DEV Community

Cover image for Why Telegram is the One True King of Messengers

Why Telegram is the One True King of Messengers

Sarthak Sharma on May 24, 2019

We at Team XenoX love Telegram as much we love Dev.to. Telegram is our go-to place for day-to-day team chats, whether formal or informal. We tried ...
Collapse
 
rhymes profile image
rhymes

Telegram sticker collection and programmability seem cool but I've managed to stay away from it until now, mostly because they don't have end to end encryption on by default and don't use a peer researched protocol ;)

Has the situation changed :D ?

Collapse
 
nikoheikkila profile image
Niko Heikkilä

I hope they will never default to end-to-end encryption if it means I can't seamlessly switch from mobile to desktop and vice versa for continuing my conversations anymore. Secret Chats are a good feature as any but you must drag the cloud syncing off from my dead cold hands.

It's the single most enjoyable feature of Telegram and makes competitors like WhatsApp so irritating to use.

Collapse
 
sanctionedparts profile image
sanctioned_parts • Edited

Thing is, you actually can do that even with e2e encryption. Wire does it, Keybase does it. Signal and Whatsapp still go the odd you-need-a-phone-route, but Wire and Keybase don't. So there's actually no excuse for Telegram's self-rolled encryption, especially without e2e encryption on by default.

Heck, you can even do it with XMPP/Jabber and Omemo.

And Wire even offers the full set of video and voice calls. e2e encrypted, too.

From a security focused point of view, Telegram just doesn't cut it. The only thing I see where Telegram is still ahead is with regards to bot support. While many alternatives have some variation of it, it's most mature with Telegram. But for everything else, it's a nope from me.

/edit

Something else about the validity of the criticism with regards to the encryption of Telegram: It's less about "do they use the same algo/libs as Signal" and more about "do they use algos/libs with a proven track record and review". With cryptography/cryptanalysis it's traditionally seen with scepticism when someone "rolls their own algo", as the algorithms as well as the implementation might subtly make it insecure, and with proven and well-reviewed algorithms there's just a lot more of "yep, it's probably fine". Telegram went and wrote it's own, coming from a non-crypto-background. It might be the best algorithms there is, but when it comes to cryptography that's not enough, unless you have good reasons to write something new and until it is reviewed by people with expertise in the field. Signal's protocol (axolotl/double ratchet) pretty much heavily improved upon existing tech with focus on mobile messaging, dropping/changing connections and multiple devices/clients, which is why it's become the "de-facto standard" when it comes to "proper" encryption for messengers nowadays.

/edit

Ah, another edit, because why not. Just two more things: I get that people like Telegram a lot, mostly because it "just works". My focus is, obviously, a bit more on the security of the messengers, so I'm certainly biased. Still, Signal (on the phone) is nowadays pretty much a "drop in replacement" for SMS/Whatsapp/etc., usability-wise, as those things that made secure messaging user-unfriendly before (getting keys, checking fingerprints etc.) is either gone or optional (you can just use it, discover contacts TOFU-style and never care about what's going on, or you can go and actually verify fingerprints through a secure channel). Wire is a tiny bit more complicated, or rather: nudges you a bit more toward verifying/checking keys/devices, but not very much. Plus, you don't need a phone number for it, which is a plus for quite many people, compared to, say, Signal and Whatsapp.
So I'd probably not go out and say "don't use Telegram", but I'd be happy if Telegram wouldn't be marketed as a "secure" messenger. And if you use it, you should keep in mind that your communication might be somewhat secure (from you to the Telegram servers), but only in a limited fashion.

And lastly, for the interested: OTRv4 is actually being worked on, with (not only) the intention on improving on OTRv3 and the axolotl/double ratchet algo: github.com/otrv4/otrv4/blob/master...
A bit more about it github.com/coyim/coyim/issues/233, and a somewhat in-depth look at developments and background in that area (olm [matrix), signal, otr, omemo): blog.jabberhead.tk/author/vanitasv...

Thread Thread
 
utkarsh profile image
Utkarsh Talwar

Came for copper, found gold. Thanks for this wonderful explanation.

Collapse
 
rhymes profile image
rhymes • Edited

I'm not sure I understand what you mean here. I use WhatsApp's desktop client and the phone every day with e2e encryption enabled. Same with Signal. You mean the fact that the encryption goes through the phone so the phone has to be online?

