DEV Community

Discussion on: Why Telegram is the One True King of Messengers

Collapse
 
sanctionedparts profile image
sanctioned_parts • Edited

Thing is, you actually can do that even with e2e encryption. Wire does it, Keybase does it. Signal and Whatsapp still go the odd you-need-a-phone-route, but Wire and Keybase don't. So there's actually no excuse for Telegram's self-rolled encryption, especially without e2e encryption on by default.

Heck, you can even do it with XMPP/Jabber and Omemo.

And Wire even offers the full set of video and voice calls. e2e encrypted, too.

From a security focused point of view, Telegram just doesn't cut it. The only thing I see where Telegram is still ahead is with regards to bot support. While many alternatives have some variation of it, it's most mature with Telegram. But for everything else, it's a nope from me.

/edit

Something else about the validity of the criticism with regards to the encryption of Telegram: It's less about "do they use the same algo/libs as Signal" and more about "do they use algos/libs with a proven track record and review". With cryptography/cryptanalysis it's traditionally seen with scepticism when someone "rolls their own algo", as the algorithms as well as the implementation might subtly make it insecure, and with proven and well-reviewed algorithms there's just a lot more of "yep, it's probably fine". Telegram went and wrote it's own, coming from a non-crypto-background. It might be the best algorithms there is, but when it comes to cryptography that's not enough, unless you have good reasons to write something new and until it is reviewed by people with expertise in the field. Signal's protocol (axolotl/double ratchet) pretty much heavily improved upon existing tech with focus on mobile messaging, dropping/changing connections and multiple devices/clients, which is why it's become the "de-facto standard" when it comes to "proper" encryption for messengers nowadays.

/edit

Ah, another edit, because why not. Just two more things: I get that people like Telegram a lot, mostly because it "just works". My focus is, obviously, a bit more on the security of the messengers, so I'm certainly biased. Still, Signal (on the phone) is nowadays pretty much a "drop in replacement" for SMS/Whatsapp/etc., usability-wise, as those things that made secure messaging user-unfriendly before (getting keys, checking fingerprints etc.) is either gone or optional (you can just use it, discover contacts TOFU-style and never care about what's going on, or you can go and actually verify fingerprints through a secure channel). Wire is a tiny bit more complicated, or rather: nudges you a bit more toward verifying/checking keys/devices, but not very much. Plus, you don't need a phone number for it, which is a plus for quite many people, compared to, say, Signal and Whatsapp.
So I'd probably not go out and say "don't use Telegram", but I'd be happy if Telegram wouldn't be marketed as a "secure" messenger. And if you use it, you should keep in mind that your communication might be somewhat secure (from you to the Telegram servers), but only in a limited fashion.

And lastly, for the interested: OTRv4 is actually being worked on, with (not only) the intention on improving on OTRv3 and the axolotl/double ratchet algo: github.com/otrv4/otrv4/blob/master...
A bit more about it github.com/coyim/coyim/issues/233, and a somewhat in-depth look at developments and background in that area (olm [matrix), signal, otr, omemo): blog.jabberhead.tk/author/vanitasv...

Thread Thread
 
utkarsh profile image
Utkarsh Talwar

Came for copper, found gold. Thanks for this wonderful explanation.