And they also ordered Apple and Google to remove the app from their stores. I understand there are workarounds, but I'd really like them to respond with "f*ck yourself". It's a shame they won't do that, though.
Whether they respond with process and patience or not, I’m hard pressed to think of powerful states that abide “f*ck yourself” once they’ve started to think national interest/security.
It definitely change, although I can't say to which direction. He makes the system legitimate, so any successor would have either to be more open and earn some political trust in a normal process or just close the country even more (deploy martial laws, etc.)
And here is another yet problem with walled gardens. It creates a single failure point because Apple and Google are forced to comply with local law, regardless of how absurd it is, if they want to continue doing business there.
In an open environment, you would simply change the mirror urls and run apt-get update.
I'd argue that in this case the centralization helps because blocking GCM would kill all notifications for all apps. As long as they (Russia) are not willing to do that Telegram can use this as a side-channel to update their IPs for all clients.
The other option would be for google to turn push notifications off selectively for Telegram and only in russia. Not sure if they can/will do that.
If Google will comply with an order to remove apps from the store in certain regions then they can certainly comply with orders to filter push messages destined for specific apps as well.
My problem with GCM is not the implementation on the client, but the fact that Google sees traffic. I don't want Google to see my data nor my metadata.
I always get notifications about Telegram messages on my phone at around the same time (within a second or so) as I get the notification on the web client.
Currently Telegram keep working because it's get new backend IPs constantly via Google Play / AppStore services. Since push notifications are centralized they'll stop working as soon as application removed from stores so app wouldn't be able to get lists of unbanned IPs.
So do you think it's good idea for Amazon / Google reputation to cease their service to any SaaS if kremlin dont like it? Unlike many smaller players Telegram might actually afford to pay for even millions of new IPs in thousands of subnets.
I not sure how it's can be against ToS because unlike other case Telegram is actually large enough to actually pay for tens of thousands end point IPs easily even on monthly basis.
And Kremlin minions certainly not going to stop ban subnets now even if will be 1:1000 ratio of Telegram's one and other services.
Does this mean that Google/Amazon customers on mentioned IP addresses are inaccessible? If so, I think Google/Amazon will choose to cease the contract with Telegram.
Just in case previously when same thing happened with service called Zello and back then Amazon cease to provide them service (forbid to change IPs) before actual subnets were banned. Soon we'll see how Amazon / Google will react on Kremlin bullying this time.
If they don't cancel Telegram's service, their other customers who are also being affected by the ban will flee to other services. I don't think they can sit and watch that happen.
Russia is taking a page out of the China internet playbook. Next it will build out it's own great firewall and slowly unblock services after it gain's control.
There the govt builds the controls. Here Twitter, YouTube and Facebook do. No big difference in my book. In terms of outcomes, only clowns get propped up either way.
There is no alternative to Google, Amazon, Youtube, etc. You have tiny, inferior competitors that don't even come close to 10% of the monopolist's market share. Google works very hard to trap you in their ecosystem. Once you're there, escape is almost impossible.
You're conflating legal restriction on individual behavior with market/individual-preference constraints.
"Life" in general is constrained. We are not trying to get rid of limited options (every choise is between limited options), we're trying to limit totalitarian control over individuals.
That is, behaviour which is artificially constrained by imprisonment, punishment and death for the sake of preserving tyrannical power structures.
And the end result are tyrannical power structures that de facto exert totalitarian control. There is very little difference between government-enforced restrictions and those created by global capitalism and its monopolies.
It doesn't matter to me if my rights are restricted by legal means or by corporate hegemonies, in fact the mechanisms in play are so complex nobody can really be sure anymore.
No no, people can be very very very sure. The 20th C. tried both of those experiments and in the totalitarian system 10s of millions -- at least -- died.
Having your choices restricted by social cooperation and negotiation (in a market places) is NOT the same as having them restricted by a bully with a military.
This false equivalence is a defense of genocide whether you are willing to own up to that or not.
My sympathy with state action ends however, when the leaders are murders, dictators and rutheless pilliagers of the public's wealth.
Russia's oligarchy stole Russia's wealth after the dissolution of the SU, and here you are equivocating objecting to regimes of murder and abuse with "muh food idle dont be having no choices fur me1112"£""11¬11223
The entitlement and ignorance is overwhelming. You arent owed two major search engines. "Bing" not being bigger is not the same as having to use apps which in encrypt your commnunication because you fear the police will imprison or murder you.
You are owed your political freedom. Which is de jure removed from you in Russia, and the suppression of telegram is state action to supress it further.
I sincerely ask the question: Is it possible to evaluate whether freedom has expanded since 1995? It seems like they controlled much, much more when not everyone had their Youtube channel. Now it’s possible to do your own research on, for example, real M/F wage difference, or get informed about Trump news despite MSM. Not ideal, but better than the 90’s.
If your government can pass laws to allow themselves to block any Internet services, it may as well go ahead pass laws to prevent people from circumventing that block.
So, the only defense you have, is to prevent your government from issuing the first law.
Until you create a true point to point channel between households without any corporate or government equipment, this is just a dream. Many people are mistaken about the internet, they think it cannot be easily filtered but this is not true at all. Every country has few major telcos that own the equipment where 100% of the internet traffic flows through. This is why banning IP ranges is super easy for them.
It won't. The antennas will be pretty big and visible, and also they will inevitably leak some RF sideways. It's easy to ban them and catch people who get them illegally.
The sad part is that it's not just authoritarian countries that are doing this, but also the democratic ones, in a foolish effort to stop "fake news" or "terrorism propaganda".
And the "better" AI is going to get, the easier it will be for them to call for such censorship, especially when people like Zuckerberg say they can already "stop 99% of the terrorist posts automatically".
Because that's most definitely misleading and wrong, unless we can actually review what that content was. Like I bet a large portion of those posts were not posts by terrorists, but posts about terrorists. I don't think the AIs we have today can distinguish between them very well. And at least a small portion probably had very little to do with terrorism, but maybe were posts from people in the same area as some terrorists, or stuff like that.
The AI will automatically block content that nobody will ever see. And we'll only depend on people who can somehow raise awareness that their content was blocked, produce a scandal, and then get the companies to unblock it (assuming the censorship will mostly be done by private companies in democratic countries). But this is not going to be a pretty future.
> Which democratic country has blocked a major messaging app because it is used by political dissenters?
While it hasn't yet blocked it, the UK Government is certainly constantly after WhatsApp to remove the encryption (or build a backdoor) because a couple of terrorist jackoffs used it that one time (and I think they count as "political dissenters".)
Not messaging apps, but the government in Switzerland of all places recently introduced a law to block online casinos that don't operate under a Swiss license. The only reason that it hasn't gone into effect yet is because enough signatures have been collected to force a referendum.
That’s right, but basically dpi sends tcp reset in case of https or 302 redirect in case of http before target server response, since it’s located nearer. There’s a tool to bypass this, so you can read more there. https://github.com/ValdikSS/GoodbyeDPI
What does that even mean? Every ISP has it's own filtering system, some (or maybe even most of them) are custom built ones. There is no such thing as single government approved DPI.
Maybe they just don't have enough balls to go after the biggest ones (WhatsApp and Viber). Plus, other IMs don't have public channels anyone can subscribe to. IIRC that was the original problem, "extremist" channels. Why did they ask for encryption keys instead of blocking channels? Who knows lol.
Telegram still works without (manually adding) proxies :D
EC2 Ireland (at least the subnets where my servers are) also works.
Depends on the other IMs, but as far as I know, at least Signal and WhatsApp have no keys they can give the government. WhatsApp could potentially sneak a backdoor in their closed-source code, but I don't think that's something they'd have incentive enough to do.
