Yeah, but there's a bunch of info to take into account:

1.- Telegram claims in their FAQ that they don't have any relation with Russia. This is not true. Take a look at the server IPs they use, from line 309:
https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/ConnectionsManager.java

They have servers in two U.S. datacenters, another in the UK, one in Singapore (American company owned) and two in Russia. The IPs are from VK.com, a company sold to Putin's friend.
https://stat.ripe.net/95.142.192.66#tabId=at-a-glance
https://stat.ripe.net/95.142.192.65#tabId=at-a-glance

2.- The Telegram domain is registered using an anonymizer service, with no NGO or company info on the Telegram website. But they publish the official app on Google Play as Telegram LLC, a company registered in Delaware in May 2013. The website is in a U.S. datacenter.

3.- As Brian said, the server-side software isn't open source. We don't really know how it works, which info it is storing and how this info is replicated to other servers. If I connect from Spain, the app connects to UK servers by proximity (the app uses a sort of heuristic algorithm to detect a better server from your location based on lag and hops). If I'm talking with a Russian user connected to VK servers, the UK server must send messages to the Russian server. This is when you use normal chat, not encrypted chat, which is supposed to be one-to-one with no server intervention. Encryption isn't used by default, just when the user asks for it.

4.- The app doesn't check server certificates, so a man-in-the-middle attack is possible to intercept files and unencrypted chats.

I'm not a WhatsApp user and just used Telegram to check this. If the NSA was able to access WhatsApp messages, with Telegram the NSA also has access, plus GCHQ in the UK and the Russian FSB.

Chatsecure, Textsecure, Pidgin+OTR... we have enough apps with proven encryption to rely on an obscure organization like Telegram.

2014-03-19 13:45 GMT+01:00 Brian Conley <[email protected]>:

> It violates the primary principle many experts here depend on: the most
> important parts are not open source.
>
> I'll echo Natanel's comments, no obvious reason not to recommend Chatsecure
> or TextSecure. What does Telegram have that these don't?
>
> Brian
> On Mar 19, 2014 12:36 PM, "sam de silva" <[email protected]> wrote:
>
>> Hi there,
>>
>> So it's almost a month since this thread died.
>>
>> To me, it looks pretty good and while I am not a mathematician, Telegram
>> looks like a good solution to help improve digital security.
>>
>> But this list has the experts. What's the recommendation? Was there any
>> consensus about Telegram?
>>
>> Thanks and best, Sam.
>>
>>
>>
>> On 22/02/2014, at 1:05 AM, Tony Arcieri <[email protected]> wrote:
>>
>> On Friday, February 21, 2014, Maxim Kammerer <[email protected]> wrote:
>>
>>> All I see is snobbishness of people who have typical Western fear of
>>> steering from "authorized" engineering approaches. The people are
>>> quick to judge some unknown foreign developers incompetent
>>
>>
>> As far as I can tell, you are the only person speaking on this thread who
>> wants to spin it into a discussion of Westerners, xenophobia, etc.
>>
>> I'm talking about math.
>>
>> Telegram is not IND-CCA2 secure. Period. They have some extra sprinkles
>> they claim prevents adaptive chosen ciphertext attacks. They have no formal
>> proof of these claims.
>>
>> Authenticated encryption schemes are IND-CCA2 secure by design.
>>
>> Telegram's scheme is inferior. It's mathematically inferior. Period. It
>> has nothing to do with nationalism. It has everything to do with math.
>>
>> Telegram is an inferior design as compared to the standard designs being
>> used in common practice.
>>
>>
>> --
>> Tony Arcieri
>>
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator at
>> [email protected].
