-
Notifications
You must be signed in to change notification settings - Fork 344
Stop recommending Telegram #29
Comments
Thank you. I'll update the guide to remove Telegram but with a link to this issue. |
https://telegra.ph/Why-you-should-stop-reading-Gizmodo-right-now-Long |
No, sorry. Telegram uses a homegrown encryption protocol called MTProto, which has been proven insecure by multiple studies. Also worth noting are this article from Bloomberg (published March 2018) and this article from CSO (published May 2018). |
I am not security expert. But mentioned articles describe weak sides of mtproto version 1, now telegram uses mtproto version 2 (late 2017), where as I see, described issues were fixed. Now telegram uses sha-256 and smth new with paddings. |
I'm might be willing to add it back if there are independent studies that can verify it is secure, or if there is a security expert who can provide input on this Issue. However, even with version 2, I believe @arsv's original comment still holds true:
|
https://telegram.org/faq#q-do-you-process-data-requests |
This argumentation is absolute nonsense. 😉
|
Agreed. Even if the keys are on different servers, Telegram still has the ability to retrieve and assemble the divided parts. Then they can decrypt the data because this method is used for data that is *not* E2EE. Correct me if I'm wrong, but I believe this is how it could be accomplished.
Jan. 26, 2020, 12:09 p.m. by notifications@github.com:
…>>
>> As a result, several court orders from different jurisdictions are required to force us to give up any data.
>>
>>
>
>
> https://telegram.org/faq#q-do-you-process-data-requests
> So cloud providers can't access the user data, because decryption key is stored in several providers, countries.
>
>
>
This argumentation is absolute nonsense. 😉
Some countries simply work together.
If you look further than the "legal" argumentation it is > technically> still insecure.
The mentioned phrases just satisfy marketing teams and naive users.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, > view it on GitHub <#29?email_source=notifications&email_token=AHEKGAHJ53KOHQYDT6K5O6LQ7XUYZA5CNFSM4KDJVPT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJ54UQA#issuecomment-578538048>> , or > unsubscribe <https://github.com/notifications/unsubscribe-auth/AHEKGACQ4QMPLDWT6KZKYQDQ7XUYZANCNFSM4KDJVPTQ>> .
|
Yes, maybe, I don't know for sure. But telegram has good privacy policy, reputation and you have ability always use e2ee secret chats. Also telegram has many good public channels, professional chats, bot platform and funny stickers)) As I see this repo about privacy-focused replacements for Google services. Not every service in this repo uses e2ee. |
Not every service in this repo uses E2EE because for some it is not possible... For example OpenStreetMaps would not benefit at all from E2EE. In fact, you could almost argue that it *is* because of HTTPS connections through a browser. One end is device, the other end is server, and the certificate encrypts that traffic.
Public channels, bot platforms, and funny stickers are not at all valid arguments for adding it back to the list. As far as professional chats goes, Wire is a better decentralized choice.
You do have the ability to always use their so-called "secret chats", but it is **not** enabled by default as far as I can tell. Signal, Wire, Tox, and Riot are all E2EE by default without a choice to turn it off.
Telegram does **not** have a good reputation. The controversies of MTProto 1 is still fresh in many people's minds in the security sector. Their app and servers have also been compromised multiple times.
Jan. 26, 2020, 2:00 p.m. by notifications@github.com:
…
Yes, maybe, I don't know for sure. But telegram has good privacy policy, reputation and you have ability always use e2ee secret chats. Also telegram has many good public channels, professional chats, bot platform and funny stickers))
As I see this repo about privacy-focused replacements for Google services. Not every service in this repo uses e2ee.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, > view it on GitHub <#29?email_source=notifications&email_token=AHEKGADBFXPXA44DF5PUALDQ7YBY7A5CNFSM4KDJVPT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJ57AQI#issuecomment-578547777>> , or > unsubscribe <https://github.com/notifications/unsubscribe-auth/AHEKGADIJAT6JLKTVQTC4JDQ7YBY7ANCNFSM4KDJVPTQ>> .
|
It's "reputation" is mostly marketing as well. Here's the thing: law enforcement is sniffing Telegram chats since years in different ways (for example by intercepting the validation SMS: see Russia or Germany for example). And I'm very sure that other institutions are doing this as well. I fact even criminals are using variations of this attack (just search for In fact even simple flaws in Telegram messengers can be very dangerous. Just recently Telegram had to fix a bug that put Hong Kong protesters into danger. So I guess it's just reasonable that people shouldn't recommend Telegram. But then again you might favour "funny stickers" about your personal security… 😉 |
I agree with you on that partially, since they recently changed to verifying via Telegram itself, as for all the other reasons, I can' t argue against those. |
@tycrek as this issue discussed, Riot doesn't have default E2EE yet. Riot E2EE was only enabled as default on May 2020, for new private conversations only. https://matrix.org/blog/2020/05/06/cross-signing-and-end-to-end-encryption-by-default-is-here |
@cedricfung please open a new issue if you wish to discuss Element (Riot was renamed), this issue is for Telegram discussion. |
So if I only have a choice between telegram and WhatsApp which is more secure/trustworthy? |
I wouldn't recommend either, but if you really do not have a choice and you're unable to use Signal or another service, I would opt for Telegram over WhatsApp due to WhatsApp being owned by Facebook. But like I said, I cannot confidently recommend either of them. |
It's not particularly secure, and not privacy-focused at all, at least not compared to the other entries in that section.
https://en.wikipedia.org/wiki/Telegram_(software)
The text was updated successfully, but these errors were encountered: