I really want to like Telegram (it's certainly a handy gateway to my attempts at getting people off Facebook Messenger) but this article seems pretty misleading & reads like a marketing grab
_Disclaimer: This thread is mostly based off of a sporadic interest in this space, not necessarily up-to-date research of counterpoints_
A few observations in no particular order:
- Telegram use their own proprietary encryption algorithm which has had some questions raised in the crypto community
- Telegram appear to do a fair bit of hand-waving re. distinguishing their end-to-end "secure" messaging vs. the default (and more convenient) group and non-secret messages - which are encrypted differently, and cloud-archived similarly to what the article describes WhatsApp doing.
- Not that there's necessarily a satisfactory alternative, but a privacy-first solution would ideally be more overt
- Article never mentions Signal (either the protocol, or the competing application) which have undergone significant peer review, but does refer to Telegram as distinguishing itself through open source and open process.
- One can't help but question the motive of a crypto-first app which doesn't follow crypto best practice, or at least speak candidly about their attempts to iteratively improve this.
- Telegram seem to be making moves towards an increasingly "social media messenger" space - does this run at odds with privacy-first? (my guess would be it does)
I use Telegram and so does my friends despite I (primarily) know about the questionable security.
And the reasons are very simple: Because it's packed with features and it's user interface is so extremely well done it simply outclasses any other option in those regards.
Second, our normal level of communication simply does not require perfect security. Being on Telegram or as a group on a bus being overheard by everyone would make no difference. No one of us cares because it doesn't matter.
I talk to my family and spouse over "normal" Telegram, and it's the same thing there. When we need to talk about intimate things we do so eye-to-eye, and even if it would become public I believe audience would find TV soap operas more exciting.
What I am saying our choices are dictated by convenience and enjoyment. Signal, Riot and Wire provides none of those compared to Telegram.
Absolutely - I also use it, for very similar reasons.
It's the closest I can recommend to people when trying to help ween them off of Facebook Messenger
My commentary is more around the seemingly bait-and-switch approach of riding in on the "we respect privacy" wave, but ultimately having that as secondary to bells and whistles
There's a bit of misunderstanding. Pavel is talking about backups to Google Drive / iCloud that you do in order to preserve the messages and move them to the other phone. While it's true they aren't encrypted, it makes a lot of sense for such a mainstream product — I wouldn't imagine the app asking people to save a private key for it.
All communication itself is E2E-encrypted with WhatsApp. Telegram doesn't have that by default but in return the app is available on multiple platforms and these instances work independently with great cloud sync.
Real questions, which will sound like a conspiracy theory:
- Is being open source, and some eager and independent security researchers having done an audit enough to convince you (or some other well-informed part on the thread) that no clever flaws are intentionally in the source?
- Do the funding or institutions which support the development of a piece of tech change the answer to the above question? E.g. I've been encouraged to avoid Signal b/c it was created partly with US State Dept funding (via the Open Technology Fund). The main point made during that conversation was that the US supports projects like Signal and Tor as a means of supporting dissidents in other countries. But a side implication was that it may be naive to rely on tools (indirectly) provided by the state to avoid surveillance by the state.
Another positive is Signal have been very intentionally slow and transparent about security considerations when it comes to adding new features (gif search, link previews)
Telegram appear to be more focused on feature parity with competitors than "crushing the core" of secure messaging
_Disclaimer: This thread is mostly based off of a sporadic interest in this space, not necessarily up-to-date research of counterpoints_
A few observations in no particular order:
- Telegram use their own proprietary encryption algorithm which has had some questions raised in the crypto community
- Telegram appear to do a fair bit of hand-waving re. distinguishing their end-to-end "secure" messaging vs. the default (and more convenient) group and non-secret messages - which are encrypted differently, and cloud-archived similarly to what the article describes WhatsApp doing.
- Article never mentions Signal (either the protocol, or the competing application) which have undergone significant peer review, but does refer to Telegram as distinguishing itself through open source and open process.- One can't help but question the motive of a crypto-first app which doesn't follow crypto best practice, or at least speak candidly about their attempts to iteratively improve this.
- Telegram seem to be making moves towards an increasingly "social media messenger" space - does this run at odds with privacy-first? (my guess would be it does)
---
Some links:
- [Is Telegram Secure? (security stack exchange)](https://security.stackexchange.com/questions/49782/is-telegr...)
- [white paper analysis of Telegram's crypto](https://eprint.iacr.org/2015/1177.pdf)
- [Signal's Moxie Marlinspike on Telegram's founder](https://techcrunch.com/2017/09/18/signal-moxie-marlinspike-t...)
EDIT: formatting