| I think me and you agree to a large degree :-) > Firstly, there is no proof of this happening. I've been looking for the documentation and/or source code for this for more than five years now, and it's never been published. I haven't found anything more either. See also below. > Secondly, even IF it was happening, the server that strips the in-transit encryption has access to the plaintext, and can copy the message to anywhere it damn pleases. It can write it to "plaintext-messages.txt" for all it cares, that's like two lines of Python in the backend. Theoretically, couldn't the client send the message to one server and the keys to a different set of servers? Clients would request the encrypted messages from one server and the keys from another? It is still not nearly as good security as proper E2E-encryption but should still be possible to set up so that a single rogue sysadmin cannot get hold of messages. > Also, the servers creating database entries must by definition have the full database encryption key in its RAM, from where privileged processes can exfiltrate it (computer organization 101).
The thing is, there isn't technology out there that allows Telegram to do what it claims as securely as it claims. If they are indeed innovating on this, why aren't they publishing their research and proving their worth? See above. As long as they don't do serverside search or anything this should be possible? > "they seem remarkable competent at certain aspects of what they do"
Yeah, you can be great at UX design and shitty at cryptography. That's perfectly fine. Definitely. As mentioned before I prefer Signal. I actually like your answer. We need more of these answers and less: - X is definitely in the pocket of FSB. - E2E or nothing! - Use WhatsApp or nothing! Hey, even tptacek went as far as admitting this at some point: https://news.ycombinator.com/item?id=22371316 |
That would imply client-side encrypted cloud backups, with external key management which isn't the case in Telegram, if it were it could be shown from client-side code. Also, even if that would be the case, it would just need combining key and ciphertext in once place which is again the weak link.
Also, there's no way the search would work as fast as it does now if key /ciphertexts would have to be transported via servers, and finally, since it's a single server that can request data (I have checked the destination IPs), anything of the sort is not happening.
"should still be possible to set up so that a single rogue sysadmin cannot get hold of messages."
I'm afraid that's not possible. When the message arrives to server and the outer layer that is in-transit encryption is stripped, what must remain is the plaintext message, or a message that the server can not decrypt. Such technology already exists, it's called end-to-end encryption. If there was a simpler way to protect from malicious servers, there wouldn't be a need for E2EE communication ;)
"See above. As long as they don't do serverside search or anything this should be possible?"
So no that wouldn't work in practice. Proper cryptographic design in secure messaging apps doesn't distinguish between entities on server who have access to keys. "Jack has one part of the key and Jill has another, but they will never collude or get hacked at the same time" is very bad security rationale.
"- X is definitely in the pocket of FSB."
Well, the problem here is, if the scenario is this "Telegram is secretly in the pocket of the FSB and they're giving access to every message on their server" I can't say "No way, it's all end-to-end encrypted they have nothing to give". I can say that for Signal, however, so I'd rather recommend it instead, and actually, because I can't say Telegram definitely isn't in the pocket of FSB, I don't think it should be used. I hope you understand this requirement of verifiability. If Telegram really wanted to lock themselves from user data, the would've implemented E2EE from the get go.
"E2E or nothing!"
Not sure what to make of this, I haven't heard anyone claim no encryption is better than weaker encryption. But wrt. message confidentiality, since there is no difference when it comes to service provider obtaining the plaintext copy, it's hard to not say "don't use it if it's not E2EE".
"- Use WhatsApp or nothing!"
Another complex problem that boils down to trusting WA has not changed source code after Moxie helped implement Signal Protocol. Like I said earlier, there's maybe a 1..2% chance of backdoor that allows WA to snoop on it's E2EE. So if for some reason one would have to compare these particular ones (IRL this is what we'd call a false dilemma), I'd say
1. Telegram secret messages for one-on-one chats 2. WhatsApp group messages 3. Telegram group messages
WhatsApp may have 1..2% chance of backdoor, but with Telegram I know there's a front door with 100% probability.
If we forget the false dilemma, suddenly Signal solves all of our woes wrt. cross-platform private one-on-one chats and group chats.
"Hey, even tptacek went as far as admitting this at some point:"
Let's not put his words "almost literally any secure messenger is better than email."
Firstly, that assumes he considers Telegram a secure messenger. Secondly, encrypted email has serious problems with deniability (which we'll ignore this time) and forward secrecy: in those respects Telegram's E2EE is better, sure, but E2EE email for group chats (Assuming the client knows how to reply individually to all, and to use each individual's PGP key to protect it) is again more private than Telegram's group chats.