Friendly reminder that Telegram has always been a risky choice where privacy matters, even without the issue raised in the article. It uses homebrew encryption (which is always a red flag) and doesn’t enable end-to-end encryption by default (which makes accidental leaks likely).
Some misleading info here.
-
that homebrew encryption thing is subject to a security-focused bounty program and there were positive results from that.
-
there is always some encryption by default, read their docs. If you mean the end-to-end encryption, it’s a fancy thing that doesn’t even have a standardized way to work in group chats. It works in a feature called secret chat, which you have to enable whenever you need it.
that homebrew encryption thing is a subject to security focused bounty program
That doesn’t change the fact that it’s homebrew, and therefore not examined, understood, or trusted remotely as well as ciphers and protocols that have been thoroughly vetted by the global cryptography community. A bounty program doesn’t change that, and it’s not misleading to point it out.
there is always some encryption by default, read their docs. If you mean the end to end encryption,
Sigh. Yes, I meant end-to-end encryption. (My use of the word “any” simply meant inclusive of homebrew.) I thought that would be obvious, since point-to-point encryption is commonplace, and is the default for even simple web sites these days, so hardly worth mentioning in this context. But since you didn’t pick up on that, or were concerned that someone else might not, I have updated my comment to be more specific.
It works in a feature called secret chat, that you have to enable whenever you need it.
In other words, not enabled by default. As I said.
You should probably also update the “leaks likely” part with a history of encryption-related leaks from Telegram over 10 years.
In other words, not enabled by default.
It’s not enabled by default because people expect their chat history to not get wiped every time they finish talking, in most cases.
I think it was clear from context that “accidental leaks” meant forgetting to enable e2ee, thereby exposing the conversation directly to Telegram, with not even the homebrew encryption protecting it.
Obviously, there is no recorded history of every time anyone has made that mistake, but your gibe about it does at least confirm that you’re arguing in bad faith, which makes this easier: Goodbye.
If you really mean that, the leak resulting from such a mistake will only happen if you missed the fact that your chat history is saved after a talk (even though it’s right there just like any other history), then enough time passed for your friend to change views on you and leak whatever they had saved (since you didn’t remove that part of chat history before that happened).
I’m sure that such a scenario is insanely unlikely. A much more likely scenario would be for you to not know that a friend of yours has already changed their views and is making records of all end-to-end encrypted content you make together by simple means, like another phone.
I like when people hate questionable stuff. But I hate when they do it for silly or made up reasons.
-
If you group chat on a Telegram channel, then encryption doesn’t mean much… Your weak link is every user that can screenshot or copy-paste your messages.
Your weak link is every user that can screen shot or copy paste your messages.
It’s the same for any chats (and apps) including telegram’s own secret 1 on 1 chat, isn’t it?
Yep, that’s why encrypted chat is a false sense of security. Group ones are worse because you may not know if those joining are legit. You would need Session peer-to-peer with overlays (screenshots) blocked, but even then a person with another phone just takes a photo of the screen.
“People can get your number and even understand that you are using telegram”
And they could always find that about a random telephone number if they wanted, it didn’t need to have anything to do with this specific feature/campaign.
I remember when Telegram Inc was aware that could cause some massive issues down the line, and their response was to ignore it.
Then a state level actor abused this, and Telegram declared there was no issue, and they had fixed the issue.
Welp, I wish there would be some massive movement against the feature of using the phone number as a login for any services.
This is the best summary I could come up with:
Telegram has introduced a controversial new feature that grants users a free premium membership in exchange for allowing the instant messaging app to utilize their phone number as a relay for sending one-time SMS passwords to other users attempting to log into the platform, raising concerns about potential privacy risks and the exposure of personal information.
The terms of service for this peer-to-peer login program note that the company will send a maximum of 150 OTP messages per month.
Participating users, who may also be charged for local and international SMS usage, will have to hit a certain quota to be able to avail the complimentary subscription.
The terms indicate that people participating in the program won’t hold Telegram liable for any damages and give the company absolute indemnity from all claims related to peer-to-peer login.
The company launched a subscription service two years ago with features like transcription, exclusive stickers, reactions and other customizations.
However, users opting into the peer-to-peer login system have to think if giving out their phone number to strangers to save a few bucks is worth the hassle.
The original article contains 378 words, the summary contains 183 words. Saved 52%. I’m a bot and I’m open source!