Why You Should Stop Using Telegram Right Now (gizmodo.com)
Earlier this week, The Intercept evaluated the best instant messaging clients from the privacy standpoint. The list included Facebook's WhatsApp, Google's Allo, and Signal -- three apps that employ end-to-end encryption. One popular name that was missing from the list was Telegram. A report on Gizmodo sheds further light on the matter, adding that Telegram is riddled with a wide range of security issues, and "doesn't live up to its proclamations as a safe and secure messaging application." Citing many security experts, the report states:
One major problem Telegram has is that it doesn't encrypt chats by default, something the FBI has advocated for. "There are many Telegram users who think they are communicating in an encrypted way, when they're not because they don't realize that they have to turn on an additional setting," Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union, told Gizmodo. "Telegram has delivered everything that the government wants. Would I prefer that they used a method of encryption that followed industry best practices like WhatsApp and Signal? Certainly. But, if it's not turned on by default, it doesn't matter."
The other issue that security experts have taken note of is that Telegram employs its own encryption, which according to them, "is widely considered to be a fatal flaw when developing encrypted messaging apps." The report adds:
"They use the MTproto protocol which is effectively homegrown and I've seen no proper proofs of its security," Alan Woodward, professor at the University of Surrey told Gizmodo. Woodward criticized Telegram for their lack of transparency regarding their home cooked encryption protocol. "At present we don't know enough to know if it's secure or insecure. That's the trouble with security by obscurity. It's usual for cryptographers to reveal the algorithms completely, but here we are in the dark. Unless you have considerable experience, you shouldn't write your own crypto. No one really understands why they did that."
The list goes on and on.
It should be obvious... (Score:5, Funny)
The railroads are still here. Shouldn't be surprising that telegrams are still around almost two centuries later.
https://en.wikipedia.org/wiki/Telegraph [wikipedia.org]
Re: (Score:3, Interesting)
Nice try OP, your comment was straight garbage.
I never post as AC. I don't have a problem standing behind my opinions. Unlike some people.
Re: (Score:1)
Ok, I take it back, "sometimes" I post as AC to make myself look better, but it's something generalized and dumb like "best comment ever", so everyone still knows it's me.
Nope. I don't work that way.
Re: (Score:2, Offtopic)
*except when I'm forced to because my comments are the best. ;)
Yawn...
Re: (Score:1)
Stop talking to yourself, OP!
I'm not the AC masturbating in public.
Asinine headline (Score:2)
Don't we get enough one-weird-trick and you-won't-believe-what-happened-next headlines elsewhere? Et tu, Slashdot?
Security by obscurity is fine (Score:1)
Publicly criticizing them and their users is not.
Re:Security by obscurity is fine (Score:5, Informative)
Also, it does not at all apply here. Telegram not only publishes documentation [telegram.org] on how their protocol works, but it also releases the full source code: https://telegram.org/apps#sour... [telegram.org]
So even if the mtproto documentation had a flaw or were not precise enough to fully specify the behaviour (and that often happens!), you could still look into the source code to find out what actually happens.
Why I *do* use Telegram (Score:5, Interesting)
It's the only messenger that:
1. can be used without gapps spyware
2. is halfway popular
3. has the source code released under an open source license
4. has authors who tolerate third party clients connecting to their server. This is not the case for WhatsApp, and also not the case for Signal [github.com]
Thanks to 1 and 3, telegram is available in the f-droid app store. This is why I use it, and I don't want to install software from third party stores like google play or sideload apps.
Yes, the encryption is not perfect, but I prefer that over having to install google spyware that would be required for signal for example.
Re: Why I *do* use Telegram (Score:4, Insightful)
It's not paranoia if they really are out to get you.
Re: (Score:2)
Well, if I were a dissident or something, then I wouldn't use telegram, but probably signal or something else.
But I am more concerned about software freedom, and avoiding google proprietary apps on my phone. And for that, telegram is the only choice. There are other messengers which use proper encryption and value freedom as well, but they are even less popular than telegram.
I do not say that telegram is perfect or that its encryption is safe (I can't tell for myself), but for me personally it's better than
Re: Why I *do* use Telegram (Score:5, Informative)
You could always use Silence (https://github.com/SilenceIM/Silence): it is a fork of Signal that uses only sms/mms, so no gapps required or used. They forked after Signal dropped the encrypted sms option.
