[dsacco]

> In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure. An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all.

I'm going to be honest, moxie. I'm a big fan of your work, and I basically agree with everything you've stated here as someone who works in the security industry. I don't particularly like Telegram, and I encourage use of Signal where possible. Just last week I was defending Signal on HN[1].

However, I think you shouldn't be bringing up Telegram here. The article does not mention Telegram by name, and I think that bringing it up here, as one of the developers of the Signal Protocol, distracts from your point. Holy war threads between Signal and Telegram bubble up on occasion on Hacker News, and people are basically aware of who you are. As an outside observer, bringing up Telegram in the way you did comes across as preternaturally defensive whataboutism.

I think you could have expressed your points about the security industry's disincentives (which are legitimate observations, in my opinion) without using Telegram as an example. But bringing up Telegram instantly shifts the focus away from Whatsapp, Signal and latent problems in the security industry; instead, it becomes the usual Signal vs Telegram circus. I don't think that's a particularly persuasive way to forward your points.

To reiterate: I agree with what you're saying, but I think that it's very likely your comment will be perceived in a way that you don't intend, to the detriment of persuasion.

___________________________

1. https://news.ycombinator.com/item?id=16064932

[hiq]

> I think you shouldn't be bringing up Telegram here. The article does not mention Telegram by name, and I think that bringing it up here, as one of the developers of the Signal Protocol, distracts from your point.

He quickly dismissed the idea that this vulnerability is a real one, and explained why. In the end it looks like a minor issue, blown out of proportion by this article.

The problem is precisely that this article does not mention Telegram even though it is in direct competition with Signal. If I didn't know better, I would assume from the article (and the paper) that Telegram is not subject to this vulnerability, and is probably "still" secure (if I thought it was before). Moxie addresses the issue, so this is not whataboutism; he just hints at what the article should have mentioned, that experts have been recommending Signal (and, after it, WhatsApp) over Telegram for ages, and that even though this recommendation could now take a hit, it probably won't budge with a vulnerability that small.

> Holy war threads between Signal and Telegram

"vim vs emacs" is a holy war; the fact that Signal is more secure than Telegram is not, when there is a consensus among experts about the question. IMHO, calling it such is misleading.

[temp-dude-87844]

There's a fine line between being outspoken [1] about one's concerns, and hammering the same points that every opportunity. Telegram's marketing is heavy with weasel words that multiple people -- journalists, tech experts, crypto experts -- have called on probably being empty posturing, and their implementation shrouded in opacity in the exact ways it shouldn't. No one except laypeople believe Telegram clears the bar set by Signal, Matrix, or any of the systems OWS consulted on, but there are lots of laypeople: millions of them.

When you're in the industry, especially a leading innovator in the industry, it's infuriating to see an inferior product being recommended, one that you can credibly suspect doesn't even deliver on the promises, but in your attempts to discredit that product you'll sometimes come off as a crusading zealot, to the detriment of other content you've packaged with your commentary.

There was little need to call out Telegram in the post by name, because it does instantly re-frame the conversation, and in a forum some of the conversation will continue down the new path, as it does now. That's a mistake in this format, and it does come off as a defensive misdirect made in the heat of argument. A place to reinvigorate this criticism in light of the new revelations is one's own personal -- or even professional -- blog, where you can start off on the high ground.

[1] https://hn.algolia.com/?query=by:moxie%20telegram&sort=byDat...

[raquo]

I don't think the link you posted helps your case that Moxie is "hammering the same points that every opportunity". The link shows that he mentions Telegram only a few times a year, often in response to a telegram-specific article, and the last time before this one being two years ago.

Maybe it would seem that way for someone who's religiously following what Moxie says, but that's sort of like complaining of hearing "you should charge more" too often if you're religiously following patio11.

I also think he made a valid point in his most recent post, and mentioning Telegram added valuable context to his argument.

[dsacco]

> "vim vs emacs" is a holy war; the fact that Signal is more secure than Telegram is not, when there is a consensus among experts about the question. IMHO, calling it such is misleading.

A holy war is determined by its propensity to raise "debates of attrition" in which both sides are so unyielding they may as well be (and sometimes are) ideological. Whether or not one side has a legitimate claim to superiority over the other is entirely orthogonal; such a debate is "holy" in nature because even if that superiority existed and was demonstrated, it would not be accepted. You cannot use reasoned expertise to decompose ideological adherence.

With respect to your other point:

> The problem is precisely that this article does not mention Telegram even though it is in direct competition with Signal. If I didn't know better, I would assume from the article (and the paper) that Telegram is not subject to this vulnerability, and is probably "still" secure (if I thought it was before). Moxie addresses the issue, so this is not whataboutism; he just hints at what the article should have mentioned, that experts have been recommending Signal (and, after it, WhatsApp) over Telegram for ages, and that even though this recommendation could now take a hit, it probably won't budge with a vulnerability that small.

I would have accepted this explanation, which is far more nuanced in presentation than the one we're discussing. You added all the context that would have safely negotiated those waters; but as stated, the comment does not achieve this purpose, in my opinion.