Big flaws in Telegram's encryption system

Bryn said:
I'm not surprised something like this eventually made the news. It would be preferable for Telegram to adopt an encryption standard. Considering how difficult implementing any of these vulnerabilities would have been, calling the existing security 'brittle' seems dumb though. Especially when WhatsApp has genuine vulnerabilities that are far, far more serious.

But it's good that researchers are poking holes. Maybe it will cause Telegram to make the switch.



Why would you have a problem with Telegram? It's almost identical to WhatsApp but with loads more useful features, such as untethered desktop apps, cloud storage, huge group limits, better group admin controls and so on. Telegram is awesome.
Click to expand...
It may well have wonderful features (I like that the desktop client is not tethered to your phone) but Telegram is just kuk out of the box - you install it and immediately start being spammed with 'that poephol you happened to speak to 7 years ago has joined Telegram'

Blech!
 
AfricanTech said:
It may well have wonderful features (I like that the desktop client is not tethered to your phone) but Telegram is just kuk out of the box - you install it and immediately start being spammed with 'that poephol you happened to speak to 7 years ago has joined Telegram'

Blech!
Click to expand...
Yeah, that should be off by default. It is annoying. Hardly a serious thing though when it takes about 1 min to crawl through the settings and configure things to your liking.
 
Bryn said:
Yeah, that should be off by default. It is annoying. Hardly a serious thing though when it takes about 1 min to crawl through the settings and configure things to your liking.
Click to expand...
Did that, then went on to the "chat" page, and guess what, it's chock full of "xyz joined Telegram" messages

Like I said, blech!!!

Edit: I am of course exaggerating for effect :p
 
r00igev@@r said:
Never liked Telegram. Why the infatuation by some people?
Click to expand...
It's not about security but features. Pick what works for you. If you go by security you'll be disappointed. WA being closed source you have no idea if it's sharing info with the server and you're essentially trusting Facebook.

And let's be honest, for normal day to day conversation it doesn't really matter. If someone wants to go to endless trouble to see a bunch of cat pictures they are welcome. If security really matters you shouldn't be using a chat app in any case and only your own solutions and email. Even SSL isn't secure if someone is really determined.

Telegram should just implement an open encryption standard as it's entirely irrelevant here.

Jan said:
Imagine you send four messages in the following sequence:
  1. I say yes to all the
  2. pizza
  3. I say no to all the
  4. crime
The vulnerability lets attackers change the sequence the messages are received so the context can be changed to:
  • "I say yes to all the crime"; and
  • "I say no to all the pizza"
Naturally this will immediately result in the TSA pulling you aside for an "enhanced screening" to ask what kind of monster you have to be to say "no" to all the pizza.
Click to expand...
That would require them to know the messages though or else it would just be a bunch of jumbled up garbage. They'd also need to intercept them if I'm not mistaken?
 
Signal, Signal or Signal. Those are your choices when it comes to secure conversations.
 
WhatsApp has the most users, so it stays the most used.
 
RE: Whatsapp, I doubt the metadata contains only location/identity or whatever. I've noticed that some of my chats ends up triggering advertising in facebook. Friend and I were discussing the possibility of using honey on a pizza for a competition he had at work, we discussed it for maybe 10 minutes with quite a few mentions to honey, and all of a sudden I had several "honey manufacturers" and "tools" pop up in my Facebook advertising feed (I call it advertising feed, not news feed)

Doesn't matter how secure you think something is, as long as that company needs to make money, there will be some kind of doorway into your data for them to exploit for $. The only thing that would actually remove that incentive is a monthly subscription cost for the service. Keeps the creators happy because they're making money and can profit as their user base grows...well, that's the hope.... but people are sheep.

Free = I'll hand over any data you want for me to use your app
 
envo said:
RE: Whatsapp, I doubt the metadata contains only location/identity or whatever. I've noticed that some of my chats ends up triggering advertising in facebook. Friend and I were discussing the possibility of using honey on a pizza for a competition he had at work, we discussed it for maybe 10 minutes with quite a few mentions to honey, and all of a sudden I had several "honey manufacturers" and "tools" pop up in my Facebook advertising feed (I call it advertising feed, not news feed)

Doesn't matter how secure you think something is, as long as that company needs to make money, there will be some kind of doorway into your data for them to exploit for $. The only thing that would actually remove that incentive is a monthly subscription cost for the service. Keeps the creators happy because they're making money and can profit as their user base grows...well, that's the hope.... but people are sheep.

Free = I'll hand over any data you want for me to use your app
Click to expand...
Maybe it's your keyboard sharing it with Facebook?
 
  • Haha
Reactions: Swa
Myjisses these headlines... :rolleyes:
Well done outrage algorithm, you got me to read... now can I have my time back please.

"First the researchers showed four attacks on Telegram’s encryption scheme.
It should be noted that Telegram patched all of these vulnerabilities before the researchers disclosed the flaws."

1> crime-pizza vulnerability
“I say yes to”, followed by “pizza”, and then “I say no to”, followed by “crime”.
If the order of the messages “pizza” and “crime” is reversed, it would appear that the client is declaring their willingness to commit a crime."
2> The second attack was mostly of theoretical interest
"The vulnerability allows an attacker on the network to detect which of two messages are encrypted by a client or a server."
3> could, in principle, allow attackers to recover some plaintext from encrypted messages.
"While this seems alarming, it would require an attacker to send millions of carefully crafted messages to a target and observe minute differences in how long the response takes to be delivered."
4> man-in-the-middle attack
"Luckily, this attack is also quite difficult to carry out, as it requires sending billions of messages to a Telegram server within minutes,” the researchers stated."
 
Last edited:
AfricanTech said:
It may well have wonderful features (I like that the desktop client is not tethered to your phone) but Telegram is just kuk out of the box - you install it and immediately start being spammed with 'that poephol you happened to speak to 7 years ago has joined Telegram'

Blech!
Click to expand...

You realise it just means they have your number right?

So they could use it on any other messenger like WhatsApp or even call you. The horror.

I actually like being informed about who has me in their contacts.
 
IMO you cannot use these tools, for free, and still expect any kind of privacy, or any commitment from the owners whatsoever really.

Snowden really made it very clear: if it can be done, it is being done.

Best to do your thing with that in mind.
 
SauRoNZA said:
You realise it just means they have your number right?

So they could use it on any other messenger like WhatsApp or even call you. The horror.

I actually like being informed about who has me in their contacts.
Click to expand...
It's not that, it's that before you went digging you'd be spammed by a completely spurious and unnecessary notification that your number is in someone else's phone - who cares? (besides you of course)

We already have so much info overload...

Anyway, it's really not a big deal - I was more taking the piss than anything else...

:laugh:

Edit: Just opened Telegram now and lo and behold, up a pops a message "xyz - who I last spoke to 8 years ago - has joined Telegram" and it's now cluttering up the chat window - eish...like I care that xyz is using Telegram...
 
AfricanTech said:
It's not that, it's that before you went digging you'd be spammed by a completely spurious and unnecessary notification that your number is in someone else's phone - who cares? (besides you of course)

We already have so much info overload...

Anyway, it's really not a big deal - I was more taking the piss than anything else...

:laugh:

Edit: Just opened Telegram now and lo and behold, up a pops a message "xyz - who I last spoke to 8 years ago - has joined Telegram" and it's now cluttering up the chat window - eish...like I care that xyz is using Telegram...
Click to expand...

Yeah they could at least put the notification pop up off by default or ask you during onboarding what you prefer.
 
SauRoNZA said:
Yeah they could at least put the notification pop up off by default or ask you during onboarding what you prefer.
Click to expand...
and give you the option of it not automatically showing in your chat window as a 'chat' - you can't even quickly swipe it away - when you swipe you get another popup asking to confirm that you want to delete* the 'chat' - it's not a chat, it's a notification from the app.....blech

That said, if you swipe and archive (as opposed to delete) then it doesn't ask for additional confirmation

The reality is that 99.9 percent of my contacts still use whatsapp even though they have Telegram loaded
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X