63
linuxxx
7y

So today (or a day ago or whatever), Pavel Durov attacked Signal by saying that he wouldn't be surprised if a backdoor would be discovered in Signal because it's partially funded by the US government (or, some part of the us govt).

Let's break down why this is utter bullshit.

First, he wouldn't be surprised if a backdoor would be discovered 'within 5 years from now'.

- Teeny tiny little detail: THE FUCKING APP IS OPEN SOURCE. So yeah sure, go look through the code! Good idea! You might actually learn something from it as your own crypto seems to be broken! (for the record, I never said anything about telegram not being open source as it is)

sources:
http://cryptofails.com/post/...
http://theregister.co.uk/2015/11/...
https://security.stackexchange.com/...

- The server side code is closed (of signal and telegram both). Well, if your app is open source, enrolled with one of the strongest cryptographic protocols in the world and has been audited, then even if the server gets compromised, the hackers are still nowhere.

- Metadata. Signal saves the following and ONLY the following: timestamp of registration, timestamp of the last connection with the server (both rounded to the day so not on the second), your phone number and your contact details (if you authorize it) (only phone numbers) in HASHED (BCrypt I thought?) format.
There have been multiple telegram metadata leaks and it's pretty known that it saves way more than neccesary.

So, before you start judging an app which is open, uses one of the best crypto protocols in the world while you use your own homegrown horribly insecure protocol AND actually tries its best to save the least possible, maybe try to fix your own shit!

*gets ready for heavy criticism*

Comments
  • 15
    Oh and: Pavel Durov == Telegram founder.
  • 5
    @linuxxx wasn't he also founder (or something like that) of VKontakte?

    And, I guess that his opinions are (somewhat) related to how the US government are taking actions against Kaspersky... I mean, yeah, perhaps he's a little butthurt about that (after all, compatriots) and just wanted to "express" that.

    But, I could be wrong... But as my mom says: "think the worst, and you'll be correct" (or, in Spanish: "Piensa mal, y acertarás" - I hope that my translation is correct)
  • 3
    @elcore I just read that. I don't think they understand what PFS means. IT DOESN'T MEAN THAT WHEN YOU HAVE MAAAAAAYBE ENCRYPTED A MESSAGE WITH A KEY A HUNDRED MOTHERFUCKING TIMES, YOU SHOULD GENERATE A NEW ONE. NO. NO. NO. IT FUCKING MEANS YOU GENERATE AN ENTIRE MOTHERFUCKING COCKSUCKING NEW KEY EVERY FUCKING TIME AGAIN FOR EVERY NEW FUCKING MESSAGE.
  • 1
    @araxhiel Yes he is the found of VKontakte! The whole kaspersky thing is bullshit imo but well their software is closed source so also not going to recommend it :P
  • 2
    @linuxxx fair enough 😂
  • 4
    @linuxxx "I might be wrong, but you seem a bit angry about this situation..."

    I'm glad you're here to keep us informed on this kind of news, BTW!
  • 5
    @Jilano A bit is an understatement! Especially since Telegram is very insecure and it's being marketed as a very secure messaging app!

    Thankies 😊
  • 2
    @linuxxx Why is Telegram insecure? I am really interested as I use it as my main app for communication and thought it was secure... I really wanna be informed and I trust your opinion.
  • 3
    It was a pain to get folks on telegram from WhatsApp. Signal is a non starter. WhatsApp has too large market penetration
  • 5
    But does signal have dozens of borderline porn furry stickers? Thats what i thought sticking with telegram.
  • 2
    @balaianu what it comes down to is that telegram uses its own (closed source) cryptographic algorithms which for all intents and purposes have not been audited. And they collect way more info than they should. Where as signal is open source, has been audited many times, and collects very little metadata.
  • 2
    Isn't hashing phone numbers effectively useless since there are so few combinations.
  • 0
    @balaianu All respect but i put sources in my rant for these kind of questions :)
  • 6
    Well security is just one of factor one has to consider. Yes it might be broken, but there are so many other features. And for me it is much more about the useability than about how secure it is. Telegrams features range from managing large groups to bots for checking train connections etc. Also there are channels which you can subscribe to for your daily news and a lot more stuff i can't even mention here. WhatsApp, Telegrams main contender (in Germany) is pretty useless for me. As an example: I recently configured a new phone for my friend and wanted to port the chat history from his old one, which used another operating system, to his new android phone and there is just no way to do that, which imo really sucks. WhatsApp has no bots, poorly executed backups, no API, no usernames, etc. It really is about features and usability for me and i cant use WhatsApp for my daily life and as someone else already said: Converting to a new messenger is hard, so i'll stick with Telegram (for now)
  • 1
    @Archsharp finally some that understands how the world works. I have to give up all my commodity and usability just for a blank app that no one uses. NO!
  • 4
    @balaianu It's secure enough as long as you trust the company behind it. It uses reasonable transport encryption (TLS, nothing special), but their e2e encryption is garbage.

    However they store all messages (except for the e2e encrypted ones) distributed over multiple servers in multiple countries, in such a manner, that you need access to more than one server to decipher a single message.

    It all boils down to the server owner having full potential access to the messages, but okayish security against external attackers.

    In my opinion, Telegram is reasonably secure against mass surveillance, but not necessarily against targeted surveillance from potent actors (like secret services).
  • 0
    @gitlab Thank you, I didn't know that.
    But it's still better than WhatsApp :p
  • 2
    @gitlab Over the last yeas or thow I convinced most of my non dev friends to move from WhatsApp to Telegram... So moving them to Signal will not go so smooth rignt now :))
  • 0
  • 2
    @elcore I totally respect this - although in this case it should be mentioned that there are good reasons to trust the developers of telegram more than many other companies :
    1. They give very clear statements about what they want to do with your data: nothing. Usually, companies who want to use them for profit will remain vague in that regard.
    2. Telegram is financed by donations - there is no commercial interest behind it.

    Of course it's still better to trust in technology than intentions of people - but the aforementioned reasons suffice for me to use Telegram for day-to-day conversations.

    For anything more critical I use either Signal or XMPP (usually the app Conversations).
Add Comment