87 comments

[ 4.5 ms ] story [ 154 ms ] thread
I, for one, shudder at the thought of Facebook getting my banking messages. Telegram has been a great alternative although it's not perfect.
I'd be much more nervous about Telegram getting that data.
It's a toss up:

- WhatsApp uses reputable cryptography from reputable sources, but combines it with a UI so much designed for ease of use that it throws out the possibility of real security

- Telegram uses extremely questionable cryptography to begin with from people who probably shouldn't be designing cryptosystems

If you want real security, go use Signal or better, OTR where socialist millionaire's is still an option for key verification.

> OTR where socialist millionaire's is still an option for key verification.

Can you explain the socialist millionaire comment? I don't get it.

Other people already linked the wikipedia article, but basically the thing it allows for is verification of a key without trust of it and provides effective proof you're not being MITM'd.

I can ask a question or a series of questions to my friend and we can use zero knowledge proofs to determine we're talking about the same answer to verify his key without disclosing anything about that answer.

Also WhatsApp is closed-source, but Telegram's client is open-source.
Not everything with Telegram is open source like Signal. I still use Telegram because it's designed better and updated much more frequently.
I'm using both, too. :) But unfortunately I don't use Chrome, so I can't use Signal on my PC yet.
There are some FF-related pull requests on GitHub, but it seems that guy hasn't signed the contributor agreement. Maybe we'll get an FF-version soon.
Why is a contributor agreement needed? Can you post the link to the PR?
Telegram is actually not open, they just throw some sources to github or as zip files at their's langing page. That's why i quit Telegram and built open source "Telegram" - https://actor.im and replaced spagetti-encryption with enhanced version of Signal's one.
Considering it is pretty much the gold standard for crypto, how did you enhance it?
We added one extra level based on Russian encryption. So if Curve25519 or AES encryption will be broken there are still be russian level. To break our crypto Russia and US need to cooperate that is impossible.
I've read up a while ago on the questionable cryptography (not an expert in that at all myself) but couldn't find a lot of actual substance. Certainly with claims [0] [1] being that Telegram offers nice sums for breaking it, which gives me as a consumer the idea that someone who actually knows this stuff would love to hit that down, if it was something in my area of expertise offering that I'd love to try and hit it.

I get that it might all be some kind of cheat, but an actual cryptography researcher publishing that it is would, obviously, get a lot of bad karma going in the HN circles (for example) about these contests.

[0] https://telegram.org/blog/winter-contest-ends

[1] https://telegram.org/blog/cryptocontest-ends

What have you read about the questionable cryptography in Telegram that you found unpersuasive? That's a better starting point, because the formulation you use here is often used on message boards to bait people into doing research work that is then dismissed.

Your comment includes an assertion that there aren't substantial complaints about Telegram's security (there very much are, BTW). I think the onus is on you to defend that argument.

You're absolutely right if my goal was to get people to post these papers, which reading back can easily be how it is interpreted.

My point was more that, as a 'consumer' of this product without any background knowledge, their contests seem extremely convincing to the point of being slightly ridiculous. A 300,000 dollar bounty, while participants get quite some more access than they would normally get while attacking this system, gives me that feeling of it being actually quite secure, besides some possible attacks. If they're possible, if there are complaints, why can't they be made real and substantiated?

My first post is indeed not delivering the message I intended, hope this one shows it better.

This is one of the rare instances where me and Bruce Schneier agree unequivocally, so maybe you can just take Schneier's word for it --- remembering, when you do, that this happens so often in security that Schneier was moved to write a little article about it!

https://www.schneier.com/crypto-gram/archives/1998/1215.html...

Thanks a lot, that was very insightful and exactly the kind of insight I was looking for.

I think for me as an outsider it's really easy to fall for that trap, where certainly point 3 in his article was a realization that I would look at it the same way, perhaps spend a bit of time in my evenings on it but never spend, say, 3 months of research on the off chance that they might pay and that I might be the first winner/best winner, compared to a good (hourly) pay.

(comment deleted)
Doesn't 'real security' quickly escalate to not having a cell phone at all?

The best opsec advice for normal people seems to be not to op.

I wasn't advocating Telegram as an alternative transport for financial data. More that I'd rather use telegram for im than anything facebook owns.
Which reminds me of the announcement while ago about Whisper Systems is helping WhatsApp implementing E2E [0]. I don't think I've heard ever since about it, and not even sure if that functionality is built into WhatsApp now...

[0]: https://whispersystems.org/blog/whatsapp/

> Starting this year, we will test tools that allow you to use WhatsApp to communicate with businesses and organizations that you want to hear from. That could mean communicating with your bank about whether a recent transaction was fraudulent, or with an airline about a delayed flight.

Sounds a lot like what WeChat has been doing in China with their Official Accounts.

Best explanation I could find quickly: http://knowledge.ckgsb.edu.cn/2016/01/13/ecommerce/welcome-t...

