This is an article written by telegram’s founder and CEO Pavel Durov in 2019 on “Why whatsapp will never be secure”. Your thoughts?
Sure, fuck WhatsApp, but Telegram isn’t even end-to-end encrypted most of the time. Their group chats never are, and their “secret chat” encryption for non-group chats must be explicitly enabled and hardly ever is because it disables some features. And when it is encrypted, it’s with some dubious nonstandard cryptography.
It’s also pseudo open source; they do publish source code once in a while but it never corresponds to the binaries that nearly everyone actually uses.
And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯
State-sponsored exploits against WhatsApp might be more common than against Telegram, or at least we hear about them more, but it’s not because the app is more vulnerable: it’s because governments don’t need to compromise the endpoint to read your Telegram messages: they can just add a new device to your account with an SMS and see everything.
(╯° °)╯︵ ┻━┻
Anything claiming to prioritize privacy yet asking for your phone number (Telegram, WhatsApp, Signal, …) is a farce.
Removed by mod
Shit, 2019 really was five years ago.
Telegram isn’t perfect, but it is infinitely better than Whatsapp because it doesn’t belong to Facebook, and also isn’t from the United States. Also it can be used by normies without problem, unlike Matrix or Xmpp or what have you.
Brother, it has servers all over the world (including the US) where it hosts your data unencrypted. Telegram is nearly not inifinitely better than WhatsApp.
Sure, WhatsApp exposes you to US jurisdiction and Meta bullshit. At the same time, Telegram is very friendly with the Kremlin and associated intelligence services. So it basically comes down to whether you want to be spied on by Russian or US entities.
Source: Wired cover story
Wired story from a year ago about the FSB using Telegram to track down political activists.
Thats just speculation. The fact remains most of the Ukrainians (including their president) used telegram to raise their voice.
If you’d read the linked sources, you’d know that it’s not just speculation. Regardless of Telegram’s user base, it cooperates with Russian authorities. That remains true whether or not Ukranians use it to communicate. I’m not blaming Telegram for cooperating with Russian authorities as it’s well known that not doing so leads to drastic authoritarian measures.
But don’t take my word for it: Wikipedia: Blocking of Telegram in Russia
And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯
Not only that, but I believe that they actively try to prevent VoIP numbers from being used to create accounts.
Then what is the choice?
Removed by mod
Read up on Xmpp or matrix as good alternatives.
Matrix not yet untill they implemented proper encryption and security stuff
SimpleX is pretty cool
Removed by mod
Bravo, bravo, bravo!!
Dude, see you on the same side of the barricades when the time comes to fight the centralized army of agent Smiths 👏👏👏
Signal is great. Stop being overzealous
I don’t agree with everything but that last point of yours. Requiring your phone number only means your are not anonymous. There is no need to be anonymous to communicate privately. In fact, it can be counterproductive, since your are much more vulnerable to social engineering.
And also not secure if somebody sim swapped you, and then your privacy goes into the hands of the FSB agent who sim swapped you
What a load of hipocrisy. The dude uses unauthenticated DH for his apps “secret chats”, which a bored student with a laptop can MITM in seconds. Other chats use just TLS, meaning they get to read EVERYTHING.
Use Signal, people.
deleted by creator
which a bored student with a laptop can MITM in seconds
No, how can a bored student breach e2ee in seconds? note that no such cases have been reported by any telegram user so far.
Because the DH is unauthenticated, as I already said. Users can’t report it because there is no way to tell for them.
Users can’t report it because there is no way to tell for them
Atleast the one who breached can tell? no telegram users data have been seen on dark web yet, no person/org have claimed to get any vulnerability in their system. Also if its that easy to breach why govt’s keep banning telegram for not giving them userdata? despite telegram is the biggest app where most terrorist orgs operate, hub of piracy and illegal things, you can call it “public” darkweb.
if its that easy to breach why govt’s keep banning telegram for not giving them userdata
Same reason they ask Apple for backdoors even though they crack iPhones routinely. It’s about legal precedent.
They dont ban apple tho
The data is available. See this article - it’s a Google link.
