Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop recommending Telegram #29

Closed
arsv opened this issue Jan 6, 2020 · 16 comments
Closed

Stop recommending Telegram #29

arsv opened this issue Jan 6, 2020 · 16 comments
Labels
help wanted

Comments

@arsv
Copy link

@arsv arsv commented Jan 6, 2020

It's not particularly secure, and not privacy-focused at all, at least not compared to the other entries in that section.

https://en.wikipedia.org/wiki/Telegram_(software)

Default Messages and media in Telegram (...) can be accessed by the Telegram service provider, who holds the encryption keys.

@tycrek
Copy link
Owner

@tycrek tycrek commented Jan 8, 2020

Thank you. I'll update the guide to remove Telegram but with a link to this issue.

@tycrek tycrek closed this as completed Jan 8, 2020
@TeaDrinkingProgrammer
Copy link
Contributor

@TeaDrinkingProgrammer TeaDrinkingProgrammer commented Jan 20, 2020

https://telegra.ph/Why-you-should-stop-reading-Gizmodo-right-now-Long
Can for instance this piece change anything about this?

@tycrek
Copy link
Owner

@tycrek tycrek commented Jan 20, 2020

No, sorry. Telegram uses a homegrown encryption protocol called MTProto, which has been proven insecure by multiple studies. Also worth noting are this article from Bloomberg (published March 2018) and this article from CSO (published May 2018).

@nailkhaf
Copy link

@nailkhaf nailkhaf commented Jan 26, 2020

I am not security expert. But mentioned articles describe weak sides of mtproto version 1, now telegram uses mtproto version 2 (late 2017), where as I see, described issues were fixed. Now telegram uses sha-256 and smth new with paddings.
https://core.telegram.org/api/end-to-end
@tycrek Please, can you check it?

@tycrek
Copy link
Owner

@tycrek tycrek commented Jan 26, 2020

I'm might be willing to add it back if there are independent studies that can verify it is secure, or if there is a security expert who can provide input on this Issue. However, even with version 2, I believe @arsv's original comment still holds true:

Default Messages and media in Telegram (...) can be accessed by the Telegram service provider, who holds the encryption keys.

@tycrek tycrek reopened this Jan 26, 2020
@tycrek tycrek added the help wanted label Jan 26, 2020
@nailkhaf
Copy link

@nailkhaf nailkhaf commented Jan 26, 2020

To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.

https://telegram.org/faq#q-do-you-process-data-requests
So cloud providers can't access the user data, because decryption key is stored in several providers, countries.

@alexanderadam
Copy link

@alexanderadam alexanderadam commented Jan 26, 2020

As a result, several court orders from different jurisdictions are required to force us to give up any data.

https://telegram.org/faq#q-do-you-process-data-requests
So cloud providers can't access the user data, because decryption key is stored in several providers, countries.

This argumentation is absolute nonsense. 😉

  1. Some countries simply work together.
  2. If you look further than the "legal" argumentation it is technically still insecure.
  3. The mentioned phrases just satisfy marketing teams and naive users.

@tycrek
Copy link
Owner

@tycrek tycrek commented Jan 26, 2020

@nailkhaf
Copy link

@nailkhaf nailkhaf commented Jan 26, 2020

Yes, maybe, I don't know for sure. But telegram has good privacy policy, reputation and you have ability always use e2ee secret chats. Also telegram has many good public channels, professional chats, bot platform and funny stickers))

As I see this repo about privacy-focused replacements for Google services. Not every service in this repo uses e2ee.

@tycrek
Copy link
Owner

@tycrek tycrek commented Jan 27, 2020

@alexanderadam
Copy link

@alexanderadam alexanderadam commented Jan 27, 2020

telegram has good privacy policy, reputation and you have ability always use e2ee secret chats.

It's "reputation" is mostly marketing as well.
People don't like Telegram because of the "security" it offers, but for the other things you mentioned (good public channels, professional chats, bot platform and funny stickers).
It does not have a good reputation regarding security.

Here's the thing: law enforcement is sniffing Telegram chats since years in different ways (for example by intercepting the validation SMS: see Russia or Germany for example). And I'm very sure that other institutions are doing this as well. I fact even criminals are using variations of this attack (just search for SIM-Jacking or SIM Swap Attack).
So if you think about it, it should be clear that the official story about skirmish at the Russian Court can't be taken seriously. It gives a good legend for users to believe but it does not match to the things that security researchers see in the wild.

In fact even simple flaws in Telegram messengers can be very dangerous. Just recently Telegram had to fix a bug that put Hong Kong protesters into danger.

So I guess it's just reasonable that people shouldn't recommend Telegram.
You should use a protocol/messenger whose security was proved before something happened and not after people were put in danger.

But then again you might favour "funny stickers" about your personal security… 😉

@tycrek tycrek closed this as completed Jan 27, 2020
@TeaDrinkingProgrammer
Copy link
Contributor

@TeaDrinkingProgrammer TeaDrinkingProgrammer commented Jan 27, 2020

telegram has good privacy policy, reputation and you have ability always use e2ee secret chats.

It's "reputation" is mostly marketing as well.
People don't like Telegram because of the "security" it offers, but for the other things you mentioned (good public channels, professional chats, bot platform and funny stickers).
It does not have a good reputation regarding security.

Here's the thing: law enforcement is sniffing Telegram chats since years in different ways (for example by intercepting the validation SMS: see Russia or Germany for example). And I'm very sure that other institutions are doing this as well. I fact even criminals are using variations of this attack (just search for SIM-Jacking or SIM Swap Attack).
So if you think about it, it should be clear that the official story about skirmish at the Russian Court can't be taken seriously. It gives a good legend for users to believe but it does not match to the things that security researchers see in the wild.

In fact even simple flaws in Telegram messengers can be very dangerous. Just recently Telegram had to fix a bug that put Hong Kong protesters into danger.

So I guess it's just reasonable that people shouldn't recommend Telegram.
You should use a protocol/messenger whose security was proved before something happened and not after people were put in danger.

But then again you might favour "funny stickers" about your personal security… wink

I agree with you on that partially, since they recently changed to verifying via Telegram itself, as for all the other reasons, I can' t argue against those.

@cedricfung
Copy link

@cedricfung cedricfung commented Aug 22, 2020

@tycrek as this issue discussed, Riot doesn't have default E2EE yet. Riot E2EE was only enabled as default on May 2020, for new private conversations only. https://matrix.org/blog/2020/05/06/cross-signing-and-end-to-end-encryption-by-default-is-here

@tycrek
Copy link
Owner

@tycrek tycrek commented Aug 24, 2020

@cedricfung please open a new issue if you wish to discuss Element (Riot was renamed), this issue is for Telegram discussion.

@FarisZR
Copy link

@FarisZR FarisZR commented Oct 7, 2020

So if I only have a choice between telegram and WhatsApp which is more secure/trustworthy?

@tycrek
Copy link
Owner

@tycrek tycrek commented Oct 7, 2020

So if I only have a choice between telegram and WhatsApp which is more secure/trustworthy?

I wouldn't recommend either, but if you really do not have a choice and you're unable to use Signal or another service, I would opt for Telegram over WhatsApp due to WhatsApp being owned by Facebook. But like I said, I cannot confidently recommend either of them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted
Projects
None yet
Development

No branches or pull requests

7 participants