This is an article written by telegram’s founder and CEO Pavel Durov in 2019 on “Why whatsapp will never be secure”. Your thoughts?

  • Gooey0210@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    10 months ago

    Guys, please stop using telegram if you care for your security and privacy

    Telegram is not fully open source, sometimes they release the source, but the hashes of the builds don’t even match (so it’s a different source code) 🚩

    Zero transparency about data handling, even when they get caught they don’t tell details 🚩 (Telegram in the recent years has got really shady reputation)

    Very often ways they implement security is weird: non open source app, non open source server, leaking APIs, use of phone numbers, at some point they started asking for an email, non encrypted chats by default, never encrypted group chats… it can continue forever 🚩

    Non-standard encryption is a real red flag, non-open-source 🚩

    I know some people that work/worked for the police, and they can read all the messages easy peasy, i was trying to tell to the people many years ago, but everyone was so amused by the stickers. Now you can just read stories of the journalists and activists, and how they got imprisoned with the use telegram 👁️‍🗨️💀

    PLEASE, STOP USING TELEGRAM IF YOU CARE FOR YOUR PRIVACY OR SECURITY

    • Clot@lemm.eeOP
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      Except if you open source server, theres no way to verify it is using same code anyways and their client is already open source so waste point.

      sometimes they release the source, but the hashes of the builds don’t even match.

      When did this happen? Source?

      Signal asks phone numbers, emails are universally known. If you dont want to give them your real phone number, buy one from fragment.com (their web3 service where they sell ohone number for crypto). Emails are already public and they ask them only for recovery process and its opt on so theres no problem with that.

      All chats are encrypted by default from private to group using mtproto, where there have been no breaches found yet so stop spreading misinformation.

      Again telling personal experience which maybe lie, can you share source of your claims? Which journalist got arrested due to telegram?

        • Clot@lemm.eeOP
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          I would spread misinformation on internet and tell others to find source of it 🤓

  • beta_tester@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    This is a very good reminder why one should worry about the new messaging standard for interoperability.

    WhatsApp users resilient enough not to fall for constant popups telling them to back up their chats can still be traced by a number of other tricks – from accessing their contacts’ backups to invisible encryption key changes [13]. The metadata generated by WhatsApp users – logs describing who chats with whom and when – is leaked to all kinds of agencies in large volumes by WhatsApp’s parent company [14].

    It even might result in me thinking that we should have to ban facebook from entering the fediverse because people are lazy and don’t switch to the real fediverse if they can see your posts and contact you directly.

    • LWD@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      As it stands, Facebook can make unlimited, unauthenticated API calls to Lemmy and Mastodon right now… Blocking them only prevents their users from accessing the data.

      Anybody who spins up a server basically gets instant access to that data from other instances, too. You don’t have to ask for permission. They just share it with you.

      Dumb fucks

  • labbbb@thelemmy.club
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    Durov is a suspicious RuSSian who very likely works for FSB. Do not use Telegram at all costs!

      • labbbb@thelemmy.club
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        10 months ago

        Where is racism there? I’m Russian myself and I know what I’m saying.

        Ok, use Telegram, then don’t cry when they leak your data

        • Clot@lemm.eeOP
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          Yeah you clearly are a russian and you clearly know what you are saying by those intentional caps.

  • java@beehaw.org
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    I’m not qualified enough to argue, but I wouldn’t trust Durov. He’s a competitor, after all. And he has a history of questionable decisions.

  • beta_tester@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    He writes as if signal’s devs would have to be quiet about whatsapps encryption

    E.g.

    Last year, the founders of WhatsApp left the company due to concerns over users’ privacy [16]. They are surely tied by either gag orders or NDAs, so are unable to discuss backdoors publicly without risking their fortunes and freedom. They were able to admit, however, that “they sold their users’ privacy” [17].

    Yet signal published multiple posts about how secure whatsapp is. I don’t buy it but it’s not like they would be quiet. (They=moxie) https://signal.org/blog/there-is-no-whatsapp-backdoor/ https://signal.org/blog/whatsapp-complete/

  • mustbe3to20signs@feddit.de
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    WhatsApp’s e2e encryption is based on the Signal protocol and active by default. Telegram’s is opt-in. So much for Telegram’s superior privacy…

    • ReversalHatchery@beehaw.org
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      They tell whatever they want until their claims can be validated with the source code. If we take it for granted that they use an original, unmodified version of the signal protocol programming libraries, there are still multiple questions:

      • how often do they update the version they use
      • what are they doing with the messages after local decryption (receiving), and before encryption (sending)
      • how are they storing the secret keys used for encryption, and what exactly are they doing with it in the code

      Any of these questions could reveal problems that would invalidate any security that is added by using the signal protocol. Like if they use an outdated version of the programming library that has a known vulnerability, if they analyze the messages in their plain data form, or on the UI, or the keypresses as you type them, or if they are mishandling your encryption keys by sending them or a part of them to wherever

    • Clot@lemm.eeOP
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      No. Whatsapp’s metadata is not encrypted and can be used by its parent company, also backups are not secure. While telegram’s is opt in (yeah that sucks and here’s there excuse for that https://tsf.telegram.org/manuals/e2ee-simple), they are as secure as signal’s (if not more).

