253
Is Telegram really an encrypted messaging app? (blog.cryptographyengineering.com)
you are viewing a single comment's thread
view the rest of the comments
[-] sugar_in_your_tea@sh.itjust.works 151 points 3 months ago

No.

As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.

[-] woelkchen@lemmy.world 48 points 3 months ago

As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.

No, it's not. It's very easy. In the bottom right corner there is a pencil button to compose a new message and right there it asks which tpye of chat to start. Secret chat is the second topmost option after group chat. Really not hidden or complicated at all.

[-] sugar_in_your_tea@sh.itjust.works 64 points 3 months ago

It should be a setting to always use encrypted chat, and it should probably prompt you when you first login.

Better yet, don't have an option to not have encrypted chats. I don't see a reason to not have everything E2EE all the time.

[-] woelkchen@lemmy.world 23 points 3 months ago* (last edited 3 months ago)

It should be a setting to always use encrypted chat, and it should probably prompt you when you first login.

I don't disagree but the claim that you quoted was that it's complicated to initiate and as I explained it's not. Also secret chats stay in the messages list, so you can go back to an initiated secret chat and pick up there without any additional fiddling.

[-] sugar_in_your_tea@sh.itjust.works 12 points 3 months ago

If you have to enable it every time, it's complicated enough that most people won't bother. Maybe they'll do it once or twice out of novelty, but it's not going to become a habit.

I only consider something "encrypted" if it's actually encrypted by default, or at least prompts to enable it permanently on first launch. Otherwise, it's not an "encrypted" chat, it just has the option to have some chats encrypted.

[-] asdfasdfasdf@lemmy.world 10 points 3 months ago
[-] scarabic@lemmy.world 1 points 3 months ago

More steps required to perform something is very squarely within the definition of complicated, no matter how straightforward those steps are.

[-] woelkchen@lemmy.world 9 points 3 months ago

If you have to enable it every time, it’s complicated

But you don't. As I already explained: secret chats stay in the messages list, so you can go back to an initiated secret chat and pick up there without any additional fiddling.

I have plenty of encrypted chats that I don't have to enable every time I want to send one. I don't understand where this misconception comes from.

[-] sugar_in_your_tea@sh.itjust.works 13 points 3 months ago

Surely you talk to more than one or two people, no? If you have to manually check a box or something every time you start a new message with someone, people are going to stop doing it.

It's not an encrypted chat app. It's an unencrypted chat app that has an option for encrypted chats. Whether something is encrypted or not depends on how most people use it and what the defaults are.

Signal is an encrypted chat app. E2EE is the default and AFAIK only behavior. Telegram can be encrypted, but it's not by default, and defaults matter.

[-] woelkchen@lemmy.world 3 points 3 months ago

Surely you talk to more than one or two people, no? If you have to manually check a box or something every time you start a new message with someone, people are going to stop doing it.

Maybe you get acquainted to 100 new people every day, so your day is a constant chore of starting secret chats all the time. I don't. I doubt regular people do. Just start the secret chat once and then pick it up later.

Signal is an encrypted chat app.

Except for the locally stored data which is not encrypted and Signal's attitude is that device encryption is up to the user.

[-] sugar_in_your_tea@sh.itjust.works 4 points 3 months ago

True, device encryption should be up to the user. Mine is encrypted, and most smartphones have encrypted storage these days. I actually have mine reboot after a period of inactivity, which removes the encryption keys from memory.

That said, they should have an option for app data encryption, but that's hardly a requirement IMO, because I care far more about data being encrypted in transit than at rest on my devices. I can encrypt data at rest on my machines, I can't encrypt data in-transit unless that's baked in to the service.

[-] woelkchen@lemmy.world 1 points 3 months ago

That said, they should have an option for app data encryption, but that’s hardly a requirement IMO

So Telegram is not an encrypted messenger because there are types of messages that are not E2E encrypted but Signal is a encrypted messenger because encrypting local storage is optional. Got it.

[-] sugar_in_your_tea@sh.itjust.works 2 points 3 months ago

Yes, because the "encrypted messenger" metric is about sending and receiving messages, not storing messages. On the order of things I care about, E2EE is much more important than local storage. I can do something about local storage, I can't realistically do anything about E2EE.

[-] woelkchen@lemmy.world 1 points 3 months ago

Yes, because the “encrypted messenger” metric is about sending and receiving messages, not storing messages.

So whether or not the messages can be retrieved by criminals or law enforcement is not a metric. Got it!

[-] sugar_in_your_tea@sh.itjust.works 2 points 3 months ago

Law enforcement would require a warrant, and criminals would need to break into my device first (highly unlikely without it being a targeted attack, and that's not in my threat model at all).

