This is an article written by telegram’s founder and CEO Pavel Durov in 2019 on “Why whatsapp will never be secure”. Your thoughts?

  • Arthur Besse
    link
    fedilink
    82
    edit-2
    11 months ago

    Sure, fuck WhatsApp, but Telegram isn’t even end-to-end encrypted most of the time. Their group chats never are, and their “secret chat” encryption for non-group chats must be explicitly enabled and hardly ever is because it disables some features. And when it is encrypted, it’s with some dubious nonstandard cryptography.

    It’s also pseudo open source; they do publish source code once in a while but it never corresponds to the binaries that nearly everyone actually uses.

    And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯

    State-sponsored exploits against WhatsApp might be more common than against Telegram, or at least we hear about them more, but it’s not because the app is more vulnerable: it’s because governments don’t need to compromise the endpoint to read your Telegram messages: they can just add a new device to your account with an SMS and see everything.

    (╯° °)╯︵ ┻━┻

    Anything claiming to prioritize privacy yet asking for your phone number (Telegram, WhatsApp, Signal, …) is a farce.

    • @[email protected]
      link
      fedilink
      910 months ago

      Telegram isn’t perfect, but it is infinitely better than Whatsapp because it doesn’t belong to Facebook, and also isn’t from the United States. Also it can be used by normies without problem, unlike Matrix or Xmpp or what have you.

        • @[email protected]
          link
          fedilink
          511 months ago

          Matrix not yet untill they implemented proper encryption and security stuff

          SimpleX is pretty cool

      • @[email protected]
        link
        fedilink
        1
        edit-2
        10 months ago

        Simplex - requires nothing, just install. But you connect with other people by sending a code outside of SimpleX. Though they’ve added a directory service for groups.

        XMPP

        Wire (not Wiremin), though it requires an email account, which is easily addressed with a disposable email.

        Signal is very secure from what I’ve read, despite the phone number identifier.

    • Salamander
      link
      fedilink
      310 months ago

      And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯

      Not only that, but I believe that they actively try to prevent VoIP numbers from being used to create accounts.

    • @[email protected]
      link
      fedilink
      310 months ago

      Bravo, bravo, bravo!!

      Dude, see you on the same side of the barricades when the time comes to fight the centralized army of agent Smiths 👏👏👏

    • UnfortunateShort
      link
      210 months ago

      I don’t agree with everything but that last point of yours. Requiring your phone number only means your are not anonymous. There is no need to be anonymous to communicate privately. In fact, it can be counterproductive, since your are much more vulnerable to social engineering.

      • @[email protected]
        link
        fedilink
        310 months ago

        And also not secure if somebody sim swapped you, and then your privacy goes into the hands of the FSB agent who sim swapped you

  • @[email protected]
    link
    fedilink
    5311 months ago

    What a load of hipocrisy. The dude uses unauthenticated DH for his apps “secret chats”, which a bored student with a laptop can MITM in seconds. Other chats use just TLS, meaning they get to read EVERYTHING.

    Use Signal, people.

    • ClotOP
      link
      fedilink
      311 months ago

      which a bored student with a laptop can MITM in seconds

      No, how can a bored student breach e2ee in seconds? note that no such cases have been reported by any telegram user so far.

      • @[email protected]
        link
        fedilink
        7
        edit-2
        11 months ago

        Because the DH is unauthenticated, as I already said. Users can’t report it because there is no way to tell for them.

        • ClotOP
          link
          fedilink
          -311 months ago

          Users can’t report it because there is no way to tell for them

          Atleast the one who breached can tell? no telegram users data have been seen on dark web yet, no person/org have claimed to get any vulnerability in their system. Also if its that easy to breach why govt’s keep banning telegram for not giving them userdata? despite telegram is the biggest app where most terrorist orgs operate, hub of piracy and illegal things, you can call it “public” darkweb.

          • @[email protected]
            link
            fedilink
            611 months ago

            if its that easy to breach why govt’s keep banning telegram for not giving them userdata

            Same reason they ask Apple for backdoors even though they crack iPhones routinely. It’s about legal precedent.

            • ClotOP
              link
              fedilink
              010 months ago

              That article literally praises telegram despite being non e2ee by default, authorities can only get ip address and phone number from it (those are public info already and both of them could be avoided by using voip amd paid VPNs), that just proves how solid mtproto have become. Also they are saying one can see your telegram message when they are physically logged in your account for which the Russian authorities took the help of their ISP, in that case its not telegrams fault, set up 2fa on your account or use VoIP.

