[liberationtech] About Telegram
Jorge SoydelBierzo
berciano at soydelbierzo.com
Wed Mar 19 06:14:55 PDT 2014
Yeah, but there's a bunch of info to take into account:

1.- Telegram claims they don't have any relation with Russia in their FAQ.
This is not true.
Take a look at the server IPs they use, from line 309:
https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/ConnectionsManager.java
They have servers in two U.S. datacenters, another in the UK, one in Singapore
(American company owned) and two in Russia; the IPs are from VK.com, a company
sold to Putin's friend.
https://stat.ripe.net/95.142.192.66#tabId=at-a-glance
https://stat.ripe.net/95.142.192.65#tabId=at-a-glance

2.- The Telegram domain is registered using an anonymizer service, with no NGO or
company info on the Telegram website. But they publish the official app in Google
Play as Telegram LLC, a company registered in Delaware in May 2013.
The website is in a U.S. datacenter.

3.- As Brian said, the server-side software isn't open source. We didn't really
know how it works, which info it is storing and how this info is replicated to
other servers.
If I connect from Spain, the app connects to UK servers by proximity (the app
uses a sort of heuristic algorithm to detect the best server from your
location based on lag and hops). If I'm talking with a Russian user
connected to VK servers, the UK server must send messages to the Russian server.
This is when you use normal chat, not encrypted chat, which is supposed to be
one-to-one with no server intervention. Encryption isn't used by default,
just when the user asks for it.

4.- The app doesn't check server certificates, so a Man-in-the-Middle attack is
possible to intercept files and unencrypted chats.

I'm not a WhatsApp user and just used Telegram to check this.
If the NSA was able to access WhatsApp messages, with Telegram the NSA also has
access, plus GCHQ in the UK and the Russian FSB.
Chatsecure, Textsecure, Pidgin+OTR... we have enough apps with proven
encryption to rely on an obscure organization like Telegram.

2014-03-19 13:45 GMT+01:00 Brian Conley <brianc at smallworldnews.tv>:
> It violates the primary principle many experts here depend on: the most
> important parts are not open source.
>
> I'll echo Natanel's comments, no obvious reason not to recommend Chatsecure
> or TextSecure. What does Telegram have that these don't?
>
> Brian
> On Mar 19, 2014 12:36 PM, "sam de silva" <sam at media.com.au> wrote:
>
>> Hi there,
>>
>> So it's almost a month since this thread died.
>>
>> To me, it looks pretty good and while I am not a mathematician, Telegram
>> looks like a good solution to help improve digital security.
>>
>> But this list has the experts. What's the recommendation? Was there any
>> consensus about Telegram?
>>
>> Thanks and best, Sam.
>>
>>
>>
>> On 22/02/2014, at 1:05 AM, Tony Arcieri <bascule at gmail.com> wrote:
>>
>> On Friday, February 21, 2014, Maxim Kammerer <mk at dee.su> wrote:
>>
>>> All I see is snobbishness of people who have typical Western fear of
>>> steering from "authorized" engineering approaches. The people are
>>> quick to judge some unknown foreign developers incompetent
>>
>>
>> As far as I can tell, you are the only person speaking on this thread who
>> wants to spin it into a discussion of Westerners, xenophobia, etc.
>>
>> I'm talking about math.
>>
>> Telegram is not IND-CCA2 secure. Period. They have some extra sprinkles
>> they claim prevent adaptive chosen ciphertext attacks. They have no formal
>> proof of these claims.
>>
>> Authenticated encryption schemes are IND-CCA2 secure by design.
>>
>> Telegram's scheme is inferior. It's mathematically inferior. Period. It
>> has nothing to do with nationalism. It has everything to do with math.
>>
>> Telegram is an inferior design as compared to the standard designs being
>> used in common practice.
>>
>>
>> --
>> Tony Arcieri
>>
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator at
>> companys at stanford.edu.
>
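
Added example, not part of the original thread and not a model of Telegram's protocol: the quoted claim that authenticated encryption resists chosen-ciphertext attacks comes down to the receiver rejecting any modified ciphertext before decrypting it. The sketch below contrasts confidentiality-only encryption with encrypt-then-MAC; the SHA-256 counter-mode keystream, the function names and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a stream cipher: SHA-256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_plain(key: bytes, msg: bytes) -> bytes:
    """Confidentiality only: nonce || ciphertext, no integrity tag."""
    nonce = os.urandom(16)
    return nonce + _xor(msg, _keystream(key, nonce, len(msg)))

def decrypt_plain(key: bytes, blob: bytes) -> bytes:
    """Decrypts whatever it is given; a modified ciphertext is accepted."""
    nonce, ct = blob[:16], blob[16:]
    return _xor(ct, _keystream(key, nonce, len(ct)))

def encrypt_etm(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers the nonce and the ciphertext."""
    blob = encrypt_plain(enc_key, msg)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def decrypt_etm(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a ciphertext that fails is never decrypted."""
    if len(blob) < 48:
        raise ValueError("authentication failed")
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return decrypt_plain(enc_key, body)

def tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Models in-transit modification: XOR ciphertext bytes at `offset`
    so that known plaintext `old` would decrypt as `new`."""
    delta = _xor(old, new)
    i = 16 + offset  # skip the 16-byte nonce
    return blob[:i] + _xor(blob[i:i + len(delta)], delta) + blob[i + len(delta):]
```

Without the tag, a modified message decrypts cleanly to attacker-influenced plaintext; with it, the same modification raises `ValueError` and the receiver gives no decryption result to learn from. Real systems should use a vetted AEAD construction such as AES-GCM or ChaCha20-Poly1305 rather than a hand-built one.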