A few months ago I read an article about Telegram and their related companies and individuals. [1]
The article read like a mix between a nerdy James Bond story, a bad Law and Order episode, a Mexican soap opera and a Russian episode of Cribs.
It was written by an ex-employee so I took it with a grain of salt.
Nevertheless, the article brings up a lot of red flags and shady behavior. Combined with their (alleged) connection with the Russian government, roll-your-own-crypto and the recent >billion dollar ICO it doesn't really make me all that willing to use Telegram any time soon.
This reads like FUD, there are reasons for and against telegram and I won't get into them here. But truth is often stranger than fiction[0] and there are actors with something to gain from making telegram look poor.
Yes, it is obfuscated, the pairing of real person and random id would be much more work, than pairing phone number with real person, and you can throw away and generate as many as you want, whenever you want - unlike your phone number.
Still beats using your phone number for chats, or your SSN in place of bitcoin wallet.
Honestly, I'd say it's much worse than using your phone number or SSN. Sure, an SSN makes it easier to tie an identity to a person, but it doesn't instill a false sense of anonymity in the user.
Again, for the practical example, people bought and sold bitcoins with the broad assumption that it was anonymous. It's a widely understood falsehood, yet new people almost universally believed it was anonymous and safe from law enforcement/the tax man.
Pretending that a random yet static ID adds any level of anonymity is simply dangerous. At best, it keeps honest people honest; like locking your door but not the bay window next to it.
(not just individual people obsessed with privacy, the large numbers of people who can see the advantage of privacy but may not invest a lot of effort to achieve it)
What do tests and CI have to do with the usability and usefulness of a program? I agree that the other issues could be worrying, but those first two throw me for a loop.
Tests and CI help you make sure that functionality actually works, that buttons you press have the desired effect, and that if I as a contributor ship you a pull request for a UX/feature improvement, both your and me can check that it doesn't break anything before merging.
The grandparent poster also wrote about security/privacy, for which I think tests are pretty important.
Finally, having CI would allow the developers/contributors with limited time to spend more time on usability and usefulness instead of on issues like "master doesn't build, anybody else have this problem?" (when I wanted to PR something to Signal, master did not build).
This is still looking at it from a developer's or contributor's point of view. Developer velocity has no practical impact on the user experience. In a way, the constant addition of features or tweaks to the user experience is a net negative, since the user has to re-learn how to do things in the app.
This also makes the assumption that since there are few automated tests, that there are no tests done on a build at all. I disagree that it is a valid assumption. Most security vulnerabilities are not found by unit or functional tests, but instead by linting and code reviews.
> Developer velocity has no practical impact on the user experience.
This may be true in a megacorp. I doubt it's true in a project like Signal where resources are limited and a few developers are the single bottleneck for everything, UX or otherwise.
To your last bullet point, these seem like a good reasons to me. This does not seem to have happened with the iOS version.
>However, the sheer volume of legacy issues, combined with submissions that completely ignore the provided issue template, has created a situation where there are currently more than 1,100 open tickets. Most of these issues have been inactive for several years and they reference versions of Signal that are no longer available. Many open issues are essentially ad-hoc discussion threads or feature requests that are a better fit for the community forum. Perhaps most importantly, many of these issues lack debug logs, descriptions, and the steps that would be necessary to understand and reproduce the reported behavior.
All those issues were closed, as it is explained in your link, because they lacked debug logs/steps to reproduce the problem/etc. It's not feasible to dedicate enormous amounts of resources to try to address those issues. You're welcome to re-open them, properly this time, if you want.
That is wrong, they closed issues indiscriminately.
Oh, and they will keep doing so: "Legacy issues that are more than one month old will be closed by an automated process as part of this cleanup effort."
That is wrong. If you read the thread, you would immediately see that, as I give examples there of how issues that were in the middle of being tested by users were closed, and that were acknowledged as real issues by the developers days before.
I'm running this on my own server (using ejabberd [1] as Prosody - which I used previously - still has problems with some of the required XEPs[2]) using several different clients (Conversations [3] on Android, Pidgin on Linux, etc).
