I am liking how this time around a lot of people are outright calling the media out on their parroting Telegram's PR bullshit about how "encrypted, secure, private" the service is.

(it is not.)

As in, not just writing about how Telegram is neither of these things, but very clearly pointing a finger at the media and going: "stop spreading this misinformation, you are putting people in danger."

Keep this pressure on!

#Telegram #Media

Yesterday I shared my own write-up on Telegram's failings, today I came across Matthew Green's stellar blogpost:
blog.cryptographyengineering.c

And this blogpost *starts* with calling the media out on this.

Fantastic.

At this point it's clear Telegram has no interest in fixing their stuff. We should not be talking to them, we should be talking about them to the media so that they stop promoting it.

Because as I said yesterday: that constitutes journalistic malpractice.

#Telegram #Media #InfoSec

Great post, hits the nail right on the head. Thanks for sharing this @rysiek.

This kind of journalistic malpractice is usually caused by ignorance, in which case they need to be called in and patiently educated. But in some cases I think there is an intent to mislead, by people who ought to know better. They need to be contacted in private and given a chance to retract and apologise, and if they don't, they need to be publicly called out on their wilful malpractice.

#journalism #TechJournalism

"Indeed, it no longer feels amusing to see the Telegram organization urge people away from default-encrypted messengers, while refusing to implement essential features that would widely encrypt their own users’ messages. In fact, it’s starting to feel a bit malicious."

#MatthewGreen, 2024

blog.cryptographyengineering.c

#TeleGram

#Telegram always smelt like a honeypot to me;

* centralised, tick (like Signal)

* encryption doesn't work for groups, only 1:1, tick (like Signal)

* opt-in E2EE for 1:1 chats while heavily promoted as "encrypted messenger", tick (unlike Signal)

* Roll-Your-Own cryptography, tick (maybe like Signal, but crucially...)

* no source code published for server, so no independent auditing of cryptographic primitives or implementations, tick (unlike Signal)

I can't fathom why anyone uses it.

One more honeypot quality of Telegrab;

* Setting up an account requires a working phone number, tick (unlike Signal as of Feb 2024)

In countries (eg China) that don't allow unregistered mobile connections ("burner" phone numbers), this associates a 'secure messaging' account with an identifiable person.

Signal had the same problem for most of its history, and until Feb 2024, it shared the phone number with anyone the account chatted with;

androidcentral.com/apps-softwa

#HoneyPot #Telegram #Signal

@strypey

To add to this, the 2027 Steele Dossier included intelligence that Telegram's encryption was compromised, but that little tidbit was overshadowed by the Trump 'pee-pee tapes' accusations.

@drewfer
> the 2027 Steele Dossier included intelligence that Telegram's encryption was compromised

I believe Matthew covered that in the blog post I linked. Must check that...

@strypey just realized that I fat-fingered 2027 instead of 2017. Apologies.
