← Back to context

Comment by orbital-decay

3 years ago

Drug gangs widely use XMPP as a secure communication channel in combination with Tor. Hydra (the darknet market) has been taken down by German police in 2022 after trying to extend their "service" to the EU; something similar might or might not have happened here.

[flagged]

  • I'd like to add that MTProto is impossible to MITM because there are no trusted third parties. The handshake that happens before the user logs into their account includes a step with RSA. The public keys for that step are hardcoded into clients.

    To anyone who wants to complain about Telegram not encrypting chats by default and using "homebrew crypto" I'd like to say that it's XMPP we're discussing here. Telegram offers marginally better security than XMPP over TLS. The "homebrew crypto" is still not broken in 10 years and not for the lack of trying.

    • > Telegram offers marginally better security than XMPP over TLS.

      I think you should compare apples to apples, that is, end-to-end encrypted XMPP using OTR/OMEMO/PGP. However, I agree that many XMPP clients were UX disaster when using E2E.

      3 replies →

    • > The public keys for that step are hardcoded into clients.

      Yeah, and the private keys are shared with Roskompozor.

  • The same Telegram that leaks your IP?

    https://techcrunch.com/2023/10/19/telegram-is-still-leaking-...

    • > The popular messaging app Telegram can leak your IP address if you simply add a hacker to your contacts and accept a phone call from them.

      Peer-to-peer communication reveals people's IP addresses to each other, what a sensational revelation! By the way, water is wet.

      6 replies →

  • Has Telegram been audited? Does it encrypt by default?

    • Did audit help Let's Encrypt to prevent issuing fake certificates? Such audit is useless. SSL infrastructure security is in a much worse state than Telegram's yet nobody seems to notice it. If any large ISP can issue fake certificates by doing MitM then this system is compromised completely. What's the point of having SSL if basically anyone can MitM it?

      To be honest, Telegram using homemade crypto instead of relying on standard approaches like CA certs turned out to be good solution in the end. Apps should stop trusting CA and should hardcode public certificates instead.

      1 reply →

  • Telegram? Not Signal or Matrix?

    • Signal has massive usability issues: requires a phone number, requires a primary Android or iOS devices, can’t register multiple Android or iOS devices, requires Google Play services for notifications unless you get the APK which drains your battery (a fork, Molly, no supports UnifiedPush tho).

      3 replies →