this post was submitted on 05 Dec 2024
185 points (97.9% liked)
Cybersecurity
5847 readers
12 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Not using end-to-end encryption is the equivalent of using best practice developed nearly 30 years ago [1] and saying "this is good enough". E2EE as a default has been taking off for about 10 years now [2], that Telegram is going into 2025 and still doesn't have this basic feature tells me they're not serious about security.
Ridiculous? Yes, you're missing the entire point of end-to-end encryption, which you immediately discredit any security Telegram wants to claim:
Telegram (and anyone who may have access to their infrastructure, via hack or purchase) has complete access to view your messages. This is what E2EE prevents. With Telegram, someone could have access to all your private messages and you would never know. With E2EE someone would need to compromise your personal device(s). One gives you zero options to protect yourself against the invasion of your privacy, the other lets you take steps to protect yourself.
The problem here is that you should not be mixing secure contexts with insecure ones, basic OPSEC. Signal completely mitigates this by making everything private by default. The end user does not need to "switch context" to be secure.
[1] Developed by Netscape, SSL was released in 1995 - https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0,_2.0,_and_3.0
[2] Whatsapp gets E2EE in 2014, Signal (then known as TextSecure, was already using E2EE) - https://www.wired.com/2014/11/whatsapp-encrypted-messaging/
Yeah that's cool and all but you're strawmanning. Your original comment, that I hear parroted a lot, is that Telegram is (basically) unencrypted, and regardless of your feelings about the suitability of MTProto (not SSL) that's patently untrue.
There's no evidence that MTProto has ever been cracked, nor any evidence of them selling or allowing anyone access to their servers and recent headline news backs this up. Whether you choose to trust them with your data is up to the individual to decide. I'm just tired of seeing the "Telegram is unencrypted" claim in every instant messaging thread, made by people who don't know or care to know the difference between encryption and E2E encryption.
Google, on the other hand, routinely allow "agencies" access to their servers, often without a warrant, and WhatsApp - who you cite as a good example of E2E encryption - stores chat backups on GDrive unencrypted by default. They added the option to encrypt last year but nobody was forced (or possibly even asked?) to turn it on, and to this day no encryption of backups is still the default. And while you might encrypt your backups, can you be sure the same is true for the people on the other end of your chats?
The entire point is that you shouldn't have to put your trust that a third party (Telegram or whoever takes over in the future) will not sell/allow access to your already accessible data.
Just because it's not happening now does not mean it cannot happen in the future. If/when they do get compromised/sold, they will already have your data; it's completely out of your control.
Exactly my point. Google are using the exact same "security" as Telegram. Your data is already compromised. Side note - supposedly RCS chats between Android is E2EE although I wouldn't trust it as, like Telegram, you're mixing high/low security context, which is bad OPSEC.
Valid concern, but this threat exists on almost every single platform. Who's to stop anyone from taking screenshots of all your messages and not storing them securely?
[1] https://www.tomsguide.com/news/whatsapp-encrypted-backups