Good article from January 19, 2023 on how Telegram is not as secure as some people might think and as they say themselves:
Q: How secure is Telegram?
Telegram is more secure than mass market messengers like WhatsApp and Line. We are based on the MTProto protocol (see description and advanced FAQ), built upon time-tested algorithms to make security compatible with high-speed delivery and reliability on weak connections. We are continuously working with the community to improve the security of our protocol and clients.
Point 1 of 7 from the article:
1. Not all Telegram chats are equally secure
Let’s go straight to the root of the problem: Telegram is a unique messenger with two types of chats: regular and secret. Regular chats are not end-to-end encrypted. Only secret ones are.
No other messenger does this: even the notorious WhatsApp, part of Mark Zuckerberg’s data-hungry empire, uses end-to-end encryption by default. The user doesn’t need to do anything at all, there are no special checkboxes or anything: messages are protected from all outsiders (including the service owners) right out of the box.
As for messengers that explicitly position themselves as secure and protected, no one at Signal or Threema would ever think of having two types of correspondence: one end-to-end encrypted, one not. Why bother if you can make all chats equally safe without discombobulating the user? But Telegram is one of a kind.
Where do you think this false sense of security comes from? Because people nowadays expect E2EE? So they just assume that's the case for whatever messenger they use?
I was definitely surprised (after I already used it for a while) when I found out that Telegram is not using E2EE by default.
Where do you think this false sense of security comes from? Because people nowadays expect E2EE? So they just assume that's the case for whatever messenger they use?
This is basically how I was introduced to Telegram:
Person: Hey, let's communicate with Telegram, it's private and secure
Me: Ok, great, another app to use. But sure, if that's where I have to find you.
And that right there is how the "security" concept was instilled. I didn't really do much research because I didn't really care, which is on me. But that's how it was pitched, so that's what stuck.
reply
10 sats \ 0 replies \ @ek OP 1 Jan
And that right there is how the "security" concept was instilled. I didn't really do much research because I didn't really care, which is on me. But that's how it was pitched, so that's what stuck.
Yeah, same here I guess since I can't really remember. I probably just noticed how popular it was and also just thought that it should be secure since that's also how it's marketed. Another aspect is that so many group chats are on TG. It also has a nice API for writing your own bots.
So I think it comes down to this: It's just very convenient to trust other people and outsource your research. And sometimes, it's also necessary in some way since we don't have time to do research on everything before using it (?).
Also, I have to admit, what bothers me is not necessarily that they don't use E2EE. What bothers me is that I don't really understand why they are not using it.
But I'll have to do more research on that, lol
reply
This article by Geoffroy Couprie tells you all about the encryption.
Telegram, AKA "Stand back, we have Math PhDs!"
Although it's dated, you can see in detail how they respond and how weak the idea is instead of using thoroughly tested real encryption.
reply
Yes, don't use Telegram! It is "slaveware." "Slaveware" (I am coining this term for 2024) is any damn software program that is not open source and centralized.
Run your own Matrix server then use Element on GrapheneOS, or run your own XMPP server and then use one of the very few XMPP clients on GrapheneOS, or download SimpleX (but it is difficult for the user to plug your server information into the app).
reply
If you don't use something like GrapheneOS or Calyx, but the stock trash installed by the manufacturer, you should behave as if you had Pegasus installed. Therefore every E2EE is defeated, even Signal.
reply
I want to agree but I think using a messenger like Signal is still worth it, even if you use "stock trash installed by the manufacturer". Do you agree?
If we go further down this path, does installing another OS really help? If they exploit your CPU, a different OS wouldn't help, right?
reply
595 sats \ 1 reply \ @0xIlmari 1 Jan
Sure, FOSS is always better for security applications than proprietary garbage. Which is why Signal, Matrix, Nostr are superior to WhatsApp, Telegram, etc.
And yes, hardware can be compromised as well, keyloggers can be installed, for example, Tails OS is not a silver bullet either.
But according to my threat model, it's harder to do these things at a hardware level if you don't have cooperating software. Say a malicious CPU has recorded your secret - how is it going to exfiltrate it out of the device? Without cooperation from the software (and an open source OS wouldn't cooperate), it would need a completely separate communication hardware+software stack built in just for that purpose.
I posit that it would be orders of magnitude harder for hardware manufacturers to hide the presence of such malicious circuitry than it is to sneak in a rootkit with the OS.
reply
I see, makes sense, thanks for your reply!
reply
Where do you think this false sense of security comes from?
Their own marketing: https://i.nostr.build/J52l.png
reply
Here's what I experienced on Telegram: Restrictions have been placed on my use because I shared a link. Afterwards, I told customer support that I wanted to get a premium membership, but I was upset that my usage was limited. My usage restrictions were lifted immediately. 😄😂
reply
What made you think Telegram was secure in the first place?
reply
Popularity and how they advertise themselves (as @sudocarlos and @WeAreAllSatoshi mentioned here and here)
reply