by tptacek 2129 days ago
Signal Protocol won the Levchin Prize at Real World Crypto, which was awarded by a panel of several of the most renowned academic cryptographers in the field (including Dan Boneh and Kenny Paterson). Other winners include Bellare, Krawczyk, and Joan Daemen. The protocol has been extensively analyzed and is the current gold standard for messaging encryption.

Telegram's protocol... is not that.


This. It's not the Durov brothers who are moving the field of secure messaging onwards, or talking at conferences. They're complete amateurs surrounded by fanboys who don't understand the very basics of the field, and who think copy-pasting from https://tsf.telegram.org/manuals/e2ee-simple makes them useful as opposed to spreading propaganda.
But the standard we should apply to secure chat protocols isn't how many awards it won, but whether it's watertight. Obviously winning a prestigious prize means it's watertight, but the converse doesn't follow. A protocol can be safe for practical use without winning any prizes.
It can, but given Telegram's history and professional cryptographers like Schneier[1] and Green[2] saying DO NOT USE IT, it's obvious it's _anything_ but watertight.

[1] https://www.schneier.com/blog/archives/2016/06/comparing_mes...

[2] https://twitter.com/matthew_d_green/status/72642891296898252...

Both four years old. Did they not improve since?
No. Still not E2EE by default, still no E2EE for groups, still no E2EE for desktop clients. Why do you want to imagine Telegram magically got better when it's so obvious it didn't?
Because they “magically” updated and improved tons of stuff in the last four years. So I think it’s not unreasonable to consider whether their encryption improved too.

But yes, not having encryption on by default speaks poorly of them. OTOH it’s not concrete proof that the encryption still sucks as of now.

Don't get me wrong, I'm not saying the E2EE encryption itself is flawed. I'm saying it's not being used at all by default. And I'm saying it's not possible to use it for groups or desktop clients. That's _the_ travesty, and the proof that this is the state of things is so obvious people don't realize how serious it is. And my concern is that will lead to a tragedy.
Of course not. You have to first admit you have a problem to be able to improve.
Does this comment have anything to do with the question I was responding to?
No, and obviously it doesn't have to, because I'm replying to you. You hint at Telegram's protocol being inferior based on the number of awards it won, a heuristic that isn't too relevant in practice.