Hacker News new | past | comments | ask | show | jobs | submit login
Telegram introduces feature to prevent users from texting too often in a group (techcrunch.com)
169 points by jmsflknr 9 days ago | hide | past | web | favorite | 198 comments

A growing number of people and organizations are starting to choose Telegram over Slack. This became prevalent in the blockchain space where pretty much everyone prefers Telegram to other messaging apps. OTC brokers, quant funds, and the largest exchanges use Telegram in some capacity, some almost exclusively.

Since the official Telegram clients are open source and the org encourages open competition between third party clients, it's now possible to build a Slack-like experience with workspaces, folders, integrations, and hot keys. Telefuel.com is one example.

As Telegram launches their $1.7bn blockchain by eoy, it'll be interesting to see how they develop their crypto-economy. There seems to be a bit of development activity in various Telegram groups, but there's still a cloud of secrecy about the whole thing.

Disclosure - I cofounded Telefuel.

This is very interesting! I'd be happy to try.

My main pain points with Telegram are:

- No way to structure a group into sub-groups

- No way to comment on a specific post without polluting the whole timeline (the new DiscussionBot is the beginning of a solution to this problem)

- No way to "like" a specific comment without adding another message to the group (some discussions are mostly a stream of yes and +1)

- No way to bookmark/star messages and easily find them later (apart the save mechanism which is a bit different)

It looks like Telefuel aims to solve them?

Hi Nick! Received your invite request! Looking forward to speaking with you this week :)

- Yes, we're bringing workspaces & chat folders to Telegram (https://cl.ly/9d0ac52b55cf) - Not something we're addressing yet - Not something we're addressing yet - Something we can address :)

Will talk more next week!

> Since the official Telegram clients are open source

They're not really all that open.

This statement is factually wrong. The server code is not open source but the clients are fully open.

The clients aren’t “fully open”, since their source doesn’t match the binaries that Telegram distributes.

That’s not true at all.

All clients are fully open source, they believe it to be a core requirement for formal verification.

You could make the argument about the play store distributed binary being “unverified”, but that applies to any program that’s distributed in binary form. You never know what additions are made.

FWIW the f-droid version is compiled entirely from source with no binary blobs at all and is still the same client.

You’re not helping anyone by spreading FUD.

> All clients are fully open source

They’re literally not. The distributed apps update every couple of weeks or even more often while the source they push lags months behind, if it’s even what’s being used to build those binaries.

This package [1] on f-droid is built directly of the source on github [2]. Even if the source is old so is the package. F-droid compiles this package not telegram.

I wrote the peertube client Throium which is also available on f-droid [3]. When I Tag a new release on github, f-droid will build the package automatically and publish it the next day. I do not build the packages for f-droid.

[1] https://f-droid.org/en/packages/org.telegram.messenger/

[2] https://github.com/Telegram-FOSS-Team/Telegram-FOSS

[3] https://f-droid.org/en/packages/net.schueller.peertube/

I gave up tracking the delay a while ago but I think the macOS and iOS packages were lagging by six months at one point. Heck, even now the last commit with actual code [1] is over two months old yet the macOS app updated two days ago for me.

Uncommented code is dumped into the GitHub repo every couple of months after enough people complain. That's not what I would call open source.

[1] https://github.com/overtake/TelegramSwift/commits/master

I’m mostly referring to the macOS and iOS clients, since I’m not really familiar with the Android version.

How can finance firms use telegram? aren't there strict compliance laws which require logging of messages - e.g. why Bloomberg chat is popular?

Or maybe that's the point... but seems short sighted

Couldn't a bot do logging?

Sure but then what's the point of the extra encryption hassle

Would be interesting if Telegram can merge with Keybase for organizations and teams platform to compete with Slack.

Do you have a source for their blockchain being launched EOY?

I've been following their blockchain project since the whitepaper, and they've been quietly missing their launch goals by many quarters...

I think Telegram has a unique position to combat Facebook's Libra.

Good question. I don't have any sources on hand, but I've heard whispers that they should launch by end of Oct. We'll see where they land then.

I haven't looked into it too deeply except what they've released here: https://test.ton.org/download.html

WhatsApp vs Telegram E2E encryption seems to be a hot topic here, so I’m not sure in which subthread to ask.

The question is how WhatsApp is E2E by default, if I can open a browser, read the QR-code and see all my E2E chats in there instantly? WA either has them unencrypted or can see my phone’s secret key in transit. Isn’t the whole point of END to END messaging being undecipherable on devices other than these two?

Or how does that work? Is my browser establishing e2e to my phone and downloading all chats? This seems unlikely. Does it synchronize the secret key? Then I see it as a security hole — I don’t want my secret chats to leak to other devices that may be not as protected as a phone.

> Isn’t the whole point of END to END messaging being undecipherable on devices other than these two?

That’s how it should be. WhatsApp’s desktop apps are technically another front-end to your secured database on your phone. I’m searching for the tweet of one of iOS security researcher that confirmed this. That’s also the reason that your WhatsApp desktop client stops working when you are out of range. That’s being said, I’ve noticed that recently this is changing and somehow the desktop app maintains the data a bit longer. It’s still not completely independent but I think it’s in the transition period. If that happened, then their E2E has to be different.

By the way, I think the security code from one of your devices, probably your phone, can be encoded to the QR code and transfer to the client.

I assume WhatsApp implementation is a hybrid between mirroring the information and some sort of secure handshake via the QR code.

I think what you observed is just some smart caching behavior and application code expecting frequent network issues. I can read already synchronized messages and queue messages for being sent on reconnect. I dont see why this would change anything with their encryption scheme...

If anyone has led you to believe that E2E means one specific device to another specific device at all times, they don't know what they're talking about.

There are different ways keys can be exchanged between devices (of the same user). All of them are E2E and secure. WhatsApp forces you to keep the phone around because the phone is the conduit for all communication even when you use it on the desktop. Signal has a desktop client that you need to link once to your phone, and works as a standalone client even when your phone is not around. Wire has E2E by default (like WhatsApp and Signal) and message synchronization across devices and platforms.

I always heard that telegram encryption was disabled by default. If you want security use signal, if you wants stickers and the like, use telegram.

This kind of oversimplification and hyperbole with an attitude is what I dislike in such conversations. Telegram is far, far better in speed, reliability, features and UX than Signal has been and is. Signal cannot even get messages delivered reliably as of today and has a whole bunch of UX issues that aren't addressed (two examples among many: can't restore conversations to a new device on iOS, and can't join past conversations and groups on a new device without going through some additional steps and still struggling to get it working). I appreciate that Signal (team invented and) uses reputed E2E, but there's a whole lot more to communicating with other people than security alone.

Telegram is still a step up from what most people use (Facebook Messenger, WhatsApp). And if you really want a chat to be secure it's easy to set one up. I find it to be a perfect blend of security and usability. Saying it's only good for stickers is pretty disingenuous

Seeing that WhatsApp is using the signal protocol and encrypts all communications by default, I contest the notion that Telegram with its home-grown protocol and clear text by default is a step up.

Seeing that WhatsApp is not prohibited in Russia is a big concern of itself. This country has a law that requires you to pass ‘master key’ (or a backdoor, if you read between the lines) to special agency, or be banned by all ISPs. When my friend researched the topic, some interesting guys told him few years ago that whatsapp is a no-brainer for them to read, but tg+secret is opaque. Subsequent events shown that it was probably true.

All this is full of false negatives and positives, but concerns too much to ignore, if you’re after secrecy that puts your welfare at stake. If you just hide your pics from a corporate big brother, I admit that whatsapp and regular tg chats may have different weights on scales.

And you just trust Facebook to somehow really encrypt everything in this black-box? I think this is naive as Facebook has always lied to us and proved it isn't a trustworthy entity.

WA used to steal your contacts by default to improve Facebook's data set and probably still does.

The Telegram guy however left his country because he didn't want to cooperate with such entities (like the Kremlin which for me is kind of another organization that seeks to harm your privacy among other goals and is therefor comparable to FB and other spy-companies).

I thought Telegram was sending messages encrypted (though not E2E) per default?

It isn't by default. You have to enable it yourself.

This is wrong. All communication is encrypted in transit, even for non-secret chats.

Is it also E2E encrypted though? If not, wouldn't that mean that Telegram servers could snoop in on the non-E2E conversations?

You're talking about "secret chats", the Telegram way of doing E2E, but it doesn't mean that all other communications are sent or stored plain text. And there is no setting in the app to enable encryption (I just checked), because there is no way to disable it. "Not E2E" != "not encrypted"

i think it could be done securely by transmitting the key material via a secure channel directly from the phone to the browser or transmit messages directly encrypted with the probably ephemeral key used for this secure channel. The secure channel could actually be build upon the the QR code you would give the app on your phone. No idea what is actually done though, just saying it could or should ^^

WhatsApp would of course still serve the whole browser application and could do whatever they intend to including leaking key material back home :) Not to mention that even if you opt to trust them not to do something shady or stupid like this you still have to trust DNS, certificate authorities, BGP routing policies, browser and platform security and likely a bunch of other stuff :P

It piggybacks off your cell phone app, I believe. It basically mirrors what's on your app, and if the connection severs at all then the data is wiped from the browser. You do bring up a good point on how it can be an attack vector, though.

> Or how does that work? Is my browser establishing e2e to my phone and downloading all chats?

More or less. It interfaces with your phone, which has a number of caveats. You can’t use the web interface without your phone.

WhatsApp desktop proxies through your phone over HTTPS. The Desktop to phone session is TLS, but not E2E.

I really like Telegram. Only end-to-end encryption by default and in group chats would make it perfect.

"I really like Telegram. It being a secure messenger would make it perfect".

I'm not really snarking at you; a lot of things would be better if they were also secure messengers; Slack is an obvious example.

I'm not really sure what you're saying. It looks like you're humorously drawing attention to the fact that the user considers the app to be extremely good and just lacking one nice-to-have feature (encryption), whereas you believe that they have misjudged the importance of that feature and it is, in fact, essential?


And, just to guess, he's also pointing out that security is not a feature that can be "bolted on" to a chat app later. Secure messaging is an incredible deep space, and any attempts to add security to a chat application will have far reaching implications on features and usability.

There’s a pretty clear distinction between slack and telegram - telegram offers a secure messenger channel with private messages. Slack does not do this, and publicly does not plan on doing this.

The parent comment is requesting that an existing feature be switched on as default and not introduce a whole change in the communication layer of the app.

Unfortunately you then lose syncing across devices, so I understand where telegram wants to make less secure the default.

There's another clear distinction: Telegram has proper native clients and an open protocol.

As someone who’s worked on Telegram clients for years, I can assure you that the protocol isn’t open. It’s quite opaque, and the FOSS thing is mostly a facade.

I mean the protocol is documented enough to create an implementation of it from scratch - that meets the metric of open.

I suspect there is enough implementation there to write a server implementation too, at least a simple one.

I mean the protocol is documented enough to create an implementation of it from scratch

It's not. If you want to write your own, you have to reverse engineer most of the protocol. The clients aren't fully open source, and when they are, the public code usually lags behind the actual binaries that are released, often by months. It's nearly impossible to write a client that keeps up with the features in Telegram.

You may be thinking of the bot API documentation, which is documented. Many bots don't use that, though, as it's very limiting.

I suspect there is enough implementation there to write a server implementation too, at least a simple one.

The servers behave in very strange, unexpected ways, and the official clients expect these quirks. Most of the third-party clients either use TDLib, which is official and not fully open source, or have also grown to expect these quirks.

Just as a quick example, pretty much everything in Telegram has a numeric ID. Clients, bots, etc. have come to expect that IDs within certain ranges represent certain objects--users have a range, private chats have a range, channels have a range. These ranges aren't documented and may not be obvious even in a fully open source client, but if you don't adhere to them, stuff will break.

> Telegram has proper native clients

They're not: they reimplement their own frameworks on top of relatively low-level UI primitives.

Sounds native to me.

Non-native to me is typically a a pure web client or when you use Java Swing or Electron.

What do you mean by native?

I generally have a strict definition of native which means “using platform widgets”. Telegram doesn’t do this because it makes its own copies of almost everything.

Syncing across devices doesn't have to be lost just because E2E is adopted. Wire has been doing E2E chats and group chats by default (there is no non-E2E) and synchronizing chats across devices for years now.

It's just a matter of how an application has been architected and how to transition a large platform for such an addition. Neither of these are easy to change/do with Telegram's current scale. Telegram also prides itself in very fast searches since it stores messages in plaintext on its servers.

It's not like it's technically impossible for Telegram to transition to E2E as the default and only way to communicate (similar to Signal, WhatsApp and Wire).

Slack is an Electron app, taking about 400-500 Mb of memory and it won't be good no matter if it is secure or not. Also, its UI is over-complicated and looks like it was made by a programmer instead of a designer (by the way, Telegram is the opposite: it is written with Qt and has nicer UI).

Slack is only an electron app on desktops. It’s not just an electron app, at all.

Desktop first is a sane assumption.

If you use Telegram a lot, you should check out Telefuel.com. We're building Telefuel for power users and teams, and recently rolled out a feature to filter for unread messages. Might be useful for you!

Unlike WhatsApp that IIRC you've advertised until earlier this year Telegram doesn't upload unencrypted chat history to Google.

Telegram has its issues, yes, but it would be nice if we could agree at some point that it is possible to discuss security outside the context of E2E encryption.

> I'm not really snarking at you;

Well I'll have to take your word for that but you have a long history of showing up on Telegram discussions.

WhatsApp does not upload unencrypted chat history to Google for me. In fact, I don't even have a Google Account on my LineageOS device, so it can't upload to Google either...

If you're using a custom ROM or rooted phone, your messages won't be protected with end-to-end encryption.


Wait wait wait what? Does this mean they disable encryption, or just that the messages will be as "unprotected" as being affected with a key logger?

Presumably they expect the OS security primitives to work in a particular way, and since they can't rely on that from a rooted device they just don't bother.

How would I know whether the person I'm writing to has a rooted phone?

I'm not a security expert, but this sounds like an obvious problem.

It's FUD.

They have end to end encryption available but off by default because it affects searching (they can't index your chat if they don't know what you said).

Since your average users would be fine with this, it seems fair to have it as an optional feature.

Signal (the messenger) and Tutanota (for emails) both have search on their mobile clients with end-to-end encryption. It's definitely feasible to implement client-side search.

Signal will also lose all your messaging history and kick you out of all your group conversations if your phone breaks or you lose it. It also has no usable automated backup solution or sync.

It's also completely unable to work on multiple devices. Not really comparable in usability.

I don't think OP was recommending Signal / Tutanota as alternative apps to use, just showing that you can have your cake (E2E encryption) and eat it too (client-side search).

>Signal will also lose all your messaging history and kick you out of all your group conversations if your phone breaks or you lose it. It also has no usable automated backup solution or sync.

Depending on one's threat model, this could be considered a feature.

If your point is that only people with a Mossad threat model should use Signal, I wholeheartedly agree.

Oh, please. If Mossad really wants my messages, they're not going to give up at the "Oh no, he uses Signal!" step. They're going to go full knee-wrench if they have to. And considering they have a habit of forging my country's passports, don't pretend that me living in another country is a barrier to that. The same goes for my country's government. Our laws are chock-full of "throw him in jail until he gives up the password" allowances to law enforcement. And that's not even getting into the fact that Signal's owners, OWS, are located within the jurisdiction of the "we'll star-chamber NSL you on a moment's notice" US government.

