Users: "We want multidevice, always-on, end-to-end encryption, like OMEMO."

Telegram: "Here you have Image Search."

Users: "That's nice, but we'd really like to have encryp..."

Telegram: "Hey, we have new stickers!"

Users: "But good crypt..."

Telegram: "Chat Backgrounds."

@slp Honestly, if you don't find Telegram's unwillingness (over the years, this isn't new) to adopt a sane crypto policy a bit fishy, you weren't paying attention.

@slp uhm I'm pretty sure that users asked exactly those things and not encryption. Techies want encryption. Most people find it annoying at best. That's bad but that's how it is.

@charlag Don't underestimate users. WhatsApp was universally praised when it added e2e encryption.

@slp I mean, like there's no Wire or Signal which have e2e always on. Users consider other things more important if they use Telegram. I speak of people I know.

@charlag Even if no one cared about encryption in Telegram, IMHO they should still implement it to honor their own social responsibility and protect their users.

@slp @charlag oh, that is instead an example of how average user is incompetent, because with closed source clients like the WhatsApp ones e2e encryption is pointless...

@alexl @slp @charlag isn't telegram actually closed source with an open client?

@charlag @alexl @slp Signal has 100% open source code for client and server, under the GPLv3 and AGPLv3 respectively.

@charlag @alexl @slp Signal's problem is how they handle themselves with forks and other people who want to work with their protocol.

they technically silo this information so even if they themselves cannot access it, it's still all stored in one place which isn't good for decentralizing the web.

@oct2pus @charlag @slp it's pointless, to be actually useful it needs federation between servers, that is the concept Matrix is based on

@alexl @charlag @slp

you can say those words all you want but it isn't going to change the fact that signal won't federate and they're the most popular properly secured chat protocol.

matrix needs to improve their server performance or someone needs to build something better.

@oct2pus signal being most popular properly secure chat protocol is quite questionable in my opinion.

If I have to accept a compromise I would prefer a Telegram secret chat because I have a lot of contacts on Telegram but none on Signal.


your compromises are up to you; if I were to make a compromise I'd use xmpp with omemo encryption because it is in fact open and secure and I know quite a few people use xmpp with omemo.

but signal has a properly open implementation and have 'put up' where it counted, whereas telegram has promised it would open its source for its server for half a decade and still has not posted it. Although perhaps i am being bombastic by proclaiming it to be the most popular properly secured chat. if we want to be very liberal definition that goes to whatsapp and if we go by a requirement for federation then yes, it's (probably?) matrix.

My frustration is basically 'it needs to federate' isn't a helpful response and the conversation doesn't lead anywhere. esp when my own experiences with matrix i could describe it as 'something i'd not want to invite my friends to use'.

@oct2pus I think valuing Signal for open-sourcing their server-side code is ideological, that code is totally useless for all of us.

Also, if a service has open source clients and e2e encryption, it is already perfect from the privacy point of view. The point of self-hosting a (federated) server for IM communication is just technological sovereignty, which is important too, of course.

But Signal's approach doesn't add anything in practice to the Telegram one.

@oct2pus @charlag @slp Mastodon doesn't support Markdown input but it correctly displays text formatted as a link. I can see your links (both "client" and "server") in Mastodon web UI and in Tusky client for Android.

The issue is on @charlag client...

@oct2pus @alexl @slp oh, wow, my apologies, I either forgot or missed that

@slp anecdotally, people who use telegram either don't actually care about security or just feel that russian security state tendrils are more cyberpunk than USG (fair)

@slp Reminds me of something Ton Roosendaal said. He had a vision of 3D on the web for Blender, but the contributors were only interested in stuff that was actually useful. And they were right.

@slp There is E2EE, but only on mobile. It's opt-in and doesn't sync to all devices, just the devices that hold the private keys. So really, it only works phone-to-phone, but it works.

Telegram's ability to draw in the seagulls with shiny features isn't such a bad thing. I'm watching and waiting to see what they do when they've got more users interested in proper secure communications.

