Email or username:

Password:

Forgot your password?
GrapheneOS

Telegram has full access to all of the content of group chats and regular one-to-one chats due to lack of end-to-end encryption. Their opt-in secret chats use homegrown end-to-end encryption with weaknesses. Deleting the content from the app likely won't remove all copies of it.

36 comments
🌹 𝐫𝐮𝐳𝐚 ✅:catjam: (eng🇬🇧)

@GrapheneOS Does it still apply to MTProto 2.0?
en.wikipedia.org/wiki/Telegram

I do not consider Telegram to be a good solution for private communication. it seems that they can still have copies of encrypted and unencrypted messages on the server and the server decides on the encryption parameters.

GrapheneOS

@ruza Yes, it does. Also, proving code correct simply shows it matches a specification. It doesn't mean it's secure. Code that's proven correct can still have bugs both since the specification can have bugs and proving it correct can have bugs.

Oliver D. Reithmaier

@GrapheneOS any resources or info about these e2ee weaknesses you could link to? I've heard this a couple of times already but couldn't find anything myself...

Edit: read the wiki article. Not too much in the know considering crypto to know how grave this is. Would love comments from people who do.

Oliver D. Reithmaier

@DM_Ronin @GrapheneOS let me preface this by stressing that I use signal, and don't really care for telegram as a messenger. All I'm doing here is being curious.
Regarding the things you linked: Green's link is just a lot of stuff about signal, all he says about TG is that he doesn't know how MTProto works or "thinks" it's insecure in some way.
The second link is just the default problem and says nothing about encryption weaknesses(victim probably didn't use secret chats).
The YT link does an audit/validation of the Mtproto model, discloses some vulnerabilities that they say have been fixed.

Wiki states that the model of MTProto 2.0 was audited by Italian researchers. This doesn't really say anything about weaknesses in the current implementation.

@DM_Ronin @GrapheneOS let me preface this by stressing that I use signal, and don't really care for telegram as a messenger. All I'm doing here is being curious.
Regarding the things you linked: Green's link is just a lot of stuff about signal, all he says about TG is that he doesn't know how MTProto works or "thinks" it's insecure in some way.
The second link is just the default problem and says nothing about encryption weaknesses(victim probably didn't use secret chats).
The YT link does an...

Oliver D. Reithmaier

@SupportGrapheneOS_667 @GrapheneOS same here as in my previous comment. This just states the default problem and is also outdated since MTProto 2.0, Kuketz references problems of 1.0, which were real. While I don't like bad defaults, this ultimately is a design choice. The malicious part is calling it private by default. But: That's just bad faith marketing. Microsoft also says their shit is secure. Nothing different.

Anybody got something _recent_ about MTProto 2.0?

GrapheneOS

@somatalos SimpleX is a real private messaging app with end-to-end encryption, and unlike some other non-Signal E2EE messaging apps has perfect forward secrecy.

> talos ▉

@GrapheneOS Cheers for the feedback. I've had a look at the info on their website, even trying out the app it seems like they're doing something pretty unique in the private messaging scene.

GrapheneOS

Telegram has heavily participated in misinformation campaigns targeting actual private messaging apps with always enabled, properly implemented end-to-end encryption such as Signal. Should stop getting any advice from anyone who told you to use Telegram as a private messenger.

GrapheneOS

Telegram is capable of handing over all messages in every group and regular one-to-one chat to authorities in France or any other country. A real private messaging app like Signal isn't capable of turning over your messages and media. Telegram/Discord aren't private platforms.

Carolyn

@GrapheneOS Letters and landlines if you really need to be paranoid, as actual warrants are needed to have them accessed. You can burn the letters afterwards. :)

GrapheneOS

@CStamp Don't use carrier-based calls if you care about privacy. That's the opposite of private. Even Telegram is a far better choice than using carrier-based calls and Telegram does have E2EE for calls. We were talking about messages. They shouldn't be storing calls regardless so it shouldn't be data that's available on their servers persistently rather than just during the call even if they didn't use E2EE.

Madame President

@GrapheneOS CEO of Telegram was just arrested in France and Putin is mad because the guy may have Russian intelligence that France can now tap into.

Bob 🇺🇲♒🐧🪖

@GrapheneOS

And the decentralized XMPP too. 2 different encryption methods just to add to it, 😜

juliam

@GrapheneOS@grapheneos.social signal requiring a phone number is still a tough sell

GrapheneOS

A major example of how Telegram's opt-in secret chat encryption has gone seriously wrong before: words.filippo.io/dispatches/te.

The practical near term threat is for the vast majority of chats without end-to-end encryption: 100% of Telegram group chats and the regular 1-to-1 chats.

Martin Ruskov

@GrapheneOS "The current consensus seems to be that the latest version is not broken in known ways that are severe or relevant enough to affect end users, assuming the implementation is correct. That is about as safe as leaving exposed wires around your house because they are either not live or placed high enough that no one should touch them."
#Telegram #TelegramSecurity #MTProto

DELETED

@GrapheneOS In general Telegram is not the best example for a successful implementation of secure and private communication. Most of their success seems to be based on group chat and the concept of followers. There are definitely better messengers.

DELETED

@GrapheneOS Did anyone ever believe that communication over Telegram or Discord is secure???

DELETED

@ben @GrapheneOS I would say that Signal is not less convenient, but far more trustworthy.

Benjamin Kwiecień 🇵🇸

@doerk @GrapheneOS to me the main difference is the utilization of cloud storage to quickly and accurately synchronize chats across devices. I suppose a platform like Matrix can offer something similar but with better levels of trust than Telegram. Going with something like Signal/XMPP/Delta Chat is probably more secure but ever-so-slightly less convenient. Probably worth it, though

GrapheneOS

@doerk Many people do, look at the angry replies to the same thread on X including harassment directed at our team because of it which is not something we expected. Russian military and special forces uses both for operational communications including coordinating artillery strikes, etc...

WerySkok :verified_think:

@GrapheneOS while there are actual security concerns about Telegram's way of handling data, there has been no known case of the messenger disclosing actual conversations, which means that they still respect the privacy of their users, even if it only stands on their word of honor.

Also, claims about lack of moderation are also fake, Telegram is known for banning channels and users for various reasons.

Overall, all of this is a test of a right for privacy, which Telegram actually was respecting

GrapheneOS

@WerySkok

> Telegram's way of handling data, there has been no known case of the messenger disclosing actual conversations

They like to imply they haven't complied with warrants requesting data but that does not appear to be the case. One example:

spiegel.de/netzwelt/apps/teleg

> Also, claims about lack of moderation are also fake

Not our area of our expertise.

> Overall, all of this is a test of a right for privacy

By misleading users about what they can access and what they provide?

@WerySkok

> Telegram's way of handling data, there has been no known case of the messenger disclosing actual conversations

They like to imply they haven't complied with warrants requesting data but that does not appear to be the case. One example:

spiegel.de/netzwelt/apps/teleg

DELETED

@WerySkok You're right, they are banning channels. Not those of criminals or Neo-Nazis, but those of whistleblowers who published leaked data from the Israeli ministry of "justice"

newarab.com/news/whistleblower

ddosecrets.com/article/israel-

This is yet another reason not to use this insecure garbage app that cooperates with the Russian and Israeli fascist governments.

Go Up