320

Finally got rid of telegram, congratulations to me (sh.itjust.works)

submitted 8 months ago by Gooey0210@sh.itjust.works to c/privacy@lemmy.ml

151 comments fedilink hide all child comments

It was a many months transition, and it's finally done

Fun thing, you can actually make a backup of all* your messages, groups, contacts, etc. So before leaving you can have all of your data in case you need that one contact or something

The final red flag was as that allegedly Russian authorities were messing with people's deleted messages. Not for the first time there are news that they could read, modify, delete, see location, and etc. Screw it, this is unsafe, I'm out.

Also, these days telegram is really at the state of a pile of garbage, bloated, buggy, and shady messenger.

you are viewing a single comment's thread
view the rest of the comments

[-] BearOfaTime@lemm.ee 60 points 8 months ago* (last edited 8 months ago)

The final red flag was as that allegedly Russian authorities were messing with people's deleted messages.

I don't know about "Russian authorities", but the fact remains that if you can login anywhere and see your messages, then your ~~public~~ private key is stored in the server.

Since Telegram requires authorization from an extant connection, I don't know if that means your public key isn't stored on the servers and it's being sent from the authorizing device, or if that device is merely authorizing the Telegram servers to transmit that key to the new device.

Since they have a full e2e chat feature (Private Chats), I'm going to assume the latter.

So anyone who can get those keys can gain access to your chats.

I still say Telegram is far superior to anything from Fuckbook/Meta, because it's not integrated into everying you do (even those of us who've never once been on Facebook, and yet have ghost profiles), not to mention the Facebook app integrated into Android on many vendor phones.

Even so, know Telegram for what it is - not ideal, just better than WhatsApp, and a step along the path to moving to more secure and privacy-respecting apps.l

[-] bleistift2@feddit.de 40 points 8 months ago

then your public key is stored in the server

Did you mean private key?

[-] Synnr@sopuli.xyz 9 points 8 months ago

I automatically read it as private key, good catch

[+] Gooey0210@sh.itjust.works -31 points 8 months ago

Comparing telegram to WhatsApp is something really 2015 😅

Now we have many alternatives, and let's just switch, fb and telegram both suck compared to signal, simplex, session, or even matrix (wait for the new matrix' update where they add some new encryption stuff)

[-] Synnr@sopuli.xyz 11 points 8 months ago* (last edited 8 months ago)

Session was at first a fork of Signal without usernames.

Now by design it uses their own custom tor-like service (instead of just... using tor) and does not support forward secrecy or deniable authentication, so anyone who collects the messages in transit can either find a vulnerability in the encryption scheme, or spend enough GPU resources to crack it, and they have confirmation of who sent and received the message and what the contents of the message are. And is headquartered in Australia, which is 5EYES and much more against encryption than the US. Oh, and the server is closed-source.

Regarding Australia's 2018 bill...

The Australian Parliament passed a contentious encryption bill on Thursday to require technology companies to provide law enforcement and security agencies with access to encrypted communications. Privacy advocates, technology companies and other businesses had strongly opposed the bill, but Prime Minister Scott Morrison’s government said it was needed to thwart criminals and terrorists who use encrypted messaging programs to communicate.

Regarding the 'vulnerability or cracking them later' bit...

Messages that are sent to you are actually sent to your swarm. The messages are temporarily stored on multiple Service Nodes within the swarm to provide redundancy. Once your device picks up the messages from the swarm, they are automatically deleted from the Service Nodes that were temporarily storing them.

From Session's own FAQ:

Session clients do not act as nodes on the network, and do not relay or store messages for the network. Session’s network architecture is closer to a client-server model, where the Session application acts as the client and the Service Node swarm acts as the server. Session’s client-server architecture allows for easier asynchronous messaging (messaging when one party is offline) and onion routing-based IP address obfuscation, relative to peer-to-peer network architectures.

I wouldn't touch it with a 12ft ladder.

[-] LWD@lemm.ee 2 points 8 months ago* (last edited 8 months ago)

Between forking Signal to make their desktop and mobile clients, and forking Monero to make their cryptocurrency... I'm surprised they came up with Lokinet.

Edit: I'm pretty Session doesn't even use Lokinet. So much for the claimed resiliency from "hackers"

[-] Synnr@sopuli.xyz 1 points 8 months ago* (last edited 8 months ago)

Session does use the Oxen network which is the renamed Lokinet, unless they made a change I'm wholly unaware of.

[-] LWD@lemm.ee 2 points 8 months ago

I must have been thinking of their past implementations. Their FAQ says things were different:

Proxy routing was an interim routing solution which Session used at launch while we worked to implement onion requests. When proxy routing was in use, instead of connecting directly to an Oxen Service Node to send or receive messages, Session clients connected to a service node which then connects to a second service node on behalf of the Session client... The proxy routing system has now been replaced by onion requests.

It was even less clear to me because this is what it says in the app itself:

Session hides your IP by bouncing your messages through several Service Nodes in Session's decentralized network.

Not "the Oxen network" but "Session's network."

And then it has a graph of

• You

• Entry Node

• Service Node

• Service Node

• Destination

[-] Synnr@sopuli.xyz 2 points 8 months ago* (last edited 8 months ago)

You're not wrong. Lokinet and Session are both products from the same parent company. Lokinet was renamed to the Oxen protocol, and they run all the servers AFAIK, so it would be like tor, if tor ran every guard, entry, and exit node. AKA worthless. So you're spot on, it's a joy to the intelligence community and after the Encrochat debacle and Session stopped using Signal's encryption algorithms and code, I would suggest no one use it for anything sensitive.

[-] Vilian@lemmy.ca 10 points 8 months ago

i use telegram, but i agree that signal and matrix is superior from both(i don't about the others)

this post was submitted on 06 Mar 2024

320 points (87.2% liked)

Privacy

32111 readers

656 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS