Telegram group chats are not encrypted


Alan Orth

Jan 11, 2018, 3:03:04 AM
to nairobi-gnu
News of a vulnerability in the Signal protocol's group chat implementation surfaced yesterday[0], therefore affecting Signal itself as well as other messengers that use the protocol like WhatsApp. The attack seems largely theoretical and unlikely to be exploitable, but Open Whisper Systems has apparently said they are working to address this long term.

The most interesting thing about this for me was a comment[1] by Signal's author moxie on the Hacker News discussion thread about the news:

In contrast, Telegram does no encryption at all for group messages, even though it advertises itself as an encrypted messenger, and even though Telegram users think that group chats are somehow secure. An attacker who compromises the Telegram server can, undetected, recover every message that was sent in the past and receive all messages transmitted in the future without anyone receiving any notification at all.

Just yesterday I overheard someone telling their friend that "Telegram is encrypted so governments can't spy on you and stuff, that's why lots of 'crypto' [meaning coins, not encryption] and activist groups use it."

*sigh*. Stay safe out there. Use Telegram if you must, but please do your part to correct this rumor that Telegram is some gift from the gods of privacy! You may as well use a group chat on Google Hangouts, as the encryption model is literally the same. If you need real client-to-client encryption you'd better use WhatsApp or Signal. Or go live in the forest and learn to speak to the squirrels.



Alan Orth

Jan 13, 2018, 11:24:07 PM
to nairo...@googlegroups.com
WhatsApp is absolutely hoovering your contact data and only god knows what they do with it (to think of their social graph!). Signal does it too, but they are apparently doing it in a way that preserves your privacy. In 2014 they wrote a blog post about how hard contact discovery is[0] and in 2017 they wrote another explaining how they came up with a private way to do it[1]. So use Signal. :)

[0] https://signal.org/blog/contact-discovery/
[1] https://signal.org/blog/private-contact-discovery/

Regards,

On Sun, Jan 14, 2018 at 6:07 AM Kennedy Mwenja <mwen...@gmail.com> wrote:
I thought the weakness was in the ability of the server to inject members into groups without the admin's permission, a "trust the server" kind of weakness.
Apparently the only saving grace is the notification system that alerts existing members that someone new has just joined.
I imagine this attack would be very effective for large groups where most members don't pay attention to this.

I would also imagine that we should be more wary of WhatsApp because of its parent company's vested interest in vacuuming as much data as it can.
That is not to say Signal is innocent but at least "in Moxie we trust".
--
You received this message because you are subscribed to the Google Groups "Nairobi GNU/Linux User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nairobi-gnu...@googlegroups.com.
To post to this group, send email to nairo...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alan Orth

Jan 20, 2018, 3:53:56 AM
to nairo...@googlegroups.com
Don't think anything is getting deleted, though some posts do get flagged as spam by Google from time to time and I have to go manually approve them.

On Sat, Jan 20, 2018 at 10:50 AM Kennedy Mwenja <mwen...@gmail.com> wrote:
That's odd. My post seems to have been deleted.

Thanks for the links. Hadn't thought about that aspect of the problem (contact discovery).

Ken Mwenja

Jan 20, 2018, 11:37:20 AM
to nairo...@googlegroups.com
Huh, guess I'm spam worthy.


Brian Njenga

Jan 20, 2018, 1:51:55 PM
to nairo...@googlegroups.com

The overlords are onto you.


--
Some say he really tries to learn efficiently.