By default it's no more encrypted than HN (as in, traffic to their servers uses TLS, messages on the server are not encrypted at all).
There's a Secret Chats feature which they claim to be end-to-end encrypted, meaning that it's no more secure than Facebook's Messenger (also end-to-end encrypted in Secret Conversations). Even less so considering that they roll their own encryption (MTProto), while Facebook's Messenger uses Signal's protocol.
Can we stop using 6-year-old info for apps that get updated monthly? The problems they have with MTProto have been patched literally 5 years ago, the only other criticism comes from a direct competitor, and they recommend WhatsApp despite the fact that it's closed-source and nobody can verify if its encryption truly works.
Facebook is planning to merge Messenger, WhatsApp and Instagram, which makes it even more awful of a choice.
Telegram still doesn't encrypt chats end to end (by default¹), which means it's not a strictly superior choice to WhatsApp.
Facebook can't read your WhatsApp messages (of course they can add an update any time to do that), but Telegram has access to all your messages right now.
¹ Yes, you can select the end-to-end encrypted sessions, but they're very crippled from a usability perspective. I don't remember the last time anyone used it with me, yet all my chats on WhatsApp are end-to-end encrypted without anyone doing anything.
Are we sure it can't? Because WhatsApp is closed-source, its GDrive backups are unencrypted and Facebook's whole profit model is based around snooping. Unless they make the app open-source, I'm not trusting them even with a grocery list. People act like E2E is the be-all and end-all but trusting an incredibly shady company on its word is not something I'm comfortable with.
Yes, people are reverse engineering the app. You can check the discussions on HackerNews when security of WhatsApp is discussed.
GDrive backups are not readable by Facebook, they're readable by Google. End-to-end, if properly implemented, is the be-all and end-all. Except for metadata, which is a problem, but a different one, and Facebook definitely abuses that. But they don't/can't read the contents of chat messages (for now).
It's not merely trusting that shady company, but also realizing that the news of FB not having E2E-encrypted messages would definitely make the news, you'd be aware of it.
> It's not merely trusting that shady company, but also realizing that the news of FB not having E2E-encrypted messages would definitely make the news, you'd be aware of it.
Right.. consider what your adversary would be giving up by revealing such a secret, even if it was true. That alone provides a not-insubstantial amount of security.
The real question is, why is Telegram more secure? There's a 100% chance it can read your group messages, because it says so on their documentation that describes the cloud encryption. There is no E2EE at all for groups. There is no E2EE at all for desktop. Together these mean E2EE are completely neutered and useless. I'm a privacy researcher and I don't use them at all. Why would an average joe?
Open source is not the be-all end-all of security either. Closed source apps can still be audited (with increased difficulty), and open source apps might still be impractical to audit even though they are open source.
No, it is not necessary _or_ sufficient. That is what I'm saying. You can audit a closed-source app, and there also might be open-source apps which are impractical to audit despite them being open source.
If you have your closed-source app audited, everyone needs to trust the audit company. And I've seen some shit audits in my life that told absolutely nothing about the actual security.
Open source means anyone can audit and verify nothing was done after audit.
Moxie more or less audited WhatsApp's Signal protocol implementation, and people are right to be concerned about whether changes have been made since FB bought the app.
Facebook does get your WhatsApp communication metadata, and has been for years now. As the three letter agencies showed, metadata is actually quite valuable in many respects without needing to trawl through massive amounts of content.
Can’t Facebook read most people’s WhatsApp messages because cloud backups of chats are enabled by default, and only the tiny minority of users who disable that feature will get truly end-to-end encryption?
I don't see the problem of using a hand-rolled encryption algorithm or the strange choices that went into that algorithm as "patched literally 5 years ago".
"Can we stop using 6-year-old info for apps that get updated monthly?"
The fact Telegram's E2EE has not been available
1. by default
2. on desktop apps
3. for group messages
for seven years tells you exactly how secure it is.
"the only other criticism comes from a direct competitor"
Fuck this attitude. Everyone has the right to criticize. If Telegram can't own their mistakes it's their fault, not that of the people who are beating them. Also, impartial professional cryptographers like Bruce Schneier and Matthew Green have told people not to use Telegram. Why is that if not because it's so horribly insecure. Why isn't there a single recommendation for Telegram from ANY cryptographer on the entire planet?
"they recommend WhatsApp despite the fact that it's closed-source and nobody can verify if its encryption truly works."
Because they've helped implement the encryption? Also if proprietary tools doing encryption are not secure, then why do Telegram users think it's ok for Telegram to use closed-source server that's doing the "distributed datacenter encryption" for group messages' at-rest protection. There's not even documentation available for this let alone source code.
Fair point, but from my perspective, even if it was absolutely the best end-to-end encryption there is, it wouldn't mean much unless everyone's using Telegram for 1-to-1 communication using Secret Chats feature.
> Some of its channels helped unconnected, scattered rallies mature into well-coordinated action.
This line alone makes their encryption rather meaningless for this use case, since Secret Chats only work between two people.
Which is why I'm confused people are even talking about their encryption in this thread.
This has nothing to do with secure chats and everything to do with Telegram's Channels feature. But a ton of people that have never used Telegram nor read the article don't know that.
And proxies. Telegram has great proxy support and virtually anyone can install their own MTProxy in 5 min.
A multitude of proxies, shadow optic cables over the border and a bit of whitelisting from the government to allow payment processing made Telegram invincible.
Correct. What anyone in an oppressive regime could do though is to make sure settings are set to "share your phone number with no one," as well as delete their own messages from the channel in their entirety after having been read 15-30 min later or whatever arbitrary time they'd like. They would do best to not use an @username or account name which could identify them. Beyond that, there's no way anyone in Belarus can do a thing besides physical violence and take an individual's or a group of people's phones.
There are also options for invite-only channels (I manage several TG channels, public and private) in which nobody can join without having been given the invite link, or added to the channel if their settings permit other users adding them to channels.
This is all information in bad faith.
The protocol and all Telegram is open source. Are you a cryptographer?
And who "rolled" the Signal protocol, Moxie Marlinspike? Did he not design that himself?
This is demonstrably false. Telegram's apps are open sourced (except Telegram X for some reason), same as Signal's (no exceptions). Neither of the two offers you their server's code.
> And who "rolled" the Signal protocol, Moxie Marlinspike? Did he not design that himself?
And again, this is completely irrelevant because even if Telegram's end-to-end encryption was absolutely the best there is, a) it doesn't work on group chats, and b) it's not enabled by default, only in Secret Chats. The vast majority of Telegram's usage is not end-to-end encrypted at all.
"The vast majority of Telegram's usage is not end-to-end encrypted at all."
This. This is the backdoor right here. It was never going to be a shady flaw in the implementation. It's SO much easier to put it out there in the open, spread misinformation about Telegram being at the forefront of the privacy battle and silence all criticism (my links were shadowbanned on their subreddit), and to attack straw men like people posting examples of Telegram's bad track record. tl;dr: damage control.
Telegram's encryption OTOH was designed by Nikolai Durov who is not a cryptographer, but a geometrician. That's like asking a gynecologist to perform brain surgery, lol.
Signal Protocol won the Levchin Prize at Real World Crypto, which was awarded by a panel of several of the most renowned academic cryptographers in the field (including Dan Boneh and Kenny Paterson). Other winners include Bellare, Krawczyk, and Joan Daemen. The protocol has been extensively analyzed and is the current gold standard for messaging encryption.
This. It's not the Durov brothers who are moving the field of secure messaging onwards, or talking at conferences. They're complete amateurs surrounded by fanboys who don't understand the very basics of the field, and who think copy-pasting from https://tsf.telegram.org/manuals/e2ee-simple makes them useful as opposed to spreading propaganda.
But the standard we should apply to secure chat protocols isn't how many awards it won, but whether it's watertight. Obviously winning a prestigious prize means it's watertight, but the converse doesn't follow. A protocol can be safe for practical use without winning any prizes.
It can, but given Telegram's history and professional cryptographers like Schneier[1] and Green[2] saying DO NOT USE IT, it's obvious it's _anything_ but watertight.
No. Still not E2EE by default, still no E2EE for groups, still no E2EE for desktop clients. Why do you want to imagine Telegram magically got better when it's so obvious it didn't?
Because they “magically” updated and improved tons of stuff in the last four years. So I think it’s not unreasonable to consider whether their encryption improved too.
But yes, not having encryption on by default speaks poorly of them. OTOH it’s not concrete proof that the encryption still sucks as of now.
Don't get me wrong, I'm not saying the E2EE encryption itself is flawed. I'm saying it's not being used at all by default. And I'm saying it's not possible to use it for groups or desktop clients. That's _the_ travesty, and the proof that this is the state of things is so obvious people don't realize how serious it is. And my concern is that will lead to a tragedy.
Yeah, it’s true that not having E2EE makes Telegram a bad choice for the purposes of the protesters. Convenience and inertia wins out though. And when you have groups of hundreds of thousands of people, there aren’t too many choices in the first place.
The expectation of privacy loses its meaning when the group size grows. It's more likely what you said remains private when you say it in a group of five people than if you say it in a group of 50, 500, 5000, or 500,000 people. IMO supergroups and channels don't need E2EE, normal groups in Telegram definitely do. It's not an all-or-nothing thing. E2EE where expectation of privacy can be assumed from group size isn't a problem.
Also, Signal has no upper group size limit, but E2EE would make groups with 100,000s a bit sluggish. But that's a problem that reduces with Moore's law.
No, and obviously it doesn't have to, because I'm replying to you. You hint at Telegram's protocol being inferior based on the number of awards it won, a heuristic that isn't too relevant in practice.
First of all, most of this goes back five years and things have likely changed, but basically MTProto used several non-standard and out of date security mechanisms (no AE and using SHA1 were fairly notable at the time) whereas Signal was purposing fairly standard and widely used mechanisms (OTR). It's possible that many of those failures have been addressed over the years, but I haven't followed it closely. It's worth noting that Signal has been widely vetted over time and is the underpinning of WhatsApp, whereas MTProto continues to have a poor reputation, it seems.
The very fact that out-of-date security mechanisms passed into the first version should tell you the developers don't follow their field, or that they're complete amateurs. Both are flags so red Stalin would have a problem with it.
The Signal Protocol[0] is based on OTR, a technology which had already seen a number of implementations and informed scrutiny by the time Signal came along.
Also an important aspect is that it is open sourced, meaning others can audit it. I'm a little untrusting of people that say "trust me" but also "no, you can't look at it." (unless there is a good reason to hide it, which in this case I do not believe there is)
(DH-ratchet is still there. 1536-bit FF-DH was replaced with X3DH etc, but the basic idea is still there. Adding hash ratchet for non-round-trip messaging was a good idea, as was pre-keys stored on server. IMO it's fair to say it's been expanded around OTR)
It is encrypted by default but end-to-end is only for calls and Secret Chats (one-on-one). You can delete any message at any time without a trace for both sides, which protesters often do, really don't think the government needs messages to pin a crime on them. Hell, they've pinned crimes on people for literally no reason before.
So when you try and go tell the other person's device to delete your message, how does it go into their iCloud backups and delete that message, or some other backup?
Don't depend on asking someone else's device to delete the data as that data being gone.
It is stored locally, although only temporarily. I rarely connect my phone to the internet and still can scroll through quite a bit of message history.
Not by default, no, because that has UX implications (e.g. the chat will only be available on one of your devices instead of being synced between all your devices). Though it's quite easy to start an encrypted chat, and you can decide to have auto-destructive messages.
I'm pretty sure Signal at least doesn't encrypt at rest on your phone. So the drive would have to be encrypted as well, which is not default on Android.
Signal does encrypt your messages locally. Also, Android supports file encryption, so you don't need to use full disk encryption anymore. Also I think the policy has changed in Android 10.
> All compatible Android devices newly launching with Android Q are required to encrypt user data, with no exceptions.
Signal traditionally had an easy-to-get encryption key for the local encryption. Now there is a PIN but I don't think it is any protection against having access to the disk. The Signal people would prefer that you deal with the endpoint security yourself, because they really can't do much there.
Indeed, the PIN is just for SVR. Exported message logs on Android use separate, client-generated, 30-digit PINs.
Unless the OS+HW provide API for some sort of TPM, it's not possible to provide strong protection for app databases without asking for strong password every time the app is opened. Android has had some sort of sandboxing for a while but it's not comparable to secure enclaves etc. AFAIK.
Android has encrypted storage by default since a few years ago. Of course, by default it uses a default key. But, the point is, enabling "encryption" just means changing that key, not re-encrypting the entire device.
Apart from that, regardless if you're on Signal or Telegram if authorities get hold of a protester's identity on such an app and have the power to access the app's servers they can gradually uncover social networks by reading metadata (if I'm not mistaken).
I think you are mistaken. Before your text is sent to Signal your sender information is encrypted with the receiver's public key. So while Signal's servers can see who to deliver the message to they cannot see who sent it. Only the receiving client can decrypt and authenticate the message. This feature was rolled out in late 2018 and is called "sealed sender". It was developed to prevent leakage of any social network information via the message metadata.
But as far as I know Telegram has no equivalent feature.
"So while Signal's servers can see who to deliver the message to they cannot see who sent it."
Why can't they look at the TCP headers of incoming packets to determine source-IP? Also, why can't they look at session identifier or signal ID like phone number to determine who the sender is?
I assume if you are trying to hide your communications you aren't connecting directly to Signal's servers, so IP should get you nothing. There is no session identifier or Signal ID attached to your message; it's contained within the encrypted part of the message, so only the receiver can determine who the message was sent by. https://signal.org/blog/sealed-sender/
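The shape of the sealed-sender envelope discussed in the two comments above, as an added toy model (not Signal's code and not its real cryptography): the sender's identity travels only inside the ciphertext, the relay sees nothing but the routing target, and the recipient authenticates the claimed sender through the pre-existing pairwise session. The constructed keys, the SHA-256 counter-mode stream and the encrypt-then-MAC layer are stand-ins for the recipient's public key, the real cipher and the real AEAD, and are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy keys (assumption). In the real protocol RECIPIENT_KEYS plays
# the role of the recipient's public key, SESSION_KEYS that of the existing
# pairwise Signal session between the two parties.
RECIPIENT_KEYS = {"bob": b"\x01" * 32}
SESSION_KEYS = {("alice", "bob"): b"\x02" * 32}


def _keystream(key, nonce, length):
    """Toy counter-mode keystream from SHA-256 (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _encrypt(key, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def _decrypt(key, nonce, ct, tag):
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("envelope tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def seal(sender, recipient, text):
    """Sender side: authenticate the body with the pairwise session, then wrap
    body, MAC and sender identity so that only the recipient can open them."""
    inner_mac = hmac.new(SESSION_KEYS[(sender, recipient)], text.encode(), hashlib.sha256).hexdigest()
    inner = json.dumps({"from": sender, "text": text, "mac": inner_mac}).encode()
    nonce, ct, tag = _encrypt(RECIPIENT_KEYS[recipient], inner)
    # Deliberately no "from" field outside the ciphertext.
    return {"to": recipient, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def server_view(envelope):
    """Everything the relay can learn from the envelope itself: the routing target."""
    return {k: v for k, v in envelope.items() if k == "to"}


def open_sealed(envelope, me):
    """Recipient side: unwrap, then check the claimed sender against the session."""
    inner = json.loads(_decrypt(RECIPIENT_KEYS[me], bytes.fromhex(envelope["nonce"]),
                                bytes.fromhex(envelope["ct"]), bytes.fromhex(envelope["tag"])))
    session_key = SESSION_KEYS.get((inner["from"], me))
    if session_key is None:
        raise ValueError("no session with the claimed sender")
    expected = hmac.new(session_key, inner["text"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, inner["mac"]):
        raise ValueError("sender claim not authenticated")
    return inner["from"], inner["text"]


def is_rejected(envelope, me):
    """True if the recipient refuses the envelope (tampering or bogus sender)."""
    try:
        open_sealed(envelope, me)
        return False
    except ValueError:
        return True
```

The relay's view contains no sender, no IP-independent session identifier and nothing it can correlate across messages beyond the recipient, which is the metadata point the comment makes.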
> [The characters'] goal is to facilitate anonymous Internet banking using electronic money and (later) digital gold currency, with a long-term objective to distribute Holocaust Education and Avoidance Pod (HEAP) media for instructing genocide-target populations on defensive warfare.
"good enough" relies on a threat model. Cryptography researchers work in the abstract - without a threat model you must consider cases where your attacker has unlimited resources.
It's good enough for you and me, but research isn't meant to be practical, imo
What. The first thing any security paper defines is the assumed threat model. People design all kinds of schemes for different threat models.
The point with assuming conservative threat models for key primitives like hash functions is that the threat model can change rapidly even within the same application, and attackers only get stronger. So you err on the side of caution, and don't rely on luck to keep safe.
So, what's different about cliqz? You promise not to keep logs, skew results, and sell data?
Also,
> With 93% of the search market, Google’s algorithms decide what becomes truth. Can you think of a TV channel with a 93% audience? Would you find it acceptable if there were only one TV channel?
Seems to me like Google is more analogous to the TV remote.
As blog post mentions, more than half of Google searches do not result in an (out-)click, but stay on Google. So, the comparison is not completely outlandish.
Yep, I've been getting Russian events in my google cal that just reappear the day after I report them as spam (which does what?)
Unfortunately, it's pretty inconvenient to just not show calendar events that I haven't accepted. If you have a busy calendar, it can be helpful to prioritize events - some will inevitably be declined or left hanging, but those are useful to see.
It's pretty crazy that calendar invites that are already filtered out to my spam email folder show up in my normal google calendar. Seems like a quick solution for google to go fix.
I don't know about that. Authentication mechanisms seem within scope of any protocol, and if an implementation refuses service based on some extra requirement (such as being signed in to Facebook) then that implementation is simply not up to spec.
> Facebook could start using an open protocol today
Richard Stallman would prefer you to use the term "free protocol", which I think is what we're all trying to say here ;)
Authentication mechanisms are in scope (obviously). The set of authorized accessors is not, right? I guess people are not accounting for the distinction, but it’s rather critical here.
> But really this is Google's problem, not Apple's.
I'm not sure we agree on what the problem is? If Google monopolized years ago, the story would play the same - only now it's the kid without Hangouts/Gmail. Sure, you're not locked into a physical device, but you're still locked into a service, and that's not guaranteed to hold true forever.
IMO we need a modern messaging standard that's vendor agnostic. SMS/MMS were good but feel ancient now. XMPP seems promising but there's too many extensions such that it's nearly unusable for the layman. I don't see an obvious solution, and asking the top vendors to collaborate on a common messaging protocol seems like a far cry.
Matrix is the answer. Unlike all the other trendy competitors (Signal, Telegram, etc) it is both fully open source and—crucially—federated.
But just because it's the best technical solution doesn't mean it'll take hold. If the best tech always won, we'd have adopted XMPP a long time before Matrix was created.
Sadly, I'm beginning to think the only way we're gonna put a stop to this crap is to threaten companies like Apple with antitrust regulation for such actions.
Have you read the GPL? It makes very little sense for hardware (it’s actually a pretty weird license full of all kinds of software specific things. “Linking” to “operating system components” for example doesn’t make them a derivative work, whatever all that means. There’s quite a lot of other stuff.)
The argument for using the GPL when creating copyleft software is that most copyleft software uses the GPL and you want everything to have a compatible license, that’s not really the case for hardware.
While it's true that there's an abundance of water, the issue is that there's limited drinking water.
You can't survive on drinking ocean water. There's currently no energy-efficient process to remove salt and other impurities from non-potable water. That's a real issue.
Increased rainfall could be good, but could cause flooding and doesn't do much benefit when it's acidic.
Well we really don't have very good predictions for how much rainfall will occur over the next century, but we have no reason to believe that droughts will become standard. Especially since we just experienced record rainfall in the midst of the 4th hottest year in modern records.
There are ways to remove salt from ocean water. It's just almost always more expensive than extracting from the widely available fresh water sources on the planet.
As long as the water cycle is going, we'll still have fresh water.
Rainfall is good, but flooding is a localized issue. It's not a global concern. CO2 doesn't cause acid rain.