I don't understand why #Telegram is so popular
it's the worst messenger in regards to security by far.
There's no encryption, even 'secure chats' have had a broken impl for years and the Russian gov reads and manipulates all.
Lots of nice features though
@feld the claim of them using the same E2EE with communicating to the server is laughable.
They most likely use TLS like every other sane person.
In fact using TLS for secret chats would be a much smarter idea in the first place rather than rolling their own crypto which is known in the industry to be a failure only the most inept security engineers do.
Every crypto is insecure unless shown otherwise.
AES, GPG, EC, … have been spotless for decades and that's why they're trusted
@feld According to German security expert @kuketz in his blog article from 2020 there is at the time no audit for the Telegram MTProto 2.0 protocol.
https://www.kuketz-blog.de/telegram-sicherheit-gibt-es-nur-auf-anfrage-messenger-teil3/
Correct me if that is wrong. The first MTProto was broken in a very amateurish way. The second not audited at all to my knowledge.
I like to believe Telegram being an unattractive target for audits anyways since it's closed source and publicly criticizing tools of the Russian state might be bad for your health
#telegram
@feld it's a funny read and it's certainly an important building block when that was his opinion in 2017.
It's correct that not having #E2EE is more convenient. And that in itself is a valid reason. But then advertise as "simple and hassle free" and don't pretend to offer any security in #Telegram
In case I wasn't clear: I am finished looking at the formal proof because I don't have that software and I see no link to the results / paper / etc.
@feld I know this source is old but just look at this 2017 blog article by Pavel Durov: https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by-Default-08-14
it immediately opens with the most far-fetched and niche argument ever. All of E2EE is not what you truly want because... some users do unencrypted backups.
The same users would do the same backups for Telegram but let's ignore that.
All of Telegram shall have no E2EE because they leak it anyway.
Signal is niche and cringe (didn't use the latter word) because they encrypt backups
@feld that formal verification is five years old
just saying that.
I was unaware that formal verification of such complex systems is even possible.
not even AES is formally verified and it's magnitudes simpler in design
@feld excuse me did you just say "unconventional choices" in regards to cryptography?
I am sorry there are ways that stand the test of time and everything else is flawed.
That's how cryptographers think about these things and for a good reason.
Do I want a heart surgeon to be known for their "unconventional choices"? No. That's like the ultimate flaw in that industry of knowing it better in an otherwise peer reviewed world
@feld of course I could say "it's not FLOSS, thus can't be independently audited, thus immediately a no-go for people interested in information security".
But that would be too much of an easy W. I should stay within my original claim of them having no encryption at all
@feld thanks for the source
last time I checked, MTProto had such an obvious flaw in Diffie-Hellman it would have been a beginner question in crypto 1 at my uni (and my uni is worst in the country for c.s.)
we're only talking about the secure chat feature here. Every other chat (nearly 100 %) is still unencrypted (and they're open about that).
They sometimes communicate this premise in a way very confusing to the uninitiated