Since the official Telegram clients are open source and the org encourages open competition between third party clients, it's now possible to build a Slack-like experience with workspaces, folders, integrations, and hot keys. Telefuel.com is one example.
As Telegram launches their $1.7bn blockchain by eoy, it'll be interesting to see how they develop their crypto-economy. There seems to be a bit of development activity in various Telegram groups, but there's still a cloud of secrecy about the whole thing.
Disclosure - I cofounded Telefuel.
My main pain points with Telegram are:
- No way to structure a group into sub-groups
- No way to comment on a specific post without polluting the whole timeline (the new DiscussionBot is the beginning of a solution to this problem)
- No way to "like" a specific comment without adding another message to the group (some discussions are mostly a stream of yes and +1)
- No way to bookmark/star messages and easily find them later (apart from the save mechanism which is a bit different)
It looks like Telefuel aims to solve them?
- Yes, we're bringing workspaces & chat folders to Telegram (https://cl.ly/9d0ac52b55cf)
- Not something we're addressing yet
- Not something we're addressing yet
- Something we can address :)
Will talk more next week!
They're not really all that open.
All clients are fully open source, they believe it to be a core requirement for formal verification.
You could make the argument about the play store distributed binary being “unverified”, but that applies to any program that’s distributed in binary form. You never know what additions are made.
FWIW the f-droid version is compiled entirely from source with no binary blobs at all and is still the same client.
You’re not helping anyone by spreading FUD.
They’re literally not. The distributed apps update every couple of weeks or even more often while the source they push lags months behind, if it’s even what’s being used to build those binaries.
I wrote the peertube client Thorium which is also available on f-droid. When I tag a new release on github, f-droid will build the package automatically and publish it the next day. I do not build the packages for f-droid.
Uncommented code is dumped into the GitHub repo every couple of months after enough people complain. That's not what I would call open source.
Or maybe that's the point... but seems short sighted
I've been following their blockchain project since the whitepaper, and they've been quietly missing their launch goals by many quarters...
I think Telegram has a unique position to combat Facebook's Libra.
I haven't looked into it too deeply except what they've released here: https://test.ton.org/download.html
The question is how WhatsApp is E2E by default, if I can open a browser, read the QR-code and see all my E2E chats in there instantly? WA either has them unencrypted or can see my phone’s secret key in transit. Isn’t the whole point of END to END messaging being undecipherable on devices other than these two?
Or how does that work? Is my browser establishing e2e to my phone and downloading all chats? This seems unlikely. Does it synchronize the secret key? Then I see it as a security hole — I don’t want my secret chats to leak to other devices that may be not as protected as a phone.
That’s how it should be. WhatsApp’s desktop apps are technically another front-end to your secured database on your phone. I’m searching for the tweet of one of the iOS security researchers that confirmed this. That’s also the reason that your WhatsApp desktop client stops working when you are out of range. That being said, I’ve noticed that recently this is changing and somehow the desktop app maintains the data a bit longer. It’s still not completely independent but I think it’s in the transition period. If that happened, then their E2E has to be different.
By the way, I think the security code from one of your devices, probably your phone, can be encoded to the QR code and transferred to the client.
I assume WhatsApp implementation is a hybrid between mirroring the information and some sort of secure handshake via the QR code.
There are different ways keys can be exchanged between devices (of the same user). All of them are E2E and secure. WhatsApp forces you to keep the phone around because the phone is the conduit for all communication even when you use it on the desktop. Signal has a desktop client that you need to link once to your phone, and works as a standalone client even when your phone is not around. Wire has E2E by default (like WhatsApp and Signal) and message synchronization across devices and platforms.
All this is full of false negatives and positives, but concerns too much to ignore, if you’re after secrecy that puts your welfare at stake. If you just hide your pics from a corporate big brother, I admit that whatsapp and regular tg chats may have different weights on scales.
WA used to steal your contacts by default to improve Facebook's data set and probably still does.
The Telegram guy however left his country because he didn't want to cooperate with such entities (like the Kremlin which for me is kind of another organization that seeks to harm your privacy among other goals and is therefore comparable to FB and other spy-companies).
WhatsApp would of course still serve the whole browser application and could do whatever they intend to including leaking key material back home :) Not to mention that even if you opt to trust them not to do something shady or stupid like this you still have to trust DNS, certificate authorities, BGP routing policies, browser and platform security and likely a bunch of other stuff :P
More or less. It interfaces with your phone, which has a number of caveats. You can’t use the web interface without your phone.
