It's not surprising that every time Telegram pops up here, many comments miss the fact that Telegram has a great UX, a great feature set and also provides the kind of privacy protestors value, i.e., not having their phone numbers flashed to every random stranger in groups or to random channel owners whose channels you've subscribed to. With Telegram you cannot even do a phone number enumeration attack (this can be changed in settings) by adding phone numbers to your contacts list to find out who's using it.
And nope, Signal doesn't make the cut for the above reasons because it exposes your phone number to everyone else. WhatsApp is the same in this respect. Neither of them prevent enumeration attacks (they may slow that down a bit, but not sufficient enough to protect against state actors).
Wire and Element (Matrix) are comparatively better than Telegram, Signal and WhatsApp because you don't need a phone number to sign up and they also have end to end encryption for all chats (with Element it's a bit more recent). Hopefully more people can soon ditch phone number based apps that cause them to be vulnerable because of that vector.
Using Telegram is my guilty pleasure for sure. They just added video calling and it, like most of their other features, Just Works™.
Just don't send your passwords or whatever to your Telegram buds and you should be alright. Funny enough, here in the UK Telegram is mostly associated with shady stuff like drug dealers.
I was making this exact point today to a couple of friends. Telegram's features put it way ahead of its competitors. While using it, I feel I'm in charge and not the other way around (WhatsApp being the worst offender here).
With the recent addition of video calls, and if you judged only by its feature set, it could arguably be called the best messaging app at the moment.
As for countering the network effect, I do my part. I politely ask my acquaintances to message me through telegram for anything important.
The problem with Telegram is, what is their business model?
There is none at the moment.
Signal lives off donations.
WhatsApp off the Facebook datagrabbing connection
Matrix/Element from support/server renting
But Telegram has invested a lot, but received no money in return yet. So, I suppose the current plan is to get dominant and then... ROI with who knows?
I also use it right now. Creating and managing groups is easy. You can edit messages!
It is fast and reliable.
But I surely would not use it if I would be scared of the government.
It used to be the TON Blockchain, but that got shut down. If you're not familiar, Telegram is the pet project of Pavel Durov, the founder and ex-CEO of VK, which is essentially the Russian version of Facebook. I have no idea what the future holds, but he's quite wealthy and has been really successful in the past, so I'm not fearing the future right now.
When you realize end-to-end encryption is a necessary property of all features, you realize Telegram lacks even basic things like desktop clients, syncable chats, and group chats. Not so feature rich anymore ;)
E2E-encryption is really nice but not any more necessary for most users of Telegram than for
- WhatsApp before they implemented it
- GMail (or any other mail service)
- Matrix (by default, until recently?)
- IRC
- SMS
- Letters in the mail
For some reason this has a tendency to boil down very quickly to
- E2E-encrypted === good, no further information needed
- anything else === bad, no further information needed
Which obviously isn't the whole truth:
It is far less likely to give you trouble
- if you receive a stream of unencrypted postcards from Grandma on vacation
- than it is if you send and receive perfectly encrypted messages to/from a criminal mastermind over a channel that leaks metadata or by default backs up your data to any mainstream cloud provider.
The availability of metadata, who can access that metadata etc etc plays a role.
Telegram has significant problems, as far as I know both technically and also at higher levels, but for some reason someone always has to pull the E2E: Good, anything else: Bad.
Since E2E encryption is not enabled by default in Telegram, I believe it's used by 2% of their users at most. Messages of the rest can be read by the Telegram team.
> Since E2E encryption is not enabled by default in Telegram, I believe it's used by 2% of their users at most.
You are probably answering another post here. I don't think it is intentional.
> Messages of the rest can be read by the Telegram team.
Well, there are a number of ways to prevent that from happening easily.
I cannot verify this, but Telegram said years ago that they solved certain problems by routing keys and messages through different datacenters in different jurisdictions.
That said: the big question is whether their solutions work and whether they work that way. I don't know; they seem remarkably competent at certain aspects of what they do, and other times I feel they suffer from the same thing that Elon Musk sometimes suffers from, where they publicly state things that sound immediately unreasonable.
But that would be meaningful criticism so probably off topic in a Telegram bashing contest ;-)
"I cannot verify this, but Telegram said years ago that they solved certain problems by routing keys and messages through different datacenters in different jurisdictions."
Firstly, there is no proof of this happening. I've been looking for the documentation and/or source code for this for more than five years now, and it's never been published.
Secondly, even IF it was happening, the server that strips the in-transit encryption has access to the plaintext, and can copy the message to anywhere it damn pleases. It can write it to "plaintext-messages.txt" for all it cares, that's like two lines of Python in the backend.
Also, the servers creating database entries must by definition have the full database encryption key in their RAM, from where privileged processes can exfiltrate it (computer organization 101).
The thing is, there isn't technology out there that allows Telegram to do what it claims as securely as it claims. If they are indeed innovating on this, why aren't they publishing their research and proving their worth?
"they seem remarkably competent at certain aspects of what they do"
Yeah, you can be great at UX design and shitty at cryptography. That's perfectly fine. The fact they won't spend money to hire competent cryptographers is the shitty part. I don't know if it's this Russian pride wrt. Nikolai being an award winning mathematician, or if they don't really give a fuck and think damage control can mend the damage that resulted from nepotism.
Well, the first time they get hacked properly shows how shit the architecture was. We can only hope people will then ask "ok where the fuck did we go wrong, again, can we switch to something that fixed this once and for all", and that by then, Signal is usable enough for their needs.
> Firstly, there is no proof of this happening. I've been looking for the documentation and/or source code for this for more than five years now, and it's never been published.
I haven't found anything more either. See also below.
> Secondly, even IF it was happening, the server that strips the in-transit encryption has access to the plaintext, and can copy the message to anywhere it damn pleases. It can write it to "plaintext-messages.txt" for all it cares, that's like two lines of Python in the backend.
Theoretically, couldn't the client send the message to one server and the keys to a different set of servers? Clients would request the encrypted messages from one server and the keys from another?
It is still not nearly as good security as proper E2E-encryption but should still be possible to set up so that a single rogue sysadmin cannot get hold of messages.
> Also, the servers creating database entries must by definition have the full database encryption key in their RAM, from where privileged processes can exfiltrate it (computer organization 101).
> The thing is, there isn't technology out there that allows Telegram to do what it claims as securely as it claims. If they are indeed innovating on this, why aren't they publishing their research and proving their worth?
See above. As long as they don't do server-side search or anything, this should be possible?
> "they seem remarkably competent at certain aspects of what they do"
Yeah, you can be great at UX design and shitty at cryptography. That's perfectly fine.
Definitely.
As mentioned before I prefer Signal. I actually like your answer.
We need more of these answers and less:
- X is definitely in the pocket of FSB.
- E2E or nothing!
- Use WhatsApp or nothing!
Hey, even tptacek went as far as admitting this at some point:
Theoretically, couldn't the client send the message to one server and the keys to a different set of servers? Clients would request the encrypted messages from one server and the keys from another?
That would imply client-side encrypted cloud backups with external key management, which isn't the case in Telegram; if it were, it could be shown from client-side code. Also, even if that were the case, it would just need combining key and ciphertext in one place, which is again the weak link.
Also, there's no way the search would work as fast as it does now if key/ciphertexts would have to be transported via servers, and finally, since it's a single server that can request data (I have checked the destination IPs), anything of the sort is not happening.
"should still be possible to set up so that a single rogue sysadmin cannot get hold of messages."
I'm afraid that's not possible. When the message arrives at the server and the outer layer that is in-transit encryption is stripped, what must remain is the plaintext message, or a message that the server cannot decrypt. Such technology already exists, it's called end-to-end encryption. If there was a simpler way to protect from malicious servers, there wouldn't be a need for E2EE communication ;)
"See above. As long as they don't do server-side search or anything, this should be possible?"
So no, that wouldn't work in practice. Proper cryptographic design in secure messaging apps doesn't distinguish between entities on the server who have access to keys. "Jack has one part of the key and Jill has another, but they will never collude or get hacked at the same time" is very bad security rationale.
"- X is definitely in the pocket of FSB."
Well, the problem here is, if the scenario is "Telegram is secretly in the pocket of the FSB and they're giving access to every message on their server", I can't say "No way, it's all end-to-end encrypted, they have nothing to give". I can say that for Signal, however, so I'd rather recommend it instead, and actually, because I can't say Telegram definitely isn't in the pocket of the FSB, I don't think it should be used. I hope you understand this requirement of verifiability. If Telegram really wanted to lock themselves out of user data, they would've implemented E2EE from the get go.
"E2E or nothing!"
Not sure what to make of this, I haven't heard anyone claim no encryption is better than weaker encryption. But wrt. message confidentiality, since there is no difference when it comes to service provider obtaining the plaintext copy, it's hard to not say "don't use it if it's not E2EE".
"- Use WhatsApp or nothing!"
Another complex problem that boils down to trusting that WA has not changed the source code after Moxie helped implement the Signal Protocol. Like I said earlier, there's maybe a 1..2% chance of a backdoor that allows WA to snoop on its E2EE. So if for some reason one would have to compare these particular ones (IRL this is what we'd call a false dilemma), I'd say
1. Telegram secret messages for one-on-one chats
2. WhatsApp group messages
3. Telegram group messages
WhatsApp may have a 1..2% chance of a backdoor, but with Telegram I know there's a front door with 100% probability.
If we forget the false dilemma, suddenly Signal solves all of our woes wrt. cross-platform private one-on-one chats and group chats.
"Hey, even tptacek went as far as admitting this at some point:"
Let's not put his words "almost literally any secure messenger is better than email."
Firstly, that assumes he considers Telegram a secure messenger. Secondly, encrypted email has serious problems with deniability (which we'll ignore this time) and forward secrecy: in those respects Telegram's E2EE is better, sure, but E2EE email for group chats (assuming the client knows how to reply individually to all, and to use each individual's PGP key to protect it) is again more private than Telegram's group chats.
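As an added illustration of the split-server argument in the exchange above (this is constructed example code, not from any commenter, Telegram, or Signal), the following Python models the three designs being debated: transport encryption only, ciphertext and key held on separate servers, and true E2EE. The cipher is a constructed HMAC-SHA256 keystream stand-in, not a real AEAD, and every key and message is made up.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in cipher: HMAC-SHA256 in counter mode, XORed with
    # the data. Illustrative only; not authenticated and not a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def transport_only(message: bytes, transport_key: bytes) -> bytes:
    """Client-server encryption only (the TLS / client-server MTProto model).
    Returns what the server holds after stripping the transport layer."""
    wire = encrypt(transport_key, message)
    return decrypt(transport_key, wire)  # plaintext: this is what gets stored


def split_servers(message: bytes):
    """Ciphertext on one server, message key on another. Returns both stores
    plus what any party able to read both of them recovers."""
    msg_key = os.urandom(32)
    msg_store = encrypt(msg_key, message)
    key_store = msg_key
    # Clients must be able to fetch both, so whatever combines them (or a
    # compromise of both admins) is back to plaintext: no real gain.
    return msg_store, key_store, decrypt(key_store, msg_store)


def e2ee(message: bytes, pair_key: bytes, transport_key: bytes) -> bytes:
    """Inner layer under a key only the two endpoints hold, outer transport
    layer to the server. Returns the server's view after stripping transport."""
    inner = encrypt(pair_key, message)
    wire = encrypt(transport_key, inner)
    return decrypt(transport_key, wire)  # still ciphertext under pair_key


if __name__ == "__main__":
    tk, pk, msg = os.urandom(32), os.urandom(32), b"meet at 9"
    print(transport_only(msg, tk))  # b'meet at 9'
    print(split_servers(msg)[2])  # b'meet at 9'
    view = e2ee(msg, pk, tk)
    print(view != msg, decrypt(pk, view))  # True b'meet at 9'
```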
I always took the claim of routing keys and messages in different jurisdictions to be about not writing them to storage in those jurisdictions, not about not having them in RAM.
The idea being that there can be an internal policy to shut down the server and wipe the RAM, but it is harder to do with drives.
I also have a question since you probably can answer: can E2E offer a similar user experience to what normal telegram chats offer?
"I always took the claim of routing keys and messages in different jurisdictions to be about not writing them to storage in those jurisdictions, not about not having them in RAM."
There's no precedent I'm aware of that if e.g. an NL Telegram server has the key in its RAM but not on its disk, it doesn't have to hand out the keys. Also the keys and/or plaintexts can just be stolen by foreign intelligence establishments. It's not just judicial means we need to be concerned about. E.g., just because it's legal in China to hack Telegram servers abroad doesn't mean it's right, and Telegram should take this into account.
"The idea being that there can be an internal policy to shut down the server and wipe the RAM, but it is harder to do with drives."
This is pure speculation and it wouldn't matter because key lifting attacks would be transparent, i.e. the exploit is polished enough not to raise alarms.
"I also have a question since you probably can answer: can E2E offer a similar user experience to what normal telegram chats offer?"
Yes. Except channels and extremely large supergroups. But these two don't enjoy expectation of privacy. You can't expect something you say to a group of 10,000+ people to remain private, people consider such groups public.
Encryption is just math, so there's also no way around the UX problem of authentication that's part of E2EE, but since that's expected of users, it's not a problem either.
Everything else, group chats with roles, synced chats, file transfers, locations, stickers... you name it, can be done over E2EE, just look at how Signal is showing each of those can be done. It's not trivial of course, but like you asked, "can it be done", yes, it can.
Does anyone know of a good extension to use PGP on top of Telegram Web? So that whenever you chat with person X, if that person's public key is saved, all messages with that person are PGP encrypted.
"- if you receive a stream of unencrypted postcards from Grandma on vacation"
That's such a bullshit excuse. Everything goes with an outer layer of encryption these days; what matters is whether Telegram offers to lock themselves out of the messages, to which the answer is no by default. If you want to chat on desktop or create a group, the answer is no whether you like it or not.
So again, some niche use case of "it's probably nothing sensitive so you might as well send it in the clear because that says you're not a dissident" is thus not even valid. There's almost always an outer layer of encryption.
"The availability of metadata, who can access that metadata etc etc plays a role."
Indeed. All the more reason to avoid Telegram that by default stores all that metadata.
"someone always have to pull the E2E: Good, anything else: Bad."
No the point is we'll never even get to the debate on reducing metadata as long as we need to play whack-a-mole with shit apps like Telegram that don't E2EE by default, let alone provide any kind of metadata protection, even sealed sender like Signal does.
As the author of a messaging system[1] that provides both E2EE by default for everything as well as metadata protection (more than any other app out there) and advanced protections like endpoint security, I don't really like you putting me into some square of caring only about E2EE. All I can say to you is, first things first.
> you realize Telegram lacks even basic things like desktop clients
The desktop client of Telegram is the main reason to use it over the competition for me. Something that does not lag when you type text or resize its window, opens in a quarter of a second, etc etc.
It's the vendor that should be releasing the clients with support for it. The fact it's a third party is both a problem and proof of a huge internal problem.
"And nope, Signal doesn't make the cut for the above reasons because it exposes your phone number to everyone else"
This is being worked on.
The thing is you're mixing two threat models. One is a creepy dude who will give you nightly calls if they learn your phone number. The other is a state actor who will hack the server and track you based on your IP address if no phone number is being used otherwise: hence the enumeration attacks won't matter. You can't escape state actors looking at your metadata with Wire, Element or Signal. For that you want an Onion Service based system like Briar, Cwtch, Ricochet, or TFC.
For the creepy people not having to hand out your phone number is a nicety, but it's not at all hard to block a phone number either, it works just like any other app's blacklist: just add the number and be done with it.
They sent phishing links through SMS and also do SIM swaps. They hijack the phone number by connecting it to another SIM card. They also have people working at the providers that give them access to these numbers. I'm in those groups so I'm not talking out of my ass.
Yes? Just knowing a phone number is enough to log into a non-2FA Google account if you know the password, plus it can be easily triangulated to a real-world address.
Exactly. And not only that, people who work at telecom providers sell illegal services to whoever wants to pay. They give you access to anyone's numbers for money.
> With Telegram you cannot even do a phone number enumeration attack (this can be changed in settings) by adding phone numbers to your contacts list to find out who's using it
You mean how multiple companies have done on dozens of millions of accounts before Tg added that feature last year, and are openly selling that data? Like with that dump of 40 million numbers just from Iran and Russia. How often do you change your number?
Telegram has a weird contact syncing default option. I had two accounts with separate phone numbers, but it would nonetheless advertise newly joined Telegram users associated with the respective other account. I think people were also able to view the profile pics of both accounts (?).
And a great bot API. It's literally one of the easiest to use APIs I've ever seen. If you need a home-made solution to control something from your phone or even get push notifications, a Telegram bot is the way to go.
They also have an API which lets you make clients. That, on the other hand, is one of the worst APIs I've ever seen, but it exists, and you can't say that about most centralized and popular messaging solutions.
Because of that API, there's a great client for Windows 10 called Unigram, which is much more pleasant to use than all those Electron apps.
I suspect Unigram is the single reason why Telegram is so popular in the blind community, even though iOS accessibility is horrible, much worse than in most apps of this kind.
It's no more unsafe than using WhatsApp or some other similar service. To be fair, if most of my relatives would not use WhatsApp, I would've turned 100% Telegram already.
Facebook's Messenger app is TLS-encrypted (i.e. encryption happens between client and server) unless special E2EE mode with Signal protocol is enabled.
Telegram is encrypted with client-server MTProto (i.e. encryption ALSO happens between client and server) unless the special secret chat with its hand-rolled E2EE is enabled.
In LTE networks SMS uses the SNOW3G[1] encryption between the cell tower and phone. This is also equivalent to client-server encryption in that the server-side area covers the more or less decentralized telco-side SS7 backbone, where messages travel more or less unencrypted.
So by default with all three Telegram, Facebook, and SMS, all messages are readable by the vendor. Telegram and Facebook offer E2EE as an opt-in measure, but given that neither offers it for groups, they're not a viable option. Signal uses E2EE for everything, hence it's the recommendation by every security expert out there, nobody's recommending Telegram or Facebook.
There's nothing puristic about expecting companies in 2020 to implement basic security like E2EE for everything, by default. After all, we're not talking about anything short of protecting the universal human right to privacy here.