37 comments

[ 3.7 ms ] story [ 86.7 ms ] thread
Neat! I use Telegram on a daily basis, so this seems interesting.
...but still not auditable crypto. Questionable priorities there.
It is auditable, but probably no one capable is going to spend time on this. As I get it, it's like developing software for really ancient computer platforms - possible, but no point in doing so, and there are probably better things to do in one's spare time (unless they're really into this kind of stuff, of course).

  > Secure messaging app Telegram […]
  > Telegram, the security-focused messaging app […]
Stopped reading right there. I donʼt even know where to start dismantling this nonsense.
But they have stickers and a gif bot, so normies are going to use that over Signal. And no issues with synchronization between devices (since it's just plaintext xD xD). Seriously.. "secure messaging app" doesn't even have secret chats in the official desktop client.
not sure what you mean, I use the official app on OSX and it has the secret chat option. click on a contact, it shows you all the infos including "start secret chat"
If 'secure' is not the default, how can Telegram claim to be security-focused?
Anyone could claim absolutely anything, and the bigger the player the more likely it would be without any negative consequences (and with positive ones until the discovery - and sometimes even after), even if it's discovered to be an outright, blatant lie. Not like Telegram is unique or exceptional in this regard.
I use Telegram not for bots and stickers but for the fact that it has a quality native Mac client. Signal's desktop client, with its reliance on Chrome/Electron and need to sync with your phone, is half baked and annoying by comparison. I sit in front of computers for over 8 hours every day, so they serve as my digital messaging center far more than my phone does. That calls for a chat app that doesn't make the desktop an afterthought.
Telegram has nothing to do with anonymity and privacy, they are using phone numbers for registration.
And it's impossible to buy a foreign pre-paid SIM with cash in some backwater store, register, and then never use it again, right?
I'm not disagreeing with your argument, but I might disagree with the premise... Signal works the same way.
It's dangerous and irresponsible to build services advertised as such to those you cannot provide the claimed protections to. When we build infrastructure with rotten foundations, people can die.
Telegram, is that the app created in Russia, where the gov demands a backdoor in the chat app?

http://www.businessinsider.com/russia-anti-encryption-telegr...

http://www.ibtimes.co.uk/russia-demands-backdoor-spy-users-w...

Telegram has flaws, but please stop this "Russian backdoors" FUD. They even have this in the FAQ:

"While the Durov brothers were born in Russia, as were some of the key developers, Telegram is not connected to Russia – legally or physically. Telegram's HQ is in Berlin."

https://telegram.org/faq#q-who-are-the-people-behind-telegra...

Also,

"Since being dismissed as CEO of VK in 2014,[7] the Durov brothers have traveled the world in self-imposed exile[8] as citizens of Saint Kitts and Nevis.

[...]

Durov is a self-described libertarian and vegetarian.[27] In 2012, he published manifestos described by commentators as "anarcho-capitalist" detailing his ideas on improving Russia[28]"

https://en.wikipedia.org/wiki/Pavel_Durov

> Since being dismissed as CEO of VK in 2014,[7] the Durov brothers have traveled the world in self-imposed exile[8] as citizens of Saint Kitts and Nevis.

It's b/s. Durov regularly visits Saint-Petersburg's office where Telegram is built. Source: VK employees, own eyes, [0] (in Russian).

[0]: http://uip.me/2016/04/dark-side-of-the-telegram/

Telegram-FOSS (the FOSS friendly fork you can find on F-Droid, not the official app on Play Store) maintainer here. Telegram is NOT a "secure messaging app".
Quote from the Telegram-FOSS Github Page: "Telegram is a messaging app with a focus on speed and security..."
That comes from upstream's README.md. I've never payed any attention to it, but now that you've pointed it out, I'm seriously considering changing that paragraph, or adding a note/disclaimer somewhere.

After all these years and promises, server's code is still closed, federation is nowhere to be found, their update/commit policy for the official Android app is a joke [1] (they even closed its issue tracker), and I'm really tired of their "trust us, we're not evil" policy [2].

If you haven't switched to Matrix/Riot, do it right away.

[1] https://github.com/DrKLO/Telegram/commits/master

[2] https://telegram.org/faq#q-who-are-the-people-behind-telegra...

As one of the resident cryptography nerds: Matrix/Riot seems to be in every way better than Telegram. I still need to review it before I can wholesale recommend it, but it was audited by NCC Group previously.
I don't seem to understand Matrix/Riot.

