Should it really be Telegram? (tim.kicker.dev)

submitted 1 year ago by Provider@feddit.de to c/privacyguides@lemmy.one

29 comments fedilink hide all child comments

Is Telegram really that bad and should i look more into it or is sticking to signal really the best option?

all 30 comments

sorted by: hot top controversial new old

[-] Melody@lemmy.one 33 points 1 year ago

Telegram is legitimately bad, it's only saving grace being that it is STILL BETTER THAN DISCORD! It's main "Sin" is rolling it's own Encryption Algorithm; which has been proven to be less than 100% airtight and secure.

Sadly your average user does not care about privacy above all else. They only care about privacy in as much as it can factually and emotionally affect their daily lives. TL;DR: You have to incentivize them to care, and they will often refuse to move, or outright dislike a platform, if a specific feature they love or depend on doesn't exist, even when it is 100% not critical to the application's function.

[-] dngray@lemmy.one 1 points 1 year ago* (last edited 1 year ago)

which has been proven to be less than 100% airtight and secure.

I don't believe that has been proven. There has been criticism of it 1, 2 from prominent cryptographers though.

Telegram's MTProto protocol isn't obviously broken in a practical way, concedes Matt Green, a cryptographer at Johns Hopkins University who has consulted for Facebook on encrypted messaging systems. But it's uniquely "weird," he says, in a way that suggests its inventors don't understand tried-and-true cryptography practices and raises his suspicions that it may yet have undiscovered vulnerabilities.

Their response was even more dodgy trying to somehow inject some sort of "nationalistic", "america bad" into it:

Telegram's Ravdonikas argues that “Telegram encryption relies on classical algorithms, because we consider some approaches promoted by US-based cryptographers after 9-11/the Patriot Act (which your sources refer to as 'state of the art cryptography') questionable."

At the end of the day math is math regardless where it comes from. Secret chats also only work with the mobile client, have to be manually turned on and do not work for group chats and as it's a centralized server you can't host your own.

And with RFC 9420 aka Messaging Layer Security (MLS) being standardized, it's likely all the good messengers will use that.

[-] eruchitanda@lemmy.world 20 points 1 year ago

Signal considered the best between those 3 apps.

Signal have E2EE. Facebook decided to copy the idea to Whatsapp. AFAIK, attackers have always gained access only by other methods.
Telegram created their own protocol, MTProto. E2E is only enabled on private chats. By default private chat exist only on the device they were created on. So a lot of people don't really use them.

So, in terms of encryption alone, Signal/Whatapp are safer.

I don't know about you, but for me, the last company I'll trust with my information is Facebook.

So if you can, use Signal.

If not, decide who you trust more. Telegram or Facebook.

[-] MigratingtoLemmy@lemmy.world 2 points 1 year ago

Session

[-] Lime66@lemmy.world 1 points 11 months ago

No forward secrecy

[-] CrypticCoffee@lemmy.ml 1 points 1 year ago

Just to clarify. I thought WA had e2e encryption before Signal but got bought out by Facebook, so Signal developed including with e2e encryption and open source code (at least initially) as an alternative. Is that correct?

[-] pranqster@infosec.pub 5 points 1 year ago* (last edited 1 year ago)

The Signal protocol (née TextSecure protocol) was created by Moxie Marlinspike and Trevor Perrin and Signal messenger (née TextSecure) was built from the ground up with e2ee. WhatsApp was acquired by Facebook without e2ee and Moxie later worked with them to integrate the Signal protocol for WhatsApp. Hope that clarifies.

[-] CrypticCoffee@lemmy.ml 1 points 1 year ago

I appreciate the clarification. Thanks.

[-] pabloscloud@lemmy.world 16 points 1 year ago

Sticking to Signal is really the best option

[-] constantokra@lemmy.one 5 points 1 year ago

If you can.actually get people to switch, you should look into simplex chat. It has a lot of really good features, you can run a CLI application on any servers you might have to send you notifications really easily, and it's being rather actively developed. A quick look at their website will show you how dedicated to privacy they are.

[-] 14th_cylon@lemm.ee 16 points 1 year ago* (last edited 1 year ago)

If you can.actually get people to switch, you should look into simplex chat

https://xkcd.com/927/

[-] ips@infosec.pub 2 points 1 year ago

I can recommend SimpleX, too. Easier to install, set up, understand and use, than Matrix for example. Very promising so far!

[-] red0888@ohai.social 3 points 1 year ago

@ips @constantokra fair enough but doesn't come anywhere close to Matrix though. Matrix is meant for privacy while simplex is meant for privacy + anonymity.

[-] ips@infosec.pub 2 points 1 year ago

Well, I use and support both. Matrix is also coming along nicely. But SimpleX is already very usable for everyone as a mobile messenger, that does everything you’re used to from years of other apps. Very clean UX for me.

[-] people_are_cute 4 points 1 year ago* (last edited 1 year ago)

Well, movie pirates use it so it must be safe! /s

Telegram has a lot of pros, but it can be safe only as long as you and every person in your circle sets it as such. Chats are not encrypted by default, you have to set it in group settings. Your phone number isn't hidden by default, you have to manually set its visibility to "Nobody". It even asks to let it pull your contacts, Facebook-style. There might be several such gimmicks, but generally they are easy to notice and control.

The biggest advantage(?) Telegram has is that everything is saved server-side instead of your phone. So you don't need to keep having to back up your chats and be scared of losing everything if you lost your phone.

[-] 14th_cylon@lemm.ee 11 points 1 year ago

The biggest advantage(?) Telegram has is that everything is saved server-side

yeah, having all your secret data on a server you know nothing about is massive advantage 😂

[-] caglel@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

There is an standard client-server encryption in Telegram. If you want e2e encrypted chat, then use Secret chats. Almost all messengers nowadays use client server encryption. So the biggest problem is not man-in-the-middle attack, but physical access to device by someone and malware installed via breaches.

[-] lo__@mastodon.social 3 points 1 year ago

@caglel @people_are_cute The standard encryption is utter trash. First, they never needed to make it. Ever. Second, it was audited and laughed at by everyone. Third, even after they fixed the issues, it's still laughed at by everyone.

[-] fuckyou_m8@lemmy.fmhy.ml 1 points 1 year ago

What is the problem in asking for pulling your contact list? Isn't it to check which of your contacts also have telegram?

[-] constantokra@lemmy.one 7 points 1 year ago

Pulling your contacts lets it get a pretty good fingerprint of who you are, from who you talk to. It can already get that from who you actually message, but it's getting a lot more information about you from pulling the whole list and not just who you talk to through telegram.

[-] fuckyou_m8@lemmy.fmhy.ml 2 points 1 year ago

I understand, but if you are new to this conversation app, right after installing it would be good to know which of your contacts your are able to talk to there. I don't see asking one by one and adding them manually a good solution, maybe there is another one I don't see

[-] pabloscloud@lemmy.world 4 points 1 year ago

Well, I'd say they can do that as long as it stays on my device like with Signal.

[-] fuckyou_m8@lemmy.fmhy.ml 2 points 1 year ago

Signal still have access to your contact list at first, they simply not store it anywhere. Which is good for me

[-] Awry@lemmy.one 1 points 1 year ago

You were calling someone cringe for asking why Telegram isn't secure. Now here you are thinking your Signal messages aren't sitting in an NSA server somewhere in front of all these people. You're delusional, mate. You're like a step above a script kiddy in regards to technical understanding. You're so close to understanding the reality that you have no data privacy, but you're still so far...

[-] constantokra@lemmy.one 1 points 1 year ago

How does it stay on your device? I'm notified if a contact of mine uses signal. That means if someone has my.number in their phone signal will let them know I use signal. I don't really want someone to be able to confirm that I use a service.

[-] pabloscloud@lemmy.world 1 points 1 year ago

It just does. Your phone can check by itself if someone is on signal or not - no upload of contacts needed.

[-] mister_monster@monero.town 3 points 1 year ago

Signal publishes a unique identifier and the board is like 50% feds with close intelligence ties. I use it, but only for those that insist. It's better than the other mainstream ones.

Use simplex.

[-] PublicLewdness@burggit.moe 1 points 1 year ago

Telegram is closed source on the server side. I don't trust it. Lots of better options:

https://alternativeto.net/software/telegram/?license=opensource

[-] dngray@lemmy.one 1 points 1 year ago* (last edited 1 year ago)

We have a website too https://www.privacyguides.org/en/real-time-communication which has decisions based on a privacy and security related context.

One of the main requirements there is that recommended instant messengers undergo auditing.

this post was submitted on 18 Jul 2023

48 points (100.0% liked)

Privacy Guides

16263 readers

18 users here now

In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.

This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.

You can subscribe to this community from any Kbin or Lemmy instance:

Learn more...

Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!

Want to get involved? The website is open-source on GitHub, and your help would be appreciated!

This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.

Moderation Rules:

We prefer posting about open-source software whenever possible.
This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.
No soliciting engagement: Don't ask for upvotes, follows, etc.
Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
Be civil, no violence, hate speech. Assume people here are posting in good faith.
Don't repost topics which have already been covered here.
News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
No help vampires: This is not a tech support subreddit, don't abuse our community's willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
No misinformation: Extraordinary claims must be matched with evidence.
Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.

Additional Resources:

founded 1 year ago

MODERATORS

jonah@lemmy.jonaharagon.net