I am liking how this time around a lot of people are outright calling the media out on their parroting Telegram's PR bullshit about how "encrypted, secure, private" the service is.
(it is not.)
As in, not just writing about how Telegram is neither of these things, but very clearly pointing a finger at the media and going: "stop spreading this misinformation, you are putting people in danger."
Keep this pressure on!
Yesterday I shared my own write-up on Telegram's failings, today I came across Matthew Green's stellar blogpost:
https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/
And this blogpost *starts* with calling the media out on this.
Fantastic.
At this point it's clear Telegram has no interest in fixing their stuff. We should not be talking to them, we should be talking about them to the media so that they stop promoting it.
Because as I said yesterday: that constitutes journalistic malpractice.
Great post, hits the nail right on the head. Thanks for sharing this @rysiek.
This kind of journalistic malpractice is usually caused by ignorance, in which case they need to be called in and patiently educated. But in some cases I think there is an intent to mislead, by people who ought to know better. They need to be contacted in private and given a chance to retract and apologise, and if they don't, they need to be publicly called out on their wilful malpractice.
"Indeed, it no longer feels amusing to see the Telegram organization urge people away from default-encrypted messengers, while refusing to implement essential features that would widely encrypt their own users’ messages. In fact, it’s starting to feel a bit malicious."
#MatthewGreen, 2024
#Telegram always smelt like a honeypot to me;
* centralised, tick (like Signal)
* encryption doesn't work for groups, only 1:1, tick (like Signal)
* opt-in E2EE for 1:1 chats while heavily promoted as "encrypted messenger", tick (unlike Signal)
* Roll-Your-Own cryptography, tick (maybe like Signal, but crucially...)
* no source code published for server, so no independent auditing of cryptographic primitives or implementations, tick (unlike Signal)
I can't fathom why anyone uses it.
One more honeypot quality of Telegrab;
* Setting up an account requires a working phone number, tick (unlike Signal as of Feb 2024)
In countries (eg China) that don't allow unregistered mobile connections ("burner" phone numbers), this associates a 'secure messaging' account with an identifiable person.
Signal had the same problem for most of it's history, and until Feb 2024, it shared the phone number with anyone the account chatted with;
https://www.androidcentral.com/apps-software/signal-rolls-out-usernames
*though they have a security hole where you can just copy your desktop client's directory and launch it on another device and signal will have zero problem with that and won't even alert that connection is now coming from a different device. it will just send messages to this session, even though that session is shared by different devices now. at least telegram desktop has ability to set PIN to protect against that, which encrypts all your data.
@brawaru
> it's the other way around, lol. signal and telegram both always required a phone number, but [details]
I appreciate the clarifications, but they're orthogonal to my point. Which is that speaking as a veteran of numerous direct action campaigns in the late 90s and noughties, both of these centralized chat silos smell suspiciously like honey to me.
This topic comes up a *lot*. I must finish that blog post laying out my take on it.
To add to this, the 2027 Steel Dossier included intelligence that Telegram's encryption was compromised but that little tidbit was overshadowed by the Trump 'pee-pee tapes' accusations.
@drewfer
> the 2027 Steel Dossier included intelligence that Telegram's encryption was compromised
I believe Matthew covered that in the blog post I linked. Must check that...
Michał "rysiek" Woźniak · 🇺🇦
Strypey
Braw ☕🏳️🌈
Mg. Tau
drewfer