[–] gergles link

Regular reminder that any time Telegram is mentioned on HN people pop out of the woodwork to launch a smear job against it because it isn't Signal.

From 1: "We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack."

The second paper is a huge wall of text that boils down to "the protocol is too hard to analyze and doesn't use what I have declared as crypto best practices, therefore I declare that it is insecure."

There isn't, in either of these, any actual attacks showing any actual problems with the protocol. I'm really sick of people jumping down the throat of anyone who tries to use Telegram by declaring it as insecure without even the first whit of evidence. "This isn't best practice" != "This is insecure and you should never use it."

reply

[–] roywiggins link

When it comes to cryptography, I don't think the burden of proof is on the critics to prove it's insecure. Everything is best assumed to be insecure unless there's convincing evidence otherwise.

I gather that there are enough experts in this sort of thing that aren't convinced that it seems fair to say it's insecure.

Ex: If someone built a bridge, but wasn't an actual engineer, I would assume the bridge was unsafe. I don't need an engineer to actually inspect the bridge before I make that assumption, and I would probably tell everyone I knew not to use that bridge.

reply

[–] reitanqild link

When it comes to cryptography...

then - like in a lot of other fields - it depends on your threat model.

Point is:

If your life or anything valuable really depends on provably strong encryption: you probably shouldn't use Telegram.

My rule for WhatsApp (one of his recommendations) however is even simpler: I don't use it if I can avoid it.

reply

[–] tptacek link

That's fine: use Wire instead. I think you actually have marginally more privacy on WhatsApp than on Wire, but they're comparable.

You should treat Telegram the same way you treat AOL Instant Messenger. If you have friends on AOL IM, by all means use it to organize which bar you're going to meet up in tonight. But don't ever kid yourself that it's a secure messenger. Telegram is deeply unserious about security.

reply

[–] satsuma link

Pretty much this. I use Telegram not because I think it's the most secure messenger, but because it's better than fucking Skype.

reply

[–] reitanqild link

If you have friends on AOL IM, by all means use it to organize which bar you're going to meet up in tonight.

For all intents and purposes that is what most of us do. We share photos of smiling kids and messy homes.

But don't ever kid yourself that it's a secure messenger.

Totally fine. I already don't trust Telegrams crypto.

I'm not saying it is secure, only it works really really well and isn't owned by a known evil entity who for some reason found it worth to pay 19B just to destroy the best messenger app I knew :-)

Also remember: WhatsApp didn't have very good crypto before they changed their protocol.

reply

[–] unicornporn link

> I'm not saying it is secure, only it works really really well and isn't owned by a known evil entity who for some reason found it worth to pay 19B just to destroy the best messenger app I knew :-)

Isn't owned by a known evil entity? I think jury is still out on that. https://www.instagram.com/p/-MrPWGr7aL/

reply

[–] thewhitetulip link

It is highly ironic that those who careabout privacy suggest using whatsapp

reply

[–] jolux link

Granted, it's owned by Facebook, but it's definitely better than Telegram and unlike Signal people actually use it.

I try to get people to use Signal when I can but so many people already use WhatsApp and that counts for something too.

reply

[–] msl09 link

It's not just because it's owned by facebook. It's also because it's closed source which means that the floor can be removed from under your feet when you least expect and they can weaken the security whenever they like to make way for whatever social feature they want.

In theory telegram is insecure because it doesn't follow the best tried standards in security even though no viable attack have been made.

In theory whatsapp is secure because the last time a third party audited the source code no gross infringements existed.

Almost every chat app is insecure next to signal but indeed the only merit of whatsapp is that it's popular in some countries.

reply

[–] kasey_junk link

> the only merit of whatsapp is that it's popular in some countries

whatsapp has a fairly impressive set of merits that check lots of points for people who actually do security work:

- uses a known and vetted protocol

- protocol was implemented with help from known and competent security professionals

- is supported by one of the most resourced and competent private security teams on the planet

- is easy to drive uptake and has impressive network effects

Its major drawback is that it shares metadata with facebook. This may or may not be a big deal to individual users, but on the balance its fairly easy to see why people recommend it.

