Comment by tptacek
11 hours ago
Reminder that Telegram has "end to end" encryption only for direct messages; the rest is client-server, which they seem to believe is just as good as end-to-end.
11 hours ago
Reminder that Telegram has "end to end" encryption only for direct messages; the rest is client-server, which they seem to believe is just as good as end-to-end.
*for direct messages in secret chats, which you have to enable explicitly and which reduces user expericence in comparison to normal chats.
*only on non-GNU/Linux systems.
You've said this a lot in this thread, but my client on Arch seems to have secret chats.
https://i.imgur.com/Pft8r3B.png
4 replies →
client-server is good enough, if you trust the server.
If you don't trust the server, then you shouldn't trust them to supply you a client either. Since a client is basically "whatever code they decided".
Very few people are building from FOSS, and those that do will include binary blobs too. It's theatre.
There are basically zero practicing cryptography engineers who would agree with the logic you've used here, but I acknowledge this is also someting Durov believes.
I know it's trite to bring in logical fallacies, but you're hinging a response on an appeal to authority without tackling the logic head on. Worse so, you're also engaging in a bit of hyperbole.
E2EE provides strong theoretical guarantee's, but not so if the client is under the network providers control. Governments have already pressured companies to alter clients (Australia's "Assistance and Access Act" allows compelling backdoors in software).
If you don't trust the operator, it's irrational to trust the client they supply, they can do anything before E2EE even kicks in.
I'm not saying E2EE is useless technology, it's just useless in cases where the provider and the network are the same thing. You are gaining very little over TLS in those cases. You can configure "self-deleting" messages if you're worried about other clients logging in.
Regardless, most reasonable security researches I know are actually more concerned with supply chain attacks than ensuring E2EE everywhere, which is precisely what I'm arguing.
10 replies →
Isn't the point of a protocol that you can bring your own, trusted clients?
Aren't there other telegram clients?
Yep. Lots.
* Plus Messenger (Google Play)
* Nicegram (App Store/Google Play)
* Nekogram (via TG channel or GitHub)
* Neko X (f-droid)
* Forkgram (f-droid)
* Mercurrygram (f-droid)
* AyuGram (both Desktop & Mobile)
* 64Gram (Desktop/GitHub)
* Kotatogram (Desktop/GitHub)
everything listed here: https://telegram.org/apps
and a bunch more that I don’t remember off the top of my gead
It's weird that you can delete a message for you and for the other person too.
I doubt client-server is the only way to accomplish this.