      • crispy_kilt@feddit.de
        link
        fedilink
        arrow-up
        0
        ·
        10 months ago

        they are as secure as signal’s (if not more

        Incorrect. They are trivially breakable as it is unauthenticated DH which is as good as no encryption at all.

        • Clot@lemm.eeOP
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          good as no encryption at all.

          0 data breaches till date.

      • mustbe3to20signs@feddit.de
        link
        fedilink
        arrow-up
        0
        ·
        10 months ago

        I’m not saying that WhatsApp is the good guy here, Meta sucks but compared to Telegram I rather trust them if I have to.
        And the the encrypted backups are only problematic when you use the automatic Google Drive upload.

          • mustbe3to20signs@feddit.de
            link
            fedilink
            arrow-up
            0
            ·
            10 months ago

            Telegram is a shell company and only offers mediocre, opt-in encryption. The thing I like most about them is there support for 3rd party clients.

            • BearOfaTime@lemm.ee
              link
              fedilink
              arrow-up
              0
              ·
              10 months ago

              You obviously haven’t seen the charts of the metadata that WhatsApp collects. And we know how anti-consuner, adversarial and anti-privacy Facebook is overall with their tracking pixels, ghost profiles, etc.

              Telegram at least doesn’t have the FB dataset. FB knows about me, though I’ve never once in my life been on their website or used anything related to them. Not once. The first I heard of FB I saw immediately the privacy problem with them, and made sure to never have anything to do with them. But they know about me from other peoe posting pics and such, which they then correlate with sites I’ve been on that have tracking pixels. WhatsApp ads a metric shitton of metadata to that pile, with date, time, location, duration of conversations, businesses you’re near at the time, their operating hours, etc, etc. They have a massive, constantly growing dataset, which they can easily correlate elements.

              WhatsApp may be encrypted, but I trust Zuck so little that I wouldn’t doubt they capture keystrokes in app before the message is sent. They have the capability as was shown in a recent research article (though no evidence of it happening).

              Id rather not use Telegram, but it’s far lesser of the two evils. I’m trying to get folks to other apps. Signal doesn’t sell, SimpleX isn’t quite ready, I think Wire has the same stored encryption key issue, though I may be mistaken (I’m not fully clear how it’s managed).

      • beta_tester@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        10 months ago

        Multi-device End-to-end encrypted chats are a mess

        I’m not going to read it all but matrix managed to deliver on fully encrypted messages that you can have on multiple devices.

        • BearOfaTime@lemm.ee
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          ×Years ago*.

          Kills me I was running XMPP on my phone in 2010. Couldn’t get people off SMS to XMPP, though it synced with my desktop messenger even then! Yea, encryption hadn’t been fully sorted yet, but it’s not like SMS has encryption!

  • ⲇⲅⲇ@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    WhatsApp will be never private and secure, while Telegram will be never private. 😁

  • crispy_kilt@feddit.de
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    What a load of hipocrisy. The dude uses unauthenticated DH for his apps “secret chats”, which a bored student with a laptop can MITM in seconds. Other chats use just TLS, meaning they get to read EVERYTHING.

    Use Signal, people.

    • Clot@lemm.eeOP
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      which a bored student with a laptop can MITM in seconds

      No, how can a bored student breach e2ee in seconds? note that no such cases have been reported by any telegram user so far.

      • crispy_kilt@feddit.de
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        10 months ago

        Because the DH is unauthenticated, as I already said. Users can’t report it because there is no way to tell for them.

        • Clot@lemm.eeOP
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          Users can’t report it because there is no way to tell for them

          Atleast the one who breached can tell? no telegram users data have been seen on dark web yet, no person/org have claimed to get any vulnerability in their system. Also if its that easy to breach why govt’s keep banning telegram for not giving them userdata? despite telegram is the biggest app where most terrorist orgs operate, hub of piracy and illegal things, you can call it “public” darkweb.

          • Gooey0210@sh.itjust.works
            link
            fedilink
            arrow-up
            0
            ·
            10 months ago

            Check stories about russian journalists…

            I have some friends working in the police, many years they showed me how they can read messages of like anyone on telegram I was trying to tell people to stop using telegram for years, but now at least therecs some conversation is going on because of the journalists

            • Clot@lemm.eeOP
              link
              fedilink
              arrow-up
              0
              ·
              10 months ago

              I have tried to google, most of them were assumptions or russian agencies using ISPs to login to their account in which case its not telegrams fault. Can you provide a substantial proof?

          • crispy_kilt@feddit.de
            link
            fedilink
            arrow-up
            0
            ·
            10 months ago

            if its that easy to breach why govt’s keep banning telegram for not giving them userdata

            Same reason they ask Apple for backdoors even though they crack iPhones routinely. It’s about legal precedent.