The one weak link in OMEMO is the difficulty of verifying the authenticity of the device key signatures used by communication counterparts. These signatures are 64-character hexadecimal strings which the user is supposed to verify being authentic before initiating encrypted communications. Humans as not very good at this task, computer can help but they can also be tampered with. There are ways around this problem - e.g. meeting up in person before initiating communications (viz. PGP key signing parties), sending Q-codes off-line, using algorithms to turn those numbers into things which humans are better at recognising (e.g. the coloured emoji used by Telegram etc.). Encrypted group chat only works if all participants have all other participants in their address lists. Then again, it does work and it is fully standardised with several compatible implementations.
That would work for graphical clients but not so much for textual versions. Some type of ASCII-art might serve the purpose but whatever solution is chosen it will be hard to visualise the entropy of a 64-digit hex string in such a way as to distinguish it from the same string with 1 bit flipped.
Why block Telegram and not .. all the others? Whatsapp, Signal, Viber, ... Are they objecting to the use of encryption? Because everyone uses encryption almost all the time for everything everywhere. The cat has been well and truly released from that bag. Are they just going to turn off the internet altogether?
That's what's going to happen. Various localities will shut off encrypted passageways altogether because they control the pipes. They will create a corporate-like intranet where they monitor everything.
they know how bad an open internet can hurt them because they do it themselves to other countries. can't blame them that they don't want to be on the receiving end of the weapon they created.
It's just that Telegram is the most used one in Russia so they proceed by targeting this one first but don't worry they will target the other ones after.
Just one remark: Viber/WhatsApp client's code is closed, where is the guarantee that they do not have some "backdoor" to the client's chat right in the application?
Because the Russian government can read all non-E2EE conversations (so 99% of them) on Telegram and is hoping to drive adoption overseas with this PR stunt.
None of the other messengers you mentioned are designed to work like this (not 100% sure about Viber), the ability of operators to read most of the conversations on the platform is very much unique to Telegram.
It's really not a coincidence that the Russian government is choosing to ban the worst "encrypted messenger" on the market.
That Telegram has handed their keys to the Russian government? Difficult, but unnecessary.
That Telegram was deliberately designed in a manner which enables its owners to easily hand over the keys to the government? Easy to prove, Signal and Whatsapp do not share the same surveillance features.
I for one refuse to think that Facebook bought it for a number of billion USD and keep operating and improving it for no good reason.
We also know, based on what they had to tell EU and based on their new EULA - that they tried to introduce by default - that they wanted to harvest metadata from it.
Attacking Telegram while simultaneously praising WhatsApp seems really strange to me.
As for Signal, that's another story. They have their own issues but I personally believe it is better than both Telegram and WhatsApp.
>Attacking Telegram while simultaneously praising WhatsApp seems really strange to me.
Look at them both from a purely technical perspective.
WhatsApp has made an effort to ensure that they're limited to only monetizing the metadata of the chats, Telegram by design does not share this limitation.
Even if you don't trust Whatsapp, you know that they'd have to push a backdoored app to everyone in order to intercept your chats. Telegram is backdoored by default.
Telegram is not the most popular messenger in Russia. It's not even in top-3 as far as I remember. But it is widely used by people who tend to be opposite to the current government (young professionals). Also, there are a lot of anonymous Telegram channels curated by the opposition.
Not only Telegram still working here, but it was a great experience yesterday.
Imagine the following: a manager in a supermarket explaining how to setup a proxy to a customer so that she (a woman in her 60s) could use their bot again.
Or a woman with a kid who is asking what the are going to do: "It's okay, we'll ask dad and he's going to do proxy-something".
Similar things long going on in Crimea for the same reasons established by the other side (whatsapp and viber are blocked by whatsapp and viber owners correspondingly). When I was there, everyone seemed to have a vpn on their phones and getting it installed was none of a problem.
Smarter people are better!
