this post was submitted on 12 Jan 2024
75 points (76.6% liked)

Privacy


This is an article written by Telegram's founder and CEO Pavel Durov in 2019 on "Why WhatsApp will never be secure". Your thoughts?

[–] cypherpunks@lemmy.ml 75 points 2 years ago* (last edited 2 years ago) (7 children)

Sure, fuck WhatsApp, but Telegram isn't even end-to-end encrypted most of the time. Their group chats never are, and their "secret chat" encryption for non-group chats must be explicitly enabled and hardly ever is because it disables some features. And when it is encrypted, it's with some dubious nonstandard cryptography.

It's also pseudo open source; they do publish source code once in a while but it never corresponds to the binaries that nearly everyone actually uses.

And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just... 🤯

State-sponsored exploits against WhatsApp might be more common than against Telegram, or at least we hear about them more, but it's not because the app is more vulnerable: it's because governments don't need to compromise the endpoint to read your Telegram messages: they can just add a new device to your account with an SMS and see everything.

(╯°□°）╯︵ ┻━┻

Anything claiming to prioritize privacy yet asking for your phone number (Telegram, WhatsApp, Signal, ...) is a farce.

[–] Neon@lemmy.world 21 points 2 years ago* (last edited 2 years ago)

Anything claiming to prioritize privacy yet asking for your phone number (Telegram, WhatsApp, Signal, ...) is a farce.

Yeah, sure. The privacy farce signal.

I'm getting tired of this stupid hardline-take.

Shit, 2019 really was five years ago.

[–] nutomic@lemmy.ml 5 points 2 years ago (4 children)

Telegram isn't perfect, but it is infinitely better than WhatsApp because it doesn't belong to Facebook, and also isn't from the United States. Also it can be used by normies without problem, unlike Matrix or XMPP or what have you.

[–] Dra@lemmy.zip 5 points 2 years ago

Signal is great. Stop being overzealous

[–] qyron@sopuli.xyz 4 points 2 years ago (3 children)
[–] Neon@lemmy.world 13 points 2 years ago* (last edited 2 years ago)

Signal is just fine. This with the phone number is a really stupid hardliner-take.

Something can be private without being anonymous.

[–] lemonuri@lemmy.ml 7 points 2 years ago

Read up on XMPP or Matrix as good alternatives.

[–] Sal@mander.xyz 3 points 2 years ago

And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯

Not only that, but I believe that they actively try to prevent VoIP numbers from being used to create accounts.

[–] UnfortunateShort@lemmy.world 3 points 2 years ago

I don't agree with everything but that last point of yours. Requiring your phone number only means you are not anonymous. There is no need to be anonymous to communicate privately. In fact, it can be counterproductive, since you are much more vulnerable to social engineering.

[–] crispy_kilt@feddit.de 49 points 2 years ago (3 children)

What a load of hypocrisy. The dude uses unauthenticated DH for his app's "secret chats", which a bored student with a laptop can MITM in seconds. Other chats use just TLS, meaning they get to read EVERYTHING.

Use Signal, people.

[–] clot27@lemm.ee 3 points 2 years ago (1 children)

which a bored student with a laptop can MITM in seconds

No, how can a bored student breach e2ee in seconds? Note that no such cases have been reported by any Telegram user so far.

[–] crispy_kilt@feddit.de 6 points 2 years ago* (last edited 2 years ago) (5 children)

Because the DH is unauthenticated, as I already said. Users can't report it because there is no way to tell for them.
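
The general property this exchange is arguing about (a Diffie-Hellman exchange with no authentication step gives neither party a signal when the public values they received were substituted, unless they compare a key fingerprint over another channel), as an added example that is not part of the thread or any messenger's code. The toy group (p = 2^127 - 1, g = 3), the function names and the relay model are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption, illustration only): 2**127 - 1 is prime but far
# too small for real use; real systems use 2048-bit+ groups or X25519.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private exponent, public value g^priv mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Derive a 32-byte key from the DH shared secret."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(key):
    """Short value both users read to each other out of band."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]


def exchange(substitute=False):
    """Run one exchange; return (Alice's fingerprint, Bob's fingerprint).

    With substitute=True a relay (constructed for this example) replaces both
    public values in transit with its own. Nothing in the protocol itself
    fails: each side still derives a valid-looking key.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if substitute:
        _, relay_pub = keypair()
        seen_by_alice, seen_by_bob = relay_pub, relay_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    key_a = session_key(a_priv, seen_by_alice)
    key_b = session_key(b_priv, seen_by_bob)
    return fingerprint(key_a), fingerprint(key_b)


def verified(fp_alice, fp_bob):
    """The out-of-band comparison is the only check that tells the cases apart."""
    return hmac.compare_digest(fp_alice, fp_bob)
```

`verified(*exchange())` is true for an untouched exchange and false when the public values were swapped, which is why the comparison has to happen over a channel the relay does not control.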

[–] LWD@lemm.ee 31 points 2 years ago* (last edited 2 years ago) (1 children)
[–] amanneedsamaid@sopuli.xyz 22 points 2 years ago (2 children)

"Here's what someone who has never created a private messenger thinks about WhatsApp's privacy."

Why would anyone care about what he has to say? 💀

[–] flying_sheep@lemmy.ml 7 points 2 years ago

Owned by Facebook, which is a giant US company.

Of fucking course it has backdoors.

[–] detalferous@lemm.ee 3 points 2 years ago (3 children)

I'm confused regarding why you don't consider Telegram a private messenger.

[–] datendefekt@lemmy.ml 10 points 2 years ago (1 children)

It's been a while since I looked into it, and things might have changed since then, but some stuff off the top of my head:

  • Messages are stored on the server, not on the device
  • end-to-end encryption not enabled by default
  • uses proprietary encryption, making security audits difficult

Apart from that it's somewhat politically questionable, based in Dubai (I think), with dubious financial backing and Russian developers. Because it's closed source and the encryption is proprietary, there's no way of knowing how much info it leaks.

[–] clot27@lemm.ee 4 points 2 years ago* (last edited 2 years ago)

Messages are stored on the server, not on the device

Yes, pretty much necessary to provide multidevice support

end-to-end encryption not enabled by default

True that and Telegram sucks big here, but I don't think e2ee can be enabled in a feasible way for multiple devices.

uses proprietary encryption, making security audits difficult

The MTProto isn't open source but it's fully documented, there have been security audits on it.

dubious financial backing

No. Pavel Durov has always said since starting he paid for Telegram's servers from his pocket, in recent years Telegram has started monetisation programs to cover its costs.

Russian developers

The founders were born in Russia, but they now have dual citizenship of UAE and France. If you are talking about politically questionable, even Signal has been accused of having backdoors for CIA.

[–] amanneedsamaid@sopuli.xyz 3 points 2 years ago

Never has been, no default e2ee, and those exploits that leaked a ton of users' locations.

Not to mention, no messenger is verifiably private unless it is fully open source.

[–] mustbe3to20signs@feddit.de 14 points 2 years ago (21 children)

WhatsApp's e2e encryption is based on the Signal protocol and active by default. Telegram's is opt-in. So much for Telegram's superior privacy...

[–] ReversalHatchery@beehaw.org 2 points 2 years ago

They tell whatever they want until their claims can be validated with the source code. If we take it for granted that they use an original, unmodified version of the Signal protocol programming libraries, there are still multiple questions:

  • how often do they update the version they use
  • what are they doing with the messages after local decryption (receiving), and before encryption (sending)
  • how are they storing the secret keys used for encryption, and what exactly are they doing with it in the code

Any of these questions could reveal problems that would invalidate any security that is added by using the Signal protocol. Like if they use an outdated version of the programming library that has a known vulnerability, if they analyze the messages in their plain data form, or on the UI, or the keypresses as you type them, or if they are mishandling your encryption keys by sending them or a part of them to wherever.

[–] Papanca@lemmy.world 14 points 2 years ago* (last edited 2 years ago) (1 children)

Clicking the link gives me the following warning:

The site ahead may contain harmful programs

Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).

[–] clot27@lemm.ee 4 points 2 years ago (2 children)

Weird, works for me in Firefox with all privacy features enabled, can you please try this link: https://telegra.ph/Why-WhatsApp-Will-Never-Be-Secure-05-15

[–] Pons_Aelius@kbin.social 4 points 2 years ago (1 children)

I got the same warning for the original link with ff as well.

Your comment link didn't throw up a red flag.

[–] clot27@lemm.ee 2 points 2 years ago

Sorry for the inconvenience, thing is this website supports multiple domains and is banned in some countries so we have to use different domains to access it, which might give red flags.

[–] beta_tester@lemmy.ml 11 points 2 years ago (1 children)

He writes as if Signal's devs would have to be quiet about WhatsApp's encryption.

E.g.

Last year, the founders of WhatsApp left the company due to concerns over users' privacy [16]. They are surely tied by either gag orders or NDAs, so are unable to discuss backdoors publicly without risking their fortunes and freedom. They were able to admit, however, that "they sold their users' privacy" [17].

Yet Signal published multiple posts about how secure WhatsApp is. I don't buy it but it's not like they would be quiet. (They=moxie) https://signal.org/blog/there-is-no-whatsapp-backdoor/ https://signal.org/blog/whatsapp-complete/

[–] CaptainSpaceman@lemmy.world 7 points 2 years ago (1 children)

I believe Moxie helped them integrate Signal protocol into WA successfully while preserving user integrity and privacy.

However, it wouldn't be out of the realm for them to make modifications to their custom protocol that Moxie helped design, and turn it into a privacy nightmare after the fact.

[–] beta_tester@lemmy.ml 4 points 2 years ago
[–] Aradia@lemmy.ml 8 points 2 years ago (1 children)

WhatsApp will be never private and secure, while Telegram will be never private. 😁

[–] Asudox@lemmy.world 6 points 2 years ago (1 children)

Who said Telegram is secure?

[–] Aradia@lemmy.ml 5 points 2 years ago (7 children)

No one said the opposite, while on WhatsApp they had several vulnerabilities that allowed attackers to get the user phone control.

An example: https://thehackernews.com/2021/04/new-whatsapp-bug-couldve-let-attackers.html

But there were many more vulnerabilities or "features" that WhatsApp allowed attackers or governments to get into user data. While I haven't read anything against Telegram security.

[–] java@beehaw.org 6 points 2 years ago

I'm not qualified enough to argue, but I wouldn't trust Durov. He's a competitor, after all. And he has a history of questionable decisions.

[–] beta_tester@lemmy.ml 4 points 2 years ago (2 children)

This is a very good reminder why one should worry about the new messaging standard for interoperability.

WhatsApp users resilient enough not to fall for constant popups telling them to back up their chats can still be traced by a number of other tricks – from accessing their contacts' backups to invisible encryption key changes [13]. The metadata generated by WhatsApp users – logs describing who chats with whom and when – is leaked to all kinds of agencies in large volumes by WhatsApp's parent company [14].

It even might result in me thinking that we should have to ban Facebook from entering the fediverse because people are lazy and don't switch to the real fediverse if they can see your posts and contact you directly.

[–] Dehydrated@lemmy.world 3 points 2 years ago

Both WhatsApp and Telegram suck. Just like any other messenger that's either proprietary or not end to end encrypted. Signal is clearly the best choice.