Instead of, say, downloading the Uber app to get a ride, you'd open up WeChat and message its app account.

> Sounds a lot like what WeChat has been doing in China with their Official Accounts.

Or Line, not sure which one was the first.

This. A messaging app like WhatsApp could become a platform. I'm not sure how the "apps" in this world would look like but I would find it great if text interactions (like on IRC, in the shell, or a text adventure) would have a comeback. Forget most of HTML/CSS and get back to basics ;-) In reality, some graphical UI will probably be necessary.
I just wish we had a good way to do this without locking it all into a single proprietary platform.
Yeah I visited china recently and I was very jealous seeing my girlfriend (grew up there) order taxis, pay for food and loads of other small tasks all through WeChat.

This should definitely be developed for WhatsApp (or something similar).

Telegram has its Bot API which, among many other things, makes it possible for any organization or individual to create applications that "allow you to use [Telegram] to communicate with businesses and organizations that you want to hear from".

Telegram offers this for free.

Not that I have met anyone who paid for Whatsapp, ever. :)
This is what I thought as well.

WhatsApp asked me for money a few times but wasn't overly bullish about it after I ignored it for a few days.

Not using WhatsApp isn't any obstacle as everyone seems to have a few messengers. I just pressed a different button, others answered on the platform I swiched to.

I paid 99c for Whatsapp on iOS years back. This was before IAP and I believe it was the only way to get it on the platform.
Good to so I'm not alone. Heck, I've even moved countries like 3 times and I haven't paid a cent.
I don't like that WhatsApp is tied to my phone number.
FWIW, this was my biggest gripe with it too. I did not start using WhatsApp till 2014 while all of my friends had already switched a couple of years back. I was happy with Facebook messenger, but i was forced to switch to be in the loop. Although since Facebook messenger also needs your number to verify the phone, if I remember correctly, it hardly matters.

I have recently made the switch to Signal[1], and made my partner switch too. It's been a blessing.

[1] https://whispersystems.org/

Sadly signal uses your number too.
Yes. But I'd rather give it to moxie than anybody else.
Your name and number are already in all major databases if you have any friends with smartphones.

I am just annoyed that I cannot choose and control my 'identity' but instead am bound to the provider's number.

I like that WhatsApp is tied to my phone number. It just works. That's the one of the biggest reasons of its success.
Same here.

I have two phone numbers (one in the US and one in Austria) and also spend a considerable amount of time in both countries each year. I'm usually reachable on both numbers (and usually only give the local number to people in each country), with one number forwarding to the other number.

With WhatsApp I can't link both numbers at the same time. Even worse, according to the FAQ there's a limit on how often you can change the phone number linked to the account, so it's not even an option to just always change it to the "local" number.

I remember being prompted for a small payment once or twice but still ended up being able to use the app regardless? strange
That's too bad. If you're paying, you're the customer. If you're not paying, you're the product.
People seem to say this all the time, but assuming it's true, what's inherently wrong with "being the product"?
It's just a catchy phrase designed to sound shocking as it suggests some opaque objectification.

Obviously you don't need to "be the product". Selling a shortcut to a bit of your attention makes a lot of money, too.

Edit: And you are always in the position to choose how much attention you grant the apps you use.

There's not much wrong with being the product as long as you are aware of that distinction. The problem arises when people aren't aware because this in essence takes away their right(option, if you will) to refuse to use the service.
> what's inherently wrong with "being the product"?

Products are sold

So long as revenue sources other than subscription fees are more lucrative than the subscription fees, it remains the case that users are "the product", even if fees are charged.

For fees to change the balance, they have to have enough economic weight to swamp advertising and tracking revenue, so that losing users makes tracking unprofitable. But very few services like WhatsApp can charge so much that the balance is shifted.

Paying for something doesn't mean you're not a product.
Signal is also free and based on a business model that doesn't require eventually being able to interfere with your privacy and mine your data.

https://itunes.apple.com/gb/app/signal-private-messenger/id8...

https://play.google.com/store/apps/details?id=org.thoughtcri...

What business model is Signal based on?
From their description in the iTunes store: 'Pay Nothing - Signal is supported by a team of dedicated developers, community donations, and grants. There are no advertisements, and it doesn't cost anything to use.'
So it's a project, not a business.
If that's how you see it, I'm very curious to know how you would define the linux kernel.
I was not aware that the Linux kernel required a server infrastructure to be running to work on my device.
I am thinking there is likely a massive infrastructure behind Linux running on your device. And thanks to all those that support it.
Nitpick. It still requires development.
You say that as if is has less value for not being a business.

When ideals are involved (strong encryption, privacy, ad-free), being run as a lean, open-source project is worth much more than being owned by a megacorp like Facebook.

> You say that as if is has less value for not being a business.

No, I did not :-P

I couldn't see from those links, but what is their business model exactly?