But Signal is perfect to stay private against non-nation-state actors. If I want to make sure that my ISP, mobile carrier, etc. can't snoop on my messages, Signal is my phone messenger of choice. Until and unless Facebook is demonstrated to not be on the level regarding Whatsapp's implementation of the Signal protocol, then I'll keep Whatsapp on the list as well.

Telegram is not on that list. If my threat model consisted solely of "that guy with the manbun and macbook working on his novel in the coffeeshop", then maybe Telegram would be acceptable. Let me know when Telegram has default and mandatory end-to-end encryption, using a properly-implemented and proven-secure protocol like Signal's, on all clients both mobile and desktop. Until then I'll consider it to be about as secure as SMS - "hilariously not".

> properly-implemented and proven-secure

You don't seem to realize this, but your argument is essentially "I trust Signal more", a purely authoritative one. And I don't think there even exists a threat model where anything that Signal offers over competition is important, especially given their obsession with control.

I'm glad you picked up on that, because yes, I DO trust Signal more than Telegram. I trust Signal and distrust Telegram for many solid technical reasons. If you want to misinterpret that as "appeal to authority", then go nuts. But frankly, your own argument reeks of government-friendly "If you're not doing anything wrong, you have nothing to hide" nonsense.

So long as Telegram's developers refuse to implement mandatory-and-default end-to-end-encryption with a properly audited protocol and implementation in all clients, I will not use it. And I will discourage friends and family from using it.

> I trust Signal and distrust Telegram for many solid technical reasons.

Except there are no solid technical reasons, just trust and distrust, because security people really love to claim authority on how "solid" security things are. The last people on earth you should ask about security are those claiming authority on these issues.

This is incoherent FUD.

It's not. I'm just not going to accept authoritative arguments on security, sorry. If you have actual technical reasons, please give them. If you don't, that's fine too.

>It's not. I'm just not going to accept authoritative arguments on security, sorry.

Wrong, you already do. You either don't realize it, or you're being disingenuous about it.

Did you write 100% of the code of the web browser you used to post your comments?

Did you write the OS that browser runs on?

Did you write the compiler used to build the OS, and did you provably avoid the sorts of issues brought up in "Reflections on Trusting Trust"?

Did you fabricate the chips your OS runs on?

Did you design the die mask for those chips?

Did you build the chip fab facility?

Did you design the locks on the front doors of the chip fab facility?

Did you stay awake 24/7 inside the chip fab facility to make sure no-one broke in to conduct an evil maid attack on the process?

Unless your answer to all of the above is an honest "yes", at some point in the chain of tech, you accepted an outside authority. So kindly knock it off with the "you're automatically wrong because that's appeal to authority!" nonsense.

Also, it will snark on you to all contacts whenever you move to a new device. And plead with you to let it handle your ordinary sms texting, then hold your text messages hostage, not exportable back to any other app.

It doesn't plead. It asks one time. At least on Android. I said no and it has never asked me again.

It asked me a number of times. And it never warned that this was a oneway process.

Idle curiosity: The above is a report of fact as observed by me. It's not really up for discussion - this is what happened. Could someone for our edification explain a bit about the reasoning behing their downvotes? Other than my having sinned in the church of moxie and his true disciple tptacek.

Do you mean "nark"? "Snark" is when you use humor to pick at someone or something. "Narking" is being a tattle-tale.

Yes, that was a late-night typo.

Interested, although not surprised, to see my factually indisputable comment getting massively downvoted.

I've never understood the culture with that on HN. I probably never will.

They could index chats locally…

They have it available only for 1:1 chats and cryptographers have criticized their odd encryption scheme. They do not have it available for group chat at all, Telegram always has access to all group chat content.

It’s secure but only if you choose it to be explicitly.

Slack does have E2E (from their perspective) encryption available, but it's the company paying for it that holds the keys, not individual employees.

Customer managed keys are not the same thing as end-to-end encryption. With CMK Slack employees still have access to your message content and can still respond to subpoenas / FISA orders / national security letters / etc.

Say what you want about Telegram, they innovate much faster than WhatsApp with way fewer resources.

Definitely, but they need video chat like yesteryear.

I'd argue they don't need it, out of the 10-20 people I know that use Telegram I've never heard one of them mention it being something that bothers them, especially not since you can send video clips (which arguably is better anyway in my opinion, since it sacrifices near-real time comms for no stuttering, and I vastly prefer the latter). I imagine the ones that really do care about real time video chat will solve it through a different app for the occasions they use it. Hopefully Telegram is aware that they shouldn't sprawl too much, lest they risk being seen as a worse alternative to Snapchat, Duo, Skype etc. in addition to all the lunches they're already eating.

Boggles my mind how WhatsApp is still a more popular messenger than Telegram by a long shot.

Talk about network effects and people not doing their research. Or not caring about UX.

I mean, your choice is between an app owned by Facebook or an app owned by the creators of the largest social network in Russia.

I'm surprised more aren't using Signal, open source, and I believe funded by a non-profit organization. With founders that are known to care about organizational transparency and user privacy.

