top | item 41376824

(no title)

jiiam | 1 year ago

Maybe? When you log in from a new device you're asked to provide an OTP, so maybe there is at least that layer of protection and, hopefully, it requires some circumvention at the application code level.

However I think the real question is: even if that's possible, can law enforcement compel Durov or an employee to do so?


JumpCrisscross|1 year ago

> can law enforcement compel Durov or an employee to do so?

The E2E encrypted comms are a red herring. There is plenty on Telegram that is public, plaintext and presumably illegal.

If Telegram refused to respond (note: not bend over and comply, just respond) to French legal requests in respect of plaintext criminal behaviour the way any other company would and should, that’s somewhat damning. If Durov went above and beyond and interacted with that content, his goose—as the author put it—is cooked.

codedokode|1 year ago

If you don't use 2FA then the government can simply intercept the SMS code for any phone number. The Russian government did it against opposition activists, and it prompted Telegram to add a password as a second factor. So any service which allows login or restoring access using SMS (including Gmail in its default configuration) is vulnerable to this kind of attack. It seems that people in the West are unaware of this type of attack.

jiiam|1 year ago

EDIT: I just want to clarify that I don't believe the claim that an employee can intercept the validation code

saurik|1 year ago

There existed one server which sent the code, so whoever administrated that server could trivially have intercepted it by just modifying the software running there to copy/log it to them.