The closed source thing is largely not a consideration that comes up when you talk with professional security folks, and is a pretty obvious red herring when you think about it.

[note: i'm not a security folk, but i have drinks with them occasionally. I don't use whatsapp or telegram and only very occasionally use signal]

reply

[–] jolux link

WhatsApp uses the Signal Protocol though and its implementation was overseen by Moxie Marlinspike, the creator of Signal.

>even though no viable attack have been made.

All of these references to "in theory" obscure what's actually going on here. Signal is well known to be extremely secure and the code is well-audited. Moxie is a man of integrity and says that WhatsApp is similarly safe.

That's worth a lot more than the statement that no viable attack against Telegram has been demonstrated. That's true of every system until it's not. Once you reach that point, you've already failed. If that's the best proof you can give of a system's security, you've failed as a security communicator.

reply

[–] wglb link

Are you familiar with the BEAST attack on SSL/TLS? It was a flaw that was "theoretical" until the boys that broke the internet showed how it was done.

So that was evidence that was ignored for ten years.

So I wouldn't risk my life on something you claim has no evidence but professional crypto breakers warn about.

reply

[–] kitsunesoba link

>Use Signal or WhatsApp instead.

I might if either of those had proper desktop clients (they don't). I spend most of my day sitting in front of a computer, so chat apps that offer only wonky web app "phone bridges" for desktop users don't make much sense for me.

The best part of iMessage and Telegram is that their desktop clients are as capable as their mobile clients, and they're real independent clients. Until WhatsApp and Signal offer that, I have little interest in them. Maybe the majority of the internet connected world conducts their communication primarily through a smartphone, but that's not me.

reply

[–] 45h34jh53k4j link

Signal has a chrome app that performs as a desktop client.

reply

[–] kitsunesoba link

Yes, it's one of the web app bridges I was referring to.

It's tethered to your phone, ugly, and feels a lot like an afterthought. Last I checked, it also doesn't work with the iOS version of Signal, so if you use an iPhone you don't get any desktop support at all.

In short, it needs a lot of work before it'll be usable for anybody in a similar position to myself.

reply

[–] lorenzhs link

It's not tethered to your phone. It does work with the iOS version of Signal. It's really easy to set up, too. Everything in your comment is incorrect or out of date.

reply

[–] egypturnash link

Can you finally use the same Signal sign in on more than one device at once now? That was one of the things that drove me nuts about it.

reply

[–] tptacek link

Signal is not great on multiple devices (it works, but not always seamlessly), but there's a reason for that: Signal is also generating virtually no serverside metadata. There's a real, practical security win for the inconvenience it's generating for people who want multi-device messaging.

Compare that to Wire, which has much more convenient multi-device support, but accomplishes that at the expense of keeping the entire active graph of communicating Wire users in plaintext in their servers on AWS.

Both Wire and WhatsApp (which have comparable security models with some marginal tradeoffs --- WhatsApp metadata is in Facebook's custody, which is not great, but Wire doesn't have Facebook's extremely competent and well-resourced security team) are reasonable choices for secure messengers.

Telegram is not.

reply

[–] qznc link

Thanks for pointing out the tradeoffs of Wire and Signal so forthrightly. I would not have been able to describe the difference so clearly.

reply

[–] SparkyMcUnicorn link

Yes. I continue conversations from my phone -> computer (and vice versa) every day.

reply

[–] djanatan link

This is the main reason I won't leave Telegram. I don't need perfect privacy, I've never seen any reports of Telegram actually being breached, and I use four different devices over the course of my day. Each one has a fully functioning Telegram client.

reply

[–] kitsunesoba link

It's good that's changed, but that wasn't the case the last time I saw any kind of news about Signal (maybe a few months ago). It would serve them well to publicize these changes.

reply

[–] tptacek link

This is a classic example of what I think we should call "The Message Board Apology": "I was wrong about everything but in a way that makes me even righter."

reply

[–] wjamesg link

A common occurrence here on HN

reply

[–] detaro link

The Signal desktop client as far as I know never was tethered to the phone (during operation, signup and getting the desktop one connected still requires a phone). you might be confusing it with Whatsapp's?

reply

[–] pvg link

The desktop client worked the same way (untethered, after initial setup) a few months ago as well.

reply

[–] reitanqild link

Regular reminder that while CiPHPerCoder might very well be correct about MTProto - technically speaking - I find the recommendation to just use Whatsapp weird.