> owned by the creators of the largest social network in Russia

Another way to describe them is people who lost the largest social network in Russia and are now Russian expats and dissidents.

> Signal, open source [...] With founders that are known to care about organizational transparency and user privacy.

Not open source, only partly, just like Telegram. And founders are known to have a radical position on trading privacy for centralizing as much control over the app as they can, tying identity to phone numbers, etc. They have exactly as much control over the app as Telegram has. But they are not dissidents or expats and who knows what they are going to do or did with covert or overt government backdooring attempts. Still, despite all the flaws both Signal and Telegram are in a bit better situation wrt privacy than Facebook owned Whatsapp, being in a business of compromising privacy and all.

> Not open source, only partly, just like Telegram.

Signal is completely open source. I'm not sure why you think it's only partly open source.

Quoting Wikipedia[1]:

> All Signal software are free and open-source. The clients are published under the GPLv3 license, while the server code is published under the AGPLv3 license.

[1] https://en.wikipedia.org/wiki/Signal_(software)

It's not even on f-droid. You install the binary they control and connect to the servers they run, it's literally a proprietary app, just like Telegram.

App being open-source means you can compile and build it yourself.

They've also gone to extreme lengths to prove that the software running on their servers has not been tampered with: https://signal.org/blog/private-contact-discovery/#trust-but...

I think your doubts create very unreasonable expectations for Signal.

Telegram can be built locally too, and there are independent apps for it, and they have taken efforts within the security community to prove that it is secure.

Can you build and run the server locally?

You may be able to run Signal server from your build, but you won't be able to talk to users on Signal.org. Signal's official position is that it will never federate with others. So I don't understand how building and running a server locally is a step up in any way.

You can run your own signal server and compile the app to point to your own server instead of theirs.

It doesn't get much more open source than that.

I like the concept of Signal but Telegram has some great features like usernames and public chat groups. In the end, better encryption by itself (Telegram rolled their own) loses out over function.

Also, the owners of Telegram are not on good terms with the Russian government (its been banned before).

My routine reminder that Signal doesn't have these features because they genuinely care about privacy and metadata security, and will withhold basic messaging app features until they know how to provide them without (a) creating a database of every pair of communicating users that they retain serverside and (b) leaking information about conversations to traffic analysis. See: user profiles, GIF sharing, both with really interesting explanations of how Signal ultimately figured out how to implement these features.

It does make Signal a little less usable than some other messengers, and I'd be lying if I said I didn't use Slack a lot more than Signal. But this is also why Signal is what I use when the secrecy of what I'm talking about actually matters.

Signal might care about the privacy of my information with respect to themselves or eavesdroppers but it is not very effective at protecting my privacy with respect to people I might want to talk to because I have to give them my phone number, which reveals my location and potentially my identity if it is linked to Facebook or something similar.

I really like the idea of Signal and try to use it as much as I can, but man it’s an ugly app. There must be a way to design the UI a bit better without compromising security and privacy.

> But this is also why Signal is what I use when the secrecy of what I'm talking about actually matters.

Which is fine but will never work with the average WhatsApp/Telegram user. First, they have to be educated, they have to care, they have to decide if what they are typing affords that extra level of protection, if the inteded destination is on Signal, etc. It's too much.

I've tried to convert friends and family to Signal but not a single one continued to use it after a few days.

But I think it's fine that Signal is making these compromises in favor of security and privacy. Maybe we don't really need mass adoption, as long as the people that really need it know where to look.

If they care about privacy then why do they require a phone number which is linked to identity and location? If they worry about bot registrations, they could require a small fee in Bitcoins to sign up.

Careful conflating privacy and anonymity

The Telegram founder is hated by the Russian government, and does not live in Russia. There have been some futile attempts to block Telegram in Russia.

Signal may be open source, but it's still as centralized as Telegram is. Signal.org will never federate with other servers running Signal (this is the official position). Signal also lags behind a lot in UX and convenience, when compared to Wire or Telegram.

I don't get the Russia hate. Sure they have problems as a country, but how does that affect the average user? I would think that since I don't live there I can trust Russian companies more than I can ones in the US.


How about the so-called "free media" whose only mission seems to be creating anxiety and outrage for advertising revenue?


> "the system that elects presidents with a minority vote"

A margin of error of about 1% is a very minor issue in having a democracy. And neither of them had over 50% anyway.

The low voter turnout is a far more important issue but even that's not a disqualifier.

No, he means Western, including the EU for example, which maintains https://euvsdisinfo.eu/ a site collecting Russian disinformation. Right now because Americans spend two years every four years fighting an election they are focused on the US (although with some border stuff continuing to persuade Ukrainians that actually Russia are the good guys as they continue to invade that country...) but if you go back a few months there's plenty to underscore the destabilising message that the EU are actually Nazis and if only everybody would put Russia in charge that'd be so much nicer...

> I'm surprised more aren't using Signal

It's just no polished like Telegram. It's painful to use compared to other apps.

I think it is worth noting that the creator of VK (Russia’s Facebook equivalent; overtaken by the Russian state), is actually a known libertarian dissident.

Yes, politically Telegram is in the best position between all three.

By the way, Signal requires a phone number which is linked to the passport. It means that the government can scan it for all possible phone numbers and get a list of people using it, and maybe even their nicknames and profiles.