That article literally praises telegram despite being non e2ee by default, authorities can only get ip address and phone number from it (those are public info already and both of them could be avoided by using voip amd paid VPNs), that just proves how solid mtproto have become. Also they are saying one can see your telegram message when they are physically logged in your account for which the Russian authorities took the help of their ISP, in that case its not telegrams fault, set up 2fa on your account or use VoIP.
Check stories about russian journalists…
I have some friends working in the police, many years they showed me how they can read messages of like anyone on telegram I was trying to tell people to stop using telegram for years, but now at least therecs some conversation is going on because of the journalists
I have tried to google, most of them were assumptions or russian agencies using ISPs to login to their account in which case its not telegrams fault. Can you provide a substantial proof?
Signal is based in the United States, enjoy having CIA and NSA reading all your messages.
deleted
Telegram backend is still closed-source, btw
“Here’s what someone who has never created a private messenger thinks about Whatsapp’s privacy.”
Why would anyone care about what he has to say? 💀
Owned by Facebook, which is a giant US company.
Of fucking course it has backdoors.
I’m confused regarding why you don’t consider telegram a private messenger.
It’s been a while since I looked into it, and things might have changed since then, but some stuff off the top of my head:
- Messages are stored on the server, not on the device
- end-to-end encryption not enabled by default
- uses proprietary encryption, making security audits difficult
Apart from that it’s somewhat politically questionable, based in Dubai (I think), with dubious financial backing and Russian developers. Because it’s closed source and the encryption is proprietary, there’s no way of knowing how much info it leaks.
Messages are stored on the server, not on the device
Yes, pretty much necessary to provide multidevice support
end-to-end encryption not enabled by default
True that and telegram sucks big here, but I donth think e2ee can be enabled in a feasible way for multiple devices.
uses proprietary encryption, making security audits difficult
The MTProto isnt open source but its fully documented, there have been security audits on it.
dubious financial backing
No. Pavel Durov have always said since starting he paid for telegram’s servers from his pocket, in recent years telegram has started monetisation programs to cover its costs.
Russian developers
The founders were born in Russia, but they now have dual citizenship of UAE and France. If you are talking about politically questionable, even signal have been accused of having backdoors for CIA.
Never has been, no default e2ee, and those exploits that leaked a ton of users locations.
Not to mention, no messenger is verifiably private unless it is fully open source.
Telegram isn’t, so you must be very confused indeed
Clicking the link gives me the following warning:
The site ahead may contain harmful programs
Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).
weird, works for me in firefox with all privacy features enabled, can you please try this link: https://telegra.ph/Why-WhatsApp-Will-Never-Be-Secure-05-15
Your original link is blocked at DNS level on my ‘Threat intelligence’ blocklist.
And that link is blocked at DNS level by ‘Toxic’ and ‘Stop Forum Spam’ filters.
So it’s blocked before the browser can even connect for me.
I got the same warning for the original link with ff as well.
Your comment link didn’t throw up a red flag.
sorry for the inconvenience, thing is this website supports multiple domains and is banned in some countries so we have to use different domains to access it, which might give red flags.
Great, thank you!
WhatsApp’s e2e encryption is based on the Signal protocol and active by default. Telegram’s is opt-in. So much for Telegram’s superior privacy…
They tell whatever they want until their claims can be validated with the source code. If we take it for granted that they use an original, unmodified version of the signal protocol programming libraries, there are still multiple questions:
- how often do they update the version they use
- what are they doing with the messages after local decryption (receiving), and before encryption (sending)
- how are they storing the secret keys used for encryption, and what exactly are they doing with it in the code
Any of these questions could reveal problems that would invalidate any security that is added by using the signal protocol. Like if they use an outdated version of the programming library that has a known vulnerability, if they analyze the messages in their plain data form, or on the UI, or the keypresses as you type them, or if they are mishandling your encryption keys by sending them or a part of them to wherever
No. Whatsapp’s metadata is not encrypted and can be used by its parent company, also backups are not secure. While telegram’s is opt in (yeah that sucks and here’s there excuse for that https://tsf.telegram.org/manuals/e2ee-simple), they are as secure as signal’s (if not more).
