I realized this as well the first time I logged in the account of the bot I develop and maintain: it's quite creepy.
I'm open to changes but I absolutely need a system with a desktop client and an API or something to interface it with hubot. So Signal, as the author suggested, is not a valid alternative for me.
Same here. I will migrate to Signal and try to convince my network to do the same the second there is a good cross-platform desktop app and all clients have full functionality.
I've been experimenting with ricochet.im as a desktop client.
Ideally, it would be great if Signal and Ricochet could merge best of breed features. That could mean a unified app across mobile and desktop with good security over Tor...
So basically, somebody could use telegram metadata to see when I came online...on telegram? And they could also make a best guess at who I'm talking to?
You don't even have to go to the CLI client for this, the 'target' status is visible on the top of every conversation. Pretty much any chat client I could think of has a feature like this.
Seriously, how is this even on the front page? It seems that people lately are coming up with excuses to call out any app/software/company based on privacy concerns, just so they get some attention.
Which other chat clients reveal if they are the foreground app right now or not? I haven't come across any as far as I remember (I don't use that many though). How many of those reveal it to everybody, without any confirmation?
(And even if it were general default behavior doesn't mean it isn't pretty crappy from a privacy point of view)
I've seen both WhatsApp and Viber do that. Might be a buggy client though, but nevertheless.
I find it amusing that we are raising 'privacy concerns' now for pretty much anything. How does sharing whether you are keeping your phone in your pocket or in your hands (and telegram active) affect your privacy? Its meaningless data.
The attack scenario is described in the article (I'd love to see data on if it actually is viable or not, but reports about similar attacks in the past make me suspect it is).
WhatsApp will hide last seen, but will still show you if a user is online instantaneously - you'd have to have their conversation open.
Facebook too, will show a user as instantaneously online even if they have chat turned off for you (I think). On the plus side, Facebook recently disabled API access for online/offline status of your friends unless they've consented.
Seriously ? This is an app that claims to be a secure communication chatting application. This app is not as secure as it should be. I'm off from Telegram. Trust is gone.
ICQ (remember that one?) used to show when user logs in, or logs out - without need to add user to contact list and get his/her authorization. I used one terminal client to monitor when I get disconnected to see how "stable" my connection was. So this is not new.
For those wondering, head into Setting > Privacy and Security > Last Seen to change the setting. Available options are Everybody, My Contacts, and Nobody. Manual overrides for specific contacts can be toggled with the Always Share With setting.
Yes, it DOES stop showing you as online. If you are not sharing your last seeen/online status with somebody, he will NOT see you online, regardless of the app they are using.
There is one exception to this: people will see you online for a brief period of time right after you send THEM a message (otherwise it would feel like talking to a wall).
I've been more and more concerned about Telegram recently. Here's a mail I sent them recently covering most of these concerns. Naturally, I got no response.
"
Hey there Telegram!
I have been an early Telegram user since late 2013 and was highly optimistic that it would become a perfect messenger.
It's quite perfect from a UX point of view – which is important to gain users – but other things aren't that perfect.
You claim to be open and secure, but taking a closer look that doesn't seem to be true. Your API is open and the client apps were released as open source, but your server-side code remains closed source. It's been 2 years now and you still haven't open sourced the server. Do you still plan to release it? You say that you will eventually add paid options, which doesn't seem to be compatible to open-sourcing the server.
Of course one would have to trust you that you actually use that version of the server on your side, which leads to the second issue that concerns me. You advertise being secure a lot, but default chats don't use end-to-end encryption and secure chats aren't even possible for group chats. Even for encrypted chats a bunch of concerns were raised by much respected people in the security community, I'm sure you are aware of that and will not brag about that here.
I opened an issue on the Android app's issue tracker in early 2014 about end-to-end encryption (https://archive.is/9SfYt). There have been dozens of comments on that issue, discussing how it could be implemented but there was no official reply by the Android maintainer or any official Telegram account, despite numerous attempts.