Signal could help themselves by making their product a bit more accessible. And I'm not buying the "e2e encryption would get compromised" arg, other have figure it out. I'm talking about the fact that some of us can't install their desktop app on our work machines, or use Chromebooks, or use tablets. Give us a web interface ffs!

Telegram wins for me, because desktop is a first class citizen.

I have both Signal and Telegram and although I don't use as much Telegram to say this with absolute certainty, but Signal definitely has issues on all platforms I use (Android, macOS, Linux) - not deal-breakers, but issues. Telegram on the other hand has had none thus far.

I'm curious to know what issues you have with Signal on Android. I use Signal on Android daily and I haven't had problems with it for a few years now.

That and it's dead easy to write a bot.

It's pretty easy to write a bot for Signal too, if you're willing to run a daemon:


yup. i wrote a simple one for my group of friends (i was also playing around with asyncio for the first time) and it took me less than an afternoon.

Desktop is a first class citizen, so much that encrypted chats aren't supported yet.

That's not accurate, it's supported on one of the two desktop clients.

Ah, you mean the one for macOS only. No, I was talking about the multiplatform one.

Encrypted chats are just useless on telegram

I've brought over at least 10 people to telegram but only one uses it regularly. The main reason is notifications don't deliver.

I'm not sure if telegram app developers suck or if IOS, Android and battery saver apps are in collusion with Whatsapp.

If I have to I use WhatsApp (Using Signal's encryption framework) over Telegram as I don't like to use a russian chat app that came up with their own encryption and doesn't even enable encryption by default.

It's not just about UX or not doing research.

What's with the massive xenophobia here? It takes one second to find out they are not exactly in bed with the government and you're just left with racist statement.

It has nothing to do with xenophobia or racism.

When the NSA tapped the dark fibers of Google etc they were also not exactly in bed with the government and yet they found out about the fact afterwards and started encrypting everything only then. (https://www.washingtonpost.com/world/national-security/nsa-i...)

When you look at the surveillance happening in Russia paired with the unclear status of Telegram's encryption and it being off by default I'd say it's valid to be suspicious.

Telegram is not a Russian company, it has encryption on by default and is literally famous for fighting "scary Russian government" and all those helping Russian government censor it, including the megacorps you for some reason assume are not in bed with the government.

And given how fast the west is moving on backdooring mass communications, in a few years Telegram might end up as one of the few unbackdoored apps left standing.

End to end encryption is not on by default, they even say that in their own FAQ.


You failed to reply about it not being a Russian company.

So? Encryption is still on by default and end-to-end encryption is a joke anyway when distribution of the app is controlled by the app developer. They can only pinky promise that it's there, but they can compromise it silently on a whim.

End-to-end encryption can be pretty useful, but just not in Whatsapp, Telegram, Signal or any app with that level of control.

"So? Only one company can read your chats by default, and privacy is a joke anyway, you need to believe their promises or read the publicly available codebase yourself."

Please explain, how do you think making a promise not to read your messages is different from making a promise by the same company to have a working end-to-end encryption and not willing to compromise it, given the company has a complete control over the app and updates you receive? You can't verify any of it nor that it will be like that with the next update.

Sure. Firstly and most importantly Time's Arrow applies. A promise kept in the past is not a promise kept in the future.

If Signal has kept their promise so far then all of the messages I have already sent were EtoE encrypted and they never had any way to see those messages, indeed if me and my co-conspirators all destroy our devices the messages simply cease to exist altogether. If tomorrow Signal breaks their promise, that promise was already kept in the past and can't be undone, Signal can't read messages that no longer exist.

If Telegram kept their promise that's permanently conditional, they still have the data, and only their continuing promise not to look at it keeps it safe. Tomorrow they can break the promise and previous messages are now available, but you can't retrospectively stop having sent the messages in the past.

Secondly, as I wrote here recently on another topic: Only impossible things don't happen, everything else is fair game. In choosing to do EtoE Signal gets to make certain things _impossible_ whereas Telegram just promises not to do them. This means those things might happen by accident, or a bad guy might do them and I'm sure Telegram would be very apologetic (if anybody found out) but it couldn't undo them.

Thirdly: Signal actually publishes the software component that behave the way they say it does. Reproducible builds are tricky (as a general problem in modern software) but Signal does a pretty good job of convincing you that the binaries you can download are just the code you can see, built for your platform. So then either they need to not only break the promise but also hide the broken promise in the code, or they need to break the promise AND hide the build difference. It's just easier to keep the promise.

Brothers who were originally born in Russia made it. What’s with your bigotry?

>russian chat app

British-Emirati, but same difference.

End-to-end encryption only encrypts messages in-transit.

The messages are still available in plaintext at either endpoint, and to the companies if they want them.

Facebook already publicly announced that they are going to use their AI to scan whatsapp messages for content violations (prior to encryption).

Dislike Facebook as much as anyone here and expect them to do anything they can come up with as long as they can get away with it but it seems this particular piece was debunked:


Taking to my friends who are heavy WhatsApp users it's less about text chatting and more about voice chat over data because it's far cheaper per minute than crossing the PSTN.

Signal has great voice calling. At least, I rarely have any trouble and the calls are usually crystal clear.

