Originally published at: https://boingboing.net/2019/03/25/telegram-allows-you-to-unsen.html
…
5 Likes
I’d being using Telegram for months, my girlfriend abhors WhatsApp, and I have to recognise it is far superior in almost any aspect to WhatsApp.
Also, you can use the desktop version without the need to keep your phone connected to internet.
1 Like
Here’s hoping it doesn’t get gobbled up by a larger, soulless corporate monstrosity.
4 Likes
What are the odds the government does not have a door into Telegram’s data? Would Philip J Fry be shocked to find out Telegram was built and managed by government stooges all along? I’d honestly like to know your thoughts, paranoid or realistic?
They were pretty much under pressure by the Russian Government last time I looked, and didn’t so much as blink. Which is rather odd. Because staring is weird.
On a serious note, telegram is rather popular with a lot of people in Europe, and recently contacts pop up in my list which I never even dreamed about using something else than WhatsApp. However, most people don’t even KNOW that there’s an option for chats which are not stored on telegram’s servers, the so-called secret chats. Also, tying your account to a phone number is something that pisses me off.
FTR, same is true for other messengers like Signal, which I like very much, especially on Android since it also replaces the Messages App and encrypts the local messagebase, making it easier to keep other services’ accounts safe’ish when these are sending you unlock codes via SMS.
Since I’ve been working in Switzerland and Germany for a while, my threema contact list is also quite ok. Works without tying to a mobile number, message server is Swiss, but is closed source.
1 Like
Still waiting for an “Unread” button.
3 Likes
The way that modern messaging services typically work is that you can associate the copy on a given device with any number of phone numbers and email addresses (and probably other things). The app takes cryptographic hashes of those addresses, and associates them with the arbitrary internal ID number which is your “real” login. When it scans your address book, it generates hashes of all your contacts’ addresses, and asks the server if any of them have associated accounts.
If the system is designed to work securely, then the server never actually sees a phone number, and if the FBI asks for the phone numbers associated with an account, the messaging service provider can truthfully say “we don’t know”. Because it is not possible to work out the phone number from the hash. However, if the FBI asks what account is associated with the phone number 867-5309, the messaging company can answer that (otherwise you’d never be able to connect to anyone).
Another practical advantage to using multiple, secondary identifiers – rather than having to know a specific WhatsApp / Telegram / Signal username – is that it makes account management easier for both the user and the service. It causes problems if you stop using a phone number and someone else starts using it (which happens in the US and Canada because of the odd way they manage phone numbers), but you can learn to avoid that.
2 Likes
They’re not the biggest messaging service that says that.
But yeah, this is a selling point, and should be a selling point for more things.
I don’t really approve of “ephemeral messaging” as a privacy feature, though. If people were to get the impression that such a thing were physically possible – which it is not – that misinformation is a security issue in itself.
Yeah, I don’t really like this. My inbox is my inbox, and I don’t want any other party able to force-delete stuff out of it. I also know enough security to know that force delete only actually works if the targets software and hardware is out of there control, which I also don’t like. I’m also skeptical of forwarding restrictions, although it sounds like it only removes the username from the forwarded message not the body, which seems reasonable on its face.
1 Like
Wow I would Loooove for the FBI to request that information!
But couldn’t you, in theory, run through and hash all 10 billion possible phone numbers in a matter of hours or maybe days? I supposed it depends on what hash they used.
I once read a technical comparison of Telegram and Signal written by an actual cryptographer. It was pretty devastating, describing Telegram as a mostly amateur-level effort. If you want real security, you gotta go with an open* protocol!
*edited to add: perhaps I should have said “nonproprietary” protocol. They do have a protocol document.
That’s true, though you would at least hope it would be blocked through the public-facing API (the server should only ever receive hashes, not send them back to clients).
Of course, generally, if someone wants to know who a messaging account belongs to, it’s because they have access to the phone of someone who communicated with you.
I suppose it would be plausible to use a multiple hash so that it takes a phone, say, 100ms to process one string. Then it would take a phone 32 years to go through every NANP number, so even the NSA wouldn’t be able to do it routinely.
1 Like
They’ve been having fun with the FSB, hopefully it stays fun. They were asked for the keys to telegram and they sent them an old timey key-to-the-city pair.
I checked, earlier. They do it server side. Because otherwise, the hashing method would be known and someone would have done this already, I bet. All they have to do is use a secret salt.
How do we know that wasn’t just a show?
We don’t.
I want to believe I’m just paranoid. But yet I am also instructed that anything electronic that is mine is/can be snooped by someone else.
So when my friends be like… “no really, download an app, put your phone number in it, and then no one can see what you are sending”, I’m like hrmmm…
What’s the point? If you have already sent a message, the recipient might already have read it, and maybe even copied it. “Unsend” is not going to change that.
This topic was automatically closed after 5 days. New replies are no longer allowed.
