Stop recommending Telegram #29

Closed
arsv opened this issue Jan 6, 2020 · 12 comments
@arsv commented Jan 6, 2020

It's not particularly secure, and not privacy-focused at all, at least not compared to the other entries in that section.

https://en.wikipedia.org/wiki/Telegram_(software)

Default Messages and media in Telegram (...) can be accessed by the Telegram service provider, who holds the encryption keys.

@tycrek (Owner) commented Jan 8, 2020

Thank you. I'll update the guide to remove Telegram but with a link to this issue.

tycrek closed this Jan 8, 2020

@svhnl (Contributor) commented Jan 20, 2020

https://telegra.ph/Why-you-should-stop-reading-Gizmodo-right-now-Long
Can this piece, for instance, change anything about this?

@tycrek (Owner) commented Jan 20, 2020

No, sorry. Telegram uses a homegrown encryption protocol called MTProto, which has been proven insecure by multiple studies. Also worth noting are this article from Bloomberg (published March 2018) and this article from CSO (published May 2018).

@nailkhaf commented Jan 26, 2020

I am not a security expert. But the mentioned articles describe weak sides of MTProto version 1; now Telegram uses MTProto version 2 (late 2017), where, as I see it, the described issues were fixed. Now Telegram uses SHA-256 and something new with padding.
https://core.telegram.org/api/end-to-end
@tycrek Please, can you check it?

@tycrek (Owner) commented Jan 26, 2020

I might be willing to add it back if there are independent studies that can verify it is secure, or if there is a security expert who can provide input on this Issue. However, even with version 2, I believe @arsv's original comment still holds true:

Default Messages and media in Telegram (...) can be accessed by the Telegram service provider, who holds the encryption keys.

tycrek reopened this Jan 26, 2020
tycrek added the help wanted label Jan 26, 2020

@nailkhaf commented Jan 26, 2020

To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.

https://telegram.org/faq#q-do-you-process-data-requests
So cloud providers can't access the user data, because the decryption key is stored across several providers and countries.

@alexanderadam commented Jan 26, 2020

As a result, several court orders from different jurisdictions are required to force us to give up any data.

https://telegram.org/faq#q-do-you-process-data-requests
So cloud providers can't access the user data, because the decryption key is stored across several providers and countries.

This argumentation is absolute nonsense. 😉

  1. Some countries simply work together.
  2. If you look further than the "legal" argumentation it is technically still insecure.
  3. The mentioned phrases just satisfy marketing teams and naive users.
@tycrek (Owner) commented Jan 26, 2020

@nailkhaf commented Jan 26, 2020

Yes, maybe, I don't know for sure. But Telegram has a good privacy policy and reputation, and you always have the ability to use E2EE secret chats. Also Telegram has many good public channels, professional chats, a bot platform and funny stickers))

As I see it, this repo is about privacy-focused replacements for Google services. Not every service in this repo uses E2EE.

@tycrek (Owner) commented Jan 27, 2020

@alexanderadam commented Jan 27, 2020

Telegram has a good privacy policy and reputation, and you always have the ability to use E2EE secret chats.

Its "reputation" is mostly marketing as well.
People don't like Telegram because of the "security" it offers, but for the other things you mentioned (good public channels, professional chats, bot platform and funny stickers).
It does not have a good reputation regarding security.

Here's the thing: law enforcement has been sniffing Telegram chats for years in different ways (for example by intercepting the validation SMS: see Russia or Germany for example). And I'm very sure that other institutions are doing this as well. In fact even criminals are using variations of this attack (just search for SIM-Jacking or SIM Swap Attack).
So if you think about it, it should be clear that the official story about skirmish at the Russian Court can't be taken seriously. It gives a good legend for users to believe but it does not match to the things that security researchers see in the wild.

In fact even simple flaws in Telegram messengers can be very dangerous. Just recently Telegram had to fix a bug that put Hong Kong protesters into danger.

So I guess it's just reasonable that people shouldn't recommend Telegram.
You should use a protocol/messenger whose security was proved before something happened and not after people were put in danger.

But then again you might favour "funny stickers" over your personal security… 😉

tycrek closed this Jan 27, 2020

@svhnl (Contributor) commented Jan 27, 2020

Telegram has a good privacy policy and reputation, and you always have the ability to use E2EE secret chats.

Its "reputation" is mostly marketing as well.
People don't like Telegram because of the "security" it offers, but for the other things you mentioned (good public channels, professional chats, bot platform and funny stickers).
It does not have a good reputation regarding security.

Here's the thing: law enforcement has been sniffing Telegram chats for years in different ways (for example by intercepting the validation SMS: see Russia or Germany for example). And I'm very sure that other institutions are doing this as well. In fact even criminals are using variations of this attack (just search for SIM-Jacking or SIM Swap Attack).
So if you think about it, it should be clear that the official story about skirmish at the Russian Court can't be taken seriously. It gives a good legend for users to believe but it does not match to the things that security researchers see in the wild.

In fact even simple flaws in Telegram messengers can be very dangerous. Just recently Telegram had to fix a bug that put Hong Kong protesters into danger.

So I guess it's just reasonable that people shouldn't recommend Telegram.
You should use a protocol/messenger whose security was proved before something happened and not after people were put in danger.

But then again you might favour "funny stickers" over your personal security… 😉

I agree with you on that partially, since they recently changed to verifying via Telegram itself; as for all the other reasons, I can't argue against those.