Specifically, Signal's secured VoIP is Ogg Opus (better performance than the technology your phone uses to make actual phone calls) but in CBR mode (compression but with a fixed ratio so that a frame of audio is always the same number of bytes, thus a MITM attacker can't determine anything except how long your call lasted)

An unencrypted voice chat app could do VBR Opus, which would need slightly less bandwidth on average for the same quality but might mess with flow performance estimators in the network and make the experience worse by mistake.

One of the inadvertent benefits of Signal's strong centralisation of control is that they could just go "Opus CBR is great, we're using that now" and do it. No multi-year phase-in with most calls still being "legacy", no need to accumulate "buy in" from third parties who might not prioritize this work, they just did it.

All these apps have voice calling, including Telegram.

If you care about security Whatsapp is so much better imo.

I've done my research. Whatsapp has encrypted chats by default, Telegram doesn't.

Also Whatsapp UX is much simpler and I value simplicity. Telegram is starting to look like a spaceship with so many features.

How do you verify that WhatsApp actually is end to end encrypted?

The founders have lamented that the project is screwed, so you're left with a claim made my Zuckerberg and his buddies?

They are using the same encryption as Signal and it was done by the people running and developing Signal.

"As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end-to-end encryption for every message they send and every WhatsApp call they make when communicating with each other."


> I've done my research. Whatsapp has encrypted chats by default, Telegram doesn't.

Telegram has encrypted chats by default, just not E2E-encrypted.

What does it mean that they're encrypted, but not E2E? That means the chats are MITM'd by the company, no? If you're talking about HTTPS, that's an incredibly low bar.

As far as I understand it it means keys goes one way, messages another way, so that no single jurisdiction can get hold of anyones messages by seizing the servers.

Warning: the above is just my very simplified explanation of my understanding of what I read a while ago.

Edit: again, this is based on something I read a while ago, but I think Gmail has or had a similar system where you have to have access to two different places in the system to get hold of the messages, so yes, Google can get hold of anyones messages bjt it is not like anyone can do a select * from messages where accountid = 12345. (And this is not how I think they store the mails anyway :-)

Ah interesting, thanks very much for explaining it.

I don't think we should be celebrating that the chats are not sent in plaintext over the net in 2019. That's not the point.

You not only implied that Telwgram chats where unencrypted (AKA plaintext), you outright stated it.

That is wrong.

I guess there are some real issues with Telegram, but lets be honest and not lie and say it isn't encrypted.

They also added a feature to send silent messages, which is a pretty nice idea.

I could swear I just read about that somewhere ;)

Telegram is a great way to read HN articles, by subscribing to the channel, especially if you can't onboard enough people in your circle, to use it as a primary messenger. It also fires up on iPad, unlike WhatsApp.

I like https://t.me/hacker_news_feed, it posts only the articles that have a score of 100+ so you don't get flooded by goodness, it just trickles in ; )

... in fact, this is so useful I think it merits its own HN post!

Agreed, I had no idea it's been around for so long, this seems to be the original comment (2017): https://news.ycombinator.com/item?id=15312468

> Telegram is a great way to read HN articles,

Do you mean browsing news.yc through the InstantView feature?


Which channel?


What does everyone think of Microsoft Kaizala? It meets HIPPA requirements and you can backup your messages. It has a lot of group chat features. It also has a beta web chat. I've heard a lot of people in India are moving to it for personal and work chat ilo WhatsApp.

> I've heard a lot of people in India are moving to it for personal and work chat ilo WhatsApp.

I'm from India and I had to go look up what you were talking about. Literally the first time I'm hearing about this. I am also pretty sure that not many have moved to it from WhatsApp. Truth is, after so many years I am just now seeing the slow growth of Telegram amongst the city crowd.

From what I've read, it was developed in India under Microsoft Garage. It's being used more for business.

I think of it like Microsoft Windows. It isn't open source, and truly auditable at-will by independent researchers, so I have no reason to trust it.

I will ask the ignorant question, why Kaizala and not MS Teams? It also has groups, DMs, picture messaging, office integration, etc... I feel rather overwhelmed lately with all the various messaging options on the market with the same company often having multiple solutions.

I don't work for Microsoft, so I couldn't tell you why. From what I understand though, (I haven't used Kaizala yet, but use Teams at work) Teams uses AD, whereas Kaizala only needs a registered phone number.

India is WhatsApp's biggest market too.

Interesting to see more and more forum features from way back being integrated into chat apps. Are chat apps the new forums now? Discord sure is already there I guess.

Typically, forums are public and can be read by a great number of people. The replacement for that seems to be Facebook and reddit. Chat apps are basically the new IRC. They’re not too different than apps available decades ago like ICQ and AIM.

I think this would be an interesting concept even in 1-1 communication. Instant messaging is too fast, we don't think before we send. I think adding a 1 minute delay between all messages would lead to much higher quality conversation

Discord has already had it for a while. Some users seem to appreciate the mandatory cooling-off period while others feel it makes it harder for them to respond when a bunch of users pile on them in quick succession.

If I may ask a tangential question. In none of the comments have I seen mention of Wickr messenger which seems well designed with respect to security and provides e2e encryption, ephemeral messaging, device anonymity (to the servers), video and audio comms. And I believe it’s open source. Is this a case of just not being well known or is there some problem with it that everyone but me has heard about?