I am a happy signal user BTW, but I can't see how they are making money off me.

Paid business services for customer interaction, sound like a plausible business model for WhatsApp. However, I get the feeling this is only part of the story. I assume that data mined by WhatsApp are probably more valuable to Facebook.
I would agree. I think their user base has hit some tipping point which ensures other revenue streams. That's the only reason I can think they would throw the fees... out the window.

(nice user name)

So I know internal figures from facebook regarding whatsapp. A large majority of our users are never actually charged a subscription fee.

The app is facing stiff competition in some markets against apps that don't have any subscription model. Even though whatsapp won't actually charge those users the presence of a subscription feature seems to be causing a growth hinderance.

Not sure how it will compete in these markets now given the entrenched nature of social platforms and how hard it is to convince people to switch but that remains to be seen.

Also, until recently whatsapp/facebook couldn't actually read any message sent by users to other users/groups because of the end to end encryption in place. Not sure why they would change that just to get a data mined revenue source, metadata is quite sufficient for that. Even with NSLs on fb in place, the impossibility of of us to read the messages in whatsapp is sufficient reason to deny a NSL request.

Zuck doesn't really interfere with whatsapp, but like with some other things this seems like a bid to increase DAUs and retention instead of any new source of revenue.

> until recently whatsapp/facebook couldn't actually read any message sent by users to other users/groups because of the end to end encryption in place

Does that mean they can now?

Your question would have been answered if you had read the paragraph.

That statement is based on my latest information, which is a few months dated, that they couldn't. Things could have changed but it's unlikely.

The paragraph doesn't say anything one way or another.
I couldn't resist to smile. Back on topic, it would be great if WhatsApp clarifies which data they share with Facebook and how that data is being used.
Whatspp charges $1/year, right?

The announcement said handling payment was a big problem. Well, a support call costs $20 or so. If 5% of customers have a payment problem (don't have credit card any more etc) and 50% of those incidents require human attention, that's half of Whatsapp's revenue and a serious reason for churn and user dissatisfaction. 5% and 50% are random numbers, but you see the point, right?

I was in the audience and he gave a pretty clear hint that commerce (a la tencent) would be the path forward for monetization
I don't think I ever paid fees for Whatsapp, and I'm not sure how or why. But this also seems too late. Facebook own them, my family started using Facebook, and with Messenger as a separate app I more or less lost any incentive to use it.
I think only new sign ups after the fee introduction paid the fee.
When I signed up for WhatsApp in 2012, the iOS app cost 0.79 € (I believe it was a promotion, usually 1.79 €) and gave me a free lifetime license. I think the Android app already asked for a yearly fee after one year at that time, at least in theory.
Worth reading of course is the post (pre FB acquisition) on why they don't sell ads: https://blog.whatsapp.com/245/Why-we-dont-sell-ads
And for those who didn't read the link, the punchline at the end of that post is:

"When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"

The (implied) alternative here is advertising; the author just spent the previous 8 paragraphs discussing all the unpleasantness and creepiness that that entails.

When I very recently started using WhatsApp, the client displayed a link to a blog post[0] they wrote about why charging subscription fees was important and a good thing:

"At every company that sells ads, a significant portion of their engineering team spends their day tuning data mining, writing better code to collect all your personal data, upgrading the servers that hold all the data and making sure it's all being logged and collated and sliced and packaged and shipped out... And at the end of the day the result of it all is a slightly different advertising banner in your browser or on your mobile screen.

"Remember, when advertising is involved you the user are the product.

...

"When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"

Given that this new blog post carefully talks about not introducing "third-party ads", presumably first-party ads are still on the table? Which would make this new model the alternative that they warned us about earlier.

[0] https://blog.whatsapp.com/245/Why-we-dont-sell-ads

(comment deleted)
Heh, I guess it's not particularly surprising that making the founders billionaires changed their minds - although it really did read as if they had principles at the time!

"These days companies know literally everything about you, your friends, your interests, and they use it all to sell ads."

There really is only one company this could be describing isn't there? Facebook.

I'm not sure how true that ever was. I've been using WhatsApp for years and never paid anything. They'd always just extend the subscription. None of my friends ever paid anything either (most of the people who use WhatsApp here don't even have a CC on file at Google Play).
I'm just going to stick to Email :) I'm old enough to see all these messaging applications come and go (ICQ, MSN Messanger anyone?). I'd rather see a company try and improve email's flaws then try and force new protocols and undefined encryption down our throats.

Yes I sound grumpy, but that's because all my family are on WhatsApp and I don't want to be :)

When a business becomes "free" with no clear indication what the monetization model is, my "spider" senses are tingling. Time to abandon ship.
For the 5 years I've been using WhatsApp, I've never been charged anything. I always get a "trial extension", even after changing numbers many times and changing countries 3 times.

I don't know if this happens frequently, or I'm just lucky