Telegram was reported by one of three russian cellular network companies as 2nd after Viber by number of clients (both each day and simultanious peak) nearly a week prior to blocking.
Not yet. Moreover, the head of russian regulatory says this year Facebook probably might be blocked as well if they will not receive all data they need.
The FSB wants encryption keys. Telegram won't share, so is blocked. Therefore, Whatsapp and Viber gave up their keys, I suppose. Or provided backdoors.
We know from Snowden leaks that Microsoft (Skype) & Facebook (WhatsApp) are already freely handing info to any government that asks. Search Wikipedia for: PRISM (surveillance program) Other programs have probably superseded it (and include Japanese ecom giant Rakuten who owns Viber), but you can be sure the user info still flows.
Telegram's independence is what separates them from other services, what allowed them to deny the demand for crypto keys, and why they were targeted.
Russians do make up a huge list of telegrams overall userbase. But most importantly, whatsapp and viber are end to end encrypted. Whatsapp uses signal. Viber uses a signal inspired encryption format. The common ground between both is that every single message is encrypted using a different secret key that is deleted after the message is received and decrypted on the device. Whatsapp and Viber have no way to give chat details even if they wanted to. Provided that they follow the protocol, and all accounts seem to point to the fact they do, then there is no backdoor or secret key they can give to any government.
Telegram in contrast uses a set of master keys to encrypt the conversations using RSA and aes256 as they travel through the servers. The keys are split across multiple servers residing in multiple jurisdictions so that legally, a government would have to seek permission to obtain each part of the key from a separate state.
Basically, this means that at the end of the day, if telegram ever forgoes its integrity (based off its public statements), every message will suddenly become decryptable.
That last point is what seems to really make telegram worth targeting.
For unknown reason user verification (for secret chats) is awful and almost useless in practice. Telegram itself reimplemented this specific bit much much better - for video chats
It may indicate where telegram is getting this 2 billion from in their ico, it may be intimatley connected to western establishment, specifically the Americans as we know their Jihadis/subversives are using the platform to coordinate their activities and soon wil have a way of sending funds across borders intergrated with their app of choice.
China and Russia have clamped down on cryptos because of capital flight somthing that the west has used as a weapon to weaken Russia and China but which has largley been stamped out now.
In my mind this now begs the question of Bitcoin, how exactly did it come around, who were the cypher punks working for, were they independent and their creation was coopted or were they 'guided' in their approach to a decentralised mechanism of capital flight, food for thought certainly....
The first round of the fight is clearly won by telegram - roscomnadzor is perceived as a lumbering and inept gorilla whose actions harm innocent bystanders while telegram continues to work almost perfectly.
Next we will see how effective the deletion of the telegram app from the Russian app stores will be. Because of the centralized nature of the stores telegram can’t do much with it (they can try publishing clones of the client under unaffiliated entities, but apple and google can easily ban those too). Also it is rumored that the client uses push notifications to deliver proxy settings to devices and these also can be easily blocked by the store owners.
We used Telegram as the main tool for our team's communication. We all applied proxy settings but it's almost impossible to work without a VPN enabled :(.
This used to be a big problem for colo and decidated service providers. You get 2-3 napster/bittorrent/kazaa/... or worse, some website some law enforcement agency finds objectionable ... with users renting/paying for servers and poef entire countries and large isps block all your ranges. Happened all the time.
I think he meant that only Telegram would be be blocked instead of possibly affecting half of the Internet on the way there. For Telegram it wouldn't be any better.
I'm assuming it would be easier having one IPv6 address used only by a single application, that's why. Amazon/Google services would be less affected then. There's a whole different question if government would bother to be that precise, still.
The whole point of moving to the cloud was to make themselves harder to block. I don't think they would self-defeat by limiting themselves to a single /64 or something.
227 comments
[ 3.1 ms ] story [ 250 ms ] threadMore like Putin's interest/security.
In an open environment, you would simply change the mirror urls and run apt-get update.
I this particular case the centralization around the push service of google actually helps.