The Android app's maintainer also doesn't seem to understand version control / git and commits tons of changes in a single commit and also doesn't use tags for versioning. He also doesn't merge pull requests but rather includes them in his large commits (thus also removing all attribution). There are also binary blobs in the source code and there are various licensing issues. All these issues have been raised but the Android maintainer doesn't seem to care about it.
The issue tracker for that app has now been closed by the maintainer and there was no explanation for this. Several people tried several times to reach out to the maintainer, but he never replied. I believe this is a huge problem for a security app, and for open source apps in general.
Last but not least, the current version of Telegram on the Google Play Store (3.2.4) is not open source.
Of course, client apps don't have anything to do with the server implementation, API, or general issues about Telegram. You've linked a Trello board somewhere deep on your website, but the link is broken. It's a major issue that there is no way to discuss problems, feature requests, or ask questions to the developers (we don't even know who the developers are). There is a community-run Telegram support account and a press contact and there's this email address and a Twitter account. Obviously none of these work as a discussion / issue platform, and you don't seem to reply to Telegram questions or Twitter.
A very good way to fix this is creating an organization account on GitHub and create a repo where you can use the issue tracker and wiki. You could also move the "official" clients to that account to have them at one place and you could use it to open-source or document other things related to Telegram.
It's also not clear at all who runs Telegram. All your website says is that it's financially supported by Pavel Durov and technically supported by Nikolai Durov. Your official apps and AS Networks are registered by " Telegram Messenger LLP" or "Telegram LLP" and your website claims your headquarters are based in Berlin, although no such company seems to be registered in the EU. You are legally r...
While I'm generally on Signal bandwagon, I don't buy the previously given reasons for using telephone numbers as endpoint identifiers.
What I would like to see is the ability to periodical regenerate endpoint ids like what Burner does for phone numbers. Also, optionally add the ability to traverse Tor like ricochet.im
So if your have every possible iteration of phone numbers in your contact list, you could find every single Telegram account? How is this not a published attack vector?
I tried to post a link to that on reddit back when it happened, but I got shadowbanned.
I was posting a link to a link to personal information (the phone numbers were censored in the version I referenced) and thus it was considered witch hunting.
Speaking of third party clients... Does anybody know a good way to export/backup all of your Telegram conversations? I see there's a history command in https://github.com/vysheng/tg, but it doesn't look like it will do what I want. Ie. dump each separate each conversation.
I'd say the opposite - to me IM market seems pretty dynamic, and it's not dominated by one player. I myself use a few different apps: iMessages, Facebook Messenger, Whatsapp, Skype, Google Hangouts. Then there's WeChat (huge in China), Line (big in Japan and Korea). I've also met quite a few people using Telegram.
I've seen a lot of change recently: One of my two family chat groups (ok, the one shared with the in-laws) recently moved from Whatsapp to Telegram and other secondary groups (Christmas planning etc) have moved along as well.
My other group is still on Whatsapp but I guess we'll move that one over as soon as we can get everyone to install Telegram.
As much as I loved Whatsapp and have happily not only paid for it but enjoyed paying for it Telegram is so much betterwith replies, hashtags and last but not least a standalone client for PC.
46 comments
[ 251 ms ] story [ 1800 ms ] threadI'm open to changes but I absolutely need a system with a desktop client and an API or something to interface it with hubot. So Signal, as the author suggested, is not a valid alternative for me.
Ideally, it would be great if Signal and Ricochet could merge best of breed features. That could mean a unified app across mobile and desktop with good security over Tor...
> Anyone with the onion address can still estimate availability by watching descriptors
https://github.com/ricochet-im/ricochet/issues/155
Seriously, how is this even on the front page? It seems that people lately are coming up with excuses to call out any app/software/company based on privacy concerns, just so they get some attention.
(And even if it were general default behavior doesn't mean it isn't pretty crappy from a privacy point of view)
I find it amusing that we are raising 'privacy concerns' now for pretty much anything. How does sharing whether you are keeping your phone in your pocket or in your hands (and telegram active) affect your privacy? Its meaningless data.
