Here's the thing. There's perhaps a 0.0001% chance that iMessage or WhatsApp contains a backdoor that does not really encrypt a message.
There's a 100% chance that every cloud message, every Windows/Linux desktop message, and EVERY message by default, is sent to Telegram servers, where the vendor, and any intelligence agency, organized crime unit etc., can steal them from. Telegram is a for-profit company. It can also be sold, and that will include billions of messages stored on their server. The only thing stopping them from selling out is "they don't feel like it".
Telegram is not backdoored, but, it is proven to be frontdoored, and this is extremely dangerous because "it's nothing new, we knew this, it's obvious". Yes. It's blindfully obvious to your average crypto anarchist who's spent a year reading about cryptographic protocols. It's anything but obvious to your average user.
To give some idea, I did a survey at my university computer science department: the students have lots of Telegram users. These students study cryptography as part of their network course, number theory course, and there's even a grad-level cryptography course run by Valtteri Niemi. Here's what I found: less than 20% even knew what secret chats were, let alone used them. Everyone just winged it, assumed Telegram was safe by default. Now, if a computer science student body whose field this is don't know about it, what chance is there a hair stylist, a political major, a dissident/activist, or journalist, knows about it.
But I can't blame them: I've long since lost the count of how many times I've seen news media bundle apps together: "Signal, Telegram, Threema ... are secure replacements for WhatsApp". This kind publishing is incredibly irresponsible, and it's no wonder people get the wrong idea.
So yes, Telegram is open source with reproducible builds. But that confirms nothing but the existence of the front door to technical people, that the app doesn't end-to-end encrypt anything, by default.
A 0.0001% chance that a Facebook product has backdoors to spy on people? I see that you have a real hatred of Telegram but come on, this is such a biased take. You are willing to protect a closed-source app from Facebook just because you hate the alternative so much. You are not helping anyone with this.
>A 0.0001% chance that a Facebook product has backdoors to spy on people?
Yeah, I have never ever heard anyone MITM attacked WA user, and I have never seen any claims the app leaks plaintext data or keys to server or third parties. If you have some factual information instead of "hunch", then by all means, lets hear it. I'm not arguing Facebook isn't abusing WhatsApp metadata like there is no tomorrow. They absolutely are, and often metadata is more revealing than the content. I'm not saying WhatsApp is secure enough, I'm saying it's better than Telegram. Consider group messages:
Telegram spies on user's group messages with 100% probability. Therefore, WhatsApp can be at most as insecure as Telegram. But if even if there's 99.9999% probability that WA is backdoored, it's still better odds than Telegram.
If you think WhatsApp can't be trusted because it's proprietary and you have to trust the vendor, then you absolutely can't say Telegram is safe, because you have to trust the vendor not to look at the group messages.
So it boils down to what is the actual probability that WA is backdoored, the number is not zero, but it most certainly is not 100%. If you have useful factual information that overrides Moxie personally telling me that he oversaw WA implement the Signal protocol, I'm willing to update my threat probability estimates, but until then, I'm going to stick with saying it's highly improbable.
>I see that you have a real hatred of Telegram but come on, this is such a biased take.
I have nothing personal against Telegram. I've researched private messaging apps for closer to 10 years, and I'm only interested in all apps improving. But Telegram isn't in the process of locking themselves out of user data, but on the contrary, even the new features, like the group video calls, are collecting 100% of metadata AND content. Telegram isn't helping the world, it's amassing terabytes of data into a silo that's one zero-day away from the biggest breach in modern history.
Here in Finland we've recently had some taste of it when the Vastaamo psychotherapy center was hacked. https://www.wired.com/story/vastaamo-psychotherapy-patients-... Read it. Then realize Telegram private chats can contain messages people wouldn't share with their therapists. Imagine tens of millions of extortion cases (that never end, even if you pay), ruined lives, relationships etc.
The Telegram Hack of 20** is not going to be just another hack, it's going to be the scandal of the century.
> You are willing to protect a closed-source app from Facebook
No, I'm not protecting anyone here, I'm making the distinction that the backdoor is very improbable, because a) Facebook doesn't need it due to the metadata and b) Eavesdropping on your users via backdoor is a felony. Compare that to Telegram where the users send practically everything to the server willingly. There is zero expectation of privacy the user can ask.
>you hate the alternative so much
Telegram is not "the alternative", it's "out of the frying pan, into the fire". As you can see my every post here argue.
There are plenty of open source, secure alternatives like Signal, Element, Wire, Threema, Briar, Cwtch, OnionShare Chats etc.
Please review the HN guidelines. It’s fine to question Facebook’s integrity, given what we know about the company. Attacking another person’s inferred motivations is not.
WhatsApp claims to use a well-known algorithm so it shouldn't be too hard for a researcher to encode a message with their own implementation of the algorithm (while copying the seed/keys from WhatsApp) and confirm that they get the same bytes out of both.
Of course that wouldn't prove that there's no backdoor, just that the normal code paths work as described.
The more likely question is, is your version of the app consistent with everyone elses? I don't think there is a general backdoor, but a crafted one? I'll take that bet.
Decompile and read the resulting source code, then snuff the network traffic to make sure it’s matching what’s expected. Trusting the Hardware and OS is a larger issue.
People always take that lightly, as if it's trivial to read bytecode (tptacek takes that stance a lot if I recall correctly, and his being him, people take it for gospel). Just looking at the underhanded C (style) contests, it's not trivial to spot backdoors in the source code, let alone the code that a machine is meant to interpret after it ran through a compiler. If it were so trivial to find the flaws that allow attacks in the easiest-to-read of code (open source, docs available, mitigations applied, nice choice of language, everything), we would not have security issues in good software in the first place.
As I said reading the source code is only the first step, you also sniff network traffic. A program that’s only sending data you understand can’t also be sending data you don’t want it to send.
Of course this isn’t trivial, but the point of comparison was an open source application which has exactly the same underhanded C style risks. The hardest to evaluate risk is simply using a subtly flawed algorithm or source of entropy which looks secure in any language, but isn’t.