It appears to be like IRC, but also integrates with Gitter, and IRC and has a identity federator called vector.im.

Matrix is a federated chat protocol. It is like IRC or XMPP but synchronizes history and uses HTTP-based protocol. There are bridges to IRC, XMPP, and Gitter.

Riot is a client. It used to be named Vector.im.

I use telegram on a day to day basis, but calling it "secure" is quite a bit of a stretch. But it is quite possibly the best app I have used in regards to user expetience.

But until signal actually produced a usable (to the average person) app, people will continue to use telegram and other insecure chat platforms.

Unfortunately, some Telegram usability comes from a reduction in security. Things like seamlessly going, with full chat-history, between multiple devices is a bit tricky when your protocol only permits one person to receive a message once, rather than storing the messages unencrypted on the server like Telegram does.

One "secure" approach would be that of the older Skype clients, where chat history synced between the logged in clients of a user. However, that was a horrible user experience, made worse by bad notification management.

So while Signal can get better, you will probably always have to decide between usability and security, which is most likely the very reason that "normal" people always end up with the less secure solution, which in turn renders the secure solution even less usable with its smaller userbase.

How does userbase affect usability?

Also, I tried Wire recently, which has e2e and all your messages on all your devices. I tnink sent messages duplicated, encrypted with each of your devices keys. So when you add a device it can't read previous messages.

An instant messaging platform needs a network of users. I am more likely to use a platform that allows me to talk to all of my contacts, than to use multiple platforms that only allows me to talk to a few each. If I have multiple, I am also only likely to add the new platform if there is at least a handful of people I know there. Likewise, the more users that are on the platform, the more likely that new users will be attracted.

I am on Telegram primarily because it's the best I can come up with that my friends use, and moving my friends is an unlikely task as they have their friends on Telegram as well. You need to move or duplicate users from existing platforms to get a userbase, but you need a userbase to attract users from existing platforms.

I have been looking at Wire. They're using the signal protocol, but in a more closed model IIRC. I didn't know that they had a solution to this problem, though, and always just through of them as basic Signal clone. I guess I'll have to have a look. :)

Well. Facebook is not secure and we don't care.

Most users don't care about security and this should not be a problem.

Telegram is a very nice mobile platform. I use it to share a microblog (Telegram Channel) with some friends and it is very nice.

The only gripe I have with it is their propaganda on security.

Telegram is not secure, but I don't care, I already have Signal for sending encrypted messages.

Well, this is the point. It's really hard to convince people to make a change, especially if it costs them anything (such as synced chat logs), on basis of something they don't care about.

I would say that it is a massive problem that users don't care about security, though. They just don't know, because they haven't been screwed over yet. People cared a lot in retrospect when the password bruteforce leaked iCloud pictures, for example. People don't care about politics before it's too late, either.

On a positive note, Facebook seems to be screwing itself over in usability and content. I used to be on there reluctantly, but now I only check the input every two weeks or so to check for annoying relatives that might message me. The news feeds are nothing but uninteresting clickbaits, and they keep making it harder and hard to just check the bloody messenger inbox.

Telegram is not a secure messaging app.

If anything, Telegram is a modern replacement for newsgroups.

ITT: everyone talking about Telegram instead of Telegraph.
Previously: [1][2]

Telegraph appears to be a minimalist anonymous blogging platform, with images and markdown support. It's link of a blank canvas -- pun intended. It's like anonymous gists where the post becomes uneditable once you clear your cookies. It may turn out to be the next great thing, or may turn into an abusive slugfest of scum and spam.

Other than it being an experiment, it's clear to me that Telegram is actively looking at ways of increasing time that users spend in its app -- much like every other chat messenger has done in recent years, with bots, in-app browsers, stickers, and integrations. The way to cultivate a walled garden people actually like is to have it be a pleasant and varied garden; this seems to be the way of the game, and it's amusing to see Facebook (through its four platforms), Snapchat, Google (through its 3+ platforms), Kik, Viber, LINE, WeChat, Microsoft, and even Apple and Slack get a piece of this pie.

[1] https://news.ycombinator.com/item?id=13017592 [2] https://news.ycombinator.com/item?id=13017604

How can anyone call "Telegram" secure? Those days are over. It's the least secure messaging app of them all now. Even WhatsApp is more secure than Telegram (let alone Threema).