Moxie on Telegram Encryption(twitter.com)
twitter.com
Moxie on Telegram Encryption
https://twitter.com/moxie/status/1474067549574688768
30 comments
Aaand, I have said it many times that E2EE does not exist for desktop.[1]
Telegram's UI is pretty. I would use it as a replacement for WhatsApp, but it is not a replacement of Element, XMPP, Briar, Wire, Ricochet, and so forth.
Telegram is not an IM for secure communication where privacy matters. Do not use it as such.
[1] https://tsf.telegram.org/manuals/e2ee-simple#2-why-are-there...
Telegram's UI is pretty. I would use it as a replacement for WhatsApp, but it is not a replacement of Element, XMPP, Briar, Wire, Ricochet, and so forth.
Telegram is not an IM for secure communication where privacy matters. Do not use it as such.
[1] https://tsf.telegram.org/manuals/e2ee-simple#2-why-are-there...
Most people use Telegram for its superior set of features and convenience. The fact that everything is stored on the server-side actually works in favour of its user base by giving them a functionality many desperately need - that of accessing all chats and records ubiquitously, from wherever you want, at any time, from any device. The ability to make channels and groups of thousands of people only works into making it a pseudo-social-media super-app that appeals even more to its users. Besides, it allows you to remain anonymous on its platform despite requiring a phone number for registration.
I have seen so many people going through the horror of losing everything on WhatsApp whenever they switch phone platforms - the chat backups it creates are not transferable across Android and iOS for some reason and there is no way to recover your conversations at all in such a case. Telegram covers many things where its alternatives fall short, but privacy and security are not one of them.
I have seen so many people going through the horror of losing everything on WhatsApp whenever they switch phone platforms - the chat backups it creates are not transferable across Android and iOS for some reason and there is no way to recover your conversations at all in such a case. Telegram covers many things where its alternatives fall short, but privacy and security are not one of them.
Please check out Matrix.
You will get what you described without even needing a phone number and WITH E2EE
You will get what you described without even needing a phone number and WITH E2EE
[deleted]
Sry Moxie, you lost my trust when you temporarily took the signal codebase closed source to integrate some cryptocurrency scams into it. Now your criticism just sounds like whining about a more successful competitor. Why is Telegram winning against Signal ? Mainly because the app is more stable and doesn't dictate its philosophy to the user. Proper e2e encryption has tradeoffs. Why shouldn't the user decide for which conversations he is willing to place convenience over security ? Why does Signal force users to use a pin even if they don't want to ? Why do you lose your history when you switch between android and ios ? why would I choose a messenger that requires a phone number over another that does not ? I was an enthusiastic evangelist for signal. But over the years you just lost me. I still use it but I don't recommend it anymore. I know, I'm not the only one. Apparently you seem to think, you can make up for it with paid advertising that you plastered my city with (repeatedly). I would have preferred to see that budget allotted to developing a more stable client and new features, but I'm not calling the shots.
> Sry Moxie, you lost my trust when you temporarily took the signal codebase closed source
It never was closed source. They simply implemented a feature before uploading the code. Is there a rule to how how many commits need to be made in a time period? No.
> to integrate some cryptocurrency scams into it.
You clearly haven't read enough about why they chose to implement a payment system and why they chose to create their own. There are very good reasons they did both. Don't be salty because they didn't use the one you hold.
> why would I choose a messenger that requires a phone number over another that does not ?
Unless something has changed recently, telegram absolutely required my phone number. Signal is also working on replacing phone numbers with usernames.
> Mainly because the app is more stable and doesn't dictate its philosophy to the user. Proper e2e encryption has tradeoffs. Why shouldn't the user decide for which conversations he is willing to place convenience over security ?
One can't claim to be a secure encrypted chat app but then not enable it by default. It's completely fine to not have encryption, but it's not ok to mislead people into believing it's encrypted all the time.
> Why do you lose your history when you switch between android and ios ?
Mostly because signal doesn't store your messages. There is no central server that has all your info and chat history like telegram does. It makes this harder
It never was closed source. They simply implemented a feature before uploading the code. Is there a rule to how how many commits need to be made in a time period? No.
> to integrate some cryptocurrency scams into it.