Haven't we agreed that metadata is data?

Isn't everyone aware that Facebook has stopped charging for WhatsApp?

Has anyone presented a good reason for what their reasons for running WhatsApp for free?

Because I doubt it's because of the goodness of Zuckerbergs heart.

I.e. to spell it out: they find you metadata so valuable they are willing to spend billions (!) to get hold of them.

Now I guess I wouldn't care much if it wasn't for the fact that WhatsApp used to be the fantastic. Nice, user friendly, robust and with a sane and user friendly way to generate income.

reply

[–] tptacek link

The question you're asking isn't really about metadata, but rather who has custody if it. Your argument is not that WhatsApp is bad because it generates metadata --- WhatsApp leaks far less data to its provider than Telegram --- but rather than WhatsApp is bad because what metadata it generates goes to Facebook.

That's a fine, coherent argument. There are aspects of Scott's comment I disagree with too --- though I generally think most users are best served by WhatsApp.

If you don't want to use anything operated by Facebook, use Wire. Wire is based on Signal's double-ratchet model. It's encrypted by default. Wire's operators get much less data than Telegram's. Wire is operated out of Europe --- I don't think this matters but many people do.

The important thing is just that you not use Telegram for secure messaging. Telegram is deeply unserious about security. There are much better alternatives. If your friends want to use Telegram to decide which movie to see tonight, fine: I use Slack too, and Slack is probably only marginally more secure than Telegram. But don't use either of them for life-and-death secrets.

reply

[–] reitanqild link

Yep. Now we are talking.

I readily admit that I don't trust the Telegram crypto. (And in case anyone wonders what that means: I might disagree with tptacek in a lot of things but here I agree. DO NOT use Telegram to send messages that might be dangerous if leaked.)

My point is that Telegram is good enough for what I use it for. It is probably more secure than many peoples email and unlike WhatsApp you can use it without supporting Facebook.

Again: DO NOT trust Telegram with your life. I disagree with tptacek in a number of issues but I trust him when he talks about crypto.

reply

[–] CiPHPerCoder link

I know a lot of LGBT folks who use Telegram for non-serious stuff. Mostly shooting the shit, and using stickers for amusing reactions and whatnot.

My original comment probably should've used a semicolon before "Use Signal or WhatsApp instead."

reply

[–] CiPHPerCoder link

(In case anyone got lost halfway through tptacek's comment, my name is Scott.)

reply

[–] CiPHPerCoder link

> I find the recommendation to just use Whatsapp weird.

For most WhatsApp users, the alternative to WhatsApp for most people is unencrypted SMS, which gives metadata and the contents of the communication to anyone with modest skill and a $50 budget. I like to think WhatsApp's use of the Signal protocol makes it preferable to SMS.

reply

[–] thewhitetulip link

So you'd rather give y;ur metadata to whatsapp which gives it to facebook than use telegram because there is a little chance that you'd be hacked? Strange choice as far as I am concerned

reply

[–] mullen link

The majority of people want privacy in their messages and are not really concerned with their metadata.

Whatsapp fills that role and much better than telegram.

reply

[–] thewhitetulip link

What definitive proof do you have that Whatsapp does really use encryption? Facebook's word?

reply

[–] mullen link

I think we would found out by now that Whatsapp was not really encrypting messages. Plus, Moxie said they were using the Signal Protocol Lib for encrypting messages and I trust him 100x's more than any person who does not release information about their encryption and says, "trust us, our encryption works."

