> WhatsApp had a severe vulnerability for groups disclosed not so long ago.

It had a vulnerability, but not a severe one, and certainly not one that could be exploited silently or lead to retroactive message decryption.

The vulnerability was: If you pwn the server, you can join a group without being invited, which means subsequent messages would be plaintext to you. However, everyone gets notified of a new arrival.

> Telegram has had no such vulnerabilities as far as I'm aware.

That's because Telegram doesn't encrypt groups or channels at all.

> This reinforced my impression that HN's mantra that "Telegram's encryption is bad" is more a personality cult to moxie than an informed opinion.

I don't particularly like Moxie, personally, but his work stands on its own merits.

EDIT: Because the wording was ambiguous, I want to clarify: I don't particularly dislike Moxie, either. I'm neutral to his personality, largely due to a lack of personal interaction with the man.




> It had a vulnerability, but not a severe one

The problem I have with WhatsApp is not a question of vulnerabilities, it's a problem of trust in ownership of the app's code. There's no way I would ever trust Facebook with anything sensitive enough to require the Signal protocol because the endpoints might be compromised at some point straight from the app itself.


What is the scenario in which Facebook subverts end-to-end encryption on WhatsApp by pushing out a malicious update?


Facebook decides that "their users are better served" by scanning messages locally on the client device and requesting ads based on that content, thereby introducing a privacy and information leak and potentially opening the door to other problems.

I don't necessarily think that's likely, but it's also not entirely implausible that they would do something, intentionally or not, that subverts the threat model/privacy assumptions of its users.

Facebook's interests are not aligned with users when it comes to privacy.


But in that scenario, the change would be announced. I'm asking about the malicious case.


Does Facebook always detail their tracking and analytics platform updates? In any case, my point is that it doesn't need to be malicious for FB to invalidate the privacy expectations that users of encrypted messaging might have.

If it was malicious, they already control the client code and therefore have access to the plaintext anyway.


> The vulnerability was: If you pwn the server, you can join a group without being invited, which means subsequent messages would be plaintext to you. However, everyone gets notified of a new arrival.

If to you owning server => accessing group is not severe, then you should be happy with Telegram's default encryption: it's run of the mill SSL by default, just not E2E. If you own their servers you can read people's conversations too.


Accessing the group means:

1. Announcing your intrusion

2. Only being able to read what people say after you joined

That's a far better security proposition than server operators being able to silently spy on everything you ever send.


> I don't particularly like Moxie, personally, but his work stands on its own merits.

I hear you. What I meant is that although I know the guy has an excellent reputation, I know that because I heard other people say so. I don't really have the technical knowledge to evaluate it myself, and I suspect 99% of the people in HN are in the same position. Therefore, if I were to say "Signal's security is excellent" I would be falling for the cult of Moxie myself, not an informed opinion.


Wait a second. No. You just said, one message upthread, that a reason to pick Telegram was that WhatsApp had a "severe vulnerability for groups" that Telegram didn't have. Forget about the fact that the vulnerability might not have been "severe". Scott points out that you're offering security advice about what group messenger to use despite the fact that you're unaware --- like many people --- that Telegram doesn't encrypt group messages.

Please acknowledge that this happened before continuing to offer more opinions about this subject.


They do encrypt group messages to their servers, just not E2E.

> you're offering security advice

I'm not offering security advice.


> They do encrypt group messages to their servers, just not E2E.

Transport-layer encryption that leaves messages totally readable to the service operator should not be classified as "they do encrypt". It muddies the water and will confuse users.

For the sake of communicating risk effectively, only E2E should count when we talk about encryption. Lack of transport-layer security (TLS, Noise, etc.) simply demonstrates severe negligence and/or incompetence.

> I'm not offering security advice.

Above you said:

> WhatsApp had a severe vulnerability for groups disclosed not so long ago. Telegram has had no such vulnerabilities as far as I'm aware.

A casual observer might read this and think, "Wow, WhatsApp is vulnerable and Telegram isn't. I should use Telegram" despite being even more at risk by choosing Telegram.

Whether it was your intention or not, it will have the same effect on HN readers as formal security advice from any other commenter.


> Transport-layer encryption that leaves messages totally readable to the service operator should not be classified as "they do encrypt".

In that case, you should consider WhatsApp's group security issue as severe.


I don't know how many different ways I can explain why this conclusion is false, but I suspect none of them would sink in.

Maybe the question to your "true or false?" comment to 'tptacek will elucidate adequately why the worst case of the WhatsApp vulnerability is still miles above what Telegram offers in terms of privacy, and even aside from Telegram, would be most generously a sev:medium (but by most measurements a sev:low).


By that definition, AOL Instant Messenger was encrypted too, just not E2E.

It's fine not to keep up with this stuff and not to have solid answers for basic questions about it. I just think you should use a lot more question marks when you write about it.


Whatever definition. Telegram leaves messages exposed to the operator, and so did WhatsApp's group security flaw.

True or not?


> Whatever definition. Telegram leaves messages exposed to the operator, and so did WhatsApp's group security flaw.

No, WhatsApp did not.

Messages are not exposed to the operator. If you exploited this vulnerability, you could not read messages that had already been sent.

Instead, what happens is, everyone is notified of a new arrival, and then can decide whether or not to keep communicating through that channel.

That is NOT the same thing as "leave messages exposed to the operator" in any stretch of the imagination.


Not remotely true; practically a non-sequitur.


> I don't really have the technical knowledge to evaluate it myself, and I suspect 99% of the people in HN are in the same position. Therefore, if I were to say "Signal's security is excellent" I would be falling for the cult of Moxie myself, not an informed opinion.

Sure, but that's not what's happening when people whose day-to-day involves applied cryptography and/or application security are commenting on MTProto and Telegram.

Here's a good read on why Telegram's "contest", which is a challenge meant to create the illusion of resilience, is totally bogus in the context of real-world cryptography: http://www.cryptofails.com/post/70546720222/telegrams-crypta...

The things that the Signal Protocol does well:

1. It maximizes forward secrecy,

2. while working for mobile devices that may be offline or unreachable,

3. and uses authenticated encryption.

https://tonyarcieri.com/all-the-crypto-code-youve-ever-writt...

https://paragonie.com/blog/2015/05/using-encryption-and-auth...

Disclaimer: The last link (the paragonie.com one) was my writing on the subject.
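
Added example, not part of the thread or of any messenger's code: a simplified hash-ratchet model of two properties discussed above (a late joiner can read only what is sent after joining, and authenticated encryption rejects modified ciphertext). `SenderChain`, `seal`, `unseal` and the HMAC-based keystream are constructed for illustration, and the assumption that a joiner receives only the sender's current chain key belongs to this model, not to WhatsApp's or Signal's implementation.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

class SenderChain:
    """Toy symmetric ratchet for one sender (constructed model, not WhatsApp code)."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        # One-way step: the previous chain key cannot be recomputed from the new one.
        self.chain_key = kdf(self.chain_key, b"chain")
        return message_key

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (kdf(key, i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a toy HMAC keystream (illustration only)."""
    stream = _keystream(kdf(message_key, b"enc"), len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ct + hmac.new(kdf(message_key, b"mac"), ct, hashlib.sha256).digest()

def unseal(message_key: bytes, blob: bytes):
    """Return the plaintext, or None if the authentication tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kdf(message_key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(kdf(message_key, b"enc"), len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

def demo() -> dict:
    sender = SenderChain(os.urandom(32))
    member = SenderChain(sender.chain_key)   # in the group from the start
    m1 = seal(sender.next_message_key(), b"sent before the join")
    joiner = SenderChain(sender.chain_key)   # assumption: joiner gets only the current chain key
    m2 = seal(sender.next_message_key(), b"sent after the join")
    joiner_key = joiner.next_message_key()
    tampered = m2[:-1] + bytes([m2[-1] ^ 1])  # flip one bit of the tag
    return {"member_m1": unseal(member.next_message_key(), m1),
            "joiner_m1": unseal(joiner_key, m1),
            "joiner_m2": unseal(joiner_key, m2),
            "tampered_m2": unseal(joiner_key, tampered)}
```
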



