
Germany threatens to ban Telegram

“It’s a free app, with no adverts, so what can they sell?”
They are sponsored by the Government Security Services who can read all their content. :-(

Maoraigh
EGPE, United Kingdom

They should not be able to do so with ease, because tg is end to end encrypted.

Only groups (on whatsapp and tg) are sending data in plain text; difficult to achieve a secure conferencing solution. It can be done but you have to trust the server – there was a long thread where the “zoom vulnerabilities” were discussed. It isn’t practical to set up an end to end encrypted conferencing solution (where the server doesn’t need to be trusted, like the tg server does not have to be trusted for 2-person chats).

If the GCHQ cannot read all my internet comms then I would complain to the govt for not spending my tax money wisely

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

They should not be able to do so with ease, because tg is end to end encrypted.

…and you know that is the case…. how?

We put a lot of trust into the providers of key security infrastructure. While we all can see how TLS / https is supposed to work, we can’t verify that whatever browser we are using actually implements it. Every day when I use a password manager which supposedly stores data end-to-end encrypted with absolutely no access to the key by the provider, I cannot verify that the software actually faithfully implements what their whitepaper says.

Short of only using open source software that every end user compiles him/herself (assuming the compiler has no built in backdoor generator) and an – again trusted – community of people to validate that the source code does what it is supposed to do, there is no practical way to implement end-to-end security without trust.

Biggin Hill

Cobalt wrote:

…and you know that is the case…. how?

Telegram is open source.

ESKC (Uppsala/Sundbro), Sweden

While we all can see how TLS / https is supposed to work, we can’t verify that whatever browser we are using actually implements it.

That’s true.

But security needs depend on who is the “enemy”.

If the national security agency is your enemy, they can bounce a laser off your window and get the audio. They can break into your house and bug it. Read the EM radiation from your wiring, monitors, etc.

If the GCHQ cannot read all my internet comms then I would complain to the govt for not spending my tax money wisely

I expect them to have these capabilities.

If I was doing something criminal I would be appropriately more careful. But if my enemy was Mossad?

Mantra #1 is: there is no security without physical security. Prob90 you have a £10 Euro cylinder in your front door. Google on Euro cylinder lock picking. A good amateur will take a few mins. Or he can snap it in 10 secs (but then you will find out). You can get slightly more pick resistant – and much more snap resistant – ones from say Abloy for £100. Read Spycatcher. MI5 could pick absolutely every lock very fast – except some diamond dealer safes, in the 1950s.

A browser will only be as secure as the machine running it is physically secure, otherwise somebody can plant fake root certificates on it, plus a fake DNS server. I am working on a “box” now which, being embedded (no actual user interface on it) cannot possibly ever achieve this. It does TLS so can run an encrypted session, but cannot connect to say microsoft.com and be sure it is talking to the real microsoft.com IF somebody can plant a fake DNS server on the factory LAN. And all the time somebody could enter your house, or access the factory or office LAN (which can be done from a car parked outside, via dodgy wifi) your IT security is precisely zero also. It can be done with secure private key storage, but only for talking to a private server, on an IP, and that avoids needing a secure means of periodically updating the root certs.

Lend somebody your phone, laptop, PC, etc, for a minute and your comms security is zero. The industry has always struggled with this, hence the various physical tokens you carry on a chain around your neck, tamper-proof housings, self-destructing private key storage, etc.

So most comms security is an illusion – because 99.9% of people have absolutely no way to be sure of physical security of their hardware. But who cares? What I care about is that any Tom, Dick or Harry cannot gain control of my PC, and from there get into the EuroGA server and make a lot of work for me.

Telegram is open source.

Indeed but 99.9% of users download the executable, and what if the server has been compromised?

Take Thuraya satphones. The satellite, and the early 7100 phones, are made by Hughes. Do you think Hughes would have got an export license to sell it to a Middle East country unless the NSA could read everything?

The whole world is like this. It’s an illusion, unless a lot of work is put into it. At the individual level, and if you are a bad enough boy to have somebody real out to get you, forget it.

Administrator
Shoreham EGKA, United Kingdom

@Airborne_again wrote:

Telegram is open source.

And you verify that the executable in the apps store actually is a compilation of that exact source – how? You trust whoever put it in the app store.

And even that does not help. Because in principle, it is possible to build and distribute a compiler or a security library that inserts security flaws or back-doors into the executable that are not in the source code. Not a capability within reach of anyone without the cooperation of the compiler builder and a lot of people on the way, fortunately, but available at Government-level (NSA, GCHQ + arm-twisting).

Biggin Hill

Cobalt wrote:

And you verify that the executable in the apps store actually is a compilation of that exact source – how?

I don’t, but I’m reasonably sure that there are vigilant people that do.

ESKC (Uppsala/Sundbro), Sweden

Peter wrote:

They should not be able to do so with ease, because tg is end to end encrypted.

(I’m not a telegram user and I haven’t had a close look at the telegram protocol – therefore this is an honest question)

How does telegram exchange the (public) keys required for that E2E encrypted private chats? Do you enter the SHA-256 key manually after you received it from the other party by (snail-)mail?
How is a secure exchange of public keys orchestrated after a client device (and therefore its private keys) got compromised? Again: do you get a snail mail notification that a device got compromised (and who sends this notification) including a new public key?

Background of those questions: The most simple attack vector against so called “end 2 end encrypted” communication is not to attack the encryption itself (which can be done in a quite secure way) but to perform a simple man in the middle attack when the (public) keys required for the encryption are exchanged. If you control the servers, you typically have all the means to perform such a man in the middle…

Airborne_Again wrote:

don’t, but I’m reasonably sure that there are vigilant people

At least in the Apple universe there is no practical way to actually do that. The package delivered by the App Store always contains references to the publisher that are not public (and should not be public) and therefore you cannot “compile” the sources and check if e.g. the MD5 of your result equals the MD5 of the package you get from the App Store.
Strictly speaking there is no such thing as open source in the Apple App Store (neither is it in the Google App store, but with an open Android mobile you could theoretically compile the telegram sources yourself and use this package).

Last Edited by Malibuflyer at 19 Jan 08:42
Germany

The keys are generated on each session. The details are published somewhere.

A man in the middle attack is always possible unless you can do a certificate check, going all the way back to the root certificate(s), or you use a simple shared key and personally know and have shared the key with the other end.

This is moot anyway because you can join tg with a username of Vlad the Impaler. Actually no; just checked and there are 3 of these already, but you get my drift. There is clearly no user authentication; he’s been dead for a while. It’s the same with all IM systems, email, etc. With email you have DKIM which enables crypto “certainty” that the sender owns that domain (but no more). When we set up a tg group for one of our fly-ins, we always get a few people joining up with usernames which they made up on the spot.

And if you have independently verified the identity of the other person, you can just use a shared key, with AES256 or whatever. You don’t need PK crypto. At each end, the shared key has to be stored, and it will be no more or no less secure than the private key in RSA or whatever. Certificates just make it easy to revoke after x days, etc. And if I was setting up a terrorist group I would a) make sure we initially meet up face to face and b) give out the shared key then.

A lot of people go around in circles pontificating about comms security, when actually the really good solutions are trivial. They are just impractical for a widely deployed system, but with a widely deployed system you can easily have an imposter unless you use certificates.

Fortunately, most criminals are stupid. Just as well, since the police would never catch them otherwise.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

The keys are generated on each session.

If the key pair is generated per session, E2E encryption is no more than a marketing gimmick: whoever gains control of the server immediately has access to the clear text of all newly started conversations.

Germany
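The point made in Malibuflyer's two posts above (a server that relays the key exchange can substitute keys, and a per-session exchange with no out-of-band check gives the server the clear text) can be shown with a small simulation. This is an added illustration, not code from the thread or from Telegram; it uses a toy Diffie-Hellman group and a constructed relay, and the "fingerprint" is a short SHA-256 digest of the session secret that both parties are assumed to compare over a separate channel (in person, by phone), which is what turns an unauthenticated exchange into a detectable one.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only
# (real deployments use a standardised group of 2048 bits or more).
# P is the Mersenne prime 2^127 - 1, so secrets fit in 16 bytes.
P = (1 << 127) - 1
G = 3


def keypair():
    """Per-session DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(secret):
    """Short digest each party reads out to the other over a separate channel."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()[:16]


def run_exchange(relay_substitutes_keys):
    """Alice and Bob exchange public values through a relay server.

    Returns each side's fingerprint, whether the fingerprints agree, and
    whether the relay ends up knowing both session secrets.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not relay_substitutes_keys:
        # Honest relay: forwards the public values unchanged.
        a_secret = shared_secret(a_priv, b_pub)
        b_secret = shared_secret(b_priv, a_pub)
        relay_can_read = False
    else:
        # Relay that controls the exchange: each party receives the relay's
        # public value instead of the peer's, so two separate sessions exist
        # and the relay can decrypt and re-encrypt every message in between.
        s_priv, s_pub = keypair()
        a_secret = shared_secret(a_priv, s_pub)   # Alice thinks this is Bob's key
        b_secret = shared_secret(b_priv, s_pub)   # Bob thinks this is Alice's key
        relay_can_read = (shared_secret(s_priv, a_pub) == a_secret
                          and shared_secret(s_priv, b_pub) == b_secret)
    fa, fb = fingerprint(a_secret), fingerprint(b_secret)
    return {"alice_fp": fa, "bob_fp": fb,
            "fingerprints_match": fa == fb, "relay_can_read": relay_can_read}
```

With an honest relay the two fingerprints agree and the relay learns nothing; with a key-substituting relay the relay can read everything, and the only thing that reveals it is that the fingerprints Alice and Bob compare out of band no longer match.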