          • @[email protected]
            link
            fedilink
            411 months ago

            Check stories about russian journalists…

            I have some friends working in the police, many years they showed me how they can read messages of like anyone on telegram I was trying to tell people to stop using telegram for years, but now at least therecs some conversation is going on because of the journalists

            • ClotOP
              link
              fedilink
              010 months ago

              I have tried to google, most of them were assumptions or russian agencies using ISPs to login to their account in which case its not telegrams fault. Can you provide a substantial proof?

  • @[email protected]
    link
    fedilink
    English
    2710 months ago

    “Here’s what someone who has never created a private messenger thinks about Whatsapp’s privacy.”

    Why would anyone care about what he has to say? 💀

      • datendefekt
        link
        fedilink
        1010 months ago

        It’s been a while since I looked into it, and things might have changed since then, but some stuff off the top of my head:

        • Messages are stored on the server, not on the device
        • end-to-end encryption not enabled by default
        • uses proprietary encryption, making security audits difficult

        Apart from that it’s somewhat politically questionable, based in Dubai (I think), with dubious financial backing and Russian developers. Because it’s closed source and the encryption is proprietary, there’s no way of knowing how much info it leaks.

        • ClotOP
          link
          fedilink
          4
          edit-2
          10 months ago

          Messages are stored on the server, not on the device

          Yes, pretty much necessary to provide multidevice support

          end-to-end encryption not enabled by default

          True that and telegram sucks big here, but I donth think e2ee can be enabled in a feasible way for multiple devices.

          uses proprietary encryption, making security audits difficult

          The MTProto isnt open source but its fully documented, there have been security audits on it.

          dubious financial backing

          No. Pavel Durov have always said since starting he paid for telegram’s servers from his pocket, in recent years telegram has started monetisation programs to cover its costs.

          Russian developers

          The founders were born in Russia, but they now have dual citizenship of UAE and France. If you are talking about politically questionable, even signal have been accused of having backdoors for CIA.

      • @[email protected]
        link
        fedilink
        English
        310 months ago

        Never has been, no default e2ee, and those exploits that leaked a ton of users locations.

        Not to mention, no messenger is verifiably private unless it is fully open source.

  • @Papanca
    link
    English
    21
    edit-2
    11 months ago

    Clicking the link gives me the following warning:

    The site ahead may contain harmful programs

    Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).

      • @[email protected]
        link
        fedilink
        English
        711 months ago

        Your original link is blocked at DNS level on my ‘Threat intelligence’ blocklist.

        And that link is blocked at DNS level by ‘Toxic’ and ‘Stop Forum Spam’ filters.

        So it’s blocked before the browser can even connect for me.

      • Pons_Aelius
        link
        fedilink
        411 months ago

        I got the same warning for the original link with ff as well.

        Your comment link didn’t throw up a red flag.

        • ClotOP
          link
          fedilink
          211 months ago

          sorry for the inconvenience, thing is this website supports multiple domains and is banned in some countries so we have to use different domains to access it, which might give red flags.

      • @Papanca
        link
        English
        211 months ago

        Great, thank you!

  • @[email protected]
    link
    fedilink
    1511 months ago

    WhatsApp’s e2e encryption is based on the Signal protocol and active by default. Telegram’s is opt-in. So much for Telegram’s superior privacy…

    • ClotOP
      link
      fedilink
      -1211 months ago

      No. Whatsapp’s metadata is not encrypted and can be used by its parent company, also backups are not secure. While telegram’s is opt in (yeah that sucks and here’s there excuse for that https://tsf.telegram.org/manuals/e2ee-simple), they are as secure as signal’s (if not more).

          • @Dehydrated
            link
            010 months ago

            That may be true, but it proves that MTProto isn’t “as secure as signal’s (if not more)” as OP said

        • ClotOP
          link
          fedilink
          -4
          edit-2
          11 months ago

          I am not talking about mtproto lmao. I was talking about their opt-in e2ee feature. Edit: Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.

          • @Dehydrated
            link
            911 months ago

            MTProto is what Telegram uses for “Secret Chats”, their opt-in end-to-end encryption. Normal messages aren’t encrypted at all. They’re stored in plain text on Telegram servers. The fact that E2EE is opt-in already makes this app ridiculous. On top of that, it isn’t even secure or private lol

            • ClotOP
              link
              fedilink
              3
              edit-2
              11 months ago

              the fact that E2EE is opt-in already makes this app ridiculous

              in matter of privacy, yes. But it have cool features so.