I had this idea a while back. I was in a group with just too much useless conversation. So I listed a few things I would like:

- customizable posting limits (per day, per week, etc);

- timeouts;

- time windows (no posts on Sundays, for instance);

I feel like the point of a group chat is to have a channel to speak to a set of people. By having a rate at which you can send messages seems to defeat the purpose of having the communication channel. What if you made a typo or forgot to say something?

At the same time group chat does encourage background chatter and it's a bit annoying to put your phone down and see the notification bubble say there is a ton of unread.

Sub-channels really can help because people can create specific channels for a specific events, hangouts, topics etc... and not have to get everyone's attention. Though, invariably there will be someone who will go into the #general chat and send a message to @everyone. But sub-channels hasn't made it into SMS, and WhatsApp.

Maybe the real problem is people aren't mindful of how wide their messages are being sent and how annoying it can be to get a bunch of messages that aren't relevant to you?

You can still edit your messages.

> I was in a group with just too much useless conversation. So I listed a few things I would like:

Leave. Or put the group on mute. You can't fix noisy people. Let them stick together in their own playground.

> - time windows (no posts on Sundays, for instance);

Why? Either it is work-related, which means out of work I'm not listening, or it is non-work related. If someone feels like they want to contribute to the group on Sunday, let them be?

You're trying to fix a problem from the wrong angle. You're doing damage control instead of fixing the problem.

Once upon a time that was called a chat room. You entered when you wanted to socialize and left when you were done. Which is more in tune with natural group interactions in real life.

This group chat BS was cooked up more so app devs could hit engagement metrics to satisfy braindead unimaginative investors.

> This group chat BS was cooked up more so app devs could hit engagement metrics to satisfy braindead unimaginative investors.

Or alternatively so that my family could have a persistent, searchable group chat solution.

I think the idea is useful for large groups however a simple "cool down period" is far too simple. Something like "10 messages an hour" would be far more useful I think as you can still have quick and efficient exchanges while preventing the ability for any single user to be dominant.

However even that is too simple. You would need to pair it with good UX so users aren't stuck without messages when someone is asking them a question.

It is worth noting that earlier moderators in some chats used bots with admin rights to limit posting rate. So Telegram just made this feature easier to use, without needing to set up a server with bot.

@dang I’d enjoy seeing a trial run of this on HN for one day.

It does exist :-)

If you haven't seen it you have either been very nice and avoided angering anyone or you haven't posted many times in a day

I'd especially enjoy seeing "15 minutes between comments, sitewide" without regard to where they're posted. If you only got 96 comments a day, and they had to be "at least one attention span" apart, what changes would occur to the tone of discussion at HN and would the quality of discussion end up higher or lower as a result?

I don't really see the reason for that. Usually people don't reply in bursts here like you'd expect in a chat app. If there are multiple comments by a person in a short amount it's usually because you are replying to questions or addressing points of a discussion, hindering that doesn't really seem like something that helps the discussion.

I've been in the comments sections of HN hot-topics where one person basically derails the conversation on every top-level thread with their same argument, yet it's such tempting flame-bait that nobody can resist responding every time.

Sometimes you just need to contain your arguments to a single thread so others can enjoy the show.

HN has a rate limit but I think it should kick in more aggressively once you're making your, say, 5th post on the same submission.

I seem to recall hitting the limit after posting something like two replies on one story and being confronted with “you’re posting too fast” when trying to post an unrelated comment on another story.

I think the limiter kicks in as soon as one of one’s comments get any downvotes at all (i.e. even when also being mostly upvoted), but I’m obviously not sure about this.

This is obviously very annoying, and I can’t see how it helps discussions.

Is the HN ranking algorithm open source?

I'm curious as to why a story like this makes it to the 2nd or 3rd top ranking story with only 6 points.

Especially for an article about what seems to be a minor feature upgrade.

Is there some context about telegram that I am missing?

As 'jrimbault provided[0], an earlier version was open source.

From the FAQ[1]:

> "How are stories ranked?"

> "The basic algorithm divides points by a power of the time since a story was submitted. Comments in threads are ranked the same way."

> "Other factors affecting rank include user flags, anti-abuse software, software which demotes overheated discussions, and moderator intervention."

[0]: https://news.ycombinator.com/item?id=20664068

[1]: https://news.ycombinator.com/newsfaq.html

I think it's supposed to be a combination of upvote speed and how quiet HN is at the given time.

Given that most of the front page articles have been around most of the day I imagine prioritising things with fast upvotes becomes more important.

Moderators will sometimes rescue a post which didn't receive a lot of upvotes and reset the submission time on the post. This is part of an experiment in giving good HN submissions multiple chances at the front page: https://news.ycombinator.com/item?id=11662380

The moderators leave a lot of notes (as comments) when they modify the flow of information, but do they in that case?

No, at least not when my story was "re-upped", as they term it. The only indication that a story was rescued is observing the timestamp on the homepage vs. the timestamp on its comments page.

I'd guess that some keywords are ranked higher. Put telegram, crypto, Trump and guns in the title, and it'll make to the top with 1 vote.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact