Slashdot Mirror


Why You Should Stop Using Telegram Right Now (gizmodo.com)

Earlier this week, The Intercept evaluated the best instant messaging clients from the privacy standpoint. The list included Facebook's WhatsApp, Google's Allo, and Signal -- three apps that employ end-to-end encryption. One popular name that was missing from the list was Telegram. A report on Gizmodo sheds further light on the matter, adding that Telegram is riddled with a wide range of security issues, and "doesn't live up to its proclamations as a safe and secure messaging application." Citing many security experts, the report states:

One major problem Telegram has is that it doesn't encrypt chats by default, something the FBI has advocated for. "There are many Telegram users who think they are communicating in an encrypted way, when they're not because they don't realize that they have to turn on an additional setting," Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union, told Gizmodo. "Telegram has delivered everything that the government wants. Would I prefer that they used a method of encryption that followed industry best practices like WhatsApp and Signal? Certainly. But, if it's not turned on by default, it doesn't matter."

The other issue that security experts have taken note of is that Telegram employs its own encryption, which according to them, "is widely considered to be a fatal flaw when developing encrypted messaging apps." The report adds:

"They use the MTproto protocol which is effectively homegrown and I've seen no proper proofs of its security," Alan Woodward, professor at the University of Surrey told Gizmodo. Woodward criticized Telegram for their lack of transparency regarding their home cooked encryption protocol. "At present we don't know enough to know if it's secure or insecure. That's the trouble with security by obscurity. It's usual for cryptographers to reveal the algorithms completely, but here we are in the dark. Unless you have considerable experience, you shouldn't write your own crypto. No one really understands why they did that."

The list goes on and on.

9 of 68 comments

  1. It should be obvious... by __aaclcg7560 · · Score: 5, Funny

    The railroads are still here. Shouldn't be surprising that telegrams are still around almost two centuries later.

    https://en.wikipedia.org/wiki/Telegraph

    1. Re: It should be obvious... by __aaclcg7560 · · Score: 2, Interesting

      Nice try OP, your comment was straight garbage.

      I never post as AC. I don't have a problem standing behind my opinions. Unlike some people.

  2. Why I *do* use Telegram by NotInHere · · Score: 4, Interesting

    It's the only messenger that:

    1. can be used without gapps spyware
    2. is halfway popular
    3. has the source code released under an open source license
    4. has authors who tolerate third party clients connecting to their server. This is not the case for WhatsApp, and also not the case for Signal

    Thanks to 1 and 3, Telegram is available in the F-Droid app store. This is why I use it, and I don't want to install software from third party stores like Google Play or sideload apps.

    Yes, the encryption is not perfect, but I prefer that over having to install Google spyware that would be required for Signal for example.

    1. Re: Why I *do* use Telegram by amiga3D · · Score: 3, Insightful

      It's not paranoia if they really are out to get you.

    2. Re: Why I *do* use Telegram by johanw · · Score: 5, Informative

      You could always use Silence (https://github.com/SilenceIM/Silence): it is a fork of Signal that uses only SMS/MMS, so no gapps required or used. They forked after Signal dropped the encrypted SMS option.

    3. Re:Why I *do* use Telegram by maztuhblastah · · Score: 2

      You mean aside from Silence, which

      1) Is entirely open source.

      2) Is based on SMS, not IP (plus or minus, depending on whether you view SMS as being the more universally-available transport in your area)

      3) Does not have a central server.

      4) Supports easy, in-person key exchange.

      5) Requires no Google anything, and is the default messaging app for several Android spins that have no Google integration.

    4. Re:Why I *do* use Telegram by derrickoswald · · Score: 2

      Is it just me or does anyone else view the timing between these reports and Google I/O a month ago launching Allo a little suspicious?

      Alphabet marketing person: "Yeah, it would be good in the timeline if there was a review the month after I/O, to legitimize Allo as one of the major players in the messaging App space."
      Intercept editor: "The optics wouldn't be good if it was just a review of one App. We could do a comparison of the 'top ten' Apps."
      Alphabet: "Make it the 'top three'."
      Intercept: "We would have to have the review about security then, otherwise we couldn't legitimately include Allo."
      Gizmodo editor: "We could follow up with articles about the ones excluded, like FB Messenger and Telegram."

  3. Re:Security by obscurity is fine by NotInHere · · Score: 5, Informative

    Also, it does not at all apply here. Telegram not only publishes documentation of how their protocol works, but it also releases the full source code: https://telegram.org/apps#sour...

    So even if the mtproto documentation had a flaw or were not precise enough to fully specify the behaviour (and that often happens!), you could still look into the source code to find out what actually happens.

  4. Better headline by dbIII · · Score: 5, Funny

    Why You Should STOP Using Telegram Right Now STOP