I'm not really snarking at you; a lot of things would be better if they were also secure messengers; Slack is an obvious example.
The parent comment is requesting that an existing feature be switched on as default and not introduce a whole change in the communication layer of the app.
Unfortunately you then lose syncing across devices, so I understand where telegram wants to make less secure the default.
I suspect there is enough implementation there to write a server implementation too, at least a simple one.
It's not. If you want to write your own, you have to reverse engineer most of the protocol. The clients aren't fully open source, and when they are, the public code usually lags behind the actual binaries that are released, often by months. It's nearly impossible to write a client that keeps up with the features in Telegram.
You may be thinking of the bot API documentation, which is documented. Many bots don't use that, though, as it's very limiting.
The servers behave in very strange, unexpected ways, and the official clients expect these quirks. Most of the third-party clients either use TDLib, which is official and not fully open source, or have also grown to expect these quirks.
Just as a quick example, pretty much everything in Telegram has a numeric ID. Clients, bots, etc. have come to expect that IDs within certain ranges represent certain objects--users have a range, private chats have a range, channels have a range. These ranges aren't documented and may not be obvious even in a fully open source client, but if you don't adhere to them, stuff will break.
They're not: they reimplement their own frameworks on top of relatively low-level UI primitives.
Non-native to me is typically a pure web client or when you use Java Swing or Electron.
What do you mean by native?
It's just a matter of how an application has been architected and how to transition a large platform for such an addition. Neither of these are easy to change/do with Telegram's current scale. Telegram also prides itself in very fast searches since it stores messages in plaintext on its servers.
It's not like it's technically impossible for Telegram to transition to E2E as the default and only way to communicate (similar to Signal, WhatsApp and Wire).
Telegram has its issues, yes, but it would be nice if we could agree at some point that it is possible to discuss security outside the context of E2E encryption.
> I'm not really snarking at you;
Well I'll have to take your word for that but you have a long history of showing up on Telegram discussions.
I'm not a security expert, but this sounds like an obvious problem.
Since your average users would be fine with this, it seems fair to have it as an optional feature.
It's also completely unable to work on multiple devices. Not really comparable in usability.
Depending on one's threat model, this could be considered a feature.
But Signal is perfect to stay private against non-nation-state actors. If I want to make sure that my ISP, mobile carrier, etc. can't snoop on my messages, Signal is my phone messenger of choice. Until and unless Facebook is demonstrated to not be on the level regarding Whatsapp's implementation of the Signal protocol, then I'll keep Whatsapp on the list as well.
Telegram is not on that list. If my threat model consisted solely of "that guy with the manbun and macbook working on his novel in the coffeeshop", then maybe Telegram would be acceptable. Let me know when Telegram has default and mandatory end-to-end encryption, using a properly-implemented and proven-secure protocol like Signal's, on all clients both mobile and desktop. Until then I'll consider it to be about as secure as SMS - "hilariously not".
You don't seem to realize this, but your argument is essentially "I trust Signal more", a purely authoritative one. And I don't think there even exists a threat model where anything that Signal offers over competition is important, especially given their obsession with control.
So long as Telegram's developers refuse to implement mandatory-and-default end-to-end-encryption with a properly audited protocol and implementation in all clients, I will not use it. And I will discourage friends and family from using it.
Except there are no solid technical reasons, just trust and distrust, because security people really love to claim authority on how "solid" security things are. The last people on earth you should ask about security are those claiming authority on these issues.
Wrong, you already do. You either don't realize it, or you're being disingenuous about it.
Did you write 100% of the code of the web browser you used to post your comments?
Did you write the OS that browser runs on?
Did you write the compiler used to build the OS, and did you provably avoid the sorts of issues brought up in "Reflections on Trusting Trust"?
Did you fabricate the chips your OS runs on?
Did you design the die mask for those chips?
Did you build the chip fab facility?
Did you design the locks on the front doors of the chip fab facility?
Did you stay awake 24/7 inside the chip fab facility to make sure no-one broke in to conduct an evil maid attack on the process?
Unless your answer to all of the above is an honest "yes", at some point in the chain of tech, you accepted an outside authority. So kindly knock it off with the "you're automatically wrong because that's appeal to authority!" nonsense.