And if they can break the encryption on my devices, they can likely break the encryption of the data at rest. Most people would probably use the same key for both anyway (biometrics or a PIN). If I need it to be more secure, I can create a special encrypted container for that service to store its data in.

load more comments (2 replies)
load more comments (2 replies)
[-] brrt@sh.itjust.works 6 points 3 months ago

Is it more complicated to achieve than in other e2ee messengers? Yes, thus saying it is complicated is justified.

[-] oktoberpaard@feddit.nl 8 points 3 months ago

They’ve implemented it in such a way that you only have access to an encrypted chat on a single device, so no syncing between devices. Syncing E2EE chats across devices is more difficult to pull off, but it’s definitely possible and other services do that by default.

load more comments (2 replies)
[-] Kekzkrieger@feddit.org 7 points 3 months ago

its some message for the users, having a secret chat kinda sounds bad, like doing something illegal and guilt trapping users into not using it

[-] 30p87@feddit.org 5 points 3 months ago

But then you couldn't get that juicy user and conversation data.

[-] pressanykeynow@lemmy.world 2 points 3 months ago

I don't see a reason to not have everything E2EE all the time.

You probably didn't ever meet non-IT person(or most of the IT people). To use e2ee means you need to keep your private key close and safe. 99.999% people can't do that. So when they lost their key their conversation history is gone and it's your fault not theirs.

[-] sugar_in_your_tea@sh.itjust.works 4 points 3 months ago

Signal does this by having your data be unencrypted at rest on your device, and I think that's a reasonable tradeoff because it protects the most import part: data in transit. Or you can be like Matrix and require/strongly encourage setting up multiple clients so you always have a fallback (e.g. desktop and phone). There are reasonable technical solutions to the problem of making an E2EE chat system.

load more comments (1 replies)
[-] curry@programming.dev 30 points 3 months ago

My man, have you ever worked in tech support? I admire your optimism.

[-] woelkchen@lemmy.world 6 points 3 months ago

That's my day job and I'm good at it. People understand when I explain three clicks.

[-] Saik0Shinigami@lemmy.saik0.com 12 points 3 months ago

People understand when I explain three clicks.

This is the problem. You have to explain it. Feel like talking to several million people to get them to use it?

[-] woelkchen@lemmy.world 4 points 3 months ago

Feel like talking to several million people to get them to use it?

I already made a one-line excessive tutorial in another comment. Feel free to link it.

load more comments (4 replies)
[-] curry@programming.dev 4 points 3 months ago* (last edited 3 months ago)

Fair enough. I've met both good and bad users.

[-] Kekzkrieger@feddit.org 20 points 3 months ago

Why would it even be an option to have a non-encryted chat if the app can do encrypted?

[-] timewarp@lemmy.world 1 points 3 months ago

Telegram isn't made to be a full E2EE messenger. They have things like public channels which you can't do with E2EE. What kind of idiots thought that Telegram was intended to be a fully E2EE messenger? People use it cause it is native and good for its purposes. It has secret chats if you need them at times. Why all the hate from the Signal CIA fanbois?

[-] tapo@lemmy.zip 4 points 3 months ago

The author makes the point that Telegram advertises itself as secure, but isn't except a hidden out of the way option that almost nobody will use.

The truth of the matter is Telegram has the full plaintext content of almost every message posted on that site.

[-] Petter1@lemm.ee 1 points 3 months ago

Yummy data for telegram AI

It sells you drugs and warns you from masks and vaccines

[-] Kekzkrieger@feddit.org 4 points 3 months ago

so make 1to1 conversation e2ee by default, what would be the downsite? Only one i can think of is they want to snoop in peoples convos.

im fine with public channels not being encrypted, thats fair.

[-] quaff@lemmy.ca 20 points 3 months ago

It’s three clicks. And it opens a separate chat from the existing one. It’s obscure enough that you could say the UX deprioritizes (which at best is not an actively malicious design choice) usage of end-to-end encryption.

[-] rottingleaf@lemmy.world 5 points 3 months ago

Anything harder than usual in the same application means it won't usually be used.

And encryption is about collective immunity. So everything should be encrypted.

load more comments (11 replies)
[-] rottingleaf@lemmy.world 9 points 3 months ago

Encryption is part of defense strategy, otherwise it's like a steel door in a house with wall panels made of paper.

That strategy involves all communications being encrypted. Otherwise rubber hose cryptanalysis becomes practical.

[-] fmstrat@lemmy.nowsci.com 5 points 3 months ago

It is not easy, as it's not even possible on desktop.

[-] umbrella@lemmy.ml 13 points 3 months ago

also their encryption is proprietary. you can't actually know its good.

load more comments (5 replies)
this post was submitted on 25 Aug 2024
253 points (95.7% liked)

Technology

59689 readers
1795 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS