57 comments

[ 3.1 ms ] story [ 109 ms ] thread
Is it end-to-end encrypted by default yet? Otherwise it doesn't do much more to advance privacy on the Internet than say Whatsapp.
In non-secret chats it even saves all messages on their servers. You can then 'conveniently' retrieve all non-secret your messages when setting up Telegram on other devices.

For non-secret chat it's even worse than Whatsapp, because Whatsapp reasonably convincingly simply relays messages, only storing them on their servers until it is delivered.

I'm pretty sure I've reloaded my Whatsapp conversations after reformatting my phone
Its headquarters are not in the US, so at least the NSA has a slightly harder time getting data access.
From the FAQ:

Q: Why not just make all chats ‘secret’?

The idea behind Telegram is to bring something more secure to the masses, who understand nothing about security and want none of it. Being merely secure is not enough to achieve this — you also need to be fast, powerful and user friendly. Telegram is a secure and powerful alternative to mass market messengers and a fast and user-friendly alternative to secure messengers. Hence the two types of chats that we have: ordinary chats and Secret Chats.

The important thing to remember is that all Telegram messages are always securely encrypted. The difference between messages in Secret Chats and ordinary Telegram messages is in the encryption type: client-client in case of Secret Chats, client-server/server-client for ordinary chats. This enables your ordinary Telegram messages to be both secure and available in the cloud so that you can access them from any of your devices — which is very useful at times.

No. Not default. 1:1 encryption optional and group end to end encryption not possible.
No ads, no fees, no size limit? I'm having questions about their business-model and longevity.
Their business model appears to be "Hey, we're rich and we're not even past 30 yet! YOLO! \:D/"

In all honesty, that makes theirs a pretty good business model (compared to much of Silicon Valley), IMO.

Come on, it's an app that sends freaking messages. More complex things have been created as non-profit open source projects.
But they have servers / real costs, so knowing how they will cover those is important.
A guy behind it is/was a founder of Russian LinkedIn. He's just basically filthy rich and has a thing for sticking it to the authorities.
They say Telegram is the most secure messenger out there.

I'm very excited about the Pavel Durov's another project http://telegra.ph/ which - I hope - is still in development. This is his next social project also with a focus on privacy. Pavel has become more well-known as a Russian IT-entrepreneur since he fled a country with a dozen of colleagues from his former VK company.

Compared to WhatsApp? Maybe. Compared to TextSecure, XMPP using OTR or even iMessage? Definitely not.
Another proprietary IM protocol (although the clients are open).

Can't we all just use XMPP already?

Sorry, but I absolutely disagree with you:

  - first of all, their protocol is open
  - XMPP is terrible protocol nowadays because of XML nature, it
    costly to parse, big overhead for text and awful for binary
    data
  - I heard that recently XMPP require SSL mandatory, 
    but it wasn't from the start, as in Telegram
I prefer to consider that XMPP is as good as dead for mobile and probably for any new startups besides some enterprise.

I don't want to be devil's advocate, their server code is closed. They have some stinky discussions in past. But XMPP never was good protocol.

> XMPP is terrible protocol nowadays because of XML nature, it costly to parse, big overhead for text and awful for binary data

[citation needed] I assume you also want us to move away from html and towards a simpler, ascii-based protocol?

AFAIK xmpp is already pretty simple for what it does[1].

> I heard that recently XMPP require SSL mandatory, but it wasn't from the start, as in Telegram

First, so you claim XMPP has evolved to be (more/as) secure, and still think that's an argument against XMPP? Second, SSL is generally only client-server (without authentication of the client) -- IMNHO you're better off layering OTR on top of XMPP. That said, SSL, VPN, IPSEC or other trusted transport is nice to have.

XMPP already has a standard for link-local messaging[2], supports other extensions, has many open and free servers and clients... I'm not saying it can't be improved on -- but you'd have to show some improvement before it made sense considering a different transport...

[1] http://www.adarshr.com/papers/xmpp

[2] http://www.xmpp.org/extensions/xep-0174.html

I've been using Telegram for several months and have found that it is much more reliable than iMessages.

The key feature for me is that you can access messages through a web app, and through native desktop apps on Mac and Windows. This means that I can really use it with people who aren't on Macs/iOS all day for iMessage, which is most of the world outside of tech unfortunately.

The open protocol means that anyone can write their own client and pull out message transcripts.

The business model is a little sketchy (donated Russian social network money I think) but at some level who cares: if it disappears I can just switch to something else (that probably won't be as good unfortunately).

