Hacker News new | ask | show | jobs
by emptysongglass 1294 days ago
I don't think you understand how Telegram encrypts its chats. MTProto is also used to encrypt Cloud Chats at rest. It's not just transport. Cloud Chats are not e2ee because the keys are held by Telegram.

Moxie also "rolled his own crypto". "Rolling your own crypto" is typically used disparagingly by those who claim moral or intellectual superiority over the competition. The Signal Protocol was rolled by someone, yes? The version of MTProto that had vulnerabilities discovered was deprecated many years ago.
2 comments
ls15 1294 days ago
> the keys are held by Telegram

This is where the privacy promise falls apart. From a user's perspective on-disk encryption makes no difference, because there is no real enhancement of privacy for them. If a third party holds the key, they hold the key. If you put something into the hotel safe, the hotel could still steal it from you. As far as I can tell, most TG users are not aware or do not care, but for those who are not aware, but actually do care, this should be made much more clear.

> Moxie also "rolled his own crypto"

Besides Moxie being a bit dubious himself, the more interesting question is: was there something that was already verified by many people that could have been used instead?

link
abyssin 1294 days ago
I’m interested to know about what makes Moxie a bit dubious, can you share more information? I have to say I’m slightly fascinated by the character, but it’s true it doesn’t tell anything about why I should trust him.
link
ls15 1293 days ago
I have to say that I find him fascinating too, but there are a few things that raise my suspicion, but of course do not convict him of anything:

The way he is attacking this alternative Signal client and rules out interoperability:

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

Signal was a word before he decided to turn it into a brand.

The signal server source code repo was not updated for a year. Communication intransparent.

https://www.androidpolice.com/2021/04/06/it-looks-like-signa...

I am not even against crypto integration, but I found the choice of MobileCoin odd. Instead of integrating an existing privacy coin or working with the community, he decided to integrate MOB and to be one of their "advisors":

https://techcrunch.com/2018/04/24/mobilecoin-moxie-marlinspi...

https://www.coingecko.com/en/coins/mobilecoin

link
emptysongglass 1294 days ago
I think you are being far too uncharitable and you've simply gotten the facts wrong a number of times, which I've needed to correct you on.

Use another messenger if you like but e2ee encryption is not some moral imperative that must be done. There are always trade-offs. I appreciate Telegram for the purposes I use it for. If I want e2ee, I turn on a Secret Chat.

link
ls15 1294 days ago
> I think you are being far too uncharitable

I just think that Telegram tries to position itself as some kind of subversive and secure messenger (successfully so), which it isn't and I find that dubious. I can see that many people prefer it for its user experience, which is fair, but people should not be lured by a false sense of security.

> e2ee encryption is not some moral imperative that must be done.

It is not a moral imperative, but a protection against many evils, that most people probably would benefit from if used consistently. I've got low tolerance for trying to artificially limit e2ee though.

link
ViViDboarder 1293 days ago
Rolling your own crypto is bad, unless you’re an authority on crypto. Moxy certainly is. Also, Signal Protocol isn’t an encryption algorithm. As far as I know, it still uses AES and Curve25519 for the actual encryption.
link