              They’re stored in plain text on Telegram servers

              No, non secret chats use mptroto but with different schema, thats not plain servers. And no data breach have been reported in telegram yet if it was “that” easy to breach them. From my last comment: “Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.”

              • @[email protected]
                link
                fedilink
                -111 months ago

                But it have [sic!] cool features so.

                So what? If minimum requirements are not given, it can be as cool as possible. Only not so smart people think that’s a good deal.

            • @[email protected]
              link
              fedilink
              310 months ago

              And that UX makes it a hard sell to non-tech/privacy folks.

              I had a few converts, then they pulled SMS. My converts left.

              Telegram has its problems, I completely agree the encryption issue is problematic. But how do you get non-tech people to use a tool like this when to have a new device get the history, or signing into multiple devices simultaneously, requires transmitting an encryption key? I really don’t know.

              I know SimpleX is working on this very issue - their current approach requires switching between active devices by scanning a QR code (or sharing code between devices out-of-band). So currently only one device can be active with your credsntials/ID. It has an ok UI, I’d say slightly better than Signal. But it’s security and privacy are just about the best I’ve seen.

              This seems to be the big hurdle - people want a simple login, most don’t care if their convos are stored in servers iut means they can just login.

              I’m using telegram with a few people for just this reason, since it gets us off SMS. They like that they can use whatever device is in front of them.

              Getting people to switch to Telegram is far easier than anything else, since it’s UI is much better than Signal, Wire, XMPP clients (which can be some of the best).

              We know exactly how bad Whatsapp is from a privacy standpoint - I’d choose telegram over it any day.

                • ClotOP
                  link
                  fedilink
                  010 months ago

                  I would prefer telegram because its just not from Meta. There is bounty on breaking telegram’s protocol too.

                  Telegram sells ads on public channels with consent of owners and the ads are based on the channel data and not users data. They are back up with their crypto schemes, infact idk whats wrong with crypto, they are better for privacy than normal bank transactions. Anyone cant pay from their pocket for lifetime, it was coming since longway because telegram have no parent company to fund it neither its founder are that rich to spend billions of dollars on it every year. Those “nitro” features didnt take anything away from free users tho, also if they are trying to cover up their cost from the userbase that just proves they have no dubious financing from backdoors.

                  I dont know how rape laws are connected with a messenger being based there. US have its social problems too or wherever signal is located, every country have social issues.

                  Yeah facebook is big enough reason to not use facebook. On top of that there have been no data breaches, almost no big outages in telegram till date. They offer a lot of features, from bots to channels, to large public communities and much more.

                  Telegram just claims its private enough and they never said they are e2ee by default, I dont see the misinformation here, yeah they exaggerate it sometimes but the fact that there have been no data breaches in a decade with almost 800 million monthly active users is quite a bit of achievement. They invested on developing their own encryption protocol, it maybe less private but they made it to remove complexities which signal have. There’s no point on having some 100% secure stuff when no one gonna use it due to complexities, telegram have fueled pro democratic protests worldwide and I thank them for that atleast (even they got banned in many countries for doing so).

        • @[email protected]
          link
          fedilink
          110 months ago

          ×Years ago*.

          Kills me I was running XMPP on my phone in 2010. Couldn’t get people off SMS to XMPP, though it synced with my desktop messenger even then! Yea, encryption hadn’t been fully sorted yet, but it’s not like SMS has encryption!

      • @[email protected]
        link
        fedilink
        211 months ago

        they are as secure as signal’s (if not more

        Incorrect. They are trivially breakable as it is unauthenticated DH which is as good as no encryption at all.

        • ClotOP
          link
          fedilink
          -511 months ago

          good as no encryption at all.

          0 data breaches till date.

      • @[email protected]
        link
        fedilink
        -2
        edit-2
        11 months ago

        I’m not saying that WhatsApp is the good guy here, Meta sucks but compared to Telegram I rather trust them if I have to.
        And the unencrypted backups are only problematic when you use the automatic Google Drive upload.

          • @[email protected]
            link
            fedilink
            2
            edit-2
            10 months ago

            Telegram is a shell company and only offers mediocre, opt-in encryption. The thing I like most about them is their support for 3rd party clients.
            I have to use their service for some contacts same as with WhatsApp but I would prefer more secure and privacy friendly alternatives.

