cheese_greater@lemmy.world
on 20 Sep 2024 12:54
Was kinda wondering when they were gonna cut the cord, Telegram is likely thoroughly compromised and compromising
gedaliyah@lemmy.world
on 20 Sep 2024 13:06
Wait, the centralized service that security experts warned for years could be easily compromised because a centralized messaging service is inherently insecure has now been compromised? Surprised Pikachu face
MehBlah@lemmy.world
on 20 Sep 2024 13:30
Owned by a fake rebel Russian who has somehow managed to keep from falling out of a window on a high floor. Cough, cough plant.
melroy@kbin.melroy.org
on 20 Sep 2024 17:08
Not to discredit your argument but isn’t Signal also centralised?
gedaliyah@lemmy.world
on 20 Sep 2024 18:11
The data is not centralized in the same way, making it slightly better, but yeah. A lot of the same pitfalls of centralization happen there. The whole system doesn’t operate without the corporate servers in the middle, even though they don’t see or store the data. They have total access to Metadata. The organization could be sold for profit, shut down, change terms, etc.
If security is important, you’re better off with something decentralized like matrix. I’m not an expert, so hopefully, a lot of people here who are smarter than me will fact check these statements, but at least those are my impressions.
MiltownClowns@lemmy.world
on 20 Sep 2024 18:12
It is, which is why the comment didn’t advocate for it. Signal has more robust encryption than telegram, but it’s not zero-trust. They should really be using private hosted services instead of public or pgp, but when battle kicks off you use whatever works and then go back and revise as needed when you’re not dodging bombs.
lemmylommy@lemmy.world
on 20 Sep 2024 20:38
It is. But it is open source and the encryption is solid. All communication data is end-to-end encrypted. They have been subpoenaed before and all they could provide was when the account was first registered and when it was last used.
The signal protocol is well documented and open source. The foundation and LLC behind it are registered in California and are run by reputable people.
Telegram is run by shady people, supposedly out of Dubai, while it is registered in the British Virgin Islands. Its clients are also open source, however the encryption, if enabled, is of the home cooked variety, although it was improved over time. Unfortunately it is not enabled by default, you need to enter a „secure chat“ for that, which only works with single contacts, not with groups. Despite having access to everything else, and working like a social media-messenger-hybrid, telegram is very reluctant to get rid of clearly illegal content.
sunzu2@thebrainbin.org
on 20 Sep 2024 13:07
Do Viber next lol
cheese_greater@lemmy.world
on 20 Sep 2024 13:11
Why do people use Viber over like Signal and Threema or worst-case scenario Whatsapp?
sunzu2@thebrainbin.org
on 20 Sep 2024 13:17
Network effects... Once community picks the app, it ain't changing.
It's pretty amazing that two years into the war this is still an issue in Ukraine especially at government/military level.
I get plebs giving fuck all due to poor understanding, the state taking this long doesn't make sense. These issues were brought from the start of the invasion.
helenslunch@feddit.nl
on 20 Sep 2024 16:11
> Network effects… Once community picks the app, it ain’t changing.
I think you’re sidestepping the question though. The question is why the community picked the app.
sunzu2@thebrainbin.org
on 20 Sep 2024 16:16
Because Russian corpos shoved into their faces and the state was too stupid to see the issue with it despite being at war with Russia since 2014.
People who criticized this were mercilessly mocked by the normies...
Aka the same thing happening in the US, at least consequences ain't bad here... For now
Maybe choosing your poison? Viber belongs to the Japanese company Rakuten, so it may be more interesting geopolitically, depending on your country.
sunzu2@thebrainbin.org
on 20 Sep 2024 16:17
Viber is Israeli based with connection to Russian security services.
Korkki@lemmy.world
on 20 Sep 2024 13:14
I would never risk any third party messaging service in military or critical state matters. It’s just common sense, even for a layman. Everything is compromised, Telegram is, Whatsapp is, Signal is, all of them are.
TheTechnician27@lemmy.world
on 20 Sep 2024 14:11
It’s not, unless they’re some sort of cryptography expert with a peer-reviewed white paper pending publication. The Signal protocol (GPLv3) is extremely robust and has almost no capacity for metadata generation, and both the app and server-side code are under the AGPLv3 (technically if they were compromised they could use different, unaudited server-side code, but refer back to “basically no metadata”). Signal has essentially no capacity to be compromised; they can’t even bait and switch users with a pre-compiled app whose source code isn’t the publicly available one and actually has a backdoor because their builds are reproducible and it would be caught immediately.
Maybe they take issue with the crypto bullshit, which is valid but doesn’t compromise messaging security. Maybe they don’t like that they took away SMS, which I completely agree with, but also actually makes it marginally more secure. Either way, I seriously doubt if they had any mathematical insight into Signal being “compromised” that they would be here hanging around on Lemmy right now.
kwozyman@lemmy.world
on 20 Sep 2024 14:49
Be that as it may, it’s still an incredibly short sighted decision to use a centralized service that is under 3rd party control for real security sensitive applications.
sugar_in_your_tea@sh.itjust.works
on 20 Sep 2024 15:14
Yeah, that does bother me. But it’s also a lot easier to build a centralized service like that than to get people on a decentralized one.