You clearly haven't read enough about why they chose to implement a payment system and why they chose to create their own. There are very good reasons they did both. Don't be salty because they didn't use the one you hold.
> why would I choose a messenger that requires a phone number over another that does not ?
Unless something has changed recently, telegram absolutely required my phone number. Signal is also working on replacing phone numbers with usernames.
> Mainly because the app is more stable and doesn't dictate its philosophy to the user. Proper e2e encryption has tradeoffs. Why shouldn't the user decide for which conversations he is willing to place convenience over security ?
One can't claim to be a secure encrypted chat app but then not enable it by default. It's completely fine to not have encryption, but it's not ok to mislead people into believing it's encrypted all the time.
> Why do you lose your history when you switch between android and ios ?
Mostly because signal doesn't store your messages. There is no central server that has all your info and chat history like telegram does. It makes this harder
>It never was closed source.
The server-side code in the public repo was not updated between April 20, 2020 and April 6, 2021. The Signal Servers were updated in the meantime. The code that was running on those servers was not Open-Source.
>You clearly haven't read enough about why they chose to implement a payment system and why they chose to create their own.
I've read more than I ever wanted to read about this subject and I still find the arguments for why my privacy friendly messaging service would benefit from being co-mingled with a(soon to be heavily regulated) financial platform entirely unconvincing. Moreover setting aside the goals: the way they went about it, in total secrecy, does not engender trust.
>Unless something has changed recently, telegram absolutely required my phone number. Signal is also working on replacing phone numbers with usernames.
Signal has "been working" on this issue for an awfully long time. A Plethora of Matrix Clients have had this Feature from day 1.
>One can't claim to be a secure encrypted chat app but then not enable it by default.
enabling it (by default) and forcing the user to use this as the only option are completely distinct.
>There is no central server that has all your info and chat history like telegram does.
You seem to consider this to be a feature. To me the absence of an (optional) central server is a bug.
The server-side code in the public repo was not updated between April 20, 2020 and April 6, 2021. The Signal Servers were updated in the meantime. The code that was running on those servers was not Open-Source.
>You clearly haven't read enough about why they chose to implement a payment system and why they chose to create their own.
I've read more than I ever wanted to read about this subject and I still find the arguments for why my privacy friendly messaging service would benefit from being co-mingled with a(soon to be heavily regulated) financial platform entirely unconvincing. Moreover setting aside the goals: the way they went about it, in total secrecy, does not engender trust.
>Unless something has changed recently, telegram absolutely required my phone number. Signal is also working on replacing phone numbers with usernames.
Signal has "been working" on this issue for an awfully long time. A Plethora of Matrix Clients have had this Feature from day 1.
>One can't claim to be a secure encrypted chat app but then not enable it by default.
enabling it (by default) and forcing the user to use this as the only option are completely distinct.
>There is no central server that has all your info and chat history like telegram does.
You seem to consider this to be a feature. To me the absence of an (optional) central server is a bug.
It is the the most important feature in an encrypted messaging client, that the provider cannot see the cleartext of your message content.
Any vendor that claims their product to be 'encrypted', plays this up in marketing and lets its users believe they are communicating confidentially, yet captures 99% of their communications -- it is not a bug, it is malicious.
Any vendor that claims their product to be 'encrypted', plays this up in marketing and lets its users believe they are communicating confidentially, yet captures 99% of their communications -- it is not a bug, it is malicious.
> Why do you lose your history when you switch between android and ios ?
>> Mostly because signal doesn't store your messages. There is no central server that has all your info and chat history like telegram does. It makes this harder
This can be solved by sharing keys between your two devices, or approving your device from another. Element does this. You do not lose history. In any case, this is a solved problem.
>> Mostly because signal doesn't store your messages. There is no central server that has all your info and chat history like telegram does. It makes this harder
This can be solved by sharing keys between your two devices, or approving your device from another. Element does this. You do not lose history. In any case, this is a solved problem.
Or the “NFT derivatives” thing. Idea was interesting but code had bugs that weren’t corrected.
Anything posted anywhere about criticism of Signal is either downvoted or "banned". The entire thread sounded like whining. Most of my contacts have left Signal anyway.
