
Comment by supermatou

11 hours ago

Excellent article about Telegram's encryption from Matt Green (cryptographer, for those who haven't heard of him):

https://blog.cryptographyengineering.com/2024/08/25/telegram...

I was gonna post "why do people keep calling it 'encrypted' if the encryption is not on by default?" It has always seemed odd to me that it is put into the same category as WhatsApp and Signal (which even those are a bit weird to compare).

What confuses me more is how passionate people are about Telegram. Weirdly, I see those posts degrade into Signal vs Telegram and it really feels like apples and oranges, but very one-sided. I get that Telegram is more feature-rich, and that's a good argument, but it feels weird that many argue it is also more secure. Some of those arguments even appear in the thread r721 linked.

  • I like Telegram because it gets my friends & family to not do everything in SMS or iMessage. If I'm the only one using it, what's the point after all? Feature-wise, the app is nice to use, and one I can use on all platforms, even Linux.

    Since it has a public API, I can easily make a custom frontend if I ever want to. Most social media does not offer this or tries to lock you into their shitty ecosystem.

    I basically just treat it as unencrypted, but the pretend encryption features at least put the company in a position where blatantly selling data would be a liability. In this respect, I place it on the same level as WhatsApp. Because even if WhatsApp has solid encryption, all it takes is one forced update from Meta to undo all that. They are like the inverse of each other.

    My uncle is the only one I know who refused to use Telegram, insisting Signal was better and because he didn't want to use something with vague connections to Russia. Yet even he did not actually use Signal, and simply insisted if we should all switch to something it's either that or he sticks to SMS. So well, when I couldn't sell Signal to anyone else, Telegram it is, sorry uncle, but Verizon is pretty transparent about how they sell all my data.

    • > vague connections to Russia

      Vague only if you don't follow the news. Telegram added "third-party verification" [1] around January 2025, which conveniently and accidentally coincided with the time when Russian authorities made it mandatory to register social network channels having more than 10K subscribers (I was secretly hoping Telegram would instead hide the subscriber count). Such channels are required to add a government bot with high privileges for verification. Note that the announcement for 3P verification doesn't mention Russia at all and contains some unrealistic examples instead, like a fictional game "Great Theft Starship" channel verified by "Bug-free Agency". Who on Earth would need that?

      But to be fair, the Western companies are the same: once the government hinted they needed more control, the companies rushed to introduce face-based "age verification", which allows identification. I would rather use some other body part for this.

      [1] https://telegram.org/verify#third-party-verification

    • > Since it has a public API, I can easily make a custom frontend if I ever want to.

      Note that you need to get an API key for that, and there are additional conditions for getting it (for example, you cannot remove ads in your version, you cannot remove Instagram-like "stories", and so on).

I think he is professionally called Matthew Green.

I have known about him for at least 3 decades, as I have read almost all of his published works.