As a reminder, Telegram groups are not encrypted at all, and 1:1 chats are not encrypted by default, so while WhatsApp might see your contacts, Telegram can see most of your messages.
> As a reminder encrypted messages aren't easily searchable
That's false. Encrypted messages aren't searchable by third-parties. End-to-end encrypted messages are searchable by only the communicating parties regardless of where they're stored.
There's also the issue of mirroring by third-parties, but then we're talking about data in transit versus at rest, your backup methods, and so forth. (And I don't have time to get into that this morning.)
Building and maintaining a super fast searching index on a phone is not an easy task or even doable.
Telegram is used a lot in developing countries which are using phones made 3-7 years ago. Or phones that are made recently but with old chips and tech. Maintaining a search index across literally millions or billions (some groups are really really big) messages isn't something your phone can reasonably do.
I do wish telegram was e2ee for IMs, but for groups and super groups and channels I don't particularly care.
Assuming a message is 200 bytes or so, searching millions of messages is trivially doable on your phone (200 MB full text index). Billions is pushing it a bit, but you can work around on the app level (e.g. only index the last month in high traffic groups).
How are you indexing literally billions of messages on tiny mobile devices? What happens when you wipe your device and you want to have your chat history from before? How do you download all the previous chat messages? Who hosts the chat index?
I think it is very unlikely for a conversation to reach billions of messages. There are less than 32 million seconds in a year. So, Yoigo would need to send a message per seconds for decades to reach a billion.
Of course there are people who are much more popular than me, so it might be possible and I am not aware of it. :)
There is no limit to joining these chats. These design decisions Telegram has picked has allowed the app to be quasi social media, rather than just IM. You can't index these and maintain chat history locally. You'd need way more bandwidth and energy and computational power than the average cellphone has.
All Signal clients have a search feature. Its about as easy to use as any other search tool. You can have end to end encryption on messaging and still have a client-side search feature.
> Many Telegram users are away of it's quirks and how it operates differently to other IMs
That's probably true, but a significant proportion of users are not, and do not realize that their chats are not encrypted. It's no surprise either, given that security is one of the core things that Telegram markets itself on -- unfairly so, in my opinion.
Not really. Whatsapp is used by every person in Brazil, yet didn't get around a temporary ban [1]. Telegram gained about
1.5 Million people switching to telegram in a day. [2]
Whatsapp didn't win many users, even when Telegram was banned in Russia for months.
Telegram even worked in Belarus despite the whole internet shutting down there. [3]
But they are easily searchable for the vast majority of scenarios. I've got years worth of message history on my $300 phone, and yet it has no problems returning search results nearly instantly.
I don’t think so. It doesn’t use the double ratchet algorithm used in DMs but still the participants of the group formulate a secret key for the group and share this key with every participant using the more secure protocol. The key cannot be read by the server as it is shared using conventional E2EE.
It is proprietary, so there is no proof they didn't tamper with the code to appear to be working on clients. And chances are against the fragile link in the chain - the user.
Which discusses how Telegram was banned in many countries for refusing cooperation while WhatsApp suspiciously was never banned, which could mean that WhatsApp gives governments everything they demand.
I suspect the Google/Facebook deal for "free backup of WhatsApp chats on your Google account" is exactly that.
WhatsApp had perfectly usable encrypted backup - which took up space on your Google backup. And then, all of a sudden, it wasn't encrypted and didn't take up space. But you don't have access to it yourself - only Google does (and WhatsApp if it is recovering). This is a perfect way to provide all the data to various governments for 99.9% of users, without killing the E2E encryption.
They didn't backdoor it. It was back in 2013 when they were new. Everyone was going "whoa, your encryption is weird" and they were defending themselves by saying "we have 6 world champion programmers".
Anyways, something like 6 months after launch a Russian guy found that they were seeding their secret chat keys with entropy from the server, meaning the server could trivially MITM any secret chat. Pretty embarrassing.
Iirc it got quite little publicity since most of the discussion was in Russian, and the disclosure was in a forum post in an obscure forum.
That was the month telegram launched? It's been 7 years. It was a new app. The same bug is still being used against it?
Do you have any recent bugs? Or 'backdoors'? All their official apps are open source and reproducible. Must be easy to find bugs for security researchers. They even offer much larger bounties compared to other apps.
Anything? I want to believe people saying bad crypto, but it looks like there's no actual proof.
Here's something that says it is good, published more recently.
It’s really obvious this wasn’t a bug, but a backdoor. It proves that Telegram is an actively hostile adversary, the fact that their encryption scheme hasn’t been publicly broken since then doesn’t change that.
> Or 'backdoors'?
You might argue that their deliberate decision to not encrypt most chats is exactly that, more of a front door really.
This is false. No proposed ads in 1:1 or any size group chats, only large channels (which are like RSS feeds, you can join but not post).
In addition 100% of Telegram traffic is encrypted over the wire (like this website, your bank, etc). The only difference with secret chats is that they're end to end encrypted.
Signal is a very bad user experience if you use several devices (phone, tablet, home computer, work computer). Continuing a chat on a different device doesn't work nearly as well as on Telegram where it's flawless.
Not true at all - you have no ads looking at your screen, neither chatting privately. Group/channel owners may choose to add ads, but you can always run your own client made to ignore them - telegram is open source.
Not showing you ads in 1:1 chat or in groups the maintainer has chose not to enable them in is different from, "I have your data ready to go for targeted advertisement".
This is essentially the Google model. Your search queries and browsing history (and Android and Chrome) are essential to targeted ads shown on every website "the webmasters choose to enable them on".
What? Google uses all your info for creepy personalized ads. Telegram is showing the same ads to everyone in a channel. And it isn't in 1:1 chats cuz they're supposed to be non-intrusive and gives a feeling of privacy.
Who is the 'maintainer'? Telegram is the only entity here.
The data is still on Telegram's servers, unencrypted. They may be doing ads in a channel/group, but I don't think for one second that's where they're going to stop now that they've entered that rabbit hole. By the time you'd realise, it'd be too late, since they've got your data on their servers, unencrypted. This is strictly worse than WhatsApp.
I'd say forcing me to type on a shitty tiny on-screen keyboard (or use a _browser_ while still keeping the network on my phone running) is such a terrible experience that literally everything else wins in comparison to this.
> ...literally everything else wins in comparison to this.
I think you do realise that WhatsApp not only uses E2E but pins identity to a phone number; and so, there's no way to do desktop-client any more securely unless the messages always go through the phone and/or the phone is also connected to the WhatsApp servers.
I believe you have already made a choice to use insecure services because "convenience", but in the context of current discussion (privacy and security), WhatsApp comes out superior despite Facebook's involvement. And that's saying something.
> As a reminder, Telegram groups are not encrypted at all, and 1:1 chats are not encrypted by default
This isn't just misleading but actually plain wrong.
Unless you want to tell my your internet banking is unencrypted too ;-)
Edit: as seen downthread there a number of ways to make this more or less correct, but as it stand, and particularly with the "at all" at the end of one of the claims it is just plain wrong.
> Telegram can see most of your messages.
This part is technically correct however. Telegram says they taken steps to prevent rouge admins from seing it and to prevent themselves from being able to produce copies for governments, however there's no way for us to know if it was true then, if it is true now, if it is true in the future or at any point in between so worthless if you don't trust them.
If this is a problem for you generally I recommend stop using email, stop sending letters etc and rely only on Signal or Matrix.
For many of us however this is acceptable: we send letters or even post cards fully unencrypted fully aware that they might be read.
We send mails fully aware that it can be read at any server from we send it to the one the recipient download it from.
But for some reason the same level of security is deeply problematic when Telegram is mentioned.
Although they're client/server encrypted, I think contextually it was obvious that the person was talking about end-to-end encryption. "Encrypted chat" means end-to-end encrypted, if it's used to mean client/server encrypted then that's misleading.
Encryped chat might mean E2E-encrypted yes, but even then why not add those four extra letters "E2E-" and make it obvious?
Besides, here is what I replied to:
> As a reminder, Telegram groups are not encrypted at all[...]
(emphasis mine)
This is very possible to misunderstand for someone who isn't aware and the result might easily be that they stay in their abusive relationship with WhatsApp because of such FUD.
As can probably be seen from my comment history I'm no stranger to criticizing Telegram but we should stick to the facts.
Because unlike with Facebook no one has been able to show a single example of Telegram abusing their customers even once.
Let me use an example:
Would you want to ride the absolutely bulletproof and soundproof taxi that has one disadvantage: that it is well known that the drivers make notes about who you are and who you visit and sell that data to companies like Cambridge Analytica?
Or would you take another more ordinary taxi that might not be armoured and soundproof and might or might not log your visits - but at least no one has caught them red handed?
The answer depends on who you are I guess: [edit: if your main fear is that someone might be listening to your conversations and you don't care if the known shady taxi company logs who you visit, go with armoured, bulletproof taxi. I admit] there are times when E2E is a massive difference but for me this is mostly about preventing future Cambridge Analytica situations.
Because Telegram doesn't gobble up all your metadata to sell to advertisers & malcontents. Who you talk to at what moment and from what location is equally as valuable as the content of your messages.
