Timeline for Is Telegram secure?
Current License: CC BY-SA 4.0
38 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Jan 16, 2021 at 12:58 | comment | added | Niklas | I find "Math Ph.Ds are not cryptographers." to be very biased. On minimal to be cryptographer, you need to be beyond excellent on math. Everything is based on math. | |
| Jan 7, 2021 at 9:34 | comment | added | Olli Savolainen | WhatsApp privacy considered highly suspect. arstechnica.com/tech-policy/2021/01/… | |
| Nov 4, 2020 at 11:41 | comment | added | chefarov | @Apache How do you know? archive.vn/SIl9M | |
| S Aug 25, 2020 at 17:35 | history | suggested | Ale | CC BY-SA 4.0 |
Fix broken link with another archive
|
| Aug 25, 2020 at 14:07 | review | Suggested edits | |||
| S Aug 25, 2020 at 17:35 | |||||
| Jul 31, 2020 at 6:47 | comment | added | endolith | Also Signal is an open source volunteer project and pretty buggy and poor quality overall compared to the others. Their crypto may be theoretically invulnerable, but I don't know if I trust the app in practice. | |
| Jun 9, 2020 at 15:19 | comment | added | hobs | Unlike Signal, WhatsApp code is not open to independent review. This makes it less secure according to the EFF. Obviously that makes it possible for the FBI and NSA to work with Facebook to install back doors in WhatsApp, as it does with most other US app and hardware makers. | |
| Mar 7, 2020 at 18:12 | comment | added | acorello | @Bibbas The EFF scorecard link has been moved and it is worth noting it gave 7/7 to Telegram (secret chats), not to Telegram standard chats. Furthermore, if we want to listen to EFF (and I'm not saying we shouldn't), then note they are not recommending any other messenger but Signal in their security-self-defense how tos. | |
| Mar 4, 2019 at 15:29 | history | edited | AndrolGenhald | CC BY-SA 4.0 |
Replace broken links (the alexrad.me link may still work, but the server is timing out for me right now)
|
| S Dec 23, 2017 at 2:11 | history | suggested | Scott Arciszewski | CC BY-SA 3.0 |
No more CryptoCat.
|
| Dec 22, 2017 at 21:22 | review | Suggested edits | |||
| S Dec 23, 2017 at 2:11 | |||||
| Mar 25, 2017 at 23:56 | comment | added | XP1 | @Ken Van Hoeylandt Read Telegram's response here. Allegedly, the weakness is not Telegram's encryption but the SMS auth. Which is easier: breaking a wall or opening a door with no lock? The Russian government was able to hijack SMS from Russian service provider MTS and takeover any account. The same attack was done in Iran and Germany. Everyone should stop using SMS. SMS is not secure. Anyone, even a teenager, can hijack SMS. | |
| Mar 17, 2017 at 13:14 | history | edited | CommunityBot |
replaced http://security.stackexchange.com/ with https://security.stackexchange.com/
|
|
| Jan 18, 2017 at 13:26 | comment | added | ByteWelder | According to a recently leaked documents ("COMPANY INTELLIGENCE REPORT 2016/080" page 6) post on an NOS.nl article, Telegram is insecure: "His/her understanding was that the FSB now successfully had cracked this communications software". There are no details available yet about the validity of these claims. | |
| Feb 15, 2016 at 15:37 | comment | added | Sven Slootweg | Why does this answer still list Cryptocat as a 'real secure alternative'? Given its history, that seems quite a dangerous recommendation. | |
| Jan 14, 2016 at 13:39 | comment | added | Apache | So, more than a year later, the very insecure protocol and application is still not broken. :) | |
| S Dec 28, 2015 at 6:46 | history | suggested | Scott Arciszewski | CC BY-SA 3.0 |
Proposal: A quick answer for people who are skimming the page in a hurry, post Google search.