No, it does not, and you even argued why. This centralization makes it harder to make the system more resilient.
We need an alternative to GCM.
The other option would be for google to turn push notifications off selectively for Telegram and only in russia. Not sure if they can/will do that.
It's called SMS.
I always get notifications about Telegram messages on my phone at around the same time (within a second or so) as I get the notification on the web client.
Currently Telegram keep working because it's get new backend IPs constantly via Google Play / AppStore services. Since push notifications are centralized they'll stop working as soon as application removed from stores so app wouldn't be able to get lists of unbanned IPs.
It might be immoral, but it's the fastest solution to the harm this causes to all other affected customers I can think of.
And it also shows why relying on AWS or GCP is a horrible business decision.
No, but I don't think that's how it would be spun -- I would exect it to be framed as a ToS violation.
And Kremlin minions certainly not going to stop ban subnets now even if will be 1:1000 ratio of Telegram's one and other services.
(However this might apply: https://www.xkcd.com/1138/ )
https://imgur.com/a/3biqq
(These look like outliers even considering xkcd population density.)
That's not something you can do very fast, especially not from google's compute engine or AWS.
Yes, eventually, they will, but that's a massive task for most companies.
You're conflating legal restriction on individual behavior with market/individual-preference constraints.
"Life" in general is constrained. We are not trying to get rid of limited options (every choise is between limited options), we're trying to limit totalitarian control over individuals.
That is, behaviour which is artificially constrained by imprisonment, punishment and death for the sake of preserving tyrannical power structures.
It doesn't matter to me if my rights are restricted by legal means or by corporate hegemonies, in fact the mechanisms in play are so complex nobody can really be sure anymore.
Having your choices restricted by social cooperation and negotiation (in a market places) is NOT the same as having them restricted by a bully with a military.
This false equivalence is a defense of genocide whether you are willing to own up to that or not.
https://i.imgur.com/Rgvqkln.jpg
My sympathy with state action ends however, when the leaders are murders, dictators and rutheless pilliagers of the public's wealth.
Russia's oligarchy stole Russia's wealth after the dissolution of the SU, and here you are equivocating objecting to regimes of murder and abuse with "muh food idle dont be having no choices fur me1112"£""11¬11223
The entitlement and ignorance is overwhelming. You arent owed two major search engines. "Bing" not being bigger is not the same as having to use apps which in encrypt your commnunication because you fear the police will imprison or murder you.
You are owed your political freedom. Which is de jure removed from you in Russia, and the suppression of telegram is state action to supress it further.
If your government can pass laws to allow themselves to block any Internet services, it may as well go ahead pass laws to prevent people from circumventing that block.
So, the only defense you have, is to prevent your government from issuing the first law.
And the "better" AI is going to get, the easier it will be for them to call for such censorship, especially when people like Zuckerberg say they can already "stop 99% of the terrorist posts automatically".
Because that's most definitely misleading and wrong, unless we can actually review what that content was. Like I bet a large portion of those posts were not posts by terrorists, but posts about terrorists. I don't think the AIs we have today can distinguish between them very well. And at least a small portion probably had very little to do with terrorism, but maybe were posts from people in the same area as some terrorists, or stuff like that.
The AI will automatically block content that nobody will ever see. And we'll only depend on people who can somehow raise awareness that their content was blocked, produce a scandal, and then get the companies to unblock it (assuming the censorship will mostly be done by private companies in democratic countries). But this is not going to be a pretty future.
Which democratic country has blocked a major messaging app because it is used by political dissenters?
While it hasn't yet blocked it, the UK Government is certainly constantly after WhatsApp to remove the encryption (or build a backdoor) because a couple of terrorist jackoffs used it that one time (and I think they count as "political dissenters".)
Australia too. :-(
https://calvinayre.com/2018/01/19/business/swiss-voter-refer...
Also could someone from Russia confirm telegram/AWS are blocked?