Definitely not. Telegram’s MTProto encryption protocol is garbage
The Signal protocol is far superior. Stop spreading misinformation.
That paper is eight years old and yet there has been no major hack of the Telegram protocol.
That may be true, but it proves that MTProto isn’t “as secure as signal’s (if not more)” as OP said
I am not talking about mtproto lmao. I was talking about their opt-in e2ee feature. Edit: Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.
MTProto is what Telegram uses for “Secret Chats”, their opt-in end-to-end encryption. Normal messages aren’t encrypted at all. They’re stored in plain text on Telegram servers. The fact that E2EE is opt-in already makes this app ridiculous. On top of that, it isn’t even secure or private lol
the fact that E2EE is opt-in already makes this app ridiculous
in matter of privacy, yes. But it have cool features so.
They’re stored in plain text on Telegram servers
No, non secret chats use mptroto but with different schema, thats not plain servers. And no data breach have been reported in telegram yet if it was “that” easy to breach them. From my last comment: “Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.”
But it have [sic!] cool features so.
So what? If minimum requirements are not given, it can be as cool as possible. Only not so smart people think that’s a good deal.
deleted by creator
Removed by mod
deleted by creator
I would prefer telegram because its just not from Meta. There is bounty on breaking telegram’s protocol too.
Telegram sells ads on public channels with consent of owners and the ads are based on the channel data and not users data. They are back up with their crypto schemes, infact idk whats wrong with crypto, they are better for privacy than normal bank transactions. Anyone cant pay from their pocket for lifetime, it was coming since longway because telegram have no parent company to fund it neither its founder are that rich to spend billions of dollars on it every year. Those “nitro” features didnt take anything away from free users tho, also if they are trying to cover up their cost from the userbase that just proves they have no dubious financing from backdoors.
I dont know how rape laws are connected with a messenger being based there. US have its social problems too or wherever signal is located, every country have social issues.
Yeah facebook is big enough reason to not use facebook. On top of that there have been no data breaches, almost no big outages in telegram till date. They offer a lot of features, from bots to channels, to large public communities and much more.
Telegram just claims its private enough and they never said they are e2ee by default, I dont see the misinformation here, yeah they exaggerate it sometimes but the fact that there have been no data breaches in a decade with almost 800 million monthly active users is quite a bit of achievement. They invested on developing their own encryption protocol, it maybe less private but they made it to remove complexities which signal have. There’s no point on having some 100% secure stuff when no one gonna use it due to complexities, telegram have fueled pro democratic protests worldwide and I thank them for that atleast (even they got banned in many countries for doing so).
Multi-device End-to-end encrypted chats are a mess
I’m not going to read it all but matrix managed to deliver on fully encrypted messages that you can have on multiple devices.
Removed by mod
they are as secure as signal’s (if not more
Incorrect. They are trivially breakable as it is unauthenticated DH which is as good as no encryption at all.
good as no encryption at all.
0 data breaches till date.
I’m not saying that WhatsApp is the good guy here, Meta sucks but compared to Telegram I rather trust them if I have to.
And the unencrypted backups are only problematic when you use the automatic Google Drive upload.WHY?
Telegram is a shell company and only offers mediocre, opt-in encryption. The thing I like most about them is their support for 3rd party clients.
I have to use their service for some contacts same as with WhatsApp but I would prefer more secure and privacy friendly alternatives.Removed by mod
He writes as if signal’s devs would have to be quiet about whatsapps encryption
E.g.
Last year, the founders of WhatsApp left the company due to concerns over users’ privacy [16]. They are surely tied by either gag orders or NDAs, so are unable to discuss backdoors publicly without risking their fortunes and freedom. They were able to admit, however, that “they sold their users’ privacy” [17].
Yet signal published multiple posts about how secure whatsapp is. I don’t buy it but it’s not like they would be quiet. (They=moxie) https://signal.org/blog/there-is-no-whatsapp-backdoor/ https://signal.org/blog/whatsapp-complete/
I believe Moxie helped them integrate Signal protocol into WA successfully while preserving user integrity and privacy.