            • @[email protected]
              link
              fedilink
              110 months ago

              You obviously haven’t seen the charts of the metadata that WhatsApp collects. And we know how anti-consuner, adversarial and anti-privacy Facebook is overall with their tracking pixels, ghost profiles, etc.

              Telegram at least doesn’t have the FB dataset. FB knows about me, though I’ve never once in my life been on their website or used anything related to them. Not once. The first I heard of FB I saw immediately the privacy problem with them, and made sure to never have anything to do with them. But they know about me from other peoe posting pics and such, which they then correlate with sites I’ve been on that have tracking pixels. WhatsApp ads a metric shitton of metadata to that pile, with date, time, location, duration of conversations, businesses you’re near at the time, their operating hours, etc, etc. They have a massive, constantly growing dataset, which they can easily correlate elements.

              WhatsApp may be encrypted, but I trust Zuck so little that I wouldn’t doubt they capture keystrokes in app before the message is sent. They have the capability as was shown in a recent research article (though no evidence of it happening).

              Id rather not use Telegram, but it’s far lesser of the two evils. I’m trying to get folks to other apps. Signal doesn’t sell, SimpleX isn’t quite ready, I think Wire has the same stored encryption key issue, though I may be mistaken (I’m not fully clear how it’s managed).

    • @CaptainSpaceman
      cake
      link
      711 months ago

      I believe Moxie helped them integrate Signal protocol into WA successfully while preserving user integrity and privacy.

      However, it wouldnt be out of the realm for them to make modifications to their custom protocol that Moxie helped design, and turn it into a privacy nightmare after the fact.

  • ⲇⲅⲇ
    link
    fedilink
    911 months ago

    WhatsApp will be never private and secure, while Telegram will be never private. 😁

    • asudox
      link
      611 months ago

      Who said telegram is secure?

          • ⲇⲅⲇ
            link
            fedilink
            311 months ago

            It is secure as secure is logging into your bank account from your web browser.

              • ⲇⲅⲇ
                link
                fedilink
                4
                edit-2
                10 months ago

                I think you are mixing concepts, encryptions isn’t related to “secure” but to “privacy”. On my example, your data on bank is encrypted via SSL which the server has the private key to read it, but it is encrypted. Telegram is the same, your messages are being encrypted by a public key owned by the server, but it is encrypted, just not end to end.

  • @Dehydrated
    link
    511 months ago

    Both WhatsApp and Telegram suck. Just like any other messenger that’s either proprietary or not end to end encrypted. Signal is clearly the best choice.

    • @[email protected]
      link
      fedilink
      1011 months ago

      Signal is not the best choice, it’s just a somewhat aceptable middle ground. I prefer something that doesn’t require a phone number and something you can self-host, like XMPP.

      • @Dehydrated
        link
        711 months ago

        Good luck convincing normies to use some obscure messaging protocol. It’s difficult with Signal, even harder with Matrix, basically impossible with XMPP. 99.99999% have never in their life heard about XMPP. Also most mobile clients absolutely suck. You also can’t get proper push notifications without completely ruining your battery life. What a great choice!

        • @[email protected]
          link
          fedilink
          511 months ago

          I don’t see a big difference, the hardest thing by itself is convincing someone to install one more program or app. Also Conversations does not suck.

          • @Dehydrated
            link
            211 months ago

            Conversations is only available on Android. And that’s the problem. You need different clients on different plattforms, etc. It’s just a mess. Some clients don’t support encryption and everything is just unnecessarily complicated, especially for new users. You can’t just tell someone “let’s chat on XMPP”. You need to explain to them what XMPP is, what app to download depending on what OS they use, tell them how to set everything up, etc, etc…

            Signal is definitely not perfect, but it’s the best known private messenger and doesn’t compromise on privacy and security. It’s very simple to use, the setup process is basically the exact same as on WhatsApp or Telegram, it has good clients for every platform and they have operated safely with a great record for over 10 years.

            I understand that other solutions might be better in theory, but if we keep suggesting a new obscure and hard to use messenger to noobs, they will never make the switch. In order to get more privacy for ourselves and the (potentially less technical) people we need to communicate with, let’s just get them to use something simple and private like Signal.

            • @CaptainSpaceman
              cake
              link
              311 months ago

              Yea, ive gotten pretty wide adoption from friends and family on Signal, but id love to have a comparable product with even more features/security/privacy

              Matrix may get there eventually, but for now its Signal.

