10mo ago

Is Telegram really an encrypted messaging app?

blog.cryptographyengineering.com

Privacy @lemmy.ml

solrize @lemmy.world

10mo ago

Is Telegram really an encrypted messaging app?

blog.cryptographyengineering.com /2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/

112 comments

No.
As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.
- As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.
  No, it's not. It's very easy. In the bottom right corner there is a pencil button to compose a new message and right there it asks which tpye of chat to start. Secret chat is the second topmost option after group chat. Really not hidden or complicated at all.
  
  It should be a setting to always use encrypted chat, and it should probably prompt you when you first login.
  Better yet, don't have an option to not have encrypted chats. I don't see a reason to not have everything E2EE all the time.
  
  My man, have you ever worked in tech support? I admire your optimism.
  
  Why would it even be an option to have a non-encryted chat if the app can do encrypted?
  
  It’s three clicks. And it opens a separate chat from the existing one. It’s obscure enough that you could say the UX deprioritizes (which at best is not an actively malicious design choice) usage of end-to-end encryption.
  
  Encryption is part of defense strategy, otherwise it's like a steel door in a house with wall panels made of paper.
  That strategy involves all communications being encrypted. Otherwise rubber hose cryptanalysis becomes practical.
  
  It is not easy, as it's not even possible on desktop.
- That's incorrect, their client is opensource, you can check their e2ee yourself.
When you can't use secret chat at ALL on desktop, fuck no it isn't.
Assuming end-to-end encryption is what's meant in the question.
- That's a step backwards from Whatsapp lol
  
  It's still shit tho. Signal is better.
- You can with Pidgin and purple-tdlib plugin for Telegram.
  But then I'd ask the other person to use the same thing, and we'd both use OTR for encryption, not TG's bogus E2EE.
  
  wow I haven't used Pidgin in like a decade
If Telegram is considered an encrypted messenger, then FB messenger should be too. Works exactly the same. I don’t know about you, but being the same level as FB messenger should speak volumes to whether Telegram is “encrypted” or not 🙄
- FB messenger should be too. Works exactly the same. 🙄
  Facebook licensed Signal's encryption: https://signal.org/blog/facebook-messenger/
  
  Yeah, the fact that FB messenger uses Signal protocol, means the encryption is better recognized than the one used in Telegram. But the lack of on-by-default or the need to drill in a few options before enabling secret chats.. I mean it’s even named the same thing as Telegram.
- If Telegram is considered an encrypted messenger, then FB messenger should be too.
  But strangely only one is being prosecuted.
  
  I suspect that’s because Telegram’s marketing and it’s users consistently try to place Telegram in the same categories as actually secure and encrypted messengers. Whereas I don’t see tech blogs claiming that FB messenger is secure.
- That's ridiculous, Telegram client is opensource, Facebook is not. We know for a fact that Facebook shares their data with... well, anyone. The reason of the recent arrest of the Telegram CEO seems to be that he apparently doesn't share anything.
  
  I mean that is a fair point. But open source client only matters if people were using Telegram’s secret chats consistently. The closed source server is what’s most important when almost all communication happens plain text.
- Then is not than
  
  Good catch 🫡
One of the most important rules of cybersecurity is: never roll your own encryption.
And what did the guys at Telegram do? Rolled their own encryption.
If you are into Telegram because you think it's secure, think again. There are much better alternatives out there, adopting proved industry standards. Signal or Matrix just to name a few.
- No, it's not the rule itself. It's rather an advice not to do as rolling own crypto is very tricky and complicated thing. You have to be very aware of many possible attacks, how they do work, to create own crypto properly
- Generally a good rule, however Signal did develop their own encryption. It was so good it became the industry standard.
- What does 'rolling encryption' mean (if it's possible to ELI15).
  
  'Rolling your own...' is a comparison to rolling your own cigarettes. That is, creating your own version from scratch instead of using something ready-made.
  
  OP probably meant "to roll out", meaning: "to deploy".
- if the people you want to talk to are using telegram then you don't have much of a choice
  
  Maybe tell them you are using signal and that they don't have a choice but to use it
It can be that. But it is also a medium for public forums.
Somehow it has public groups and requires your phone number. Not really sure how to find the groups though.
- But unlike Signal, nobody can see your number
  
  You can hide your phone number now with the release of usernames in Signal. Still need it for registration tho.
Oh here we go.
Manufacturing Consent to tear it down because victims around the world use it to get their voices out when everything else is shut down. People organizing against oppressive governments using it when nothing else is safe.
It can't be allowed to exist. This is them social engineering your acceptance of their tyranny. Don't bite the bait.
- What is this nonsense? This is a technical post explaining why it's not encrypted.
  Plus there's plenty of other services like matrix which can do the same thing better without enriching a billionaire
Sure its is. Russia has the keys so they can snoop. Its encrypted though so just the kremlin can read it. Enjoy.
Its funny how what is out there can't be comprehended by those who only see what they want to see. If he wasn't in putins pocket he would have fell out a window by now. The rest is just a sad song and dance that the weak minded buy into.
- The comment where everything's made up and the points don't matter
  
  Telegram CEO Pavel Durov's Arrest Upends Kremlin Military Communications https://tech.slashdot.org/story/24/08/26/2233226/telegram-ceo-pavel-durovs-arrest-upends-kremlin-military-communications I'm sure its nice with your head in the sand but it doesn't make any of you right.
  The idea that any of them are secure is a pipe dream.
- Durov has been blacklisted in Russia because he refused to cooperate with Putin's government on several occasions.
  
  Yet he is still alive. Misdirection nothing more nothing less.
- Aha that's why telegram is banned and blocked in Russia
  
  Wasn’t it unblocked again soon after?
  
  Its not and it wasn't banned for very long unofficially.
- What was your methodology to determine that?
  
  Racism.

112 comments