Russia lifts ban on Telegram (apnews.com)
240 points by ComodoHacker on June 18, 2020 | 254 comments



There's so much FUD here about how this must mean Telegram is now insecure, backdoored etc. I sure hope those voicing these opinions actually have used Telegram and understand how it works:

- Telegram does log chats server-side if you want them to (to be able to see your chat history across devices). You don't have to. Telegram supports end-to-end encryption ("secret chats") with no logging -- as far as I know there is no proof that these chats are untrustworthy.

- Telegram groups have never been sacred and they are deleted if they spread illegal information. This is not the same thing as leaking someone's personal chat history, which to my knowledge has still never been done.

I'd be glad to be proven wrong on any of these counts, I use both Telegram and Signal and trust the latter more for obvious reasons (it's completely open source) -- but the fact that Telegram is not perfect in every way does not make it insecure by default.


The Pentagon's guideline for secure military conversations allowed choosing between Threema, WhatsApp or Signal - but it explicitly forbade usage of Telegram.

At the time I knew about the voice call remote exploit in WhatsApp due to their outdated hard fork, and I knew about the XSS RCE bug in Signal's innerHTML mess... so my personal assumption is that Telegram is the only messenger where Five Eyes has at least no protocol-level access and has to exploit the OS it is hosted on.

You can meanwhile look that information up in the Vault 7 or Snowden leaks, so it's already publicly disclosed.

Anyways, if you feel safe using a stock Android ROM that isn’t AOSP and is still using legacy 3.x or 4.x kernels... your general assumption on what is secure is wrong.

Having said that, I don't know whether Palantir's Gotham has access to Telegram's servers. But given their workforce and the sheer amount of RE they hire, the likeliness of Telegram being a target is very high.

So with all that in mind I'd recommend Telegram only with AOSP head and only with secret chats. You don't stand a chance if you are using the public clearnet routing protocols either way.

And this is assuming that you don't use Windows and instead use something like a hardened Kali or Arch-based distro that is updated regularly, uses a secure transport layer for pacman and doesn't allow "some random guy's" GPG signatures, aka you'd have to manually check every source from AUR. If you use Windows 10, you can forget security. If you use Ubuntu or Debian, you can forget security. If you use Steam, you can forget security. If you play any networked games on any of your machines, you can forget security.

Joyful times where private organizations with nearly unlimited resources "hack the planet" and seemingly get away with it.


> so my personal assumption is that telegram is the only messenger where five eyes has at least no protocol level access and have to exploit the OS it is hosted on.

This is a very strange assumption: you mean that the "Pentagon's guideline for secure military conversations" is actually not a guideline for secure conversations, but for exploitable conversations?

Why would the Pentagon tell their own people to use exploitable communications? There's no way of knowing if you are the only one with the capability.

In my eyes this information (which I haven't verified and don't have time to dig into) would rather indicate that the Pentagon believes Threema, WhatsApp and Signal to be secure while they are doubtful about Telegram -- maybe because they know something we don't, or simply because it's harder to audit.


The underlying question really is when the point is reached between "security through trust" and "security through audit".

I'm not in any way claiming that Telegram is secure. But given the problems that legal courts have when the FBI and other three-letter agencies want to get access to Telegram data (and the fact that the company moved their HQ around Europe every time a state wanted access), Telegram seems to me much more trustworthy than, say, any Facebook software.

And I would also argue that the fact that Gotham has full administrative access to anything Facebook sends, and that the end-to-end encryption cannot be verified as both clients never actually connect directly, would also speak against WhatsApp when it comes to their security claims. (Install a firewall on Android and you'll see the WhatsApp gateways/proxies.)

To be honest, I doubt that the Pentagon would trust any software without having seen its source code or at least having full access to the data that's transferred. And I think that's a fair assumption.

The underlying issue is that the field of security is actually not a field of trust - but rather a field of mistrust. Currently I'm mistrusting the Pentagon more than some random dudes I've never seen; which might be the actual point of the discussion: Can we trust the Pentagon given their fuckups in the past?


> that is updated regularly and uses both a secure transport layer for pacman and doesn't allow "some random guy's" gpg signatures, aka you'd have to manually check every source from AUR.

To be fair, all three of those are the defaults on any distro I've ever used. You have to say explicitly "no, I do not want to inspect this PKGBUILD file" in pretty much every AUR helper (and it's worth noting AUR helpers aren't even the supported way of building AUR packages).


> If you use Ubuntu or Debian, you can forget security

Why do you say so?


> Why do you say so? (about Debian/Ubuntu)

Critical security fixing time is years, not days. Also in practice, a lot of people use PPAs to get work done, and this is a critical component in an audited system.


This is absurdly untrue.


> This is absurdly untrue.

I’m just gonna leave these here:

[1] https://security-tracker.debian.org/

[2] https://security.archlinux.org/

...then everyone can compare upstream/downstream fixing times for themselves.

Remember: “not yet assigned” is equivalent to “not fixed”.


If I run applications as a different user or in a chroot without root access, how can there be security issues for any other users, even if it's some game running through Steam?


> chroot

Personally I wouldn't trust chroot alone. There were some privilege escalation bugs available in the past from "forgot to sandbox the cwd" [1] to more sophisticated exploits via "nsswitch in docker" [2].

But, of course, given the number of bugs I'd say that chroot is as secure as it can get. But always take everything with a grain of salt; chroot developers also make mistakes, like everyone.

The problem with chroot is not chroot itself, but all the libraries linked in the binaries. And if I know any statement to be true, it's that game developers on Steam don't give a damn about correctly linking anything. I mean, they don't even get 64-bit right. And we have had 64-bit architecture mainstream since 2005 or so...

[1] https://github.com/aykit/chroot-privilege-escalation

[2] https://nvd.nist.gov/vuln/detail/CVE-2019-14271


Is it really Clearnet if there is end to end encryption?


> Telegram supports end-to-end encryption ("secret chats") with no logging -- as far as I know there is no proof that these chats are untrustworthy.

The argument I've heard is that Telegram uses their own encryption protocol. The rule of thumb in cryptography is "don't roll your own crypto".

The reason why that statement exists is because there are _countless_ examples of teams coming up with their own, new cryptographic mechanisms that either break (intentionally or not) or were written with a backdoor. People get incredibly clever when it comes to breaking encryption.

AFAIK the only way to be on the right side of this argument is to use a time-tested encryption protocol. However, there are even instances where some protocols have been live and in production for x years before discovering that a backdoor has been in the code since day one.


> The rule of thumb in cryptography is "don't roll your own crypto".

This phrase is tiring to hear in this form, and your understanding seems to be incomplete here. Signal also rolled its own crypto, but you don't see anyone saying it's insecure for that reason. That phrase is used to tell non-cryptographers not to roll their own crypto because of the high chances of vulnerabilities being introduced. In the case of Telegram, the company defends its protocol saying that it's been created by people with PhDs in mathematics (which is related to and is foundational for, but different from, cryptography). Telegram's encryption protocol (the second version) has not been broken by anyone to date.


>In the case of Telegram, the company defends its protocol saying that it’s been created by people with PhD in mathematics (which is related to and is foundational for, but different from, cryptography).

It was created by Nikolai Durov who has a PhD in geometry. That's like a gynaecologist performing brain surgery. Specialization matters. Sure, both took a human anatomy 101 class in college, but somewhere along the way they went and spent their ENTIRE career doing different things. It's easier to get another degree in medical science, sure, but in this case the gynaecologist did not; they just started cutting the brain with a kitchen knife, and just because their patients haven't died yet doesn't mean they have the credentials to abandon best practices.


MTProto 1 was the problematic protocol that continues to haunt Telegram despite its deprecation for MTProto 2 which is built on standard crypto primitives.


This is a fun phrase that, as a non-crypto person, seems reasonable to me, but I always wonder if there's something of a confirmation bias.

> The reason why that statement exists is because there are _countless_ examples of teams coming up with their own, new cryptographic mechanisms that either break...

But aren't there _countless_ examples of this in crypto made by cryptographers?

I'm not playing devil's advocate, I don't really have a stake here. :)


Not a crypto expert either, but from what I've gleaned listening to e.g. Peter Gutmann describe evaluating new crypto mechanisms, you'll see that:

1. Actual cryptographers usually design with a set of constraints that make their crypto work: those might be about compute power, or memory bandwidth, or what have you, that make an algorithm difficult to brute force.

2. The algorithm will typically be peer-reviewed to try to weed out mistakes, either fundamental mathematical ones, or in the assumptions.

3. The implementation then needs to be high quality.

There is certainly no shortage of examples where systems which pass 1 & 2 are undermined by failures in 3. All algorithms are susceptible to the context around 1 changing (changes in compute power or whatever).

When you go it alone, you're assuming that you won't make any mistakes in any of these. That seems a pretty tall order.


The principle is that cryptography is so hard that even the experts screw up, but a non-expert's chances of screwing up are so much greater.


I would phrase it more as "there is no margin of error in cryptography".

In machine learning, a model that works 90%, 95% of the time is pretty good.

A glitchy video game can still be fun as long as the glitches don't happen too often or cause a loss of too much progress.

Even a filesystem that doesn't lose most people's data, most of the time, will have a lot of adherents.

But if your cryptography implementation isn't completely perfect, it's frequently just 100% useless for its intended purpose.


What really sets cryptography apart is that for a non-expert, there is no way to tell whether it's correct or not. Most bad software has bugs that can be found by users. A bad ML model will do poorly in validation.

But a bad crypto implementation will work. For all intents and purposes, it will appear completely fine. Users will get their messages. The bitstream will appear completely random. At least, until somebody with expertise in breaking crypto systems digs into it.


>But a bad crypto implementation will work. For all intents and purposes, it will appear completely fine. Users will get their messages. The bitstream will appear completely random. At least, until somebody with expertise in breaking crypto systems digs into it.

And that applies even if they're using AES but the wrong mode of operation. That applies even if they're using best practices like AES-GCM but the CPU doesn't support AES-NI and a cache timing attack allows key exfiltration.

Like SwiftOnSecurity wrote:

"Cryptography is nightmare magic math that cares what kind of pen you use. Should math care what kind of pen you use to implement it? No, but Fuck You, this is Cryptography."

The attacks are incredibly subtle for even the best systems, and Telegram is so far away from even adequate that it's difficult to emphasize, so I'll try with my best restraint:

TELEGRAM FUCKING LEAKS EVERY GROUP MESSAGE TO THE SERVER WHICH IS THE EXACT EQUIVALENT OF A FUCKING BACK DOOR.

I hope that didn't leave anything unambiguous.


Group messages on Telegram and normal messages are explicitly not encrypted in order to allow multi-device operation. That is explicit. I don't see how that has anything to do with the security of MTProto.


Also notable is that it can't be fixed or patched in the way you'd expect for any other software -- once it's found broken, everything that ever used it is now broken unless it's re-encrypted. There's no migration path to the fixed version.


If Telegram crypto actually worked, they'd make far more money licensing the crypto than just running a chat app.


Who would buy the licenses? In a world where the libraries for the Signal protocol are free, lol.


Assuming that money is what they're after. Are you reading Durov's channel on Telegram? Also, having invented the Russian Facebook and been forced to sell it to the Kremlin - I don't think he needs any more money. He's playing a totally different game. I don't know which one though.


Pavel Durov is so mind-bogglingly rich that he had a good shot at being a Russian oligarch, and decided not to. I don't think that's an argument.


The thing about crypto is that it works in pieces. I'm sure it takes 12+ libraries to make an end-to-end encryption work. Signal has this same problem.


> Telegram does log chats server-side if you want them to

Trying to assume good faith here that this is accidental and not trying to deliberately mislead but the way this is phrased strongly implies that server-side logging is off-by-default. It is not.

Nor are secret chats prompted or prominently advertised in the UI (it's the 2nd option when you go to create a new group, never seen when initiating new 1:1 conversations).

I would wager most Telegram users don't know about secret chats, or if they have heard of them they probably assume they're on by default.


> but the fact that Telegram is not perfect in every way does not make it insecure by default.

It literally does though.


Right. It has the ability to opt-in to E2EE messaging, but by default it's insecure.


- Telegram does NOT support E2E encryption on their desktop and web version of the software.[1]

- Telegram requires a phone number and in my country for example it is tied to you (yes, you need to sign a contract for even a prepaid SIM card).

[1] https://tsf.telegram.org/manuals/e2ee-simple


Also,

- Telegram does NOT support E2E encryption for group chats on any platform.

- Telegram does not use E2E encryption for ANYTHING by default.


"Telegram does log chats server-side if you want them to"

No. Telegram forces you to log all Windows / Linux desktop client chats and all group chats to their server. You don't have a choice with those. Also all chats in general are logged by server by default.

For Signal, the server being able to eavesdrop on 100% of group messages would be a complete failure, a backdoor that would cause everyone to abandon Signal. For Telegram it's the primary design principle. So Telegram is in fact backdoored by design.

>Telegram groups have never been sacred

Yeah, it says that right there on the front page. This "obviously" propaganda actually hurts people, and not just in the way I die a little inside from reading it.

> This is not the same thing as leaking someone's personal chat history

This is no standard of anything. "Oh it's fine that Telegram and anyone who hacks their server spies on you, it's only problem if they intentionally leak your chat history". Screw this kind of thinking.

>which to my knowledge has still never been done.

I've never seen such moving of goal posts in my life.

>I'd be glad to be proven wrong on any of these counts,

You can't just define the context to your liking and then prance about when nobody can win the argument of your rigged rules.

>but the fact that Telegram is not perfect in every way does not make it insecure by default.

This is called nirvana fallacy. Signal isn't perfect either. But it's at least E2EE by default which is the norm these days.

Your comment is not thoughtful at all, it's indistinguishable from shill arguments. I hope you feel ashamed.

--

For professional cryptographers and security experts, it's enough that the first protocol wasn't IND-CCA secure. That alone tells the professionals the app is no good to any extent. Telegram loses at that point and it'll never advance to some next round. There will never be a community-based code review or stamp of approval; that ship has sailed. The developers have lost face permanently.

The evidence of this is that no professional cryptographer has recommended Telegram at any point. Instead, world-renowned experts like Schneier and Matt Green have advised against using Telegram. There's nothing Telegram developers or the community can ever say that undoes expert opinion.


The most likely reason is that Telegram is too convenient and too useful.

Every agency in the government has an official account. The president’s spokesman uses it to communicate with members of the media. Most recently it was successfully used to disseminate guidance on COVID-19.


> Most recently it was successfully used to disseminate guidance on COVID-19.

Or propaganda, given the (credible) accusations against Russia on misinformation campaigns.

edit: I'm referring to the fact that Telegram is the most popular service for German conspiracy myth spreaders (e.g. former stars Attila Hildmann and Xavier Naidoo), especially in regard to the COVID19 crisis. Unfortunately I'm unaware of decent English articles, but here's a good German starter: https://www.br.de/nachrichten/netzwelt/messengerdienst-teleg...


That's exactly why you want to use something like Telegram if you're in the West: it's not controlled by a Western government.

I don't care much for the conspiracy nuts, but their ability to communicate with each other would surely have been terminated had they used WhatsApp.

It's fine to use WhatsApp to praise Obama, Merkel or anything else that is widely accepted in your society etc, but it's a terrible choice if you're on the shit list of the government.


>That's exactly why you want to use something like Telegram if you're in the West: it's not controlled by a Western government.

Telegram has headquarters in the UK, a Five Eyes country. It's not unreasonable to assume that its unencrypted comms are monitored by Western gov agencies.


Good point. Also, two of its servers reside in the US. And in Malaysia, the server is "fair game" to NSA hackers (as well as any other foreign government).

The non-E2EE comms are a joke and a liability of insane proportions.


>it's not controlled by a Western government.

That doesn't mean it can't be trivially hacked by a Western government. When you're using a service that isn't using E2EE, you're just making two statements:

1. I don't trust Western companies

2. I haven't the foggiest wrt computer security or cryptography


You can do whatever you want using WhatsApp (it has proven solid e2e encryption); the key difference to Telegram is it requires a phone number to use, which instantly reveals your real identity to any snoop, snitch or government mole.

If it were that easy to influence WhatsApp, India would not have a real problem with WhatsApp-mobilized lynching mobs.


> it has a proven solid e2e encryption

Correct. It then goes on to - by default at least - upload everyone's messages unencrypted to Google Cloud.

> the key difference to Telegram is it requires a phone number to use which instantly reveals your real identity to any snoop, snitch or government mole.

I usually defend Telegram but here I think you are wrong. Telegram also requires a phone number to sign up.


Session (Signal fork) doesn't require any information. It's end-to-end encrypted by default, and it connects via an onion routing network (LokiNet). And so only LokiNet nodes see the IP address that you connect through. But of course, you connect to them through VPNs or nested VPN chains.


Links for the curious:

https://getsession.org

https://arxiv.org/pdf/2002.04609.pdf

https://github.com/Loki-project

Seems to somehow be associated with the working group for Loki cryptocurrency, but not using blockchain to store messages or message contents, per FAQ.

https://docs.loki.network/LokiServices/Messenger/Session/

https://docs.loki.network/Mining/MiningOverview/

https://github.com/fireice-uk/xmr-stak


As I understand it, Session uses LokiNet, and there are also sites, analogous to Tor onion services, and potentially other services. However, running LokiNet nodes requires a substantial stake, which is payable in Loki. The stake is at risk for malicious behavior, and nodes get paid in Loki for services that they provide to the network. Perhaps some features require user payments, but I haven't researched that.


I've looked into it a bit more. It uses a cryptocurrency based on Monero called Loki. Service servers are paid out for maintaining the network. It's also possible to mine the crypto. There seem to be software wallet apps available for iOS and Android.

LokiNet reminds me of a self-funding, P2P, decentralized, anonymous analog, with massively more functionality, of the Google Jigsaw[1] project called Outline[2], which runs shadowsocks[3] on Digital Ocean droplets or your own Linux infra.

[1] Jigsaw, formerly Google Ideas: https://jigsaw.google.com

[2] Outline: https://getoutline.org

[3] Shadowsocks: https://shadowsocks.org


Here's a concise statement about "Why LokiNet?": https://github.com/loki-project/loki-network/blob/master/doc...

Some excerpts:

> TL;DR edition: an onion router with a tun interface for transporting ip packets anonymously between you and the internet and internally inside itself to other users.

> "What if I2P was made in the current year (2018)? What would be different?"

> In short we want to permit both anonymous exit and entry network level traffic between LLARP [aka LokiNet] enabled networks and the internet.

> In short, I want to take the "best parts" from Tor and I2P and make a new protocol suite.


> You can do whatever you want using Whatsapp (it has a proven solid e2e encryption), the key difference to Telegram is it requires a phone number to use which instantly reveals your real identity to any snoop, snitch or government mole.

Both Telegram and WhatsApp required a phone number last I checked, but you can install Telegram on a desktop using a dumb phone for activation; you don't need to run the app.

> If it were that easy to influence Whatsapp, India would not have a real problem with Whatsapp-mobilized lynching mobs.

India has no jurisdiction over WhatsApp. They can ask Facebook nicely, but that's about it.

To stop communication you don't need to read WhatsApp-chats. You just disable the accounts that you want silenced. And you can't do that if you don't have control over the service (hence Western extremists use of Telegram).

If you're Russian and you want to talk about how to free yourself of Putin, use WhatsApp or Signal, that is: an American provider. If you're American (or living in an American province) and you want to talk about how to free yourself of Washington, you use Telegram (or a Chinese messenger). Even if none of them can ever read your chats, they can a) use the metadata and b) disable your ability to communicate.

This also applies if you're a common criminal: US cops will have a much easier time getting metadata on your communication from WhatsApp than from Telegram. It's generally a good idea to know your threat model. Unless you're a Russian oligarch or ex-FSB, the FSB is not your problem. But your local domestic intelligence service may be, if you ever step out of line.


> instantly reveals your real identity to any snoop, snitch or government mole.

Yeah, WA isn't anonymous. The problem is with Telegram storing all your private messages on their cloud: by hacking the server, and just knowing your username, a state-level attacker learns everything about you, metadata and content, and because there's no forward secrecy it will date back basically forever unless you're constantly deleting logs, and even then you can only hope Telegram also erases their backup tapes.

>If you're American (or living in an American province) and you want to talk about how to free yourself of Washington, you use Telegram

That's just stupid; why would you want a less secure architecture to criticize Americans? The NSA can trivially hack Telegram servers to see your criticism if they want. You want E2EE for your dissident group no matter what, thus Signal will always remain the better choice.


By default, Telegram does store all your messages on their server, whose encryption cannot be trusted.

By default, WhatsApp uploads all your messages to Google Cloud in clear.


The problem being, of course, that you can then potentially be blackmailed by the foreign intelligence agencies...


That's true, yes, but I believe it only applies if you are a high-ranking official or work in a very sensitive position. Either of those is usually a good indicator that you're okay with "the system", are not a threat to it and your country's intelligence services won't go after you.

I don't think the average citizen has to worry about the FSB finding their kinks and blackmailing them. You don't kidnap poor people's children for ransom, you don't blackmail people who have no special powers.


> It's fine to use WhatsApp to praise Obama, Merkel or anything else that is widely accepted in your society etc, but it's a terrible choice if you're on the shit list of the government.

That's actually not always true. Racism is widely accepted in many areas of American society, but online platforms are beginning to make more of an effort to restrict outright hate (Twitter, for example).

LOL, also I would like to point out the current President of the United States is the archetypal Obama-hater, so... I don't know if it makes sense to talk about the government coming down on people who don't praise Obama. I would imagine President Trump also talks a lot of trash about Merkel, so, again, the current chief executive of this one particular government very publicly espouses the beliefs you claim that same government would crack down on.

I mean, there's also Fox news. Not praising Obama or Merkel. Very much active.

My point is, even if your point may be true, the examples you chose, when compared against some real-world data-points, undermine your own position.


Obviously President Trump would prefer Twitter to Telegram, at least if he's still on a bleach & laser kick, given that the original URL says "propagandizing suicidal behavior" is one of their blacklist categories. :-)


Here’s the Moscow channel if you want to judge the content for yourself:

https://t.me/COVID2019_official


I love the logo of the knight on the horse stabbing the dog sized covid virus.


It's a riff on Moscow's coat of arms: https://en.wikipedia.org/wiki/Coat_of_arms_of_Moscow



> Or propaganda

Says a Westerner whose entire ration of "news" also consists of propaganda.


One of the big reasons was also the fact that they failed to ban it. They could not enforce it at all without blocking half of the websites, because of Telegram's clever networking shenanigans, so everyone was still able to use it (without a VPN or anything).

Even Russian government officials have official Telegram channels. All the "news" sources quote Telegram channels all the time. All pro-gov celebrities and stuff.

It was not a ban, but a farce that made the regime look like incapable fools. Not that they are not, but they don't want to emphasize that so much. Not that they don't, but at least not make it that obvious. Not that it isn't, but...


They couldn't block it even while taking down half of all websites, including GitHub.

At the same time government officials kept using it, including those in charge of blocking it.

It was an "old man yells at cloud" travesty from the beginning.


The problem is, people think Telegram ban means Telegram is secure from Russian state actors.

The truth is, Russia employs hackers of their own that hack Telegram's servers without trace and read messages of anyone they find interesting.


> One of the big reasons was also the fact that they failed to ban it

Of course. So now that it's not banned, it's no longer a tech defined as against the system.

But it doesn't matter really. They don't need to have anything to send you away in Russia.


Let's be honest, the real reason to use Telegram wasn't security. I mean, whenever the topic comes up here, moxie (or his advocates) pops up and tells us it's trash and we should all use Signal instead.

The real reason to use Telegram is that it's miles away the best messaging program out there. It's as user-friendly as WhatsApp while having completely seamless desktop/mobile integration (something WhatsApp and Signal have failed to do), it only requires a phone number for the initial signup, and generally speaking it has all sorts of cool features and less bullshit than the alternatives.

Then there are the little things - you can create multiple accounts and switch seamlessly, you can delete whatever message from whomever for everyone without leaving a trace (if it bothers you just switch to secret chats), all links are listed in each convo, you have pretty much unlimited and unrestricted cloud storage, etc.

Then you have all the gravy like cool tools for group chat admin, channels, and bots of course. You can order a taxi or search up a book on Sci-Hub (bypassing countrywide blocking) with Telegram. You can even do bizarre stuff like discover people around you or verify your identity on a service with Telegram.

Yeah my texts are probably being read by the FSB. So what? Better that than the NSA, frankly. If I really want secrecy I'll use Tor or Signal.


> you can create multiple accounts

Only if you have multiple phones. One account per number.

> Yeah my texts are probably being read by the FSB. So what? Better that than the NSA, frankly.

I can't tell if this is a joke. If it's not, it's fairly insulting to everyone who believes in a world with privacy and freedom.


If I am living in the USA and the FSB reads my messages, what can they do to me if they don't like what I say?

I personally think the NSA has jurisdiction to do more to American citizens in the USA. I would be extra careful about the NSA if I were on an H-1B.


I think a better example might be China.

Let's say you say something less than pleasant about China, or you like Winnie the Pooh.

China has already demonstrated the will and influence necessary to extend pressure on other companies, governments, etc. to deal with such things... and you have far less recourse (if any) to deal with (or know about) it than with most anything.

I post this a lot but it's true:

“Injustice anywhere is a threat to justice everywhere. We are caught in an inescapable network of mutuality, tied in a single garment of destiny. Whatever affects one directly, affects all indirectly.”

― Martin Luther King Jr.

But let's also be clear that much like your data being held by a corporation, leaks, etc all happen... if Russia has it, so may someone closer to you.


It’s already been proven that the NSA also surveils US citizens via PRISM and so on; I think what he’s trying to say is this should be a bigger concern than some foreigners.


Well as my quote indicates I agree.

But I think it is also unhelpful / inaccurate that for every non-free nation that comes up we get these sorts of "What about this place!?!?" false-equivalency arguments.


This is indeed exactly what I'm intending to say :)


> what can they do to me if they don't like what I say?

Leave a little nerve agent on your doorknobs.


Based on historical statistics, there's an approximately 5 in 8,000,000,000 chance of this actually happening, and if you've never talked to a Russian in your life, the statistic drops to 2 in 8 billion (those poor souls who were injured accidentally).


30 million dead Ukrainians disagree with your statistic.


That is an inflated statistic of people in the USSR killed by the tyrant of their own country. If anything it supports the point made above.


I am acutely aware of the Holodomor. However those who died in the Holodomor were not killed by nerve agents, they were killed by forced starvation.


That would be the UK government; it has nothing to do with the FSB (which is btw ~ the FBI of Russia) or the NSA.


They can blackmail you with any information that came up in your private conversations, that you'd rather keep private.


I think the actual danger to me from either organization is approximately nil. So it makes little sense to rank them this way.

Also the FSB would probably report on you to the US govt anyway, if you were actually up to something big enough that the NSA would have taken interest.


That is a wild stance indeed. An exercise I can do:

Go to, https://transparency.twitter.com/en/information-operations.h...

Download,

Internet Research Agency (October 2018) - 3613 accounts

Tweet information (1.2GB)

Search,

mytwitterusername

And there it is, Russia's efforts at influencing my account or using its messaging to influence others. Targeted attempts to get users to click rigged links. Psy-op mind fucking.

Do I really want to give this type of government more data to fuck with me or people in my orbit? Just because "better than NSA," whatever that means?

No I'll pass on that give me privacy from all the alphabet boys please.


I agree with your conclusion. I am simply not sure what an average person can realistically do against a state actor. Right now, I read parent's comment as 'play them against one another in hopes they won't share data'.


> Yeah my texts are probably being read by the FSB. So what? Better that than the NSA

Being funneled to the FSB doesn't prevent them from being read by the NSA, it's just one more opportunity for the NSA to intercept them.


I'd add to that: actually native client, not just some slow Electron thing, you can scale the font in the client(!), easy to work with bot API, allows other clients to access their servers.

The one thing that keeps me from using Telegram as my primary messenger is the low maximum line-width that makes it feel like you're on mobile even if you're using the desktop client. But UX, especially speed, is just amazing.


More than just one native client: depending on your platform, there are multiple clients! So if the official client doesn't do it for you, you've got a choice, and if you're so inclined you could even write your own!

On macOS I use the semi-official Swift/Cocoa client instead of the main Qt-based one.

Other messaging apps wouldn't be so bad if alternative clients were a possibility, because inevitably someone would build better clients. Messaging app platforms should have open APIs and welcome third party client devs, not chase them away.


The native client also has benefits that don't come from electron and a javascript vm, being able to use 9 GB of swap and remaining performant!


> The real reason to use telegram is that it's miles away the best messenging program out there.

That, and it's not Facebook-owned, a company which has a very detailed track record of lying and abusing private information.

Telegram as a Messenger/WhatsApp replacement for the general public is solid gold, even if state security agencies were able to peek in it.

It all depends on your threat model for a given information exchange you're going to have and who you consider to be your adversary.


There is no reason to believe telegram is in bed with the FSB.

The company does not have servers in Russia, the software wasn't developed in Russia, etc.

The only reason one could make the connection is that it was developed by a Russian. A Russian that gave up a lot specifically not to cooperate with the Russian government.


> the software wasn't developed in Russia, etc.

But it was developed in Russia. Durov was lying to the world that developers were abroad, out of reach of Russian authorities, when in practice they were in Saint Petersburg just a floor below VK.com developers (a previous company by Durov, now controlled by the Russian government via proxy pocket oligarchs).


>by the FSB. So what? Better that than the NSA,

Care to explain?


Would you rather have the cops with jurisdiction over where you live read your mail, or have the cops who have jurisdiction over somewhere that has no effect on you read your mail?

He probably lives in the USA where the FSB is less likely to oppress him than US government agencies are.


It's a little funny though: living in the US means the FBI needs a warrant to read your messages and the NSA isn't supposed to at all (there was a huge scandal when they did!).

On the other hand, it's the NSA's job to read all the FSB's data. So by using the non-US-based program, you make it easier for the US government to spy on you.


Isn't that one of the reasons for Five Eyes? The NSA isn't supposed to spy domestically but thankfully MI6 can do it for them and vice versa. Problem solved!


We've known for years that the US government doesn't care and has millions of loopholes around it, so in practice the NSA does read your messages.


Hasn't the FSB proven that false? They've been caught poisoning dissenters on foreign soil many times in the past several years.


Are you a high profile enemy of the Russian state? Probably not. People seriously have a strange idea about how important they are to some intelligence agency. There are billions of messages being sent every day and I guarantee you the FSB or the NSA don't crawl through your grocery list.

Every time these discussions come up people sound like they think they're El Chapo or Ai Weiwei, in which case yes, don't use telegram. If you're an average citizen these agencies couldn't care less what youtube videos you share.


This should be a top comment in each Telegram privacy-related post or thread. Everyone is OK with Google reading their e-mails and having full access to their search details, Facebook reading their messages, and third-party ad companies profiling them through pixels, but at the same time they start complaining that the FSB may read their Telegram messages (not proven btw).


Google and Facebook “read” that personal information by algorithms and by robots not by humans (except rare mistakes) to show you better advertisements.

FSB would try to read that information to try to damage the countries, to spy, to steal databases, to hurt people and so on.

If FSB could read private messages of US citizens it would be 1000 times worse than Google or Facebook reading them even accounting for leaks and misuse in G and FB.

G and FB are thousands of engineers who love unicorns and rainbows and are extremely offended when they see a person wearing a MAGA hat. The FSB is men who regularly drink vodka, who are trained to kill, who are not allowed to leave Russia, who are constantly told that Russia is surrounded by enemies.

Don’t compare G and FB to FSB.

(I doubt FSB can read Telegram.)


"FSB is men who regularly drink vodka"

And have a pet bear that plays balalayka.


Be careful not to conflate "I don't want them reading my messages." with "I'm worried they will assassinate me in my home country."


You need to have really pissed them off for them to poison you, much like how you really need to piss the Department of State off for them to drone strike you, or to throw you in a sack, mark it 'DIPLOMATIC MAIL', and ship you to Gitmo.


Yeah, but they're not gonna open that can of worms on a whim, whereas if the ATF catches wind of all that fertilizer you bought they're gonna incompetently shoot your dog regardless of the fact that you just want to peacefully break up some boulders into small enough pieces for your tractor to move.


Dissenters? Skripal is a former GRU traitor.


There's a spectrum between the Russian state is willing to risk people, money to kill me, and the Russian state is willing to have local Russian police throw me in prison (or local right wing thugs beat me up) because I'm openly gay ...


>Let's be honest the real reason to use Telegram wasn't security

Yet the VERY FIRST feature presented in Telegram's front page is privacy: "Telegram messages are heavily encrypted and can self-destruct."

Heavily encrypted is a complete lie, but people who want privacy don't know that, they will download Telegram thinking it's secure. You're wrong and you're doing harm by spreading claims like that.

>or his advocates) pops up and tells us it's trash and we should all use signal instead.

Yeah, everyone should fight the propaganda machine shilling a really, really dangerous product.

Every time someone recommends Telegram it's due to features, the marketing strategy is clearly "if we can get them hooked on features, they will forget about the fact every feature is designed to spy on them".

>The real reason to use telegram is that it's miles away the best messenging program out there.

Ooh you're one of them. See here's the thing: the features that aren't really private, aren't really features. Telegram is a collection of trojan horses: seemingly useful things that actually hurt you by spying on you. When you measure Telegram's E2EE features against that of Signal's you'll immediately see who has more features. Telegram doesn't even have group messages.

>It's as user friendly as whatsapp while having completely seamless desktop/mobile integration

It doesn't. There is absolutely no desktop mobile integration for anything that's E2EE. For Signal, everything is.

>Then you have all the gravy like cool tools for groupchat admin, channels, and bots of course

No there are no private group chats with any kind of management in Telegram.

>Yeah my texts are probably being read by the FSB. So what?

To me it sounds like you're a privileged person who doesn't have to care about these things. You're not doing anything that will ever rock the boat, so you're pretty much immune. The only real question is, what is your legacy?

Also why did you come here to tell us about your privilege and to list Telegram's dangerous features? Because you're a good Samaritan?


Just want to point out that telegram has the same security model as email. Google can read all your emails. So can Microsoft if you use them. The NSA can find its way into those companies.

Do you use email despite its lack of end-to-end encryption? I would bet that 99% of these privacy people still use email.


>I would bet that 99% of these privacy people still use email.

The question is, what is email being used for? Communicating with people who we don't have private interaction with? Having academic discussion on mailing lists? That stuff doesn't really require confidentiality.


> Just want to point out that telegram has the same security model as email.

Last time I looked, Gmail or equivalent products didn't allow you to easily end-to-end encrypt your messages without any additional effort.


Telegram by default does not utilize end-to-end encryption. You have to start a secret chat with another user. Both of you need to be online at the same time, and there's no support for secret group chats.

All of that to say, I guarantee the majority of Telegram users aren't utilizing E2E-encryption so the Gmail comparison is valid in that light.

Though my counterpoint would be that privacy advocates likely know how to use PGP and use it to securely communicate with fellow privacy advocates via email.


Let me rephrase -> At worst, telegram is no worse than email in terms of security.


Telegram's link preview is always on and there is no way to turn it off, so my phone's screen is always filled with just one or two of them, making it hard to read meaningful text and titles in these busy days. I hope they can let me turn off the preview totally.


also conveniently it's in f-droid


It's also good that Telegram is used by many people who don't care about security.


new account created 13 hours ago, ok bud


Using throwaway accounts is a common practice on HN. It's right there in the username.


Joining a conversation with throwaway account to list shill points that encourage people to use a dangerous unencrypted communication tool for everything is anything but acceptable.


> It's as user friendly as whatsapp while having completely seamless desktop/mobile integration (something whatsapp and signal have failed to do)

They failed to do this only because they have real end-to-end encryption for all chats, unlike Telegram.


Telegram does have E2E encryption if you toggle secret chats, it's just not by default because most users don't care about privacy and just want the cool features.


In 5 years of using telegram, I'm yet to see a person who would initiate a secret chat with me. Everyone who loves Telegram hypes how cool it syncs all their messages on all devices, including browsers, yet they are happy about using the most secure end-to-end encrypted messaging. Sad.


Explain in technical detail why the cool features (like stickers) can't be implemented with E2EE when Signal is doing that at a constant pace?

Telegram doesn't have E2E encryption for groups or Windows/Linux desktop clients, even if you try to toggle something. So your argument is false.


Stickers do work in Telegram secret chat, though. Only animated stickers don't, presumably in order to avoid leaking IPs. But a lot of cool features do work in secret chat.


As a consequence, my website is now available in Russia. https://isitblockedinrussia.com/?host=idiallo.com

The issue was that to block Telegram they had banned a few IP blocks, around 10 million IPs[1]. These blocks were used in both Digital Ocean and AWS. So if your website or service used any of these blocks, it wouldn't be available in Russia.

[1]: https://idiallo.com/blog/website-dont-work-in-russia


You guys aren't seeing the bigger picture.

TG LLC got 1.7 bil USD with two rounds of investment. US based investors are returned 72% of original fund. Those 28% are 500 mil USD.

It's rumored that TG CEO got 300 mil selling his share of VK, so in the end he returned all personal investment on TG development. Who's behind all those funds, private investors etc. How many of those are under US sanctions really?

And now, upon failing to submit the reasonable paperwork even though they had quite expensive and experienced lawyers, Pavel suddenly calls for an unban in Russia. Like a week later a piece of legislation appears and almost immediately after that the deal is done.

Reconciliation happened unbelievably quick. Or his words have so much power now?

Just think Crypto AG serving the purposes of BND and CIA when you talk about Telegram.


There is a simpler explanation.

1) European Court of Human Rights will publish a set of decisions about Russia blocking access to different websites. [0] All those decisions are expected to be in favour of plaintiffs.

2) Court would soon communicate first case about blocking of Telegram by collateral party.

3) Communication of the primary case by Telegram LLC [1] is a matter of weeks; it was delayed due to company restructuring.

Russia is gonna face a direct lifting order from the ECHR, and that would be Zugzwang: a position from which any move is losing.

Besides, the blocking of Telegram for at least the last year and a half was inefficient, if not nonexistent. It is a common subject of satire towards the state actors responsible for blocking.

So, I take it as a face-saving move, according to Hanlon's razor.

[0] https://hudoc.echr.coe.int/app/conversion/pdf?library=ECHR&i...

[1] https://agora.legal/fs/a_delo2doc/97_file_Report_2018.pdf


Do you really think Russia is influenced by the European Court of Human Rights?


Probably?

The jurisdiction of the court extends to nearly all European states, with the exception of Belarus, the Vatican City, and the predominantly Central Asian Kazakhstan.

But,

In 2015, Russia adopted a law allowing it to overrule judgements from the ECtHR, codifying an earlier Russian Constitutional Court decision which ruled that Russia could refuse to recognize an ECtHR decision if it conflicted with the Russian Constitution.

Compare,

Other countries have also moved to restrict the binding nature of the ECtHR judgments, subject to the countries' own constitutional principles. In 2004, the Federal Constitutional Court of Germany ruled that judgments handed down by the ECtHR are not always binding on German courts.

(All from https://en.wikipedia.org/wiki/European_Court_of_Human_Rights)


> Russia could refuse to recognize an ECtHR decision if it conflicted with the Russian Constitution

And the vote on the new Constitution amendments is scheduled to proceed in a few days.


Yes, Russia is (still?) a signatory to the European Convention on Human Rights, in which it agrees to be bound by decisions of ECHR. There have been quite a few ECHR cases where monetary compensation was awarded from Russia to someone, and up until now Russia has been complying with these decisions and paying these compensation amounts.


Russia is in the process of amending the constitution right now to, among other things, specifically declare priority of Russian law over any decision of international courts.


This is not correct. The amendment text is about priority of Constitution, not all laws. So that mostly means no same sex marriage for Russian citizens.


Currently Russia complies with most (all?) ECHR decisions and orders. I think it can be interpreted as being influenced.


So the most reasonable explanation is that Pavel is in a conspiracy with the Russian government and is living in exile as a cover huh?

Sounds pretty complicated when a simpler answer would also exist.


Pavel has a history of sketchy behavior; some leaked info by an insider [1] has uncovered that many things Durov said about the location of the developers and Telegram development are false, and Durov's response to these allegations was extremely unconvincing.

I'm in the camp who thinks that this 'ban' was just a PR stunt coordinated with Roskomnadzor, which was known to be futile from the start and instantly raised the credibility of Telegram and cemented the myth of how 'protected' it is.

[1] https://medium.com/@anton.rozenberg/friendship-betrayal-clai...


There's no evidence the ban was a PR stunt, but it did play into Durov's hands, and through that, into the hands of the Kremlin when every dissident flocked to a service with a centralized attack point to compromise all group chats -- the Telegram server.


I don't feel like he's living in an exile.

For starters, the citizenship that was acquired for $ 250k something is from Saint Kitts and Nevis, known for its abuse of human rights. To me it's classic double-standard behavior.

He's vocal on not being able to conduct business in Russia as he pleases and it's a clear violation in his purview. Never heard him being involved with fighting inequity of the new home country.

Second of all, Saudi Arabia, the unofficial Telegram HQ, is tax exempt for hi-tech, but don't quote me on it.


> For starters, the citizenship that was acquired for $ 250k something is from Saint Kitts and Nevis, known for its abuse of human rights. To me it's classic double-standard behavior.

Blame the UK and EU who allow visa-free travel with SKN but not with Russia and don’t sanction it.

It is a country with a population of 50 000 people. The only reason it is not extremely poor is because its business model is giving citizenship to businessmen to avoid taxes and allow them to travel freely.

Fighting an obviously lost fight against SKN and jeopardizing your whole life sounds even more stupid than fighting windmills.


My point is he's accustomed to cutting corners.

> Fighting an obviously lost fight against SKN and jeopardizing your whole life sounds even more stupid than fighting windmills.

He could've applied for a Maltese or Cypriot passport.


Just FYI - Brexit killed the St. Kitts/Nevis loophole for EU passports, since their association with the EU was through the U.K.


Known for its abuse of human rights? The only thing I could find was that male homosexuality is illegal there. You may regard that as abuse of a particular human right, but to me, it's considerably less than it sounded like you meant.


Well... if you assume safety is a basic human right as well, then this is relevant[0]

[0] https://en.m.wikipedia.org/wiki/Crime_in_Saint_Kitts_and_Nev...


Wow. Seven times higher murder rate than the US? I'm astonished.


Durov's exile lasted for less than two months https://www.nytimes.com/2014/12/03/technology/once-celebrate...

He was never properly persecuted. He never had a close call with McPolonium when eating out. He's not considered an actual threat.


I would guess this means the gov't now has access to Telegram messages, one way or another.


There's a quite popular conspiracy theory in Russia that says that Telegram was an FSB-backed project from the start, and the whole failed ban was implemented to promote it. However, there's still no concrete proof that the government has backdoor access to it, so if they do, they're being very careful about it.


The most obvious fact is that Mr. Durov is not walking around with a hole in his head, as is a double-digit portion of anybody who had the balls to be audacious about their opposition, and he is not known to have an extensive security detail.

The mob has sent hitmen to people whose offences were far lesser than that.

Their ways are unyielding and uncompromising. Putin has a record of killing people who aggrieved him more than a decade ago, continuing to try for years on end. People he killed sometimes survived 2-3, even 4, assassination attempts over the years, just to eventually be killed by yet another one.

Knowing that, it's hard to explain how Telegram kept maintaining an office in Russia.


It's not that you're wrong; it's that I wouldn't be so sure that you're right about it.

Russia's leadership is not monolithic, and its decisions are not rational. Some critics are killed even though they do not pose a significant threat. Some are able to continue their fight. Some have allies on the inside; some are said to actually be controlled by the government.

If anything, the history of such politics teaches me that it's chaos all the way down and almost no one has the full picture, nor knows what he's doing.


This is the most important thing to understand: non-Russian media loves to perpetuate a never-ending charade that the whole of the Russian government is a direct limb of Putin and controlled wholly by him, which is quite far from true. It makes for a good narrative though, and since the Russian government is perhaps closer to that model than others, it passes by readers unnoticed.

There are very much parts of the Russian political elite that will use violent and coercive means outside their official mandate to silence individuals. Roskomnadzor isn't really one of those, and is mostly limited to spewing more things onto blocklists to the chagrin of ISPs and people who actually understand the internet.

More likely Telegram is unblocked because someone higher-up finally got around to telling Roskomnadzor to fuck off and stop being a nuisance here, since its order never succeeded in actually blocking Telegram and mostly served to disrupt access to cloud service providers (breaking other, non-Telegram applications) as RKN ineffectually tried to issue block orders for entire AWS and GCP network ranges. Other parts of the government clearly didn't care much about the order (they continued to use Telegram for official business after the block), and it seems like it was either RKN attempting to flex its muscles to impress higher-ups or an unsuccessful attempt to put pressure on Telegram that the government has finally given up on.


> Knowing that, it's hard to explain how Telegram kept maintaining an office in Russia.

Telegram has an office in Russia? Do you have sources? I cannot find one to confirm, and as far as I know that's not the case.


Have you even read this article? Because it contains dubious allegations from a single person and an explicit denial from Durov.


I took the time and read it and also read much more.

It is a good example of "he said, she said". But Igor Ashmanov considers Rosenberg a good source on the Durov brothers, so let's say the information above is correct.

That means that Durov used a part of the real estate he had access to in order to help the development of Telegram. It does not mean that Durov is (not) affiliated with the Russian government; it just means that for Durov it is useful to use Russian real estate he knows and adores and to use Russian talent.

It looks like Telegram servers are somewhere in Europe, BTW.


>The most obvious fact is that Mr. Durov is not walking around with a hole in his head, as is a double-digit portion of anybody who had the balls to be audacious about their opposition.

I think you are talking about Clinton Foundation, aren't you? A joke, of course.

Can you help me to access statistics from which you inferred "double digit portion"?

Not that I am pro-Russian-government, I am not. I just sense here something that is not completely right with my view of the world and I want to get better in that regard.


It also lists Chechen terrorists. The same kind of list for the US would include thousands of people killed by drone strikes.


If you're seriously going to downvote me and claim that Russia hasn't been assassinating people then you're either being paid by their government or you're just being a troll. If you want to dispute the list Wikipedia posted, then dispute it. The "But the US kills people too!" is literally completely irrelevant. And if you want to cite a list of US journalists who have been hunted down and assassinated by direction of the President, be my guest - please just hold your breath until your list hits 5 names.


The idea isn't that Russia doesn't assassinate people, it does. The idea is that Russia assassinates everyone that opposes it even when it is against their interest.


So... we're moving the goal posts? Because OP said he didn't believe that double digit people had been assassinated by Russia, so I provided his proof. I haven't seen anyone claim "Russia assassinates EVERYONE that opposes it" besides you.


The claim was not that more than 9 people were assassinated by Russia, but that 10% or more of the entire opposition was assassinated. Which is absolutely not supported and would lead to at the very least hundreds of thousands of assassinations.


And now I'd like to see a list of living Russian people who oppose Russian government. The problem, for me, was the claim about double digits part (I think it was about percentage - the double digits thing).


Opposing is not enough. Opposing while being popular (or wealthy), now that puts one at risk.

https://en.wikipedia.org/wiki/List_of_journalists_killed_in_...

https://www.rferl.org/a/nemtsov-murder-russia-political-kill...


You keep presenting a list of homicides and/or contract killings.

Going by exemplar logic in your answer to gdy above, you are either paid by, say, Navalny or you are a troll. Okay then.


Great collection of propaganda bull*t, bro.

Is Nemtsov "an audacious opposition" in your opinion? As much as I don't like the Putin rule, Nemtsov's popularity was really too minor to influence anything. If anything it was the "non-systematic opposition" who won most from his death.


Sorry, but you managed to write a both grotesque and extremely simplified description of Russian political practices.

There's absolutely no point in making any physical moves against Durov even if he was openly anti-Putin and supported the opposition in any way. It's never done like that. He's already been forced out of the country and is not considered a direct threat. He or his remaining assets may be considered a future asset, on the other hand.


> even if he was openly anti-Putin and supported opposition in any way

This implies he does not support the opposition in any way. This is not true. He does support opposition rallies—when they are held to support his cause, true, but such is the political climate in Russia that publicly supporting those who vocally oppose the state policy is a domain for very few and quite brave.

When the Libertarian Party of Russia was organizing a rally in 2017 to protest the Telegram ban, Durov contacted the Party himself. (I'm a member of LP RU.)

I don't count on Telegram security but Durov's public image and actions are certainly noticeable and appreciated by opposition.


> This implies he does not support opposition in any way. This is not true.

It implied just that I don't know for sure, and it does not change a lot. Even Khodorkovsky is not considered a threat worthy of eliminating - he serves the cause much better as a propaganda target. Durov has even more to offer to the Russian gov't (digital technology is the new arms race), so he has an even lesser chance of bodily harm.


But isn't it remarkable that Telegram after all of these years still doesn't do E2EE by default, Telegram rolls its own crypto (of which the first version had significant problems) and still Telegram is used so much in Russia?


Minor correction. Telegram does not use its own crypto; it uses well-known cryptographic primitives. (However, the community criticised Telegram for the poor choice of those well-known primitives.)


>However, there's still no concrete proof that government has backdoor access to it, so if they do, they're being very careful about it.

Sadly I feel like that is a very real possibility for any software / hardware produced in any significantly non free country.

It can happen in other countries, but the likelihood of you hearing about it seems much much higher.

It's a sad situation, as I don't like the idea of being suspicious by default of other developers / products simply because of their country of origin, but I have trouble avoiding the obvious fact that even a well-meaning developer / company based in those countries would / could easily be pressured into introducing some sort of access (doesn't matter how), and it's simply unlikely we'd know.


Most developed countries have access like that already baked in by law [0], some countries even go as far as denying any reasonable expectation of privacy for data you share with third-parties [1] so the data-Kraken of intelligence services can just slurp it all up in bulk [2].

In that context, in a post-Snowden world, it's kinda grating to still have people talk about all the evil things that supposedly happen in "non free countries", while mostly being completely unaware about what their own, supposedly "free", countries are doing, often on a global scale because they are supposedly way more likely to "hear" about it, while still not being able to change anything about it.

[0] https://en.wikipedia.org/wiki/Lawful_interception

[1] https://en.wikipedia.org/wiki/Third-party_doctrine

[2] https://opendatacity.github.io/stasi-vs-nsa/english.html


I'm not really concerned about what people are or aren't aware of.

It's fairly obvious that more free countries allow for a greater chance in changes of law than non free countries.

The Snowden of China would not get his day in court....


> The Snowden of China would not get his day in court....

Because the Snowden of the US did?



He gets his too.

Not sure he'd get the same type of trial in China, Russia, or if it would go that far.


He certainly got his day in the court of public opinion, half the country thinks he's a traitor.

If I were him, I, uh, would not try my hand in a court of law.


Isn't that up to Snowden?

I don't think the Snowden of China gets such an option.


Snowden has the choice of a fake trial in which he is not allowed to present the evidence that is appropriate under the espionage act.


It's only up to Snowden because he managed to successfully evade getting captured, even tho the US went through quite some lengths [0] trying to capture him and already had a plane ready to rendition him back to the US [1].

If they caught him, he would not have been able to properly defend himself because US law would prohibit him from making his case [2].

Heck, if they would have caught him before his Hong Kong meeting, they could simply have "vanished" him and nobody would have been any the wiser, as Greenwald, Poitras, and MacAskill would have had a very difficult time proving the legitimacy of the leaked documents.

So no, neither the Snowden of the US, nor of China gets any of these options, that's why this whole false dichotomy of "free countries vs nonfree countries" is just another facet of the constantly ongoing propaganda war.

The best chance whistleblowers like that have is trying to escape the sphere of influence of whoever they blew the whistle on. For Chinese, Russian, Iranian, and others that's large parts of the world they will be welcomed in, for US whistleblowers it's pretty much only a handful of countries out of whom only a very few are actually able to keep them safe/not straight up hand them over.

[0] https://en.wikipedia.org/wiki/Evo_Morales_grounding_incident

[1] https://www.theguardian.com/us-news/2016/feb/05/edward-snowd...

[2] https://whistleblower.org/in-the-news/wsj-op-ed-why-edward-s...


I suspect if the US wished to vanish him, it would be done.

There's a whole world of talk of Snowden and others supposedly going to be vanished, and for whatever reason the fact that it hasn't happened seems entirely lost on folks who talk about it.

> "free countries vs nonfree countries" is just another facette of the constantly going on propaganda war.

I don't know what you're trying to say about that. I think there are real differences between freedoms allowed in different nations and they have real impacts.


... produced in any country.

I wonder if the money Crypto AG made will have been worth any future reputation cost for Zug's economy.

https://www.luzernerzeitung.ch/wirtschaft/bund-stoppt-nachfo... "... for decades, Crypto AG sold manipulated cipher devices to various states on behalf of the US intelligence service CIA and the German Bundesnachrichtendienst."


Like I said it can happen anywhere, but the likelihood and ease of it happening in less free countries seems significantly different.

I don't believe "any country" means all countries are equivalent as far as the risks go.

The amount of news / data about it will of course be higher in more free nations.


> Like I said it can happen anywhere, but the likelihood and ease of it happening in less free countries seems significantly different.

Why? Bureaucracy, intelligence services and state-level paranoia transcend political ideologies and systems.

> The amount of news / data about it will of course be higher in more free nations.

On the other hand, we'd hear a lot more about anything from Moscow in our media, so I doubt there's a lot to be talked about as of now. It's only one big leak away, of course, but so far, I don't see a lot of support for your theory.


Because in free countries there's actually the potential for individuals and groups to refuse to cooperate and make the request known.

If China comes to you and tells you to hand over the keys, you don't go to court or the news media ... in the west you can actually refuse and we see that happen and play out in the courts and etc.


Yeah, you have the theoretical potential to not comply with a national security letter and just go public. Good luck with that.


In free countries there are court cases about such things.

Not in less free countries.

It seems like you're holding all nations to be equal if there isn't perfection. I think that's a poor way to measure anything involving people.

The Snowden of China doesn't get his day in court, maybe never talked if his family back home was at risk.


> In free countries there are court cases about such things. Not in less free countries.

Russia literally had court proceedings about Telegram, which this post is about. Is Russia not a "less free country"? Or are those not "real court cases" while "ours" are totally real (but you can't talk about them and must play charades, and the opposing side has super powers written into the law)? If you need help carrying those goal posts, let me know.

> The Snowden of China doesn't get his day in court, maybe never talked if his family back home was at risk.

Neither does the Snowden of the US of A, you know, that one guy... right, Snowden, who has to hide in Russia of all places to not get shipped off to Gitmo. And even if he took that route, I'm sure the apologists would say "well, this is one of those small imperfections but he's fortunate that he's not in Russia".


Snowden can in fact get his day in court.

His choice to not do so is understandable, but it's an option.

I'm a little lost on what you're saying at this point. I can't imagine you or I want to get into the judicial differences between the US and Russia.


Snowden has the choice of a court where he will not be able to defend himself. This is exactly how it works in China, Russia, or the former USSR.


As I understand it, Snowden is perfectly willing to go on trial in the US, as long as said trial is conducted in public.


Agreed! I read the headline and my first thought was "Guess it's time to stop using Telegram now"


Implausible undeniability, a brilliant way to plant the seeds of uncertainty. For the people who have enough reasons to be concerned about intercepted communications, the ones who were the core reason for the blocking (like activists) this can't sit well.


> Implausible undeniability, a brilliant way to plant the seeds of uncertainty

All that while having open-source and much safer alternatives. I don't see a problem here.


Are you sure these reasons for blocking were activists and not something more nefarious?


Of course I'm not sure. But activists are usually a safe bet in such cases. Whoever was the reason for the ban, they're probably having some doubts right now.


This ban is useless. Telegram kept working without issues. I haven't heard about any issues connecting to Telegram servers in RF. Some gov't entities are using Telegram, some high profile people from the Ministry are using Telegram.


IIRC Telegram always was willing to share with security services message history from non-secret chats and groups. The problem was the idiotic requirement to give keys for E2EE chats.


Telegram say they have gone pretty far to make sure they cannot get hold of private messages - even the ones that aren't E2E-encrypted.

How? As far as I understand by having the client download encrypted messages from one Telegram server and keys from another and then place those servers in different datacenters in different jurisdictions.

FTR: of course I am aware that unlike E2E-encrypted messaging, in this case you have to trust the vendor. Whether you do is up to you. I trust them more than WhatsApp (who are E2E-encrypted but back up to NSA^HGoogle and try to extract all kinds of metadata) and less than Signal (even though Signal has had at least one horrible security glitch).

One more thing: Telegram are also pretty open on the fact that they take down public terrorist content.


I read the court case in translation at the time. The opposite is true. The government acknowledged in court that keys for E2EE chats were not possible to surrender, but they had terrorists using non-E2EE groups to coordinate an attack and Telegram didn't produce those keys either.


Can you link it? The relevant law is written in a really stupid manner: it requires handing over keys for decrypting communications, which in the case of TLS means session keys. Of course no sane company would log them, so they have nothing to give in the first place. But refusing to share keys says nothing about sharing the messages themselves.

One justification for sharing keys could be that security services want to use data recorded by SORM (and nowadays we also have the goddamn Yarovaya law) as evidence, and to do that you have to decrypt it. Luckily for us modern security frameworks are built around ephemeral keys and forward secrecy.
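The forward-secrecy point the comment above makes, shown in an added example (not code from this thread, from Telegram, or from any real TLS stack). It models a passive recorder on the path that stores every session and is later handed the server's long-term private key: when the server used that key statically in the exchange, the stored session opens; when both sides used ephemeral exponents that were discarded after key derivation, the same key recovers nothing. The tiny group, the SHA-256 counter-mode cipher and the HMAC tag are constructed stand-ins for X25519 and AES-GCM so the block runs on the Python standard library alone.

```python
"""Forward secrecy demo: a recorded session plus a later-disclosed long-term
key opens a static-key session but not an ephemeral one (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group (a Mersenne prime, far too small for real use).
# Real protocols use X25519 or an RFC 7919 finite-field group.
P = (1 << 127) - 1
G = 3


def random_exponent() -> int:
    return 2 + secrets.randbelow(P - 3)


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_session_key(priv: int, peer_pub: int) -> bytes:
    """Derive a 32-byte key from the shared secret (SHA-256 stands in for HKDF)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"session-key" + shared.to_bytes(16, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (counter keystream + HMAC tag); AES-GCM stand-in."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Transcript:
    """What a passive recorder on the path sees: public values and ciphertext only."""
    client_pub: int
    server_pub: int
    ciphertext: bytes


# Constructed long-term server key; in TLS this is the certificate's key.
SERVER_LONG_TERM_PRIV = random_exponent()
SERVER_LONG_TERM_PUB = dh_public(SERVER_LONG_TERM_PRIV)


def session_static_server(message: bytes) -> Transcript:
    """Client ephemeral, server static (RSA key transport has the same weakness):
    the session key depends on the server's long-term secret."""
    c = random_exponent()
    key = dh_session_key(c, SERVER_LONG_TERM_PUB)
    return Transcript(dh_public(c), SERVER_LONG_TERM_PUB, seal(key, message))


def session_ephemeral(message: bytes) -> Transcript:
    """Both sides ephemeral (TLS 1.3 style). The long-term key would only sign the
    server's share, never encrypt anything, so it plays no role here. Both private
    exponents are dropped once the key is derived; nothing is kept to hand over."""
    c, s = random_exponent(), random_exponent()
    key = dh_session_key(c, dh_public(s))
    assert key == dh_session_key(s, dh_public(c))  # both sides agree on the key
    return Transcript(dh_public(c), dh_public(s), seal(key, message))


def recorder_decrypt(t: Transcript, long_term_priv: int):
    """Later: the recorder is handed the long-term key and applies it to the stored
    transcript. This is the only key a server could plausibly be compelled to give."""
    key = dh_session_key(long_term_priv, t.client_pub)
    return unseal(key, t.ciphertext)


if __name__ == "__main__":
    msg = b"constructed sample message"
    print(recorder_decrypt(session_static_server(msg), SERVER_LONG_TERM_PRIV))  # b'constructed sample message'
    print(recorder_decrypt(session_ephemeral(msg), SERVER_LONG_TERM_PRIV))      # None
```

The MAC check is what makes the second result honest: the recorder really does apply the disclosed key and the derived value simply fails to authenticate. Note the limit of the property: disclosure of the long-term key still lets an active attacker impersonate the server in future sessions; forward secrecy only protects sessions already recorded.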


Or it may mean that they decided to stop budgeting effort that led to almost zero result. RossTelekomNadzor was banning IP ranges from the main cloud providers, which resulted in major outages of other services (that were not multi-cloud) except Telegram.

People, who used Telegram did not stop using it since the very first day of official ban.


The Russian state knew the ban wasn't effective, they just wanted to save face for being humiliated wrt Telegram not handing private TLS keys.

They never needed those keys however, they've always had the capability to hack the server.


Someone should run a service where they have a chatbot pretend to be a terrorist on every chat app on every country and if the police reacts it means messages are being intercepted, like a status page of how much communication is being tracked.


I am pretty sure the excuse that "I was just pretending" wouldn't go over too well with authorities.


It would undoubtedly bring some heat, one would have to do it anonymously and also do so from a country with strong free speech laws, where you can either argue in court it was for research purposes or that role-playing a terrorist does not constitute a crime.


Assuming the chatbot operator can be identified. What if the whole thing is done pseudonymously/anonymously?


Hypothetically speaking, would you be willing to attempt to set it up?


If someone were to do it, wouldn't it defeat the whole purpose of the system by answering "yes" to this question and letting the backdoor users know that someone is now laying traps to catch them using those backdoors in the act?

However, the effort of setting this up could be better spent on making (or contributing to) a messaging app that's open-source and secure by design, where you don't need such setups to detect backdoors because they are near-impossible to introduce (open-source code and lack of a central server).


And the most likely thing to happen is that after you have spent years creating it nobody would use it.


It was a completely rhetorical question. I implied no one would take the risks.


There are people willing to run a Tor relay; I bet that kind of people would be willing to help to an extent.


They've always had that capability.

1. Hack the server

2. Read every dissident groups' messages.

3. No step 3.


Which is why dissident groups, at least those I know of, do not communicate sensitive info except by one-to-one secret chat.


Does this mean that now Telegram will give the Russian government whatever they want, if they think it is "extremist"?


Did we have any reason to believe Telegram wouldn't do it prior to unblocking?


What would be the reason for Telegram to do so? Why would it give keys to the Russian government but not, for example, the UAE or USA?

These unsubstantiated claims (like Telegram sending data to the Russian government) won’t help anybody.


Who knows. I personally don't think Durov will give his libertarian views up to the Russian government like that.


Blackmail.


More than 550k IPs are unbanned now:

https://usher2.club/en/

Basically, 95% of the blacklist.


Backdoor-ed successfully?


> The company refused to hand over encryption keys, arguing that it would violate users’ rights to privacy and would not help weed out terrorists.

Take note on how it feels to read this line when it's about a country that isn't yours. When the United States pushes the same argument, the rest of the world's privacy is at risk.

This is why European governments increasingly try to keep their data on European soil, and to trust businesses bound to EU laws.


Russia never actually intended to fully block Telegram. Otherwise they would just make Google kick it from the Russian version of the App Store and Google Play, but they never did it.

I'm not for any of conspiracy stories, but we need to be clear about this ban story.


At least Apple rejected RKN's request to block Telegram.

This is a random article (in Russian) about RKN threatening to block the App Store in Russia if Apple refuses to remove Telegram from the App Store.

https://www.the-village.ru/village/city/news-city/313713-rkn...


Both Google and Apple do block apps for certain countries though, especially those used for distribution of copyrighted materials. Russia certainly could force Apple to comply if there was such a goal. Or at least RKN can just break push notifications for everyone.

I'm not the one for conspiracy theories though. Most likely they never intended to actually block it simply because they are using it themselves and that's just it.


> Russia certainly could force Apple to comply if there was such a goal. Or at least RKN can just break push notifications for everyone.

Obviously, they are not mad enough to break everyone's phones just to block Telegram.

> I'm not the one for conspiracy theories though.

Yeah, that was my thought. You did not provide any evidence for the claim that RKN only pretended they wanted to block Telegram, while there's a lot of evidence they actually wanted to block it: they blocked millions of IP addresses and they threatened Apple with blocking the App Store.

> simply because they are using it themselves

If they really wanted to use it themselves, they would not block AWS and DO.


Some of our game servers were impacted by this and we ended up having to do elaborate message forwarding for Russian players. I find it staggering that it took 2 years to be lifted given how much collateral damage it caused.


It never was actually successfully blocked. I was in Russia while it was blocked - it worked OK, just seemed slower than usual. A lot of people use Telegram there, for both messaging and for reading the news outside the entirely government-controlled mainstream using "channels". Nowadays even some government agencies have their own channels on it, in spite of the "ban". There's a saying in Russia: the strictness of Russian laws is compensated by optionality of compliance.


> Nowadays even some government agencies have their own channels on it, in spite of the "ban". There's a saying in Russia: the strictness of Russian laws is compensated by optionality of compliance.

Technically speaking there was no law prohibiting telegram for citizens or government officials. “Optionality of compliance” does not apply here because no user of telegram broke the law.


What's the "12+" next to the date? Does that imply gov.ru also has NSFW subdomains?

- Open up! Police! Your neighbours called.

- Nu, so go next door. We didn't call for police, we called for ...


> What's the "12+" next to the date? Does that imply gov.ru also has NSFW subdomains?

Might be a timezone? The most eastern part of Russia (cities such as Pevek, Anadyr) observes UTC+12.


Checking the source, the element has the id "age". Not sure what it implies one way or the other though.



I don't think my timezone idea is particularly likely, not only because the site gives a Moscow address, but also because that (eastern) area of Russia is a backwater's backwater.


It implies the content is not appropriate for kids. Like PG-13 in US.

Every website and TV show in Russia must show age rating.


Some not as obvious as others. I'd never noticed it before on https://aif.ru but now that I look the 16+ is way down in the footer bar. Sps))


Age rating is required for any media published in Russia.


This is when I stop using it


Why are you stopping? Because you think they collaborate with the FSB more now?


There is one certain thing - they are getting something out of that and they want people to use it. I'm not sure what exactly. They either found a backdoor or struck a deal. Things like that aren't a joke in Russia. Mass control and surveillance is a real thing, there are many reports of people being put in jail for writing something against the government on Facebook or other platforms.


Could this be an attempt to baby-step closer to infiltrating the Telegram team by presenting good will? As someone else commented, this could have been agreed upon through blackmail. How are these systems ultimately safeguarded? Is it even possible while there are bad actors attempting to control them?


Non-Russians often assume some sinister motive behind actions like that, but reality is much simpler.

The authorities failed to shut Telegram down while making active use of it themselves. So now they are giving up because there’s not much point in continuing the efforts.


By doing so they would send the wrong message though: "feel free to use it against us; we're neither closing nor monitoring it", which would be like shooting themselves in the foot. Unless they're just pretending. Every government fears what it cannot control, especially communications networks that could be used to subvert the status quo; this applies to all governments in all countries, including so-called democratic ones. To me they're still actively monitoring it, and I'm 100% sure they have the means of shutting it down just in case of real necessity.


On the other hand: if you force people to use VPNs to use Telegram ... you're forcing people to learn to use VPNs.

And if you're afraid of people talking about stuff without you knowing, the last thing you want is large parts of the population (or at least those parts you're interested in) using more encryption. Basically: you can't stop it, trying to stop it has negative side-effects, so stop trying.


I’m sure they are still actively monitoring, but I don’t think they have the means to surgically disable Telegram without shutting down all of the internet in Russia. They’ve been trying unsuccessfully for the past few years.


It's strange that whenever Telegram comes up, there's an unfounded suspicion that it has some kind of FSB/Russian government connection simply because it was developed by a Russian.

This is insane and like pretty bigoted - not a good look for HN.

Here's the guy that leads the company: https://en.wikipedia.org/wiki/Pavel_Durov

>In 2011, he was involved in a standoff with police in St. Petersburg when the government demanded the removal of opposition politicians' pages after the 2011 election to the Duma.

He's living abroad because he's either not allowed or does not feel safe entering Russia. VK was taken from him pretty much over his principles not to do what HN just assumes Telegram does. Telegram was developed outside of Russia to avoid being beholden to them.

The fact that Russia was actively blocking Telegram should be proof enough. The reason they stopped is because when they did, they accidentally blocked other services and it was kind of a disaster. They simply don't have the expertise to run their blocking campaign. It looked bad so they stopped.

Russians are more than one-dimensional Putin-driven fake news generating bad guys.


> This is insane and like pretty bigoted - not a good look for HN.

No, you're just projecting. This mindset of untrustworthy until proven otherwise is universally applied to all chat apps, from any country, it happens under pretty much every discussion of Facebook's Whatsapp and Messenger and it happens in discussions about WeiBo (and similar).


What if they now have some way of pressuring him into doing it?

Russian people are not one-dimensional. Russian government is.


>He's living abroad because he's either not allowed or does not feel safe entering Russia.

He has since entered Russia. Also, Durov's warrant was dropped just two months after he went into exile. Stop inventing things.

>VK was taken from him pretty much over his principles not to do what HN just assumes Telegram does.

HN isn't concerned over what he does, it's what capabilities he leaves himself and anyone who hacks his systems. If Durov really cared about his principles, he'd have deployed app-wide E2EE from the get go. He had the money to hire the people to do that.

>Telegram was developed outside of Russia to avoid being beholden to them.

Didn't stop it from being developed by non-experts, almost equally bad considering there's now the equivalent of a backdoor that allows the server to read everyone's group messages.

>The fact that Russia was actively blocking telegram should be proof enough

If that's proof of Telegram's security, then the fact the ban was lifted means Telegram is now 100% compromised. So yeah, you have to make a choice here.

>The reason they stopped is because when they did, they would accidentally blocked other services

This is the actual reason they continued, and Telegram's security is not proven by the ban. They've had the capability to hack the server since day one. And if you disagree, you're either ill informed, or fooling yourself. If it's the former, start here https://en.wikipedia.org/wiki/Fancy_Bear

>Russians are more than one-dimensional Putin-driven fake news generating bad guys.

It's very probable Durov isn't actively trying to uphold the oligarchy from abroad by continuing his military training in propaganda and position in the Russian society by retreating to an oppressive country like UAE under the disguise of exile just when chat platforms start to overtake social media sites. I think that's very improbable.

But he's a useful fool for creating something that's trivial to hack, and that allows all intelligence establishments around the world to access Telegram's communication. We should've learned from Cambridge Analytica that ubiquitous E2EE by default is the only way to prevent future disasters. It's not like Durov can magically protect Telegram from all the state driven hacking organization and their insane budgets with no profit responsibility.


Russia did not lift this ban because they changed their stance on encryption...


This in an unsubstantiated claim which does not help anybody.


Articles: Anything about Telegram

Discussion: crypto baaad/all chats logged/insecure by default etc. etc.

Yes we got it, you don't like Telegram. Use whatever and move on. There is no need to constantly come up with the same BS. Cloud chats are in the cloud (which you probably hate too, ryt?) and no, they are not e2e encrypted. Calling it server-side logging is just straight-out FUD. Also pretty sure 99+% of all Telegram users never use the secret chat feature, because Telegram is mostly so useful because of all the rest. And people use it for all the rest (large community groups/channels/bots/games). I'm sure more than 99% of my Telegram messages go to groups that are public or semi-public (like you would find the link on another platform if you are part of the community there). It's absolutely unwanted to have any kind of nonsense encryption for such groups. Yet all the features Telegram can provide because it does not have nonsense encryption, like fast server-side search or links to messages visible on the web, are the reason I and others use it. Just like y'all use Hacker News and don't mind that your comments are "server side logged".

tl;dr A tool isn't broken or insecure because it does not do what you want it to do. It's just the wrong tool for you.


That's because on 2020-07-01 there will be a vote on constitutional changes. And Putin would like to give us a (false) hope that our life is going to become better and put his government in a good light.

Context:

In Russia we have a limit of 2 terms for presidents. Putin and his mafia don't like it, so he decided to be "nullified" and get additional privileges (e.g. after he decides to resign, he will be able to dismiss a president).

Putin has even already signed the changes because he knows we are too scared of jail to protest IRL: even if you are protesting alone, police will likely beat & fine you (even if you are a girl or just holding a BLANK board) for an unauthorized demonstration. In one video the election chief almost laughed while saying everything is already decided and legitimate and they just want our opinion.

But for additional legitimization Putin set the voting. Probably he doesn't want the situation as in Venezuela. And he wants to increase his ego (his ego is very high, just compare inauguration of him and Obama/Trump).

He paid many famous people for short videos where they support some part of the changes, typical example: "I will vote yes because I like animals!" although we already have laws for animals.

And none of those videos mention that Putin would be the president forever. Only half of the people are even aware of this change (and many are forced by employers to take a photo showing that they voted yes). Oh, and our constitution doesn't work at all anyway. Gov-t people laugh at you when you mention anything from it. And there was news several years ago that a journalist got a suspended sentence (условный срок) of 4 years for extremism because he quoted the constitution.

P.S. >97% of Russian IT people seem to hate Putin according to the comments I read everyday. And Durov should hate him much more because Putin's mafia stole VK (that's our Facebook with nice UI/UX and awesome search) from his control.


Did they make an agreement? Now the government got access to everything that goes through telegram?


> Now the government got access to everything that goes through telegram?

Nothing in Telegram ever had end-to-end encryption by default so you shouldn't really expect anything but private chats to be secure.


I see. I read that somewhere but never checked to make sure it's really so.


Translation (https://translate.google.com/translate?sl=auto&tl=en&u=https...):

> About Telegram Messenger

> June 18, 2020

> We positively assess the readiness expressed by the founder of Telegram to counter terrorism and extremism.

> By agreement with the Prosecutor General’s Office of the Russian Federation, Roskomnadzor removes requirements to restrict access to the Telegram messenger.

> We are ready to cooperate with all Internet companies operating in the country to quickly suppress the spread of terrorist and extremist information, child pornography, and the promotion of suicide and drugs.

> Currently, jointly with leading Russian and foreign Internet companies, on average weekly materials are removed:

> - propagandizing suicidal behavior 2,500;

> - extremist and terrorist nature 1,300;

> - propagandizing drug use, about places of their purchase 800;

> - with pornographic images of minors - 300.


We changed the URL from https://rkn.gov.ru/news/rsoc/news73050.htm. We have deep respect for other languages, but HN is an English language site, and submissions here need to be in English so people can read what they're discussing.