I know there has been some controversy about their encryption, but I would not trust any IM platform with perfect security. I care much more about reliability and availability on multiple platforms, which is where Telegram wins hands down.

>The key feature for me is that you can access messages through a web app, and through native desktop apps on Mac and Windows. This means that I can really use it with people who aren't on Macs/iOS all day for iMessage, which is most of the world outside of tech unfortunately.

And plenty of people in tech as well ;)

> The key feature for me is that you can access messages through a web app, and through native desktop apps on Mac and Windows.

FWIW you can use desktop/mobile xmpp clients with facebook chat in a similar way (not that that I really recommend that -- although it does allow you to layer OTR on top, so facebook can't read your messages).

So I guess we've just forgotten about the 5-6 posts half a year ago about how dodgy this service was claiming it was 'secure'.
source? no? no thanks.
Is Whatsapp open source? Plus, do you really read through hundreds of thousands of lines of code before using a service?
The "would you really read through the code" argument against open source is old and tired. There is no good reason to trust crypto-related software with secret source. You may not personally audit the code, but if there is no source, nobody will, and you basically have to take the publisher at their word. The promise of crypto is that you can manage who you trust, but you can't do that with unauditable code.
No, but a trusted expert may read through hundreds of thousands of lines of code and publish their findings in an article.
What I liked about it: The fact that It can be accessed from webapp / browser plugin / mobile app, which means it will be storing all my messages in the cloud, and claims to be the most secure of them all.

Alright then, I use Facebook Messenger a lot, it can be accessed from the web, I can use it on my phone and other devices, and I don't need to add contacts as my friends are already using it. Bam!

And security? Well, does it matter?

Last time when Telegram appeared on HN it was strongly criticized for coding encryption from scratch instead of using something well-known and checked library. Now with all that story with Heartbleed bug it looks like this idea was not so bad.
> Now with all that story with Heartbleed bug it looks like this idea was not so bad.

To make that claim you're assuming their implementation has fewer exploitable holes than OpenSSL or some other well-known and checked library.

I don't put that much faith on them.

I disagree, who says there isn't a bug with Heartbleed-like severity in their crypto?

You could flip your argument around and say the fact it took so long for Heartbleed to have been discovered means even OpenSSL didn't have enough people checking it. Which it probably didn't. And Telegram has even less people combing through its source than OpenSSL did pre-Heartbleed.

The only valid reason I can think of is a small and obscure proprietary crypto algorithm and implementation isn't worth the bad guys/agencies' time for finding the inevitable bugs. But Telegram has gained more than enough popularity for that ship to have sailed months ago.

Why is this on top of HN? Their protocol is not secure and they do not encrypt 1:1 chats by default and encrypting group chats with end to end is not even possible!!! Guys, please read http://www.cryptofails.com/post/70546720222/telegrams-crypta... and http://thoughtcrime.org/blog/telegram-crypto-challenge/ and go to more secure things like Threema or Textsecure!
Why is this on top of HN? Because the original founder of Telegram was forced out of his company and his shares now belong to Russian oligarchs, so we all forget that this was a bad softwar with old crypto and claiming to be open source when there's a server side code that was never published and we all thik it's cool to give away all of your phone to Putin's friends.

Why Threema? It's proprietary, so you can't say if it's really more secure. Just use TextSecure and please, build some TextSecure federated services.

What do you mean by "encrypting group chats with end to end is not even possible"? Can not group chats be viewed as N*(N-1)/2 two-way chats for purposes of encryption?
he means not possible in Telegram
(comment deleted)
I wish one of these services would allow signing up without a sim and allow chatting over a desktop client.
Not sure why they are trying to sell "the most secure messenger"… but it solves all my problems:

- whatsapp — mobile only (and phone number dependent)

- hangouts — slow

- fb messenger — does not have native mac app

Telegram solves it all

Yeah, I don't care much about security (I just wouldn't trust any IM software with confidential conversations) but the killer feature for me is that it lets me chat from my PC, while being fast and as easy to use as Whatsapp (I could never convince some of my friends to use things like GChat/Hangouts, but with Telegram being a rather faithful Whatsapp clone, it's easy).

I still don't get the insistence of WhatsApp on being tied to a single device and phone number, in an age where increasingly more people have a phone, a tablet, a PC, maybe a smart TV, etc.

(comment deleted)
I flagged this. It's insecure (bad home-grown crypto), it's not open source (the client side, but who cares when it's the server you should be worried about), its ownership is dubious, in other words you really should be using something else that doesn't lie on its landing page.
This post was killed by user flags.