From the Signal Blog:

"Signal Protocol powers our own private messaging app, Signal. The protocol is designed from the ground up to make seamless end-to-end encrypted messaging possible and to make private communication simple. To amplify the impact and scope of private communication, we also collaborate with other popular messaging apps like WhatsApp, Google Allo, and now Facebook Messenger to help integrate Signal Protocol into those products."

reply

[–] sinaa link

I think, while it may not be out of the goodness of Zuckerberg's heart, it's the cost of keeping the Facebook monopoly. That, and the $19B they initially had to fork out.

reply

[–] reitanqild link

Very reasonable explanation.

I'd still say though that if they bought WhatsApp for 19B only to stop accepting payments and run it for free to avoid competition then maybe the should be punished for being an evil monopoly.

Until then I'll continue muy little campaign against the guys who destroyed the good, privacy-focused WhatsApp and tried to feed our data into Facebook after first lying through their teeth about not being able to do that.

Summary: WhatsApp is now owned by a big, lying and likely also evil megacorp.[0]

Recommendation: avoid until Facebook change their ways, voluntarily or not. (No, I'm not against big companies, not against huge profits.)

[0]: big is easy to prove, lying is easy to prove and based on the way they lie and what they did to WhatsApp I guess they are evil.

reply

[–] skrowl link

Regular reminder that Signal has had 0 messages ever provably decrypted and that Telegram has had 0 messages provably decrypted. All of the MTproto weaknesses are theoretical and have 0 working proof of concept attacks.

reply

[–] Johnny_Brahms link

Well, there was this glaring hole that let the server MITM secret chats on every key negotiation back when they were all cocky on HN.

That was not theoretical at all, and very much something that could be used without detection, even if the users verified fingerprints, since it made clients create insecure keys.

The guy who found it got their maximum bounty IIRC.

Whereas the best attack on signal was somewhat sort of relay thing of very questionable usability to an attacker.

reply

[–] jhasse link

> That was not theoretical at all, and very much something that could be used without detection, even if the users verified fingerprints, since it made clients create insecure keys.

It could have been done by Telegram. No proof it was. Still sound theoretical to me. I doubt they knew it was possible.

Also: Was Telegram's source used to find the vulnability? If so, it's unfair to compare WhatsApp and Telegram like that.

Also WhatsApp doesn't bait with a bounty like Telegram does (see https://www.linkedin.com/pulse/whatsapp-security-vulnerabili... for example).

reply

[–] Johnny_Brahms link

It wasn't theoretical in the sense "this could potentially be a problem" as with most crypto vulnerabilities. We don't know that it was performed, but we know that the protocol was vulnerable, either because of malice or because their world champion programmers thought it was a good idea to let the server provide the client with entropy to create keys.

I don't know which one is worse.

There is also a pretty substantial branch of the computer security industry that thrives on security problems found in software they don't have the source code of. And good luck keeping up reviewing telegram. They release sources every 6 months. Last one was for 3.18 which had something like 170k additions and 90k deletions.

reply

[–] SpartanMindset link

His point still stands though

reply

[–] codedokode link

Why WhatsApp? It is closed source (Telegram has open source clients). It belongs to Facebook. And Zuckerberg doesn't look like a person who can stand against government, while Durov has been saying several times that he is not going to cooperate with any government.

The disadvantage of Telegram is that it requires you to provide a phone number (and this is much more important than some rare cases when encryption could fail). It means you cannot stay anonymous while using it. If there is an error in Telegram server code then your phone number can be leaked.

A messenger that cares about privacy should never require a phone number and should not have history enabled by default (because your history will be used against you as an evidence). As I understand WhatsApp doesn't match these requirements.

reply

[–] krick link

Using a messenger bound to your phone number "for security" is funny any way you look at it.

reply

[–] thewhitetulip link

I'd rather use telegram and get blown than trust anything in the hands of Zuckerberg and Facebook.

If the rumours are correct, NSA has a backdoor to both signal and whatsapp but when they have to hack telegram they use state telexom providers, get the password and access the telegram acc.