Facebook too, will show a user as instantaneously online even if they have chat turned off for you (I think). On the plus side, Facebook recently disabled API access for online/offline status of your friends unless they've consented.
Is this for just the messenger app or the facebook mobile app?
The limitation is in the API only, you can still see the statuses in-app and online, but you would have to resort to a webscraper to get them.
There is one exception to this: people will see you online for a brief period of time right after you send THEM a message (otherwise it would feel like talking to a wall).
See: https://telegram.org/faq#q-can-i-hide-my-last-seen-time And: https://telegram.org/faq#q-who-can-see-me-online
" Hey there Telegram!
I have been an early Telegram user since late 2013 and was highly optimistic that it would become a perfect messenger. It's quite perfect from a UX point of view – which is important to gain users – but other things aren't that perfect.
You claim to be open and secure, but taking a closer look that doesn't seem to be true. Your API is open and the client apps were released as open source, but your server-side code remains closed source. It's been 2 years now and you still haven't open sourced the server. Do you still plan to release it? You say that you will eventually add paid options, which doesn't seem to be compatible to open-sourcing the server.
Of course one would have to trust you that you actually use that version of the server on your side, which leads to the second issue that concerns me. You advertise being secure a lot, but default chats don't use end-to-end encryption and secure chats aren't even possible for group chats. Even for encrypted chats a bunch of concerns were raised by much respected people in the security community, I'm sure you are aware of that and will not brag about that here.
I opened an issue on the Android app's issue tracker in early 2014 about end-to-end encryption (https://archive.is/9SfYt). There have been dozens of comments on that issue, discussing how it could be implemented but there was no official reply by the Android maintainer or any official Telegram account, despite numerous attempts.
The Android app's maintainer also doesn't seem to understand version control / git and commits tons of changes in a single commit and also doesn't use tags for versioning. He also doesn't merge pull requests but rather includes them in his large commits (thus also removing all attribution). There are also binary blobs in the source code and there are various licensing issues. All these issues have been raised but the Android maintainer doesn't seem to care about it.
The issue tracker for that app has now been closed by the maintainer and there was no explanation for this. Several people tried several times to reach out to the maintainer, but he never replied. I believe this is a huge problem for a security app, and for open source apps in general.
Last but not least, the current version of Telegram on the Google Play Store (3.2.4) is not open source.
Of course, client apps don't have anything to do with the server implementation, API, or general issues about Telegram. You've linked a Trello board somewhere deep on your website, but the link is broken. It's a major issue that there is no way to discuss problems, feature requests, or ask questions to the developers (we don't even know who the developers are). There is a community-run Telegram support account and a press contact and there's this email address and a Twitter account. Obviously none of these work as a discussion / issue platform, and you don't seem to reply to Telegram questions or Twitter.
A very good way to fix this is creating an organization account on GitHub and create a repo where you can use the issue tracker and wiki. You could also move the "official" clients to that account to have them at one place and you could use it to open-source or document other things related to Telegram.
It's also not clear at all who runs Telegram. All your website says is that it's financially supported by Pavel Durov and technically supported by Nikolai Durov. Your official apps and AS Networks are registered by " Telegram Messenger LLP" or "Telegram LLP" and your website claims your headquarters are based in Berlin, although no such company seems to be registered in the EU. You are legally r...
After a year we are already well-established company and fully open source platform.
What I would like to see is the ability to periodical regenerate endpoint ids like what Burner does for phone numbers. Also, optionally add the ability to traverse Tor like ricochet.im
That would be nice.
I was posting a link to a link to personal information (the phone numbers were censored in the version I referenced) and thus it was considered witch hunting.
Witch hunting every single user of Snapchat...
It's too bad, because I would use it otherwise.
only problem is that nobody uses it. so i might as well not use as well. which increases the problem that nobody uses it.
it is really hard to break into the IM market.
My other group is still on Whatsapp but I guess we'll move that one over as soon as we can get everyone to install Telegram.
As much as I loved Whatsapp and have happily not only paid for it but enjoyed paying for it Telegram is so much betterwith replies, hashtags and last but not least a standalone client for PC.