Be cautious when using Telegram for important matters.
I recently examined a situation where confidential messages from high-ranking Moldovan officials were leaked through Telegram. Unlike WhatsApp and Signal, which offer end-to-end encryption by default, protecting your messages even in case of a SIM swap, Telegram does not offer the same level of security. A SIM swap or a breach in their system can lead to message leaks.
Despite advertising themselves as a "secure messaging" platform, Telegram lacks default end-to-end encryption, making it less secure than its competitors.
You may or may not trust these sources; however, even just the fact that at one point Durov was extremely afraid of being found by FSB, Telegram being the only network not blocked in Russia, and general embrace of Telegram by Russian propagandists, speaks for itself.
While this can be true, I'd be careful before making any inferences here.
For example, there's good research [1] on how FSB uses the fact that Telegram metadata is in the open to run counter-insurgency on occupied territories. This is likely among FSB's highest priorities - but there's no evidence that they have used some level of insider access or control (or at least that they are willing to burn it even on Ukraine).
Second, Telegram not being blocked is hardly an argument. Neither are Signal, WhatsApp or YouTube for example. Are all of these also controlled by the FSB? And the general embrace of z-propagandists is likely due to the fact that Telegram is extremely popular all over post-Soviet space. As far as I know, pro-Ukrainian people use Telegram just as much, and just as much as a news source.
None of this is to say that Telegram is a good choice for a reasonably secure messenger or is trustworthy at all (and [1] lists some very convincing reasons for why it is not so). But "may be run by the feds" is a strong claim, and so far it is not supported by evidence.
>Telegram being the only network not blocked in Russia
This is not true. WhatsApp is still working. They banned Facebook and Instagram but not WhatsApp. Viber, Signal, Threema, Wire still work, too. The only one blocked currently, I think, is Line.
The recent events regarding the Twitter files for example or the knowledge gained from Snowden clearly show you that intelligence agencies worldwide are everywhere to be found where social activities are taking place.
I’d be totally shocked if they were not. From their point of view setting up honeypots and tapping social media is an absolute no-brainer, as is leveraging it for “active measures.”
All major intelligence agencies are probably neck deep in these activities.
Recently, in practice you need to use a second factor (Telegram originally only used one factor, your phone number, which was verified by sending a message or calling it.)
Someone added two clients while I was asleep around new year.
I kicked them out and threw in a password and they tried again (unsuccessfully :) next night.
Meanwhile, way bigger leaks have happened from WhatsApp over the years.
If security is important to you, use something that is made for security, like Signal or Matrix, not "good enough call it secure" like Telegram or "how much data can we get away with stealing" like any Meta product.
WhatsApp is proprietary software. Its implementation of OpenWhisper is quite likely to have been tampered with to allow gathering personal user data. If it were safe, it'd be Free Software.
? You may still find the dump of messages online. Is this enough of a proof for you?
Something that wouldn't happen if those officials were using WhatsApp or another app that has E2E encryption by default.
I'm honestly tired of everyone spreading all this misinformation about Telegram and all these assumptions that lead everyone nowhere.
1. SIM swap is a physical device security issue, not something that Telegram, or any other app for that matter, is responsible for. Telegram already provides cloud password; comments like these wouldn't ever mention it.
2. Telegram using cloud encryption instead of E2EE by default does not make it less secure. In fact, it only makes it secure in a different way. Proponents of WhatsApp, kindly direct me towards an independent audit or research paper that confirms WhatsApp is using E2EE 100% of the time instead of 95% or even 5% of the time. The classic "but WhatsApp has E2EE" argument is as good as me saying that I'm the CEO of Google writing from an alt account.
Telegram's encryption, both E2E and Cloud, has been audited by independent researchers. It doesn't take much to find out what's true and what's not.
3. Moxie's claims are extremely biased and misleading to the point that it almost seems like propaganda against Telegram. I wouldn't want to hear someone who thinks Signal is too good to be on F-Droid and that any encryption aside from his own is the same as plain text.
I really don't care if people use Signal but as a Telegram user I'm exhausted by this hatefest that appears every time Telegram announces a new release. Moxie is a terrible source because he very recently was the CEO of Signal, a competitor, and uses words like "plaintext" as a misleading pejorative for any encryption not E2EE.
If you want and need E2EE please God use some other messenger but why don't we stick to the topic of the feature announcement and save the hate, folks?
If you're a user of Signal, I support your choice to use Signal. Please support our choice to use Telegram.
I believe most people here use WhatsApp and they've gotten comfortable enough with the idea of trusting Facebook (even when nobody ever should if they respect themselves as a user).
This is proven by the fact that posts about WhatsApp, a closed source app from Facebook where you can never even confirm any of their security claims, get a lot of praise compared to an open source app with a strong privacy and no-data-selling track record. Even here in the comments you can see people claiming about WhatsApp's E2EE when in reality they cannot prove it.
Telegram on the other hand has been audited multiple times by independent researchers and yet somehow, that's not enough. Apparently, symmetric encryption is considered plain-text these days and some closed source unverified implementation of E2EE as private and secure.
Just to add context, I think/suppose this happened because of some hijacking of a cookie with logged-in web Telegram. I've seen multiple complaints of people that got hacked because they used some sort of Telegram web login. Problems related to e2e enc are valid though.
Telegram is not less secure, this is misinformation. Telegram is less secure by default; it has a worse UX for secure messaging, as a deliberate choice to improve default UX for new users.
IMO if your app is less secure than your competition by default, the app is less secure, period.
Telegram is said to have given authorities access to user data [1], despite the fact that they advertise the opposite. I guess that’s what happens when your app is not encrypted E2E by default.
Also, they have used their own encryption algorithm in the past (I don’t know now) instead of the well known and proven algorithms out there. Something highly criticized by experts, back then [2].
I tried using secure chats but the UI is nearly unusable. E.g. secure chats are established between two specific devices and can't migrate, so it would make sense to let a currently "active" client (the one the user is currently interacting with) respond to an incoming chat request. Problem is, secure chats were being unpredictably picked up by random devices logged in to my account, so most of the time I couldn't even see any messages.
Read this excellent thread from Moxie https://twitter.com/moxie/status/1474067549574688768