|
| Dec 28, 2015 at 5:18 | review | Suggested edits | |||
| S Dec 28, 2015 at 6:46 | |||||
| Dec 12, 2015 at 9:47 | history | edited | user10211 | CC BY-SA 3.0 |
added 130 characters in body
|
| Nov 12, 2015 at 22:31 | comment | added | Konrad Rudolph | @Bibhas I have no idea where that figure is from but it’s pure fantasy. For instance, it credits Telegram with having an open, auditable source code. But only parts of the code are (still!) open, and (like in most/all other programs) there’s no verifiable build process. The EFF scoreboard a farce, really. “Points for trying (or pretending)” are nice and all but not an indicator of security. | |
| Aug 25, 2015 at 5:54 | comment | added | Christian Strempfer | @Seth: There are several answers on news.ycombinator.com/item?id=6916860. They also updated their TechFaq. Telegram is not as secure as some alternatives, but it is not insecure. Even in the blog post on alexrad.me it is estimated that full attack costs will be in tens of millions US dollars. That's enough for most users. If you're life is at risk, use another messenger. | |
| Aug 25, 2015 at 0:59 | comment | added | Seth | @ChristianStrempfer Where is Telegram's reply? I can't find it on the blog. I'm really interested in seeing what they have to say. | |
| Mar 13, 2015 at 11:34 | comment | added | Bibhas | Just found out that EFF has given 7/7 of it's secure messaging checklist to Telegram secret chat eff.org/secure-messaging-scorecard | |
| Jan 12, 2015 at 12:15 | history | edited | user10211 | CC BY-SA 3.0 |
added 226 characters in body
|
| Dec 8, 2014 at 19:12 | comment | added | Hello World | @JanDoggen Threema is "trust our closed code to be doing what it's claiming to be doing". | |
| Dec 8, 2014 at 19:10 | comment | added | Hello World | The "Unhandled expression" article contains serious errors and is not a reliable source. Please consider not referencing it. An example of an error (out of many): "Encryption can happen end to end between clients, but there is no authentication, so the server can perform a MITM attack." unhandledexpression.com/2013/12/17/… | |
| Aug 18, 2014 at 11:54 | comment | added | Christian Strempfer | An update would be nice. Telegram responded to the linked blogs and it looks like a lot of accusations were based on an out-dated documentation or misunderstanding of it. They also adjusted rules for their hacking contest. Therefore this answer seems deprecated to me. | |
| May 21, 2014 at 14:36 | comment | added | anu | Using Cryptocat as an security exemplar is actually quite dangerous. It has a very controversial history, and lots of well known security professionals think it's actually dangerous. So, please remove that from your answer. You should also mention that Moxie worked for OpenWhisper. And that OpenWhisper don't have a usable iOS client. | |
| May 15, 2014 at 18:16 | comment | added | Hello World | You've proven that Telegram uses a non standard protocol, that, we already know. But who knows, it might turn out to be secure, no one has objectively examined MTProto yet. The only claim is "This is not standard, therefore this is not secure". | |
| May 8, 2014 at 20:04 | comment | added | Daniel Serodio | @Luc the point that Terry mentioned, which I wholeheartedly agree, is that if (when) an actual issue is found, it may be too late if it has already got critical mass, and because messages are stored on the server. | |
| Apr 5, 2014 at 19:23 | comment | added | Luc | @TerryChia I understand your point, and I too distrust any crypto in new apps, but I don't think this is the major concern when using Telegram right now. The protocol has been looked at by a few smart people and so far I've yet to hear actual issues, so that in my opinion that moves it from "distrusted" to "probably one of the lesser issues". Things like not having plausible deniability, leaking metadata, devices being pwned, people not comparing the encryption key out of band, etc. seem like much bigger issues when deciding whether one should say product X can be ultimately trusted. | |
| Apr 5, 2014 at 16:39 | comment | added | user10211 | @Luc I really wish I can downvote comments. Really? Non-standard crypto doesn't make you nervous? Do you want to encourage people to use crypto protocols without strong theoretical foundations? What happens when adoption reaches critical mass and a serious vulnerability is found? Yes, protocols need to be designed by people. But the people designing them should be trained cryptographers and the protocol needs to be peer reviewed by other trained cryptographers. | |
| Apr 5, 2014 at 16:27 | comment | added | Luc | Reiterates lots of the criticism, but so far I have yet to hear a non-theoretical vulnerability. Can anyone read encrypted messages as they go over the wire, change contents without the other party noticing (even if the attacker doesn't know what the decrypted output will be), or spoof the sender? If not, I don't see a problem with this self-designed protocol. All protocols have been designed by one team or another at some point. | |
| Apr 5, 2014 at 16:04 | comment | added | user13695 | Yes, Threema is 'trust no one': they don't have the keys so they cannot decrypt your messages. It costs $2 IIRC. Threema also does authentication on several levels, the strongest being that if you exchange QR code between phone displays, you know from that moment on that you are communication with that phone ('person' would be incorrect, someone could have stolen your contacts' phone). | |
| Apr 4, 2014 at 18:22 | comment | added | TwentyMiles | Also Threema: threema.ch | |
| Mar 11, 2014 at 9:22 | review | Suggested edits | |||
| Mar 11, 2014 at 9:26 | |||||
| Feb 4, 2014 at 7:33 | vote | accept | ilazgo | ||
| Feb 3, 2014 at 3:49 | history | answered | user10211 | CC BY-SA 3.0 |