Re: (Score:2)
It's not paranoia if they really are out to get you.
That's not Telegram but Telefon [wikipedia.org].
Re: (Score:2)
1) GCM client libs are open source. https://github.com/google/gcm [github.com] You interact with GCM through a REST or XMPP API. You can trivially swap out GApps for one of the GCM-only alternatives, rebuild Signal, and point it to OWS's servers. (If you're building Signal from scratch and using it, rather than repackaging it and advertising it as something other than Signal, OWS is perfectly happy for you to point your client at their servers.)
Maybe OWS would agree with that, but would google? Is use of the GCM service legal if you don't have a valid gapps license?
Also, I don't really know where OWS draws the line, whether a howto posted somewhere on the internet how to download + build without gapps is okay, or whether pushing the modifications to a git repo somewhere is okay. At which degree does it become a separate "product"?
Also, if you download via git and build it yourself with your own modifications, then it's surely harder to update than
Re: (Score:2)
Yes. Read the official GCM (now called FCM) docs.
You seem to know the situation far better than me, so it's probably easier for you to navigate around. Can you give a specific link or something?
you can do a bit of digging to find the relevant GitHub Issues where Moxie has spoken about the issue.
It would be best to have a list of stuff moxie right now considers as okay or not somewhere on github or sth, his opinions on matters do change. If he said something three years ago then that may be something completely different.
Probably the advantage is on my side, due to me doing the customisations just for me, I probably succeed to stay under the radar, and won'
Re: (Score:3)
You mean aside from Silence, which
1) Is entirely open source.
2) Is based on SMS, not IP (plus or minus, depending on whether you view SMS as being the more universally-available transport in your area)
3) Does not have a central server.
4) Supports easy, in-person key exchange.
5) Requires no Google anything, and is the default messaging app for several Android spins that have no Google integration.
Re: (Score:2)
Well SMS has lots of bad properties, one being that lots of bad guys have access to at least metadata.
Also, it costs money. If you tell your contacts "look this costs money", they surely won't like it.
SMS is a lot like the CA system in many ways: outdated, overpriced, old, insecure and broken.
Re: Why I *do* use Telegram (Score:2)
I use Telegram for convenience. Not because sharing gifs with my wife needs to be ultra secure, or anything.
Having clients available everywhere is what got my attention, also the fact it "Just Works™" for my needs.
Re: (Score:1)
It knows my phone number. All this crypto is useless then you are not anonymous.
It's centralized. It's a very bad idea to use centralized services because it's a weak point. Use only federated services.
Re: (Score:2)
Well yes anonymity is a problem about phone numbers, but they are really convenient to use for most users. Their whole address book can be re-used if you have the phone number.
And about centralisation: centralized services are as well more convenient for the users. With federation you will need an @ some way or another (or you will get totally randomly generated usernames, which is shit too). The only escape here seems to be namecoin, but then your address info is public, which maybe is something not everyb
Re: (Score:1)
In case of XMPP your username looks like yourname@someserver.tld. Looks like email. I see no problem here. Random IDs just give you more anonymity. You always have a choice.
Re: (Score:2)
Alphabet marketing person: "Yeah, it would be good in the timeline if there was a review the month after I/O, to legitimize Allo as one of the major players in the messaging App space."
Intercept editor: "The optics wouldn't be good if it was just a review of one App. We could do a comparison of the 'top ten' Apps."
Alphabet: "Make it the 'top three'."
Intercept: "We would
All right! (Score:1)
We can all just re-post pretty much the exact same comments we made a few days ago! Woo hoo!
Re: (Score:2)
Yes, that's obviously an advertisement. However, I think "Allo" will become just as popular as Google+ or Hangouts - both have ignorable market shares in the messenger market. At least Telegram has something of a user base. Signal is nice but their user base is too small yet. Fortunately WhatsApp uses their protocol now.
Yeah STOP OMG STOP PLEASE! (Score:2)
Remember, Telegram only promises high grade encryption for Secret Chats.
This is something you get for free with Telegram and no big corporation can spy on you.
Sorry, you should be very upset about the lack of spying in Secret chats. Stop using Telegram right now before you continue!
You should immediately use WhatsApp which uses your data in ways that will make you shit yourself.
Oh, and also; PLEASE PLEASE PLEASE stop using Telegram. A huge consortium of eavesdropping government bodies and gigantic