Telegram still works without (manually adding) proxies :D
EC2 Ireland (at least the subnets where my servers are) also works.
snap?
[1] https://medium.com/@anton.rozenberg/pavel-durov-sued-senior-...
[0]: The story of Karl Koch for example https://en.wikipedia.org/wiki/Karl_Koch_(hacker) who's death was ruled a suicide, and his history is... "colourful".
True anonymity in a messaging service is hard to achieve, and not even remotely user friendly.
As a practical example, would you say that bitcoin wallets are anonymous, given that they use random IDs?
Still beats using your phone number for chats, or your SSN in place of bitcoin wallet.
Again, for the practical example, people bought and sold bitcoins with the broad assumption that it was anonymous. It's a widely understood falsehood, yet new people almost universally believed it was anonymous and safe from law enforcement/the tax man.
Pretending that a random yet static ID adds any level of anonymity is simply dangerous. At best, it keeps honest people honest; like locking your door but not the bay window next to it.
https://signal.org/blog/contact-discovery/
(not just individual people obsessed with privacy, the large numbers of people who can see the advantage of privacy but may not invest a lot of effort to achieve it)
* has (almost) no tests,
* has no CI (at least I could find none),
* lacks some basic features competitors have,
* sometimes doesn't ring when you call, and
* they just closed all 1100 open issues without reading their contents [1]."
Don't get me wrong, I think Signal is a great idea and have contributed some code to it, but these look like some red flags to me.
Obviously hard to compare to Telegram, which is closed source so we can't know whether they have similar problems.
[1]: https://github.com/signalapp/Signal-Android/issues/7598
What do tests and CI have to do with the usability and usefulness of a program? I agree that the other issues could be worrying, but those first two throw me for a loop.
The grandparent poster also wrote about security/privacy, for which I think tests are pretty important.
Finally, having CI would allow the developers/contributors with limited time to spend more time on usability and usefulness instead of on issues like "master doesn't build, anybody else have this problem?" (when I wanted to PR something to Signal, master did not build).
This also makes the assumption that since there are few automated tests, that there are no tests done on a build at all. I disagree that it is a valid assumption. Most security vulnerabilities are not found by unit or functional tests, but instead by linting and code reviews.
This may be true in a megacorp. I doubt it's true in a project like Signal where resources are limited and a few developers are the single bottleneck for everything, UX or otherwise.
>However, the sheer volume of legacy issues, combined with submissions that completely ignore the provided issue template, has created a situation where there are currently more than 1,100 open tickets. Most of these issues have been inactive for several years and they reference versions of Signal that are no longer available. Many open issues are essentially ad-hoc discussion threads or feature requests that are a better fit for the community forum. Perhaps most importantly, many of these issues lack debug logs, descriptions, and the steps that would be necessary to understand and reproduce the reported behavior.
[1] https://github.com/telegramdesktop/tdesktop/issues/1137
Oh, and they will keep doing so: "Legacy issues that are more than one month old will be closed by an automated process as part of this cleanup effort."
https://news.ycombinator.com/item?id=13396083
I'm running this on my own server (using ejabberd [1] as Prosody - which I used previously - still has problems with some of the required XEPs[2]) using several different clients (Conversations [3] on Android, Pidgin on Linux, etc).
The one weak link in OMEMO is the difficulty of verifying the authenticity of the device key signatures used by communication counterparts. These signatures are 64-character hexadecimal strings which the user is supposed to verify being authentic before initiating encrypted communications. Humans as not very good at this task, computer can help but they can also be tampered with. There are ways around this problem - e.g. meeting up in person before initiating communications (viz. PGP key signing parties), sending Q-codes off-line, using algorithms to turn those numbers into things which humans are better at recognising (e.g. the coloured emoji used by Telegram etc.). Encrypted group chat only works if all participants have all other participants in their address lists. Then again, it does work and it is fully standardised with several compatible implementations.