Thread Thread
 
nikoheikkila profile image
Niko Heikkilä

Yes, and being an active user of Slack and other popular messaging applications makes the odd always-on approach of WhatsApp and Signal feel tedious and outdated.

I wouldn't also promote WhatsApp to be more secure than Telegram due to their tight coupling with Facebook but that's a whole another discussion.

Thread Thread
 
rhymes profile image
rhymes

Yes, and being an active user of Slack and other popular messaging applications makes the odd always-on approach of WhatsApp and Signal feel tedious and outdated.

I'd trade that with privacy anytime, my phone is always on anyway :) But it's okay to have different opinions.

I wouldn't also promote WhatsApp to be more secure than Telegram due to their tight coupling with Facebook but that's a whole another discussion.

I'm the last person to trust Facebook, but I trust peer reviewed encryption protocols. Telegram uses none by default as you said, and this is the current situation regarding security:

Telegram promised since at least March 2014 that "all code will be released eventually", including all the various client applications (Android, iOS, desktop, etc.) and the server-side code.[134] As of March 2019, Telegram still hasn't published their server-side source code.[135][136] Publishing the server-side code would allow anyone to audit the server's code and verify that it works correctly and handles user data securely, instead of relying on Telegram's claims that it's indeed secure.

So no, I don't trust Telegram :)

WhatsApp isn't perfect (Facebook mines metadata, which says a lot even without having access to the content) but the security protocol is solid. If they decide to weaken it to mine text messages I'll consider moving on to something else :)

iMessage is another service with e2e by default and always on, unfortunately Apple has no interest in creating clients for other platforms.

Thread Thread
 
nikoheikkila profile image
Niko Heikkilä

They have open-sourced their client library, though, along with their official clients so I would count that as positive. I agree that details regarding server implementation should be released as well but neither have any of the major competitors done so (correct me if I'm wrong).

GitHub logo tdlib / td

Cross-platform library for building Telegram clients

TDLib

TDLib (Telegram Database library) is a cross-platform library for building Telegram clients. It can be easily used from almost any programming language.

Table of Contents

Features

TDLib has many advantages. Notably TDLib is:

  • Cross-platform: TDLib can be used on Android, iOS, Windows, macOS, Linux, FreeBSD, Windows Phone, WebAssembly, watchOS, tvOS, Tizen, Cygwin. It should also work on other *nix systems with or without minimal effort.
  • Multilanguage: TDLib can be easily used with any programming language that is able to execute C functions. Additionally it already has native Java (using JNI) bindings and .NET (using C++/CLI and C++/CX) bindings.
  • Easy to use: TDLib takes care of all network implementation details, encryption and local data storage.
  • High-performance: in…

As for the peer-review, this is another odd argument which the majority of journalists tend to buy without any criticism at all. Anyone can take a look at this page and conduct their own review, and I believe most have. Yet many so-called "security experts" are rejecting this algorithm due to the fact that it's not the same that Signal uses which is... I don't even know what to say.

I admit to be a little defensive here but having followed discussion around Telegram for years where almost everytime people cite Edward Snowden's words about "use nothing else than Signal" makes me quite sceptic against the entire field of security. The root problem is, of course, today anyone can have a hot take on application security without comprehensive arguments and media will signal boost it without giving it even half a thought.

Thread Thread
 
rhymes profile image
rhymes

Ok, let's say Telegram e2e encryption is solid, the fact that it's not enabled by default it's still a no for me. It's 2019, come on.

Google tried to release a new messaging system without encryption and was blasted on day one.

The fact that we allow personal communication to go god knows where in clear just because they have better stickers is a no for me if I can avoid it.

I don't like that Slack is not encrypted or that email is not either. At least let me use one form of communication that is :-)

Thread Thread
 
nikoheikkila profile image
Niko Heikkilä

Feel free to continue as you were. I guess WhatsApp has stickers too? 🤞

It's 2019 but the rise of Slack, Discord, and other group chat apps shows that seamless usability is often more desired attribute than security for the masses. I can't fight them so I have joined them.

Collapse
 
mandaputtra profile image
Manda Putra

Not yet...

Collapse
 
utkarsh profile image
Utkarsh Talwar

Man, I knew about the "@gif" inline bot, but I recently discovered the "@vid" and "@wiki" functionality to quickly search Youtube videos and Wikipedia articles respectively. My mind is still blown at how awesome this is and how creative the Telegram user/developer base is!

Collapse
 
felipecotti profile image
𝒱𝒶𝒸𝒾𝓁ℴ𝓈 𝒸𝓊𝓇𝓉ℴ𝓈 𝒹ℴ 𝒞ℴ𝓉𝓉𝒾

"it cares about our privacy"

The server is proprietary software. Therefore, this sentence cannot be proven true - and chances are quite often against the user in these times. It's a fairly dangerous affirmative specially to innocent people that might be interested in the subject, so be careful, yes?

Collapse
 
spacemonkey profile image
Mitch Pirtle

This was the single most-important requirement for me, otherwise I might as well just use any other hosted service... If you can't self-host, there's no accountability - or TRUE privacy, for that matter. Will be interested to see what they decide to do moving forward on this front.

Collapse
 
davecranwell profile image
Dave Cranwell

An acquaintance of mine was fired for installing telegram on his work computer. Installation of software wasn't the problem, it's because Telegram is "for use by terrorists", apparently.

Collapse
 
bhupesh profile image
Bhupesh Varshney 👾

Wait what 🤯🤯

Collapse
 
sarthology profile image
Sarthak Sharma

Collapse
 
khophi profile image
KhoPhi

If that's what qualifies one as a terrorist to some, then the bar has been set very low

Collapse
 
bhupesh profile image
Bhupesh Varshney 👾

Clearly it is
Finally someone agrees
🔥
Looks like xenox and me have common interests 😅😃

Collapse
 
bhupesh profile image
Bhupesh Varshney 👾

There are many more awesome channels too

t.me/githubtrending
t.me/devchampions
t.me/thedevs

Also if someone wants to join and talk with random devs

t.me/randomdevs

Collapse
 
utkarsh profile image
Utkarsh Talwar

Good find, Bhupesh! Telegram rocks! 🤘

Collapse
 
olegthelilfix profile image
Oleg Aleksandrov

I use telegram as messenger and as simple error tracker for my work project. Telegram bot have white list of ids and send message if some error happened. (my team use another instruments for an error tracking)

Collapse
 
sarthology profile image
Sarthak Sharma

Wow, that’s new.

Collapse
 
thorstenhirsch profile image
Thorsten Hirsch

Since this is dev.to I was hoping to read something about the internals of Telegram. Massively scalable systems that need real-time latency are an interesting beast. I guess we all know that WhatsApp is built on Erlang/OTP, but what are the foundations of Telegram?

Collapse
 
thorstenhirsch profile image
Thorsten Hirsch • Edited

Alright, I did some research myself. The server is closed-source and its architecture seems to be a secret, as well as the programming languages. But since it's been written by the Durov brothers, who previously developed VK (the Russian facebook), it's very likely that a lot of parts are written in C/C++, since that's the technology stack they seem to be using mostly.

Now get ready for a sensation. Ever heard of TON, the Telegram Open Network? It's the Durlov's blockchain project and it's huuuuuuge! It's 1.7 Billion Dollar huge, to be precise. That's what some rich investors in the Bay area paid the Durlov brothers in an 2018 private ICO. Check out the white paper to see all the things they've promised, e.g. the blockchain architecture contains a master blockchain and as many worker blockchains as necessary, the consensus algorithm is PoS, and the promised speed is amazing (more transactions per second than Mastercard and Visa). Too ambitious, you say? Well, they better keep their promise, because one of the ICO terms is that TON must go live until November 2019 or else they will have to refund the 1.7 Billion Dollars ...or at least what's left.

Collapse
 
chiangs profile image
Stephen Chiang • Edited

I love telegram but didn't know about many of these channels, thanks!

I think the only thing that slack does glaringly better though is code formatting even when using the code fence markup.

Collapse
 
sarthology profile image
Sarthak Sharma

😊

Collapse
 
mandaputtra profile image
Manda Putra

t.me/bxjsweekly I would add this too if you love JS

Collapse
 
Sloan, the sloth mascot
Comment deleted
Collapse
 
imthedeveloper profile image
ImTheDeveloper

I actually made a side project to aid in moderation of telegram chats.

modr8.net 👍 quite popular too. Not a bad hobby project built in the few hours before work each day.

Collapse
 
mgh87 profile image
Martin Huter

Finally some people that share my opinion. Some new channels for the daily business, thanks for that.

Still on my todo list to write a telegram bot!