Sorry, another question - TELEGRAM?

I have been meaning to pick the brains of the geniuses here for a little while about this.

I have quite a few contacts who use Telegram. They believe it’s more secure/private than Faceplant and all the other usual suspects. Firstly, do you agree with that?

I have heard the old chants of “encryption is home grown” and “not open source” - and I get the philosophical point there, it’s a valid one. However it doesn’t PROVE that Telegram is unsafe, it just proves that we can’t assess the cryptographic code ourselves, but (just to play devil’s advocate here) isn’t it entirely POSSIBLE that Telegram’s founder/creators managed to come up with a really nice encryption protocol and decided they don’t want to share it as that will actually enhance their security/protection from hackers and govts? I don’t think it has been breached, I know there was the case in Iran but many people mistake that for a breach of T’s system, but it wasn’t, they breached via getting into users’ accounts from the user end. Any system is only as secure as each and every user. If you have a $10,000 lock on your front door, but leave the key under the mat, a burglary doesn’t prove your lock was no good :).

Anyway, it would be REALLY useful if I could use Telegram, but I have hesitated for months because I am just not sure. I know it’s not 100% perfect, nothing online is, but do people in here generally respect it or think it’s at least a lot more secure/private for people posting and communicating on there compared to other things?

I have heard of Mastodon but I read their terms and it didn’t seem privacy focussed at all so I won’t be using that. Any comments will help me decide, thanks


Pending removal by 2019-07 due to unaddressed security issues including lack of end-to-end encryption, late release of source code (often in a format abusing git), missing server source code (that has been promised for years), missing F-Droid app (Telegram-FOSS is a fork).

I have often been linking to

and there used to be a blog post by the author of Signal, but I cannot even find an archived copy of that.

People generally think it is secure, because Telegram says it’s secure and the author says it’s secure, but I don’t trust it. Here are two questions I have been presenting to people:

  • Do you even use the end-to-end encryption? Are you aware it’s officially only supported on Android, iOS and macOS (one of the two apps in app store)?
  • How can you be sure of Telegram not having access to messages if you can get access to your old messages by giving a Telegram app your phone number and getting a login code? What prevents Telegram from giving themselves that login code?
    • Yes, there is two factor authentication option by having a password in addition to that code, but how many not-technical people are actually using that option? Telegram does advertise how it’s stopping third parties from accessing Telegram accounts, but they tend to forget those people who don’t have it enabled.

Mastodon is a social network whose interface is very similar to TweetDeck and I think they don’t advise trusting it for private things anyway, so it’s very different from instant messengers.


Thanks Mikaela :slight_smile:

I read that fully. It sounded to me like the pro telegram argument won! I take your point about “most people don’t have secret chats enabled” and it’s valid, but I definitely would have it enabled so I am only interested in the secret chat option.

I agree with your point that Telegram MAY have access to chats. After a lot of reading about T and its creator etc, if I had to choose someone to trust, I think I would probably feel ok trusting Telegram, at least to trust that it isn’t a corporate or govt spyware program. I have to say, I fear Signal may be. (Very unlikely, but I wonder)

the stackexchange post is comical.

So, no. Telegram is by no means secure. For commonly accepted definitions of secure, not the one Telegram made up.

the link to the “nice blog post” appears technical, yet is a self-performed analysis by a hobbyist.

coming to the conclusion that Telegram is “by no means secure” because of a skeptical blog post (1), Moxie’s objection to the way they run their hackevents (fair) (2), this “blog post” (3), and the fact that he’s actually recommending a Facebook owned product (whatsapp) as a secure solution, clarifies the lack of lumens put out by this bulb. the next topic is the reputation of the durov brothers running telegram, which can obviously create a bias.

so, telegram doesn’t check all the boxes we look for when selecting utilities with an emphasis on security and privacy, but, is there proof of it actually being compromised?


WhatsApp uses Open Whisper Systems’ (Signal’s) encryption I believe at the very least, which is far from home-grown like Telegram’s. I think that’s the point they’re getting at.


:smiley: :smiley: - Zactly!

Yes I think so, trouble is… they all just jump on a bandwagon. “Home grown” is not proof of “bad”. It just means we can’t CONFIRM it’s GOOD! Disproving a positive doesn’t prove a negative. I am not too familiar with the reputation of the Durov brothers. I do however think a few things are often overlooked:

  1. Signal is PROMOTED EVERYWHERE. THAT gives me cause to pause. It could be because it’s really awesome, or it could be because everyone believes it’s awesome, but actually has some very clever flaw which is being exploited. I would lean towards the first point, that it’s awesome, if it weren’t for the next two points:

  2. It’s hosted in USA - We all know how the FISA and PRISM stuff works. ANYTHING hosted in the US is basically not just open to the government, but it’s open in a way where we can NEVER FIND OUT.

  3. It demands a phone number. That stinks like a steaming pile of manure, to me anyway.

That’s not to say I can prove Signal is anything but awesome, I suspect it probably IS the most secure platform out there, but for these reasons I just can’t use it because I would have to ignore my gut instincts and that pisses me off when I find out I ignored them and was wrong to!!