Interested, although not surprised, to see my factually indisputable comment getting massively downvoted.
Talk about network effects and people not doing their research. Or not caring about UX.
I'm surprised more aren't using Signal, open source, and I believe funded by a non-profit organization. With founders that are known to care about organizational transparency and user privacy.
Another way to describe them is people who lost the largest social network in Russia and are now Russian expats and dissidents.
> Signal, open source [...] With founders that are known to care about organizational transparency and user privacy.
Not open source, only partly, just like Telegram. And founders are known to have a radical position on trading privacy for centralizing as much control over the app as they can, tying identity to phone numbers, etc. They have exactly as much control over the app as Telegram has. But they are not dissidents or expats and who knows what they are going to do or did with covert or overt government backdooring attempts. Still, despite all the flaws both Signal and Telegram are in a bit better situation wrt privacy than Facebook owned Whatsapp, being in a business of compromising privacy and all.
Signal is completely open source. I'm not sure why you think it's only partly open source.
> All Signal software are free and open-source. The clients are published under the GPLv3 license, while the server code is published under the AGPLv3 license.
They've also gone to extreme lengths to prove that the software running on their servers has not been tampered with: https://signal.org/blog/private-contact-discovery/#trust-but...
I think your doubts create very unreasonable expectations for Signal.
It doesn't get much more open source than that.
Also, the owners of Telegram are not on good terms with the Russian government (it's been banned before).
It does make Signal a little less usable than some other messengers, and I'd be lying if I said I didn't use Slack a lot more than Signal. But this is also why Signal is what I use when the secrecy of what I'm talking about actually matters.
Which is fine but will never work with the average WhatsApp/Telegram user. First, they have to be educated, they have to care, they have to decide if what they are typing affords that extra level of protection, if the intended destination is on Signal, etc. It's too much.
I've tried to convert friends and family to Signal but not a single one continued to use it after a few days.
But I think it's fine that Signal is making these compromises in favor of security and privacy. Maybe we don't really need mass adoption, as long as the people that really need it know where to look.
Signal may be open source, but it's still as centralized as Telegram is. Signal.org will never federate with other servers running Signal (this is the official position). Signal also lags behind a lot in UX and convenience, when compared to Wire or Telegram.
A margin of error of about 1% is a very minor issue in having a democracy. And neither of them had over 50% anyway.
The low voter turnout is a far more important issue but even that's not a disqualifier.
It's just not polished like Telegram. It's painful to use compared to other apps.
I'm not sure if telegram app developers suck or if iOS, Android and battery saver apps are in collusion with Whatsapp.
It's not just about UX or not doing research.
When the NSA tapped the dark fibers of Google etc they were also not exactly in bed with the government and yet they found out about the fact afterwards and started encrypting everything only then. (https://www.washingtonpost.com/world/national-security/nsa-i...)
When you look at the surveillance happening in Russia paired with the unclear status of Telegram's encryption and it being off by default I'd say it's valid to be suspicious.
And given how fast the west is moving on backdooring mass communications, in a few years Telegram might end up as one of the few unbackdoored apps left standing.
End-to-end encryption can be pretty useful, but just not in Whatsapp, Telegram, Signal or any app with that level of control.
If Signal has kept their promise so far then all of the messages I have already sent were EtoE encrypted and they never had any way to see those messages, indeed if me and my co-conspirators all destroy our devices the messages simply cease to exist altogether. If tomorrow Signal breaks their promise, that promise was already kept in the past and can't be undone, Signal can't read messages that no longer exist.
If Telegram kept their promise that's permanently conditional, they still have the data, and only their continuing promise not to look at it keeps it safe. Tomorrow they can break the promise and previous messages are now available, but you can't retrospectively stop having sent the messages in the past.
Secondly, as I wrote here recently on another topic: Only impossible things don't happen, everything else is fair game. In choosing to do EtoE Signal gets to make certain things _impossible_ whereas Telegram just promises not to do them. This means those things might happen by accident, or a bad guy might do them and I'm sure Telegram would be very apologetic (if anybody found out) but it couldn't undo them.
Thirdly: Signal actually publishes the software component that behaves the way they say it does. Reproducible builds are tricky (as a general problem in modern software) but Signal does a pretty good job of convincing you that the binaries you can download are just the code you can see, built for your platform. So then either they need to not only break the promise but also hide the broken promise in the code, or they need to break the promise AND hide the build difference. It's just easier to keep the promise.
British-Emirati, but same difference.
The messages are still available in plaintext at either endpoint, and to the companies if they want them.
Facebook already publicly announced that they are going to use their AI to scan whatsapp messages for content violations (prior to encryption).
An unencrypted voice chat app could do VBR Opus, which would need slightly less bandwidth on average for the same quality but might mess with flow performance estimators in the network and make the experience worse by mistake.
One of the inadvertent benefits of Signal's strong centralisation of control is that they could just go "Opus CBR is great, we're using that now" and do it. No multi-year phase-in with most calls still being "legacy", no need to accumulate "buy in" from third parties who might not prioritize this work, they just did it.
Also Whatsapp UX is much simpler and I value simplicity. Telegram is starting to look like a spaceship with so many features.
The founders have lamented that the project is screwed, so you're left with a claim made by Zuckerberg and his buddies?
"As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end-to-end encryption for every message they send and every WhatsApp call they make when communicating with each other."
Telegram has encrypted chats by default, just not E2E-encrypted.
Warning: the above is just my very simplified explanation of my understanding of what I read a while ago.
Edit: again, this is based on something I read a while ago, but I think Gmail has or had a similar system where you have to have access to two different places in the system to get hold of the messages, so yes, Google can get hold of anyone's messages but it is not like anyone can do a select * from messages where accountid = 12345. (And this is not how I think they store the mails anyway :-)
That is wrong.
I guess there are some real issues with Telegram, but let's be honest and not lie and say it isn't encrypted.
... in fact, this is so useful I think it merits its own HN post!
Do you mean browsing news.yc through the InstantView feature?
I'm from India and I had to go look up what you were talking about. Literally the first time I'm hearing about this. I am also pretty sure that not many have moved to it from WhatsApp. Truth is, after so many years I am just now seeing the slow growth of Telegram amongst the city crowd.
- customizable posting limits (per day, per week, etc);
- time windows (no posts on Sundays, for instance);
At the same time group chat does encourage background chatter and it's a bit annoying to put your phone down and see the notification bubble say there is a ton of unread.
Sub-channels really can help because people can create specific channels for specific events, hangouts, topics etc... and not have to get everyone's attention. Though, invariably there will be someone who will go into the #general chat and send a message to @everyone. But sub-channels haven't made it into SMS and WhatsApp.
Maybe the real problem is people aren't mindful of how wide their messages are being sent and how annoying it can be to get a bunch of messages that aren't relevant to you?
Leave. Or put the group on mute. You can't fix noisy people. Let them stick together in their own playground.
> - time windows (no posts on Sundays, for instance);
Why? Either it is work-related, which means out of work I'm not listening, or it is non-work related. If someone feels like they want to contribute to the group on Sunday, let them be?
You're trying to fix a problem from the wrong angle. You're doing damage control instead of fixing the problem.
This group chat BS was cooked up more so app devs could hit engagement metrics to satisfy braindead unimaginative investors.
Or alternatively so that my family could have a persistent, searchable group chat solution.
However even that is too simple. You would need to pair it with good UX so users aren't stuck without messages when someone is asking them a question.
If you haven't seen it you have either been very nice and avoided angering anyone or you haven't posted many times in a day
Sometimes you just need to contain your arguments to a single thread so others can enjoy the show.
HN has a rate limit but I think it should kick in more aggressively once you're making your, say, 5th post on the same submission.
I think the limiter kicks in as soon as one of one’s comments gets any downvotes at all (i.e. even when also being mostly upvoted), but I’m obviously not sure about this.
This is obviously very annoying, and I can’t see how it helps discussions.
I'm curious as to why a story like this makes it to the 2nd or 3rd top ranking story with only 6 points.
Especially for an article about what seems to be a minor feature upgrade.
Is there some context about telegram that I am missing?
From the FAQ:
> "How are stories ranked?"
> "The basic algorithm divides points by a power of the time since a story was submitted. Comments in threads are ranked the same way."
> "Other factors affecting rank include user flags, anti-abuse software, software which demotes overheated discussions, and moderator intervention."
Given that most of the front page articles have been around most of the day I imagine prioritising things with fast upvotes becomes more important.