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      10 months ago

      He’s not wrong about WhatsApp, though. WhatsApp is closed source, and did have a string of vulnerabilities that lead to remote code execution. I disagree with the presumption that open source means secure, but their security guarantees can’t be validated to the same extent their competition can be validated.

      Of course, WhatsApp being bad doesn’t make Telegram any good. I don’t think their DH is still vulnerable (MTProto 2.0 has been out for ages now) but as a general purpose chat app, it’s practically worthless in terms of privacy.

      Signal beats WhatsApp/RCS, which beat Telegram, which beats IRC/SMS.

    • nutomic@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      Signal is based in the United States, enjoy having CIA and NSA reading all your messages.

  • LWD@lemm.ee
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    Unlike Telegram, WhatsApp is not open source

    An absolutely meaningless statement when the source sucks. The corporation that releases the source code maintains full control over it, keeping out stuff that security researchers have suggested for years.

  • Arthur Besse@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    10 months ago

    Sure, fuck WhatsApp, but Telegram isn’t even end-to-end encrypted most of the time. Their group chats never are, and their “secret chat” encryption for non-group chats must be explicitly enabled and hardly ever is because it disables some features. And when it is encrypted, it’s with some dubious nonstandard cryptography.

    It’s also pseudo open source; they do publish source code once in a while but it never corresponds to the binaries everyone actually uses.

    And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this was written) is just… 🤯

    State-sponsored exploits against WhatsApp might be more common than against Telegram, or at least we hear about them more, because governments don’t need to compromise the endpoint to read your Telegram messages: they can just add a new device to your account with an SMS and see everything.

    (╯° °)╯︵ ┻━┻

    Anything claiming to prioritize privacy yet asking for your phone number (Telegram, WhatsApp, Signal, …) is a farce.

      • BearOfaTime@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        10 months ago

        Simplex - requires nothing, just install. But you connect with other people by sending a code outside of SimpleX. Though they’ve added a directory service for groups.

        XMPP

        Wire (not Wiremin), though it requires an email account, which is easily addressed with a disposable email.

        Signal is very secure from what I’ve read, despite the phone number identifier.

    • nutomic@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      Telegram isn’t perfect, but it is infinitely better than Whatsapp because it doesn’t belong to Facebook, and also isn’t from the United States. Also it can be used by normies without problem, unlike Matrix or Xmpp or what have you.

      • moreeni@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        10 months ago

        Brother, it has servers all over the world (including the US) where it hosts your data unencrypted. Telegram is nearly not inifinitely better than WhatsApp.

        • Clot@lemm.eeOP
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          Thats just speculation. The fact remains most of the Ukrainians (including their president) used telegram to raise their voice.

          • DrFuggles@feddit.de
            link
            fedilink
            arrow-up
            0
            ·
            10 months ago

            If you’d read the linked sources, you’d know that it’s not just speculation. Regardless of Telegram’s user base, it cooperates with Russian authorities. That remains true whether or not Ukranians use it to communicate. I’m not blaming Telegram for cooperating with Russian authorities as it’s well known that not doing so leads to drastic authoritarian measures.

            But don’t take my word for it: Wikipedia: Blocking of Telegram in Russia

    • Salamander@mander.xyz
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯

      Not only that, but I believe that they actively try to prevent VoIP numbers from being used to create accounts.

    • Gooey0210@sh.itjust.works
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      Bravo, bravo, bravo!!

      Dude, see you on the same side of the barricades when the time comes to fight the centralized army of agent Smiths 👏👏👏

  • amanneedsamaid@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    0
    ·
    10 months ago

    “Here’s what someone who has never created a private messenger thinks about Whatsapp’s privacy.”

    Why would anyone care about what he has to say? 💀

      • amanneedsamaid@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        0
        ·
        10 months ago

        Never has been, no default e2ee, and those exploits that leaked a ton of users locations.

        Not to mention, no messenger is verifiably private unless it is fully open source.

      • datendefekt@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        10 months ago

        It’s been a while since I looked into it, and things might have changed since then, but some stuff off the top of my head:

        • Messages are stored on the server, not on the device
        • end-to-end encryption not enabled by default
        • uses proprietary encryption, making security audits difficult

        Apart from that it’s somewhat politically questionable, based in Dubai (I think), with dubious financial backing and Russian developers. Because it’s closed source and the encryption is proprietary, there’s no way of knowing how much info it leaks.

        • Clot@lemm.eeOP
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          Messages are stored on the server, not on the device

          Yes.

          end-to-end encryption not enabled by default

          True that and telegram sucks big here

          uses proprietary encryption, making security audits difficult

          The MTProto isnt open source but its fully documented, there have been security audits on it.

          dubious financial backing

          No. Pavel Durov have always said since starting he paid for telegram’s servers from his pocket, in recent years telegram has started monetisation programs to cover its costs.

          Russian developers

          The founders were born in Russia, but they now have dual citizenship of UAE and France. If you are talking about politically questionable, even signal have been accused of having backdoors for CIA.