[ConsiderCrying]

Can we stop using 6-year-old info for apps that get updated monthly? The problems they have with MTProto have been patched literally 5 years ago, the only other criticism comes from a direct competitor, and they recommend WhatsApp despite the fact that it's closed-source and nobody can verify if its encryption truly works.

Facebook is planning to merge Messenger, WhatsApp and Instagram, which makes it even more awful of a choice.

[heinrich5991]

Telegram still doesn't encrypt chats end to end (by default¹), which means it's not a strictly superior choice to WhatsApp.

Facebook can't read your WhatsApp messages (of course they can add an update any time to do that), but Telegram has access to all your messages right now.

¹ Yes, you can select the end-to-end encrypted sessions, but they're very crippled from a usability perspective. I don't remember the last time anyone used it with me, yet all my chats on WhatsApp are end-to-end encrypted without anyone doing anything.

[ConsiderCrying]

> Facebook can't read your WhatsApp messages

Are we sure it can't? Because WhatsApp is closed-source, its GDrive backups are unencrypted and Facebook's whole profit model is based around snooping. Unless they make the app open-source, I'm not trusting them even with a grocery list. People act like E2E is the be-all and end-all but trusting an incredibly shady company on its word is not something I'm comfortable with.

[heinrich5991]

Yes, people are reverse engineering the app. You can check the discussions on HackerNews when security of WhatsApp is discussed.

GDrive backups are not readable by Facebook, they're readable by Google. End-to-end, if properly implemented is the be-all and end-all. Except for metadata, which is a problem, but a different one, and Facebook definitely abuses that. But they don't/can't read the contents of chat messages (for now).

It's not merely trusting that shady company, but also realizing that the news of FB not having E2E-encrypted messages would definitely make the news, you'd be aware of it.

[shawnz]

> It's not merely trusting that shady company, but also realizing that the news of FB not having E2E-encrypted messages would definitely make the news, you'd be aware of it.

Right.. consider what your adversary would be giving up by revealing such a secret, even if it was true. That alone provides a not-insubstantial amount of security.

[baybal2]

> > Facebook can't read your WhatsApp messages

> Are we sure it can't?

Google can remotely uninstall, and install a trojaned version of any app regardless of app signature on an official Android distribution.

[maqp]

"Are we sure it can't?"

No, there's a 1..2% chance of backdoor.

The real question is, why is Telegram more secure? There's a 100% chance it can read your group messages, because it says so on their documentation that describes the cloud encryption. There is no E2EE at all for groups. There is no E2EE at all for desktop. Together these mean E2EE are completely neutered and useless. I'm a privacy researcher and I don't use them at all. Why would an average joe?

[shawnz]

Open source is not the be-all end-all of security either. Closed source apps can still be audited (with increased difficulty), and open source apps might still be impractical to audit even though they are open source.

[maqp]

Nobody's claimed that. Open source is not panacea for verifiable security, it is however a requirement of it.

[shawnz]

No, it is not necessary _or_ sufficient. That is what I'm saying. You can audit a closed-source app, and there also might be open-source apps which are impractical to audit despite them being open source.

[maqp]

If you have your closed-source app audited, everyone needs to trust the audit company. And I've seen some shit audits in my life that told absolutely nothing about the actual security.

Open source means anyone can audit and verify nothing was done after audit.

Moxie more or less audited WhatsApp's Signal protocol implementation, and people are right to be concerned about whether changes have been made since FB bought the app.

[newscracker]

> Facebook can't read your WhatsApp messages

Facebook does get your WhatsApp communication metadata, and has been for years now. As the three letter agencies showed, metadata is actually quite valuable in many respects without needing to trawl through massive amounts of content.

[Mediterraneo10]

Can’t Facebook read most people’s WhatsApp messages because cloud backups of chats are enabled by default, and only the tiny minority of users who disable that feature will get truly end-to-end encryption?

[heinrich5991]

No, that's not true as far as I'm aware. The backup is to Google, not Facebook.

[saagarjha]

I don't see the problem of using a hand-rolled encryption algorithm or the strange choices that went into that algorithm as "patched literally 5 years ago".

[maqp]

"Can we stop using 6-year-old info for apps that get updated monthly?"

The fact Telegram's E2EE has not been available

1. by default

2. on desktop apps

3. for group messages

for seven years tells you exactly how secure it is.

"the only other criticism comes from a direct competitor"

Fuck this attitude. Everyone has the right to criticize. If Telegram can't own their mistakes it's their fault, not that of the people who are beating them. Also, impartial professional cryptographers like Bruce Schneier and Matthew Green have told people not to use Telegram. Why is that if not because it's so horribly insecure. Why isn't there a single recommendation for Telegram from ANY cryptographer on the entire planet?

"they recommend WhatsApp despite the fact that it's closed-source and nobody can verify if its encryption truly works."

Because they've helped implement the encryption? Also if proprietary tools doing encryption are not secure, then why do Telegram users think it's ok for Telegram to use closed-source server that's doing the "distributed datacenter encryption" for group messages' at-rest protection. There's not even documentation available for this let alone source code.

[AsyncAwait]

> The problems they have with MTProto have been patched literally 5 years ag

Really? I haven't seen a single credible audit, nor a clear reason for rolling their own

[input_sh]

Fair point, but from my perspective, even if it was absolutely the best end-to-end encryption there is, it wouldn't mean much unless everyone's using Telegram for 1-to-1 communication using Secret Chats feature.

> Some of its channels helped unconnected, scattered rallies mature into well-coordinated action.

This line alone makes their encryption rather meaningless for this use case, since Secret Chats only work between two people.

[skyyler]

Which is why I'm confused people are even talking about their encryption in this thread.

This has nothing to do with secure chats and everything to do with Telegram's Channels feature. But a ton of people that have never used Telegram nor read the article don't know that.

[sam_lowry_]

And proxies. Telegram has great proxy support and virtually anyone can install their own MTProxy in 5 min.

A multitude of proxies, shadow optic cables over the border and a bit of whitelisting from the government to allow payment processing made Telegram invincible.

[maqp]

Where is their MTProxy tutorial?

[sam_lowry_]

https://github.com/TelegramMessenger/MTProxy