            • @[email protected]
              link
              fedilink
              1
              edit-2
              11 months ago

              When it comes to clients being not fully compatible - I understand where there might be a problem, but I personally never encountered it. Conversations covers Android, and Gajim is on both Windows and Linux. In my experience, they work just fine with each other, and Android+Windows+Linux covers the majority.

              I do use Signal with a few people who refused to use XMPP, but I’d disagree they have good clients for every platform. Because the desktop one essentially doesn’t work without a smartphone. Registering in something like Waydroid doesn’t allow binding a desktop client because it wants to scan a QR code, and Signal-Cli just didn’t work with binding a regular client. So I am stuck using the inconvenient Signal-cli, because the only alternative I saw so far would be using it on Waydroid, which is even less convenient. Not to mention that the client itself is on Electron.

      • @[email protected]
        link
        fedilink
        111 months ago

        You mean that XMPP protocol which is not encrypted by default? Oh yes you mean that.

        XMPP would need to be redesigned from ground up as a secure and private messaging protocol to be a valid choice.

        XMPP has it advantages but to many cry out that it is the savior when it is not. We need something better.

        • @[email protected]
          link
          fedilink
          111 months ago

          The major clients now do have OMEMO. Yea, I agree it’s flawed but that’s so far it’s the one I settled on. Do you know other, more refined selfhostable solutions? I am now looking for development there but doubt I’d get few people that I already got there to switch again.

          • @[email protected]
            link
            fedilink
            110 months ago

            Not aware that there is a modern decentralized secure and private chat protocol. Sadly. I also am not aware of any developmenta of something like that, so XMPP is the best we got (for decentralized open widly supported protocols)

            I know that a lot of clients do encryption of the message body by default, but it still leaves a lot of stuff in plain text (afaik).

  • @[email protected]
    link
    fedilink
    4
    edit-2
    10 months ago

    Guys, please stop using telegram if you care for your security and privacy

    Telegram is not fully open source, sometimes they release the source, but the hashes of the builds don’t even match (so it’s a different source code) 🚩

    Zero transparency about data handling, even when they get caught they don’t tell details 🚩 (Telegram in the recent years has got really shady reputation)

    Very often ways they implement security is weird: non open source app, non open source server, leaking APIs, use of phone numbers, at some point they started asking for an email, non encrypted chats by default, never encrypted group chats… it can continue forever 🚩

    Non-standard encryption is a real red flag, non-open-source 🚩

    I know some people that work/worked for the police, and they can read all the messages easy peasy, i was trying to tell to the people many years ago, but everyone was so amused by the stickers. Now you can just read stories of the journalists and activists, and how they got imprisoned with the use telegram 👁️‍🗨️💀

    PLEASE, STOP USING TELEGRAM IF YOU CARE FOR YOUR PRIVACY OR SECURITY

    • ClotOP
      link
      fedilink
      0
      edit-2
      10 months ago

      Except if you open source server, there’s no way to verify it is using same code anyways and their client is already open source so waste point.

      sometimes they release the source, but the hashes of the builds don’t even match.

      When did this happen? Source?

      Signal asks phone numbers, emails are universally known. If you don’t want to give them your real phone number, buy one from fragment.com (their web3 service where they sell phone number for crypto). Emails are already public and they ask them only for recovery process and its opt on so there’s no problem with that.

      All chats are encrypted by default from private to group using mtproto, where there have been no breaches found yet so stop spreading misinformation.

      Again telling personal experience which maybe lie, can you share source of your claims? Which journalist got arrested due to telegram?

      • @[email protected]
        link
        fedilink
        -110 months ago

        You can go and check yourself mr. Senior Officer of FSB, i don’t want to fight for your war

        • ClotOP
          link
          fedilink
          010 months ago

          I would spread misinformation on internet and tell others to find source of it 🤓

  • @[email protected]
    link
    fedilink
    -410 months ago

    Durov is a suspicious RuSSian who very likely works for FSB. Do not use Telegram at all costs!

      • @[email protected]
        link
        fedilink
        -1
        edit-2
        10 months ago

        Where is racism there? I’m Russian myself and I know what I’m saying.

        Ok, use Telegram, then don’t cry when they leak your data

        • ClotOP
          link
          fedilink
          110 months ago

          Yeah you clearly are a russian and you clearly know what you are saying by those intentional caps.