Wire for me, for now!
But Telegram is something I REALLY need to use IF I can talk myself into it! So I have a bias. I would LIKE to believe it’s safe, and I need to be careful with that bias. I am a bit paranoid, I don’t have any rational fears as I am law-abiding, but I just despise being spied on and try to avoid it for freedom reasons rather than avoiding jailtime reasons :smiley:

Interesting as I am leaving Telegram due to not trusting the creator as they keep lying all the time on the security. How can you know it’s not a corporate or government spyware program?

One example is everything WhatsApp related, WhatsApp is E2E encrypted, even if the cloud backups many users end up doing aren’t. Telegram is not E2EE’d by default and the majority doesn’t use E2EE, so all your chats and contacts are available by getting access to your phone number and redirecting the Telegram login code to a malicious party, unless you have enabled a password which I guess the majority of the users don’t do.

I think there is plenty of proof on getting into accounts that don’t have those passwords enabled, I heard something about Russia doing that recently with the founder only mentioning the cases that had the 2FA password enabled.

I agree with where you’re coming from. really. it just raises the larger common question of who can you really trust – we’re all trying to identify the lesser of, well, all evils. which i think proves intriguing for many privacy enthusiasts since the question provokes creativity in finding a solution.

this isn’t exactly what i was going for. it’s like the difference between “hacking” someone’s root pw (which was set to password), vs. finding something like… well, here’s the segue:

right, and looking from afar, it looks like whatsapp is basically as secure as signal then, right? does this mean NSO Group also owned all Signal users with CVE-2019-3568? i mean…

Conclusion
WhatsApp implemented their own implementation of the complex SRTCP protocol, and it is implemented in native code, i.e. C/C++ and not Java. During our patch analysis of CVE-2019-3568, we found two newly added size checks that are explicitly described as sanitation checks against memory overflows when parsing and handling the network packets in memory.

As the entire SRTCP module is pretty big, there could be additional patches that we’ve missed. In addition, judging by the nature of the fixed vulnerabilities and by the complexity of the mentioned module, there is also a probable chance that there are still additional unknown parsing vulnerabilities in this module.

…and we can definitely shame Telegram for not open sourcing their ways, but the opening line of the conclusion above doesn’t instill much confidence in the alternatives.

I can’t :). Lying about security? Well that’s good enough for me (coming from you) to pass it over. Thanks.

Very well put.

The end-to-end encryption is theoretically as secure as Signal’s, that’s correct. You still have to trust the app itself though. For all you know your phone itself is sending screenshots of all your messages to Facebook for “analytics” or whatever. They’re also planning on introducing advertisements :thinking:

I wouldn’t recommend WhatsApp by any means, I just also wouldn’t recommend Telegram secure chats necessarily when Signal and Wire exist.


Jonah - Do you use XMPP at all?

I don’t, I basically only use Matrix nowadays.


Interesting. Is that for privacy/security reasons or purely due to functionality? I suspect the latter.

Do you think there is a big difference in privacy/security between just joining Riot and hosting your own Matrix/Synapse server?

Probably not a huge difference, because if you send messages to other homeservers you have to trust them as well anyways. If you use end-to-end encryption for your chats it doesn’t matter which homeserver you use.


Cool thanks. I would certainly be using any and all security features I can, whether self hosted or not. So encrypted chats on Riot would be pretty much as good as you can get these days. I may try it out, it only has one competitor - Wire. Maybe I will use both.

Since you’re a regular matrix user, do you know if you can do screenshare during an audio/video call?

I don’t believe so, but I must admit I’ve actually never made any audio/video calls on Matrix before :stuck_out_tongue:


I do audio/video calls all the time on Riot/Matrix, they both work great! The one thing Riot is still bad at is screensharing.

Excellent. When you say it’s bad at screensharing, are you saying it does have it but it just doesn’t work well yet?

@StanTheMan
Riot has two ways to video conference: one is built into Riot (works great for one-on-one video/audio calls, as it is peer to peer and E2E encrypted), and it has the feature to use a Jitsi plug-in for 2 or more people. On the Jitsi conference, the screenshare button is not working. On the other hand, for the one-on-one video calls there is a screenshare feature; it works pretty well but it is hard to find and AFAIK only the person who starts the call can share the screen.

So you can not change that during a call.

Well that sounds damn good to me! Thanks.

PS One thing that confuses me slightly, and maybe it’s due to people regurgitating information they read on (often old) websites, is that most people seem to think Riot isn’t very secure. I keep hearing people saying “you can make it more secure if you host it yourself” and stuff like that, which suggests it isn’t very secure/private out of the box. You said P2P and E2E. That sounds damn private and damn secure to me. Some people say the encryption is in beta so not reliable yet, other people say the whole thing is beta and unreliable, and other people say it’s all working perfectly and is VERY secure and private!! If I understood tech stuff (especially cryptography) then the simple answer is to test it all myself! Sadly I am just a patsy :smiley: