top | item 35665763

(no title)

Be cautious when using Telegram for important matters.

I recently examined a situation where confidential messages from high-ranking Moldovan officials were leaked through Telegram. Unlike WhatsApp and Signal, which offer end-to-end encryption by default, protecting your messages even in case of a SIM swap, Telegram does not offer the same level of security. A SIM swap or a breach in their system can lead to message leaks.

Despite advertising themselves as a "secure messaging" platform, Telegram lacks default end-to-end encryption, making it less secure than its competitors.

Read this excellent thread from Moxie https://twitter.com/moxie/status/1474067549574688768

discuss

dsabanin|2 years ago

Telegram may also be under FSB (former KGB) control.

https://www.wired.com/story/the-kremlin-has-entered-the-chat...

https://euromaidanpress.com/2023/04/07/russian-fsb-has-the-k...

https://pdmnews-ru.translate.goog/25704/?_x_tr_sl=auto&_x_tr...

You may or may not trust these sources, however, even just the fact that at one point Durov was extremely afraid of being found by FSB, Telegram being the only network not blocked in Russia, and general embrace of Telegram by Russian propagandists, speaks for itself.

monday_|2 years ago

While this can be true, I'd be careful before making any inferences here. For example, there's good research [1] on how FSB uses the fact that Telegram metadata is in the open to run counter-insurgency on occupied territories. This is likely among FSB's highest priorities - but there's no evidence that they have used some level of insider access or control (or at least that they are willing to burn it even on Ukraine).

Second, Telegram not being blocked is hardly an argument. Neither are Signal, WhatsApp or YouTube for example. Are all of these also controlled by the FSB? And the general embrace of z-propagandists is likely due the fact that Telegram is extremely popular all over post-Soviet space. As far as I know, pro-Ukrainian people use Telegram just as much, and just as much as a news source.

None of this is to say that Telegram is a good choice for a reasonably secure messenger or is trustworthy at all (and [1] lists some very convincing reasons for why it is not so). But "may be run by the feds" is a strong claim, and so far it is not supported by evidence.

[1] https://www.pwnallthethings.com/p/russia-is-spying-on-telegr...

rlex|2 years ago

>Telegram being the only network not blocked in Russia

This is not true. WhatsApp is still working. They banned facebook and instagram but not whatsapp. Viber, Signal, Threema, Wire still works, too. The only blocked currently, i think, is Line.

Not saying "trust telegram", but still.

dachri|2 years ago

The recent events regarding the twitter files for example or the knowledge gained from snowden clearly show you that intelligence agencies worldwide are everywhere to be found where social activities are taking place

skinkestek|2 years ago

Recently, in practice you need to use a second factor (Telegram originally only used one factor, your phone number, which was verified by sending a message or calling it.)

Someone added two clients while I was asleep around new year.

I kicked them out and threw in a password and they tried again (unsuccessfully :) next night.

Meanwhile, way bigger leaks has happened from WhatsApp over the years.

If security is important to you, use something that is made for security, like Signal or Matrix, not "good enough call it secure" like Telegram or "how much data can we get away with stealing" like any Meta product.

dancemethis|2 years ago

WhatsApp is proprietary software. Its implementation of OpenWhisper is quite likely to have been tampered with to allow gathering personal user data. If it were safe, it'd be Free Software.

stiltzkin|2 years ago

No proof you examined this with "high-ranking Moldovan officials".

Also Moxie is extremely biased.

AdrenalinMd|2 years ago

? You may still find the dump of messages online. Is this enough of a proof for you? Something that wouldn't happen if those officials were using WhatsApp or another app that has E2E encryption by default.

https://www.wired.com/story/moldova-leaks-google-privacy-set...

vezycash|2 years ago

For sim swap issue, create a cloud password.

AdrenalinMd|2 years ago

Sure thing. But thinking about security in depth, default E2E encryption is an additional layer of security that is lacking in Telegram.

NayamAmarshe|2 years ago

I'm honestly tired of everyone spreading all this misinformation about telegram and all these assumptions that lead everyone nowhere.

1. SIM Swap is a physical device security issue, not something that telegram or any other app for that matter, is responsible for. Telegram already provides cloud password, comments like these wouldn't ever mention it.

2. Telegram using cloud encryption instead of E2EE by default does not make it less secure. In fact, it only makes it secure in a different way. Proponents of WhatsApp, kindly direct me towards an independent audit or research paper that confirms WhatsApp is using E2EE 100% of the time instead of 95% or even 5% of the time. The classic "but WhatsApp has E2EE" argument is as good as me saying that I'm the CEO of Google writing from an alt account. Telegram's encryption, both E2E and Cloud, have been audited by independent researchers. It doesn't take much to find out what's true and what's not.

3. Moxie's claims are extremely biased and misleading to the point that it almost seems like a propaganda against Telegram. I wouldn't want to hear someone who thinks Signal is too good to be on F-Droid and that any encryption aside from his own is the same as plain text.

emptysongglass|2 years ago

I really don't care if people use Signal but as a Telegram user I'm exhausted by this hatefest that appears every time Telegram announces a new release. Moxie is a terrible source because he very recently was the CEO of Signal, a competitor, and uses words like "plaintext" as a misleading perjorative for any encryption not E2EE.

If you want and need E2EE please God use some other messenger but why don't we stick to the topic of the feature announcement and save the hate, folks?

If you're a user of Signal, I support your choice to use Signal. Please support our choice to use Telegram.

Moldoteck|2 years ago

Just to add context, I think/suppose this happened because of some hijacking of a cookie with logged in web telegram. I've seen multiple complaints of people that got hacked because they used some sort of telegram web login. Problems related to e2e enc are valid though

slondr|2 years ago

Telegram is not less secure, this is misinformation. Telegram is less secure by default; it has a worse UX for secure messaging, as a deliberate choice to improve default UX for new users.

titaniczero|2 years ago

IMO if your app is less secure than your competition by default, the app is less secure, period.

Telegram is said to have been given authorities access to user data [1], despite the fact that they advertise the opposite. I guess that’s what happens when your app is not encrypted E2E by default.

Also, they have used their own encryption algorithm in the past (I don’t know now) instead of the well known and proven algorithms out there. Something highly criticized by experts, back then [2]

-[1] https://www.androidpolice.com/telegram-germany-user-data-sur... -[2] https://eprint.iacr.org/2015/1177

blep-arsh|2 years ago

I tried using secure chats but the UI is nearly unusable. E.g. secure chats are established between two specific devices and can't migrate, so it would make sense to let a currently "active" client (the one the user is currently interacting with) respond to an incoming chat request. Problem is, secure chats were being unpredictably picked up by random devices logged in to my account, so most of the time I couldn't even see any messages.