[1] https://github.com/processone/ejabberd
[2] https://xmpp.org/extensions/
[3] https://github.com/siacs/Conversations
It's "good enough" for 90% of cases, but it depends on clients supporting emoji.. :(
https://courses.csail.mit.edu/6.857/2017/project/19.pdf
https://eprint.iacr.org/2015/1177.pdf
Not even close. Whatsapp and Viber are much more popular. Telegram was barely 3rd before the ban. [1]
Viber moved their data to Russia, they won't get a ban.
Not sure about Whatsapp.
[1]: https://leonardo.osnova.io/bf345b20-423b-c508-cbc2-15963a7af...
https://www.viber.com/blog/2018-01-28/your-data-is-protected...
https://www.viber.com/blog/2016-04-19/giving-our-users-contr...
Good catch!
None of the other messengers you mentioned are designed to work like this (not 100% sure about Viber), the ability of operators to read most of the conversations on the platform is very much unique to Telegram.
It's really not a coincidence that the Russian government is choosing to ban the worst "encrypted messenger" on the market.
That Telegram has handed their keys to the Russian government? Difficult, but unnecessary.
That Telegram was deliberately designed in a manner which enables its owners to easily hand over the keys to the government? Easy to prove, Signal and Whatsapp do not share the same surveillance features.
Who pays for it now that it is free?
I for one refuse to think that Facebook bought it for a number of billion USD and keep operating and improving it for no good reason.
We also know, based on what they had to tell EU and based on their new EULA - that they tried to introduce by default - that they wanted to harvest metadata from it.
Attacking Telegram while simultaneously praising WhatsApp seems really strange to me.
As for Signal, that's another story. They have their own issues but I personally believe it is better than both Telegram and WhatsApp.
Look at them both from a purely technical perspective.
WhatsApp has made an effort to ensure that they're limited to only monetizing the metadata of the chats, Telegram by design does not share this limitation.
Even if you don't trust Whatsapp, you know that they'd have to push a backdoored app to everyone in order to intercept your chats. Telegram is backdoored by default.
Imagine the following: a manager in a supermarket explaining how to setup a proxy to a customer so that she (a woman in her 60s) could use their bot again.
Or a woman with a kid who is asking what the are going to do: "It's okay, we'll ask dad and he's going to do proxy-something".
Cyberpunk is now.
Telegram's independence is what separates them from other services, what allowed them to deny the demand for crypto keys, and why they were targeted.
Russians do make up a huge list of telegrams overall userbase. But most importantly, whatsapp and viber are end to end encrypted. Whatsapp uses signal. Viber uses a signal inspired encryption format. The common ground between both is that every single message is encrypted using a different secret key that is deleted after the message is received and decrypted on the device. Whatsapp and Viber have no way to give chat details even if they wanted to. Provided that they follow the protocol, and all accounts seem to point to the fact they do, then there is no backdoor or secret key they can give to any government.
Telegram in contrast uses a set of master keys to encrypt the conversations using RSA and aes256 as they travel through the servers. The keys are split across multiple servers residing in multiple jurisdictions so that legally, a government would have to seek permission to obtain each part of the key from a separate state.
Basically, this means that at the end of the day, if telegram ever forgoes its integrity (based off its public statements), every message will suddenly become decryptable.
That last point is what seems to really make telegram worth targeting.
China and Russia have clamped down on cryptos because of capital flight somthing that the west has used as a weapon to weaken Russia and China but which has largley been stamped out now.
In my mind this now begs the question of Bitcoin, how exactly did it come around, who were the cypher punks working for, were they independent and their creation was coopted or were they 'guided' in their approach to a decentralised mechanism of capital flight, food for thought certainly....
Next we will see how effective the deletion of the telegram app from the Russian app stores will be. Because of the centralized nature of the stores telegram can’t do much with it (they can try publishing clones of the client under unaffiliated entities, but apple and google can easily ban those too). Also it is rumored that the client uses push notifications to deliver proxy settings to devices and these also can be easily blocked by the store owners.
Interesting times.
It's also actually pretty clever.