If you really want something private and are willing to jump through a few hoops, Simplex exists. But most people aren’t willing to jump through a few hoops, and even Signal (a pretty low bar) is a hard enough sell as it is. And that’s why I use Signal, because it’s my best chance to get people onto something better. In other words, don’t let perfect be the enemy of better.
helenslunch@feddit.nl
on 20 Sep 2024 16:16
> But it’s also a lot easier to build a centralized service like that than to get people on a decentralized one.
Is it? No one seems to have problems using email.
sugar_in_your_tea@sh.itjust.works
on 20 Sep 2024 16:22
Yet pretty much everyone uses the same one: gmail.
helenslunch@feddit.nl
on 20 Sep 2024 16:24
not true. Plenty of people use Yahoo, Outlook, Proton, and some even use AOL!
sugar_in_your_tea@sh.itjust.works
on 20 Sep 2024 16:43
Sure, and I use Tuta. Those are outliers, the vast majority use gmail, or at least the vast majority in my circles do.
It’s the same thing as the network effect, just a little less ubiquitous, people will tend to use whatever everyone else uses. Getting something new like email (SMTP) is a huge endeavor, it’s a lot easier to just build a centralized service and get people to use that, and most people will use the same provider anyway.
I don’t like it, but I understand why it works and is so common.
helenslunch@feddit.nl
on 20 Sep 2024 16:46
> Those are outliers
…I don’t understand your point. Do outliers make it not decentralized?
sugar_in_your_tea@sh.itjust.works
on 20 Sep 2024 17:05
No, those being outliers means the email argument isn’t particularly strong, especially when talking about a new standard. If most people use a single service anyway, why would a company go out of its way to make something decentralized? And for something like encrypted chat, that’s a lot of extra work.
helenslunch@feddit.nl
on 20 Sep 2024 17:09
> If most people use a single service anyway, why would a company go out of its way to make something decentralized?
Same reason they did it for email?
sugar_in_your_tea@sh.itjust.works
on 20 Sep 2024 17:16
What, by starting as a government system using a completely different protocol, then adapting to always-online network connections (i.e. universities) at a time when spam didn’t really exist?
The 70s and 80s were a very different time, and regular consumers didn’t use email until it had gone through several iterations. Even so, most people used a single implementation (sendmail on BSD) for quite some time before anyone else got involved.
The internet today is a very different beast, you can either try for an open standard, or you can try for user acquisition. Almost nobody seriously goes for the open standard anymore, unless it’s an iteration of an already existing open standard.
melroy@kbin.melroy.org
on 20 Sep 2024 13:47
Matrix chat is not :)
rottingleaf@lemmy.world
on 21 Sep 2024 06:48
> I would never risk any third party messaging service in military or critical state matters.
Ah, so mister genius would write his own, have I heard that right? Would he use XOR twice when encrypting a message, just to be double safe?
How secure something is is a spectrum. Sure self hosted matrix is a lot safer than sending your messages through meta servers for example. It’s about what is the threat levels of what one is doing. Total tinfoiling like writing your own quantum proof multi encryption ciphers and sending that over a tamper proof usb stick with self destruct mechanism by a carrier pigeon is not necessary or practical for average people who just want privacy, but for critical government applications and especially the military it might be. That is what we are talking about here.
rottingleaf@lemmy.world
on 21 Sep 2024 07:14
> Sure self hosted matrix is a lot safer than sending your messages through meta servers for example.
A lot safer in which case? I can imagine a few very real ones where it’s not.
Self-hosted Signal (requires patching the client, but it’s straightforward) server I would understand.
> but for critical government applications and especially the military it might be. That is what we are talking about here.
Signal devs have a few papers describing how and by what logic they are addressing these problems.
Again, self-hosting (because accounts can be blocked by Signal) their solution is a better idea.
LaFinlandia@sopuli.xyz
on 20 Sep 2024 14:51
I presume this will have zero effect, especially since it includes this huge exemption.
> Those who use Telegram “part of their job duties” will not be affected by the move.
andrew_bidlaw@sh.itjust.works
on 20 Sep 2024 15:04
SMMs for officials, volunteers and military would keep posting, right. It’s inside communications that are a concern. And as some Ukrainians wrote, in some places it was an obvious rule from the very start.
I assume that is to cover the intelligence officers monitoring the Russian milbloggers.
triptrapper@lemmy.world
on 20 Sep 2024 14:54
I know nothing about cyber security, but it’s funny to me that depending on the time of day these comment sections either mostly criticize Telegram or mostly support it. I have no idea what to believe or whether it’s safe for me to use Telegram.
Honestly curious, what was missing on Signal and what was complicated?
I can’t even remember the sign up process and never felt I was missing out on features, at least not on features available elsewhere
Oh, I never knew Signal had such humble beginnings. I think you would be very surprised if you ever give it another shot. It’s pretty much “install an app and talk” (with the pretty stuff!).
Never heard of SimpleX, might give it a look someday. Thank you!
helenslunch@feddit.nl
on 20 Sep 2024 16:14
I think people want to support encrypted communication apps in general, not Telegram specifically. It’s just that there are many far more secure apps.
0laura@lemmy.dbzer0.com
on 21 Sep 2024 04:39
telegram chats are also not end to end encrypted to my knowledge, only the secret chats which have some limitations afaik. and group chats also aren’t encrypted. unless that changed recently. I’d even trust Whatsapp more than telegram, at least they say they’re end to end encrypted.
I know right..
How is Signal compromised?