Because telegram can access the messages. If the vendor can access the message data (eg: not end to end encrypted), anyone can. That is the bar. E2E||GTFO.
Let's stop saying that as it implies users are somehow aware the service provider has access to the content, and that they make an informed decisions wrt their privacy.
>Even your private messages only require you to enter an SMS code to view, so anyone that can intercept an SMS sent to you, can read your messages.
The 2FA password is something everyone should enable. It's still an incremental security improvement if you have to use Telegram and your threatmodel is a banana dictatorship doing SMS interception but not server-side hacking.
The right thing to do is get yourself and your loved ones the hell out of Telegram as soon as possible; Signal is your best bet here. Cwtch/Briar if you need to also protect metadata.
> The right thing to do is get yourself and your loved ones the hell out of Telegram as soon as possible; Signal is your best bet here. Cwtch/Briar if you need to also protect metadata.
No, this is not the right move. It's engaging with the ecosystem of messaging products balancing ease of use, ethics of the business and people behind it, and your own threat profile. Most will never be under threat of a state actor that necessitates getting their friends and family "the hell out of Telegram as soon as possible".
I also use Matrix but personally speaking I find Moxie Marlinspike a deeply unethical person who will gleefully slander the competition including up to suing them in his quest for supremacy. So I don't touch Signal because on my tripod of interests to balance, I don't want to go anywhere near his ethics.
Use Signal or Session or Element or Telegram but stop telling people not to use a thing because you believe E2EE is the next Jesus Christ. Only sith deal in absolutes.
E2E||GTFO. Anything else is tyranny. I don’t think you understand your adversary. Moxie is the most ethical individual in this space. Get the hell out of telegram, and get your other friends to do so asap.
Please don't do that here. It's both personally insulting and a motto used by fanatics, not an argument for anything.
Who is "my adversary" exactly and what do they want with me?
No, I don't think Moxie's past and current behavior is indicative of a person who subscribes to ethics. I think he's vain, eager to be in the spotlight and eager to profit off a cryptocurrency invented by a company he has a very complicated history with [1].
Your adversary wants the clear text of your messages. The clear text exists on server, or they exist on a client device. Client device is the only acceptable solution. Make it hard for them, they must hack your client, rather than send an email. It IS an argument against snake oil, server side “encryption”.
Sorry, this is a hacker board. I, and others hackers, agree with me. E2E||GTFO.
> Most will never be under threat of a state actor that necessitates getting their friends and family "the hell out of Telegram as soon as possible".
I think you should qualify that as "most people - in the western hemisphere/democracies - will never be under threat of a state actor that necessitates getting their friends and family "the hell out of Telegram as soon as possible"
Now imagine all the private messages you've shared to your SO or dearest friends. I bet there's gazillion times more stuff to extort you with for the rest of your life, than the notes about few sessions with your therapist, have.
So yeah, get the hell out of all "private" messaging platforms that aren't E2EE by default. You deserve the peace of mind of never having to feel like the TENS OF THOUSANDS of Vastaamo case victims.
>but stop telling people not to use a thing because you believe E2EE is the next Jesus Christ
Stop telling people to ignore best practices wrt security just because they cause your privileged life -- where you don't have to worry about actual oppression -- slight inconvenience. There's a good reason majority of top vendors for secure comms like Signal, Jitsi, Wire, Element, iMessage, Threema, Briar, Cwtch all default to E2EE.
Telegram is free to not E2EE, but they should be UPFRONT about it. Not say things like "heavily encrypted" when in reality it uses the messaging industry's bare minimum, that is client-server encryption.
Telegram devs also actively mislead by presenting two facts next to each other "Telegram uses E2EE called MTProto" and "All Telegram chats use MTProto". What a novice can't understand is "Telegram also makes the idiotic choice to call its non-E2EE cloud messaging protocol ALSO MTProto."
So it's not wonder why a LOT of my contacts have been flabbergasted to learn Telegram isn't actually using E2EE for everything like WhatsApp. Telegram's marketing had succeeded in telling them it was more secure than WhatsApp, and thus E2EE.
Whether or not this misconception was intentional, it's now Telegram's job to either make a public statement and correct the record, or preferably, make it E2EE:
There is no reason for Telegram to deploy E2EE for everything except supergroups. If all the other vendors can pull that off, so can they. Pavel Durov has so much money but the only cryptographer he ever hired was his brother Nikolai who isn't even a cryptographer but a geometrician. Durov has the money to hire Moxie for a year to deploy Signal protocol, yet he won't. You should be terrified of both why he won't, and what his foolishness in the context of Vastaamo can, and eventually will do.