Again, not sure. Just a rumour I heard

reply

[–] tptacek link

I don't even believe this is a real rumor.

(It's obviously not true).

reply

[–] CiPHPerCoder link

> If the rumours are correct, NSA has a backdoor to both signal and whatsapp

The rumors you heard are both wrong and stupid.

reply

[–] jolux link

Probably based off of that awful article in The Guardian at a guess.

reply

[–] SpartanMindset link

What makes them stupid and wrong? Can you with 100% certainty say WhatsApp isn't backdoored?

reply

[–] CiPHPerCoder link

Regular reminder that Telegram's encryption protocol, MTProto, is not secure, and you should not ever rely on it for privacy. Use Signal or WhatsApp instead.

https://eprint.iacr.org/2015/1177.pdf

http://www.cryptofails.com/post/70546720222/telegrams-crypta...

reply

[–] jnmandal link

Definitely. This is the biggest development of the recent release. They have one of the best bot APIs out there but bot developers have been waiting for this for 2 years.

reply

[–] castratikron link

What I thought was more interesting was the ability to send money to Telegram bots. Maybe they are trying to take on WeChat as the "everything" app.

reply

[–] jyrkesh link

Totally. All crypto concerns aside--though I am on the side of the fence that says, while Signal is clearly superior, MTProto still hasn't really been cracked, and WhatsApp's server-side key reset is a bigger deal--the UX for Telegram's mobile (iOS AND Android) and Desktop clients (Windows, Mac, AND Linux) all kick ass. They're blazing fast, sync works phenomenally (except for secure chats, RIP), the ability to share arbitrary files up to 1500 MBs is awesome, Instant View is everything FB Instant Articles should have been, and the (admittedly gray-area copyright) stickers ROCK.

My closest friends/family all use Telegram now because it's just better. When I want truly secure messaging, I use Signal or PGP

reply

[–] penetrarthur link

It's amazing how they entered the dense market of messaging apps and with superior UX, native clients and a bit of luck(brazil banning whatsapp for couple of days), they managed to get 100m MAU.

reply

[–] sturmen link

The "Instant View for every site" update is here: it's part of the big 4.0 release. Basically you make a "template" to parse your site and Instant View will handle it. They're also crowdsourcing Instant View templates in, I must admit, a clever fashion.

reply

[–] thewhitetulip link

May I know how to get xkcd on telegram?

reply

[–] lavezzi link

I would imagine this would be through a personalised bot that you can create very easily through IFTTT or Zapier.

https://core.telegram.org/bots

reply

[–] skiman10 link

I use this channel to get xkcd comics on Telegram. https://t.me/xkcdchannel

reply

[–] undefined link
[deleted]

reply

[–] otalp link

Telegram is definitely the most feature-rich, customisable messaging app out there.

The stuff you can do with it is amazing. Aside from having a true desktop client not dependant on your phone, I've set it up so that I receive my favourite comics(XKCD, Dilbert) when a new one releases. I can also see and delete my mail through another bot, and I can get sport scores too.

The new instant view also opens up links immediately without loading times(Medium a few other sites only so far, but most major websites are apparently coming with the new update).

It also allows you to quickly go to any date in a chat you've had with someone else(What did you talk about on 2nd June 2015?) and it has a self chat feature which is essentially an unlimited cloud service. Since you can upload files unto 1.5 GB, you can store links, photos, text and files in your self-chat, and have it available on all your devices.

reply

[–] otalp link

They've stated that they have enough cash from Durov's funding to last 4-5 years comfortably, and that if they ever need cash, they will introduce non-essential paid features.

reply

[–] reitanqild link

I don't know but I would guess a natural place to make some money would be around the payments API that was also mentioned.

reply

[–] GranPC link

They now have a donation bot, as a demo of their payment API.

reply

[–] skdotdan link

Awesome update.

By the way, any update on how are they planning to make money? It is still true that they don't plan to make money at all?

reply