Since there's a double step to remove your number completely, users who have deleted signal from their devices still show up as Signal users. The actual number of active users? No idea.
Telegram meanwhile grows steadily.
Moxie makes several concrete statements about Telegram's privacy or lack thereof. Did you have anything to say about that?
It would mean more if it wasn't coming from a player with a lot of skin in the game.
He is right in his technical concerns, but what I see is that Telegram is used in a different way around here. I and my friends don't use it for 1:1 chats. But for finding public chat groups on topics. For example I joined a public group where people mentioned drops of hard to get video cards. I got my Founder's Edition card for actual RRP because of that, instead of the inflated prices due to the shortages.
It's a bit similar in the way it's not a problem that IRC has no E2E encryption. The channels are meant to be public. Anyone can join them at any time.
I also use telegram for notifications because they're open to bots and you can even add images. So I have my own server notifications coming through there. Nothing sensitive in those. Signal in contrast does not allow any third party app on their network, moxie has said so many times.
I never use Telegram secret chats because they suck. Both parties need to be online at the same time and it can only be used on one device. But I don't view Telegram in the same way as Signal or Whatsapp. There's a place for both.
My real favourite is Matrix though. It does have good E2E encryption and also has good public channels (which don't need encryption). It's also decentralised, you can run your own homeserver with complete history right on your own system. It has bridges to other networks so you can reduce proprietary apps, and it welcomes third party apps. It's the best of all worlds IMO. Signal is still a walled garden even though it's a more private one.
He is right in his technical concerns, but what I see is that Telegram is used in a different way around here. I and my friends don't use it for 1:1 chats. But for finding public chat groups on topics. For example I joined a public group where people mentioned drops of hard to get video cards. I got my Founder's Edition card for actual RRP because of that, instead of the inflated prices due to the shortages.
It's a bit similar in the way it's not a problem that IRC has no E2E encryption. The channels are meant to be public. Anyone can join them at any time.
I also use telegram for notifications because they're open to bots and you can even add images. So I have my own server notifications coming through there. Nothing sensitive in those. Signal in contrast does not allow any third party app on their network, moxie has said so many times.
I never use Telegram secret chats because they suck. Both parties need to be online at the same time and it can only be used on one device. But I don't view Telegram in the same way as Signal or Whatsapp. There's a place for both.
My real favourite is Matrix though. It does have good E2E encryption and also has good public channels (which don't need encryption). It's also decentralised, you can run your own homeserver with complete history right on your own system. It has bridges to other networks so you can reduce proprietary apps, and it welcomes third party apps. It's the best of all worlds IMO. Signal is still a walled garden even though it's a more private one.
The use cases you mention for Telegram are fine, and no one has a problem with that. Moxie's comments aren't about use cases, but the fact that Telegram is called "encrypted". He's saying it shouldn't be sold that way and people shouldn't refer to it that way.
I subscribe to the conspiracy theory that Telegram is actually a plant by a security service (FSB?). The app seems to be constructed in bad faith. Presumably Telegram has the resources to increase their encryption/privacy level, yet they have not done so, so the question "why would anyone knowingly market an app as a private messenger without providing privacy" can only be answered by "because they want the data". And who would want the data of people who think they are communicating privately but are actually not?
I didn’t see any evidence that Telegram’s “secret chats” are vulnerable to snooping.
They are separate from regular chats and not available in the official desktop app, but they are secure.
Signal with their “we trust Intel SGX to be single point of failure” kinda smells like a government honey pot.
They are separate from regular chats and not available in the official desktop app, but they are secure.
Signal with their “we trust Intel SGX to be single point of failure” kinda smells like a government honey pot.
I also don’t see a lot of evidence that they’re bad, but it should be said that this is the wrong standard. I also haven’t seen a lot of convincing evidence that Telegram’s crypto is good (and plenty of past evidence of weird mistakes.) Overall what I’ve learned from examining Telegram’s crypto in the past is that the company does not really value outside expertise and analysis, nor do they make it easy to review their (very strange and non-standard) protocols.
Reviewing crypto is hard when you’re working with an organization that has good engineering practices and minimizes the possible risks. My early examination of Telegram crypto led me to the conclusion that Telegram was not an organization whose approach to crypto engineering is compatible with that standard, so it’s not worth the effort to try to vet their crypto when the company leaves so many weird question marks in their engineering approach. Meanwhile there are products with more professional crypto teams working hard to behave in ways that engender trust: I’d rather devote my limited effort to poking around over there.
I do recall Telegram building a very weird variant of Diffie-Hellman that effectively let the server modify the secret key (and thus conduct MITM attacks.) In fact they did this multiple times in different ways, either by accident or through malice. This happened a long time ago so it’s entirely possible that they’ve cleaned up their act, but it left a bad enough taste in my mouth that I’m afraid to poke around in their crypto and render any opinion. If I look at it and say “looks better now” I’m afraid I’d just be hurting people. Unless the company makes a real effort to bring their crypto engineering up to a higher standard, I won’t feel confident in any of it: there are too many non-standard bits of engineering where dragons might lurk.
Reviewing crypto is hard when you’re working with an organization that has good engineering practices and minimizes the possible risks. My early examination of Telegram crypto led me to the conclusion that Telegram was not an organization whose approach to crypto engineering is compatible with that standard, so it’s not worth the effort to try to vet their crypto when the company leaves so many weird question marks in their engineering approach. Meanwhile there are products with more professional crypto teams working hard to behave in ways that engender trust: I’d rather devote my limited effort to poking around over there.
I do recall Telegram building a very weird variant of Diffie-Hellman that effectively let the server modify the secret key (and thus conduct MITM attacks.) In fact they did this multiple times in different ways, either by accident or through malice. This happened a long time ago so it’s entirely possible that they’ve cleaned up their act, but it left a bad enough taste in my mouth that I’m afraid to poke around in their crypto and render any opinion. If I look at it and say “looks better now” I’m afraid I’d just be hurting people. Unless the company makes a real effort to bring their crypto engineering up to a higher standard, I won’t feel confident in any of it: there are too many non-standard bits of engineering where dragons might lurk.
Why can't Telegram and Signal both be honeypots? They both get your phone number, they both are centralized, they both have dubious security concerns, and they both have got a lot of traction without powerful people going after them.
> Signal with their “we trust Intel SGX to be single point of failure” kinda smells like a government honey pot.
It wouldn't matter if it was. I don't believe it is, but it wouldn't matter. Signals entire design is to NOT trust any server. Messages are encrypted on the device before it's ever sent to signals servers. This is verifiably proven since the code is all open source. Every signal message could be logged and it still wouldn't matter thanks to signals ratcheting algorithm.
It wouldn't matter if it was. I don't believe it is, but it wouldn't matter. Signals entire design is to NOT trust any server. Messages are encrypted on the device before it's ever sent to signals servers. This is verifiably proven since the code is all open source. Every signal message could be logged and it still wouldn't matter thanks to signals ratcheting algorithm.
Not hard to find https://buttondown.email/cryptography-dispatches/archive/cry...
> Signal with their “we trust Intel SGX to be single point of failure” kinda smells like a government honey pot.
Either you’re stupid or deliberately spreading lies.
> Signal with their “we trust Intel SGX to be single point of failure” kinda smells like a government honey pot.
Either you’re stupid or deliberately spreading lies.
[deleted]
There is a certain truth to that “conspiracy” theory.
Moxie obsession with Telegram is odd especially when he blocks anyone just a tat critical about signal. He seems to be unable to deal with any criticism even if constructive.
I don't trust him, sorry.
I don't trust him, sorry.
He is certainly weird in many regards. Does anyone know for example why is his personal site, moxie.org excluded from the Wayback Machine?
“ There is no other significance to these [uploaded] files.”
So sayth my canary.
So sayth my canary.
Why are so many of the comments on this thread not available to downvote?
You can’t downvote a comment that is older than 24 hours.
Oh, I hadn't even realised the article was posted two days ago! Thanks.
The feature is hidden, and old "secret chats" stop working after a while without any indication that messages cannot be delivered anymore. To start a "secret chat" one must access it from a menu entry stashed away in users' profiles. And you can only start writing a secret message when the other side "comes online" for the first time after starting a "secret chat".
All discussions about the technical implementation of e2ee in Telegram aside, this makes e2ee a pain, which is why it is rarely used (by most) if not desparately needed.