Will they go sideways, or will they deliver?

@trevdev People have been asking them for years to implement OMEMO (or equivalent tech), and they rejected it every time with poor excuses.

Why? Who knows, but sounds fishy...

My hope is their resistance is purely overconfidence. Apparently there's a $200 and $300 thousand dollar bounty on cracking their encryption model that no one has claimed yet. They seem very proud of their model for its speed and efficiency.

On the other hand, just to poke the conspiracy theorist in you, Telegram was founded by the guy who made "Russian Facebook" (VK) so...

@slp @trevdev you talk about OMEMO like a modern and/or established technology

@alexl @trevdev The tech is mature, though there's some controversy around it, like happens with every crypto-related thingy in the world. 😉

@slp if you know it try to understand Telegram developers instead of taking for granted that implementing OMEMO is viable, worth and secure and blaming them for not doing so...

Instead I would like Telegram server to add support for Matrix protocol and so federate with Matrix servers. If they will do so with e2e encryption but keeping server code proprietary I would be OK with that, because we would have privacy (using e2eE) and sovereignty (running a Matrix server).

@alexl If Telegram gave a compelling reason for not enabling e2e encryption by default, I would definitely stop bashing them.

But, instead of that, they gave this ridiculous excuse about backups (how is having vulnerable backups worse than vulnerable "everything") and overreacted disabling the "Issues" features from their GitHub's repos, one of the few places where users were able to post some feedback.

So much for their "openness".

@alexl As for myself, my use of Telegram is mostly anecdotic these days. I'm a happy user (XMPP).

Matrix is nice too, but back when I started switching IMs (~2 years ago), the reliability of their Android client wasn't great (pretty sure it has improved a lot over this time).

@slp the reason is that providing current Telegram features with e2e encryption is actually a challenge. How is search for messages going to work if each client has to perform indexing by itself?

If you don't care about Telegram features that are not going to work with e2eE but you care more about e2eE just use something else, but stop saying "why is Telegram not enabling e2eE by default" because it's a noob question and I'm sure you can understand it.

@slp also please notice how much Telegram improved the situation with a pragmatic approach and not an ideological one:

Before Telegram — I can message people on WhatsApp or Facebook Messenger or start e2e encrypted chats with my imaginary friend.

After Telegram — millions of people message with Telegram and I can start a conversation with a contact of mine with e2eE using "secret chat".

Come on, Telegram did the best improvement in decades.

@alexl You can also look at this the other way around: Telegram is blocking the way to other, truly open alternatives, like Matrix.

@alexl The main point of disagreement here is that you think there are technical blockers for implementing e2e encryption without sacrificing features, while I don't.

We could discuss each challenge (text indexing is not the hardest one, by far) in depth, but that could take a looong time and we aren't getting paid to do it, so I'm going to pass. 😁

Telegram's omission of e2ee, and their final decision not to release server source code (as they once promised), clearly means something: they want to sell/use your data. Be careful...

@bauglir @slp e2ee with features most users expect is not trivial and it's still a tech challenge.

AFAIK they still want to release server-side code at a certain point. Some people think Telegram is just a way to deploy and test MTProto for very large userbase and they can't release server-side code because they don't want to reveal the future use of MTProto.

I won't say e2ee is easy, but much smaller companies, like OWS, New Vector, Savoir Faire, and many others, did it, so the reason is not a matter of difficulty but a lack of intention.
Regarding Telegram's reasons not to share server's code: IMHO, a closed system is an insecure one, no matter the reason why it's closed. We shouldn't have to rely on the good will of unknown people to be able to trust on a system; it should be reliable by design.

@bauglir as I said many times, keeping actual Telegram features with e2e encryption is a tech challenge

@transcaffeine Matrix is nice, but I prefer (XMPP on steroids).

@slp Telegram has e2e encryption, what's the point of having it on by default? Implementing it keeping actual capabilities about history (including search) and groups management is not trivial as adding UI goodies like stickers and background editing.

@tursiops I do. I'm a happy user. 😁
