Signal/Telegram Discussions

Discussion in 'privacy technology' started by BriggsAndStratton, Apr 13, 2020.

  1. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    91
    Location:
    A Galaxy Far Far Away.
    You have the option not to give it access to your contact list. If you give it access, you can remove all of your contacts from their servers anytime. I am comfortable with not having e2ee chats by default. Most people are aware. What people like you always fail to mention, is that the chats that are not encrypted e2e, that is, the default chats, the encryption key is fragmented on multiple servers in different countries. I feel safe with using telegram. It is certainly more open source than whatapp. We have already seen the chaos that 'bugs' in whatsapp have caused. To be honest, I am not 100% sure, that in all cases it is better for the private keys to fully reside on a user's phone. hmmmm

    I also use Signal, and now Session
     
    Last edited: Apr 23, 2020
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Yes, you do, but even if most of your contacts are privacy conscious enough to do this as well, it only takes one person who do gives it access, and all those names and numbers are up there anyway.
    And imo there is more to this as well. Telegram claims it needs to do this, so you can have notifications when someone from your contacts joins Telegram. I'd rather have they prefer privacy over some unnecessary feature. Their claim is also not true, as Signal for example generates those notifications locally, storing that information on the server is not necessary.
    The encryption key may be fragmented, but you can do nothing with encrypted data, it has to be decrypted at some point to be able to use it, that means the encryption key will be in memory.
    If the user's phone is compromised, it is game over anyway. The messages need to be decrypted to be able to read them, that means an adversary can as well(Doesn't matter where the keys are stored). Plus, if an adversary gets access to a messaging service infrastructure where the messaging service stores the keys, they get access to all millions of users messages and keys. If the keys are only on the users phone, they have to get access to millions of phones instead to obtain the same result.
    Also, all software will have bugs that are exploitable.
    Don't get me wrong, I'm not saying I recommend WhatsApp, but I don't think Telegram is a good alternative.
     
  3. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    91
    Location:
    A Galaxy Far Far Away.
    When you first install telegram, it gives you the option not to share contacts, thats up to each individual user. i give people my user id and not my phone number for them to contact me.

    You talk about an adversary getting access to 'the server'. There is NOT just one server... there would be multiple servers an adversary would need access to.

    I get your point, but it's much easier to get people on telegram than on Signal.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Yes, I know. Privacy conscious users might not share contacts, but most users probably will. You only need a small portion of the users that enable sharing contacts, and then almost everyones name and number will be uploaded to Telegram.
    Btw, do you have a source of the fragmented keys? I couldn't find anything about it on their website.
     
  5. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    580
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Yes, I 'm trying out Session since last week. Unfortunately I have only 1 contact on Session :argh:
    However, I'm using Signal with more and more people, the number is steadily growing.
     
  7. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    91
    Location:
    A Galaxy Far Far Away.
    Yes, here, read the paragraph below the question 'Do you process data requests?'
     
    Last edited: Apr 27, 2020
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Thanks! I just ran this by a friend who works at a hosting provider. He says that what matters is the jurisdiction where Telegram or any other service is located. Even though a company may have servers located in other countries, the government where the company is located can still legally force that company to hand over all data on the servers. There can also be more parties involved depending on the server setup. For example if you hire servers at a hosting provider, the hosting provider can also be legally forced to hand over the data.
    Regarding compromising the server, they probably user a largely similar server configuration for their servers. So however they got inside server number 1, they can probably use the same method to get in server number 2 etc. Apart from attacks from the outside, an employee with malicious intent and access to the infrastructure (whether it is someone who applied for a job specifically to get access inside the company(3 letter agencies are known to use this tactic) or an employee who was paid or by or threatened by a 3rd party) can probably get access to the fragments of the encryption key and join them together.
    So looking at all the downsides Telegram has, I'd rather use WhatsApp where everything is end-to-end encrypted by default with the Signal protocol(even though Facebook may backdoor it), than Telegram to communicate with people who don't want to install Signal/Session or whatever messenger that has good security and privacy.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.