The world seems to be shocked by the news that WhatsApp turned any phone into spyware. Everything on your phone – including photos, emails and texts – could be accessed by attackers just because you had WhatsApp installed [1].
This news didn’t surprise me, though. Last year WhatsApp had to admit they had a very similar issue – a single video call via WhatsApp was all a hacker needed to get access to all of your phone’s data [2].
Every time WhatsApp has to fix a critical vulnerability in their app, a new…
This is an article written by telegram’s founder and CEO Pavel Durov in 2019 on “Why whatsapp will never be secure”. Your thoughts?
They tell whatever they want until their claims can be validated with the source code. If we take it for granted that they use an original, unmodified version of the signal protocol programming libraries, there are still multiple questions:
how often do they update the version they use
what are they doing with the messages after local decryption (receiving), and before encryption (sending)
how are they storing the secret keys used for encryption, and what exactly are they doing with it in the code
Any of these questions could reveal problems that would invalidate any security that is added by using the signal protocol. Like if they use an outdated version of the programming library that has a known vulnerability, if they analyze the messages in their plain data form, or on the UI, or the keypresses as you type them, or if they are mishandling your encryption keys by sending them or a part of them to wherever
No. Whatsapp’s metadata is not encrypted and can be used by its parent company, also backups are not secure. While telegram’s is opt in (yeah that sucks and here’s there excuse for that https://tsf.telegram.org/manuals/e2ee-simple), they are as secure as signal’s (if not more).
I am not talking about mtproto lmao. I was talking about their opt-in e2ee feature.
Edit: Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.
MTProto is what Telegram uses for “Secret Chats”, their opt-in end-to-end encryption. Normal messages aren’t encrypted at all. They’re stored in plain text on Telegram servers. The fact that E2EE is opt-in already makes this app ridiculous. On top of that, it isn’t even secure or private lol
the fact that E2EE is opt-in already makes this app ridiculous
in matter of privacy, yes. But it have cool features so.
They’re stored in plain text on Telegram servers
No, non secret chats use mptroto but with different schema, thats not plain servers. And no data breach have been reported in telegram yet if it was “that” easy to breach them. From my last comment:
“Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.”
And that UX makes it a hard sell to non-tech/privacy folks.
I had a few converts, then they pulled SMS. My converts left.
Telegram has its problems, I completely agree the encryption issue is problematic. But how do you get non-tech people to use a tool like this when to have a new device get the history, or signing into multiple devices simultaneously, requires transmitting an encryption key? I really don’t know.
I know SimpleX is working on this very issue - their current approach requires switching between active devices by scanning a QR code (or sharing code between devices out-of-band). So currently only one device can be active with your credsntials/ID. It has an ok UI, I’d say slightly better than Signal. But it’s security and privacy are just about the best I’ve seen.
This seems to be the big hurdle - people want a simple login, most don’t care if their convos are stored in servers iut means they can just login.
I’m using telegram with a few people for just this reason, since it gets us off SMS. They like that they can use whatever device is in front of them.
Getting people to switch to Telegram is far easier than anything else, since it’s UI is much better than Signal, Wire, XMPP clients (which can be some of the best).
We know exactly how bad Whatsapp is from a privacy standpoint - I’d choose telegram over it any day.
Kills me I was running XMPP on my phone in 2010. Couldn’t get people off SMS to XMPP, though it synced with my desktop messenger even then! Yea, encryption hadn’t been fully sorted yet, but it’s not like SMS has encryption!
I’m not saying that WhatsApp is the good guy here, Meta sucks but compared to Telegram I rather trust them if I have to.
And the unencrypted backups are only problematic when you use the automatic Google Drive upload.
Telegram is a shell company and only offers mediocre, opt-in encryption. The thing I like most about them is their support for 3rd party clients.
I have to use their service for some contacts same as with WhatsApp but I would prefer more secure and privacy friendly alternatives.
You obviously haven’t seen the charts of the metadata that WhatsApp collects. And we know how anti-consuner, adversarial and anti-privacy Facebook is overall with their tracking pixels, ghost profiles, etc.
Telegram at least doesn’t have the FB dataset. FB knows about me, though I’ve never once in my life been on their website or used anything related to them. Not once. The first I heard of FB I saw immediately the privacy problem with them, and made sure to never have anything to do with them. But they know about me from other peoe posting pics and such, which they then correlate with sites I’ve been on that have tracking pixels. WhatsApp ads a metric shitton of metadata to that pile, with date, time, location, duration of conversations, businesses you’re near at the time, their operating hours, etc, etc. They have a massive, constantly growing dataset, which they can easily correlate elements.
WhatsApp may be encrypted, but I trust Zuck so little that I wouldn’t doubt they capture keystrokes in app before the message is sent. They have the capability as was shown in a recent research article (though no evidence of it happening).
Id rather not use Telegram, but it’s far lesser of the two evils. I’m trying to get folks to other apps. Signal doesn’t sell, SimpleX isn’t quite ready, I think Wire has the same stored encryption key issue, though I may be mistaken (I’m not fully clear how it’s managed).
WhatsApp’s e2e encryption is based on the Signal protocol and active by default. Telegram’s is opt-in. So much for Telegram’s superior privacy…
They tell whatever they want until their claims can be validated with the source code. If we take it for granted that they use an original, unmodified version of the signal protocol programming libraries, there are still multiple questions:
Any of these questions could reveal problems that would invalidate any security that is added by using the signal protocol. Like if they use an outdated version of the programming library that has a known vulnerability, if they analyze the messages in their plain data form, or on the UI, or the keypresses as you type them, or if they are mishandling your encryption keys by sending them or a part of them to wherever
No. Whatsapp’s metadata is not encrypted and can be used by its parent company, also backups are not secure. While telegram’s is opt in (yeah that sucks and here’s there excuse for that https://tsf.telegram.org/manuals/e2ee-simple), they are as secure as signal’s (if not more).
Definitely not. Telegram’s MTProto encryption protocol is garbage
The Signal protocol is far superior. Stop spreading misinformation.
That paper is eight years old and yet there has been no major hack of the Telegram protocol.
I am not talking about mtproto lmao. I was talking about their opt-in e2ee feature. Edit: Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.
MTProto is what Telegram uses for “Secret Chats”, their opt-in end-to-end encryption. Normal messages aren’t encrypted at all. They’re stored in plain text on Telegram servers. The fact that E2EE is opt-in already makes this app ridiculous. On top of that, it isn’t even secure or private lol
in matter of privacy, yes. But it have cool features so.
No, non secret chats use mptroto but with different schema, thats not plain servers. And no data breach have been reported in telegram yet if it was “that” easy to breach them. From my last comment: “Also the research you shared is based on mtproto 1.0 which telegram abandoned almost a decade ago and there have been No such defects found in mtproto 2 yet.”
So what? If minimum requirements are not given, it can be as cool as possible. Only not so smart people think that’s a good deal.
deleted by creator
And that UX makes it a hard sell to non-tech/privacy folks.
I had a few converts, then they pulled SMS. My converts left.
Telegram has its problems, I completely agree the encryption issue is problematic. But how do you get non-tech people to use a tool like this when to have a new device get the history, or signing into multiple devices simultaneously, requires transmitting an encryption key? I really don’t know.
I know SimpleX is working on this very issue - their current approach requires switching between active devices by scanning a QR code (or sharing code between devices out-of-band). So currently only one device can be active with your credsntials/ID. It has an ok UI, I’d say slightly better than Signal. But it’s security and privacy are just about the best I’ve seen.
This seems to be the big hurdle - people want a simple login, most don’t care if their convos are stored in servers iut means they can just login.
I’m using telegram with a few people for just this reason, since it gets us off SMS. They like that they can use whatever device is in front of them.
Getting people to switch to Telegram is far easier than anything else, since it’s UI is much better than Signal, Wire, XMPP clients (which can be some of the best).
We know exactly how bad Whatsapp is from a privacy standpoint - I’d choose telegram over it any day.
deleted by creator
I’m not going to read it all but matrix managed to deliver on fully encrypted messages that you can have on multiple devices.
Not just Matrix. The one major XMPP clients use now, OMEMO, does that too.
×Years ago*.
Kills me I was running XMPP on my phone in 2010. Couldn’t get people off SMS to XMPP, though it synced with my desktop messenger even then! Yea, encryption hadn’t been fully sorted yet, but it’s not like SMS has encryption!
Incorrect. They are trivially breakable as it is unauthenticated DH which is as good as no encryption at all.
0 data breaches till date.
I’m not saying that WhatsApp is the good guy here, Meta sucks but compared to Telegram I rather trust them if I have to.
And the unencrypted backups are only problematic when you use the automatic Google Drive upload.
WHY?
Telegram is a shell company and only offers mediocre, opt-in encryption. The thing I like most about them is their support for 3rd party clients.
I have to use their service for some contacts same as with WhatsApp but I would prefer more secure and privacy friendly alternatives.
You obviously haven’t seen the charts of the metadata that WhatsApp collects. And we know how anti-consuner, adversarial and anti-privacy Facebook is overall with their tracking pixels, ghost profiles, etc.
Telegram at least doesn’t have the FB dataset. FB knows about me, though I’ve never once in my life been on their website or used anything related to them. Not once. The first I heard of FB I saw immediately the privacy problem with them, and made sure to never have anything to do with them. But they know about me from other peoe posting pics and such, which they then correlate with sites I’ve been on that have tracking pixels. WhatsApp ads a metric shitton of metadata to that pile, with date, time, location, duration of conversations, businesses you’re near at the time, their operating hours, etc, etc. They have a massive, constantly growing dataset, which they can easily correlate elements.
WhatsApp may be encrypted, but I trust Zuck so little that I wouldn’t doubt they capture keystrokes in app before the message is sent. They have the capability as was shown in a recent research article (though no evidence of it happening).
Id rather not use Telegram, but it’s far lesser of the two evils. I’m trying to get folks to other apps. Signal doesn’t sell, SimpleX isn’t quite ready, I think Wire has the same stored encryption key issue, though I may be mistaken (I’m not fully clear how it’s managed).