• notenoughbutter
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    6
    ·
    1 year ago

    telegram is encrypted, but not end to end encrypted by default

    • vrighter@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      edit-2
      1 year ago

      so, relative to pretty much all other messaging services, it might as well not be.

      You’re saying “by default not everyone can read your messages, only you, the recipient, telegram themselves and anyone who they might decide to share them with, with neither your consent, nor knowledge”

      When compared to “nobody except you and the recipient” that becomes effectively equivalent to “nothing”.

      also, not end-to-end ever when it comes to group chats

      • Liquid_Fire@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        Almost all services in that list are closed source, so even if they use end-to-end encryption nothing stops the client from sending all your messages to anyone they like after decrypting (in fact some of them already have it as a built-in feature in the form of backups).

        • vrighter@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          that would be very quickly caught by a network sniffer, because it would have to be sent from your own device. Otherwise they’d just be sharing the undecryptable ciphertext you sent to their servers

          • Liquid_Fire@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Just encrypt it before sending it to their servers. How would you tell that apart from any other traffic it sends? (E.g. to check for new messages, to update who of your contacts is online, etc)

            • vrighter@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              what does that have to do with anything? if you have to encrypt your messages manually yourself, that kind of proves the point that the service itself is not secure. And it’ll still show up on a network sniffer that they’re sending it to two places

              • Liquid_Fire@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                1 year ago

                Ok, let me break it down because clearly I didn’t explain it well.

                What is supposed to happen, scenario 1: the client encrypts your messages with the public key of the recipient, sends it to the servers of WhatsApp (or whatever service) along with some encrypted metadata indicating the recipient, which then forward the message to the recipient.

                What could happen, scenario 2: the client does the same, but also encrypts another copy of your message with a public key that belongs to WhatsApp, and send both versions to the WhatsApp servers. They decrypt and keep the second version while forwarding the first one to the recipient.

                Or, scenario 3: they just never bother with end-to-end encryption, and always encrypt it with the WhatsApp key, still sending it to their servers which then reencrypt with the recipient’s key before forwarding.

                In all cases, messages are sent only to the WhatsApp servers, not two places. The only visible difference is in scenario 2 where the communication is larger. You can’t inspect the metadata of the message with your network sniffer, because it is also encrypted, so there’s no way to rule out scenario 3.

                If the protocol is designed to be transparent by not encrypting the entire payload sent to the servers, and you have access to the recipient’s private key (those are big ifs) then you could show that there is indeed an end-to-end encrypted message in there. But this is true for how many of these proprietary services? Maybe for WhatsApp.