Since all clients are open-source, it should be possible to verify this.
edit: Okay, the option for a recovery email could mean that they still have the password (or a key derived from it) on their servers - so basically plain-text.
I'm flattered you assume I have this knowledge, but I don't. I would presume the key is derived from your sign-in information, but I honestly don't know.
What I do know is that you don't have access to messages that happened before you first signed in to the device you're using. My message history is complete on the phone I created my Wire account on, but I installed it on a laptop a few days later and as such it is missing those first days. Messages get delivered to all your active devices without problem though.
The source code for all their different client varieties (iOS, Android, Web/Electron) and server software can be found here if you're interested [0].
> cross-device message history sharing by default, which is not possible in case of e2e, without key transferring
iMessage does that† (is that what you mean by "key transferring"?). I wish it could display the device key fingerprints somewhere, allow for key pinning, as well as offline key exchange between parties though††.
† in fact history is not centrally shared: messages are encrypted and published once per receiving device by the sender.
†† And be cross-platform. But the optimist in me says it's to control the security experience while the cynical in me says it's about network effects (although mitigated by SMS integration) for commercial reasons.
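The per-device fan-out the footnote describes (one ciphertext per receiving device, so a device enrolled later has no key material for earlier messages, matching the Wire behaviour reported above) as an added toy model; this is illustrative code, not iMessage's, Wire's or Telegram's real protocol, and the per-device secrets and the HMAC-based stream cipher are constructed stand-ins for a real key agreement and AEAD:

```python
"""Toy model of multi-device end-to-end encryption with per-device keys (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a constructed stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")  # tampered or wrong device key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Account:
    name: str
    devices: dict = field(default_factory=dict)  # device_id -> per-device secret (constructed)

    def enroll(self, device_id: str) -> None:
        self.devices[device_id] = os.urandom(32)  # stand-in for a per-device key agreement


def send(recipient: Account, plaintext: bytes) -> dict:
    # Fan-out: the sender publishes one ciphertext per currently registered device.
    return {dev: seal(key, plaintext) for dev, key in recipient.devices.items()}


def read(recipient: Account, device_id: str, envelope: dict):
    if device_id not in envelope:
        return None  # device was enrolled after this message was sent: no copy exists for it
    return open_sealed(recipient.devices[device_id], envelope[device_id])


def demo() -> tuple:
    bob = Account("bob")
    bob.enroll("phone")
    first = send(bob, b"sent before laptop existed")
    bob.enroll("laptop")
    second = send(bob, b"sent after laptop enrolled")
    return (read(bob, "phone", first), read(bob, "laptop", first),
            read(bob, "laptop", second), len(second))
```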