by m12k 1988 days ago
Does anyone have any inside info on this? If we don't assume malice, what is the reason Telegram is rolling its own non-standard crypto like this? Were there no widely publicized E2E protocols that would fit the bill at the time Telegram was being developed? (i.e. was it started before Signal had become known, or does that protocol have limitations that Telegram found unacceptable?) Or did the team have someone in charge with a bit of not-invented-here-syndrome that was just gung-ho on rolling their own no matter what? (wouldn't be the first time something like that has happened). And has any effort been made to validate the protocol, despite being a bit weird, so we might eventually trust it as much as Signal?

If I remember correctly, Telegram pre-dates Signal by several months. It was well-established by the time Signal became usable. This said, the relationship between Telegram and the cryptography community has always been rocky, probably because they touted their E2E support as a differentiator from the start (WhatsApp, Messenger, and whatever-Google-had were not e2e at the time) but quite a few people pointed out their implementation was weird and broken (it has since changed).
I think Textsecure[1], the predecessor of Signal, is even older (2010)

And Wikipedia also says that the first version of the Signal Protocol is from 2013[2]

[1] https://en.wikipedia.org/wiki/TextSecure

[2] https://en.wikipedia.org/wiki/Signal_Protocol

So Telegram launched about a month earlier, but the people behind Signal had released prior art earlier, and merely the protocol a few months later, but the Signal app didn't come out until 2015 according to Wikipedia.
They indeed were one of the first if not the first to come out with a messaging app that can e2e encrypt your chat. This was a time when WhatsApp was found using a plaintext protocol, and right after the Snowden revelations. They did move the needle a bit at the right time.

One of the most vocal critics was Moxie, who later founded Signal. It's ironic that 7 years after Snowden and Telegram, Signal, the supposedly more secure and privacy-focused messaging app, still has yet to gain any sizable foothold in the market. I think that says a lot about both Telegram and Signal's product strategies.

The Signal protocol is used in WhatsApp, and will be rolled out as a part of Google's latest RCS effort. Signal maybe didn't catch on, but Moxie's goal of making communications encrypted seems to have worked out all right.
>They indeed were one of the first if not the first to come out with a messaging app that can e2e encrypt your chat.

Off The Record showed up in 2004 and was used over multiple instant messaging systems. OpenPGP was used over various IM systems before that...

SCIMP also predates Telegram by several months https://web.archive.org/web/20150402122917/https://silentcir...
Well, if you go that far lol. I remember OTR on Pidgin and Adium back in the days. Not sure I'd consider these third party tacked on solutions e2ee messaging app that can e2e encrypt your chat. OpenPGP doesn't come with email and OTR doesn't come with GTalk.
OTR did come with other apps. OpenPGP was a documented XMPP extension.
TextSecure (essentially the old name for Signal) is 3 years older (2010 vs. 2013), isn't it?
The timeline seems to suggest e2e had always been at the heart of the protocol, but I'm not sure if TextSecure and RedPhone were actually apps that people could install after Whisper Systems was acquired by Twitter. Regardless, instant messaging doesn't seem to have been introduced until 2014. Tough call.

https://en.wikipedia.org/wiki/TextSecure#/media/File:Signal_...

TextSecure was available from Google Play for years, I've used it since release. The transformation to Signal was pretty seamless.
No amount of effort to validate their protocol will make Telegram trustworthy. Telegram does not encrypt most conversations, you cannot compare it to Signal.

In regards to actually validating the protocol, the OP addresses this

>The current consensus seems to be that the latest version is not broken in known ways that are severe or relevant enough to affect end users, assuming the implementation is correct. That is about as safe as leaving exposed wires around your house because they are either not live or placed high enough that no one should touch them.

> Telegram does not encrypt most conversations, you cannot compare it to Signal.

I wish people would stop repeating this nonsense. Just because they don't do end-to-end encryption by default doesn't mean they don't encrypt, which implies messages are sent in plaintext.

There are plenty of reasons why they did what they did, and these questions are all available publicly in their FAQ or the founder's Telegram channel. Whether you agree with the trade-off or their explanations is up to you, but facts are facts.

Do you really consider it an "encrypted conversation" if you just do TLS to a central server that has everything in plaintext? Is Facebook Messaging encrypted messaging? Because that's the kind of thing we already had before this wave of apps and Telegram is marketed within this new wave but doesn't have any more security than what the previous wave already had, even if you trust their homegrown protocol.
Edit, first things first:

> Is Facebook Messaging encrypted messaging?

Facebook messaging is not "encrypted messaging" AFAIK.

But if you say it sends the messages unencrypted like people claim Telegram does I will probably point out that you are wrong even if I don't like Facebook at all.

end Edit.

--------

Tell me then: If you call point-to-point-encrypted "unencrypted", what do you call the old WhatsApp protocol from before Moxie helped them, which actually sent messages unencrypted? [1]

What do you call the files that WhatsApp stores on my phone (messages.db or something) that I can transfer to my computer and open without any tooling besides a zip tool and SQLite?

Unencrypted -- ?

Even more unencrypted?

There is a reason why we keep repeating our plea to differentiate between unencrypted, point-to-point-encrypted and end-to-end-encrypted and it is not because we adore all of Telegram's decisions, at least not for all of us.

It is because precision often matters in engineering and I think especially for security work.

[1]: Irony over irony, I used to love them back then. I knew fixing the crypto part would be doable and they were such a nice company with such a nice business model which aligned so nicely with our interests as users.

> Unencrypted

Yes?

Sending plaintext in a secure transport is not what they do either. They do have e2e encrypted secret chat on day one, and the ends are bound to the devices, so even if you login from your desktop app, you won't see the secret chats on your phone, unlike Signal.

Seriously, please educate yourself first.

> They do have e2e encrypted secret chat on day one

I was specifically replying to your complaint that non-E2E encrypted chats should not be called unencrypted because they had encryption in transit to the server. You're now shifting the conversation back to the E2E encryption they do have.

Non-E2E encrypted chats should not be called unencrypted because they had encryption in transit to the server.

The contradiction is right there in the sentence.

Yes, they have opt-in e2e secret chats.

Oh, except the Windows and Linux clients don’t even support those.