However, it wouldnt be out of the realm for them to make modifications to their custom protocol that Moxie helped design, and turn it into a privacy nightmare after the fact.
Exactly
WhatsApp will be never private and secure, while Telegram will be never private. 😁
Who said telegram is secure?
No one said the opposite, while on WhatsApp they had several vulnerabilities that allowed attackers to get the user phone control.
An example: https://thehackernews.com/2021/04/new-whatsapp-bug-couldve-let-attackers.html
But there were many more vulnerabilities or “features” that WhatsApp allowed attackers or governments to get into user data. While I haven’t read anything about against Telegram security.
deleted by creator
It is secure as secure is logging into your bank account from your web browser.
deleted by creator
I think you are mixing concepts, encryptions isn’t related to “secure” but to “privacy”. On my example, your data on bank is encrypted via SSL which the server has the private key to read it, but it is encrypted. Telegram is the same, your messages are being encrypted by a public key owned by the server, but it is encrypted, just not end to end.
deleted by creator
I’m not qualified enough to argue, but I wouldn’t trust Durov. He’s a competitor, after all. And he has a history of questionable decisions.
Guys, please stop using telegram if you care for your security and privacy
Telegram is not fully open source, sometimes they release the source, but the hashes of the builds don’t even match (so it’s a different source code) 🚩
Zero transparency about data handling, even when they get caught they don’t tell details 🚩 (Telegram in the recent years has got really shady reputation)
Very often ways they implement security is weird: non open source app, non open source server, leaking APIs, use of phone numbers, at some point they started asking for an email, non encrypted chats by default, never encrypted group chats… it can continue forever 🚩
Non-standard encryption is a real red flag, non-open-source 🚩
I know some people that work/worked for the police, and they can read all the messages easy peasy, i was trying to tell to the people many years ago, but everyone was so amused by the stickers. Now you can just read stories of the journalists and activists, and how they got imprisoned with the use telegram 👁️🗨️💀
PLEASE, STOP USING TELEGRAM IF YOU CARE FOR YOUR PRIVACY OR SECURITY
Except if you open source server, there’s no way to verify it is using same code anyways and their client is already open source so waste point.
sometimes they release the source, but the hashes of the builds don’t even match.
When did this happen? Source?
Signal asks phone numbers, emails are universally known. If you don’t want to give them your real phone number, buy one from fragment.com (their web3 service where they sell phone number for crypto). Emails are already public and they ask them only for recovery process and its opt on so there’s no problem with that.
All chats are encrypted by default from private to group using mtproto, where there have been no breaches found yet so stop spreading misinformation.
Again telling personal experience which maybe lie, can you share source of your claims? Which journalist got arrested due to telegram?
You can go and check yourself mr. Senior Officer of FSB, i don’t want to fight for your war
I would spread misinformation on internet and tell others to find source of it 🤓
This is a very good reminder why one should worry about the new messaging standard for interoperability.
WhatsApp users resilient enough not to fall for constant popups telling them to back up their chats can still be traced by a number of other tricks – from accessing their contacts’ backups to invisible encryption key changes [13]. The metadata generated by WhatsApp users – logs describing who chats with whom and when – is leaked to all kinds of agencies in large volumes by WhatsApp’s parent company [14].
It even might result in me thinking that we should have to ban facebook from entering the fediverse because people are lazy and don’t switch to the real fediverse if they can see your posts and contact you directly.
deleted
This is not about getting the data. This data is public.
It’s about market power
Both WhatsApp and Telegram suck. Just like any other messenger that’s either proprietary or not end to end encrypted. Signal is clearly the best choice.
Durov is a suspicious RuSSian who very likely works for FSB. Do not use Telegram at all costs!
Crazy racism
Where is racism there? I’m Russian myself and I know what I’m saying.
Ok, use Telegram, then don’t cry when they leak your data
Yeah you clearly are a russian and you clearly know what you are saying by those intentional caps.
Haven’t you heard anything about the war with Ukraine?
