Is Telegram really an encrypted messaging app?

sugar_in_your_tea , 9 hours ago

No.

As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.

woelkchen , 9 hours ago

As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.

No, it’s not. It’s very easy. In the bottom right corner there is a pencil button to compose a new message and right there it asks which tpye of chat to start. Secret chat is the second topmost option after group chat. Really not hidden or complicated at all.

sugar_in_your_tea , 9 hours ago

It should be a setting to always use encrypted chat, and it should probably prompt you when you first login.

Better yet, don’t have an option to not have encrypted chats. I don’t see a reason to not have everything E2EE all the time.

woelkchen , 9 hours ago

It should be a setting to always use encrypted chat, and it should probably prompt you when you first login.

I don’t disagree but the claim that you quoted was that it’s complicated to initiate and as I explained it’s not. Also secret chats stay in the messages list, so you can go back to an initiated secret chat and pick up there without any additional fiddling.

sugar_in_your_tea , 9 hours ago

If you have to enable it every time, it’s complicated enough that most people won’t bother. Maybe they’ll do it once or twice out of novelty, but it’s not going to become a habit.

I only consider something “encrypted” if it’s actually encrypted by default, or at least prompts to enable it permanently on first launch. Otherwise, it’s not an “encrypted” chat, it just has the option to have some chats encrypted.

woelkchen , 9 hours ago

If you have to enable it every time, it’s complicated

But you don’t. As I already explained: secret chats stay in the messages list, so you can go back to an initiated secret chat and pick up there without any additional fiddling.

I have plenty of encrypted chats that I don’t have to enable every time I want to send one. I don’t understand where this misconception comes from.

sugar_in_your_tea , 9 hours ago

Surely you talk to more than one or two people, no? If you have to manually check a box or something every time you start a new message with someone, people are going to stop doing it.

It’s not an encrypted chat app. It’s an unencrypted chat app that has an option for encrypted chats. Whether something is encrypted or not depends on how most people use it and what the defaults are.

Signal is an encrypted chat app. E2EE is the default and AFAIK only behavior. Telegram can be encrypted, but it’s not by default, and defaults matter.

woelkchen , 8 hours ago

Surely you talk to more than one or two people, no? If you have to manually check a box or something every time you start a new message with someone, people are going to stop doing it.

Maybe you get acquainted to 100 new people every day, so your day is a constant chore of starting secret chats all the time. I don’t. I doubt regular people do. Just start the secret chat once and then pick it up later.

Signal is an encrypted chat app.

Except for the locally stored data which is not encrypted and Signal’s attitude is that device encryption is up to the user.

sugar_in_your_tea , 7 hours ago

True, device encryption should be up to the user. Mine is encrypted, and most smartphones have encrypted storage these days. I actually have mine reboot after a period of inactivity, which removes the encryption keys from memory.

That said, they should have an option for app data encryption, but that’s hardly a requirement IMO, because I care far more about data being encrypted in transit than at rest on my devices. I can encrypt data at rest on my machines, I can’t encrypt data in-transit unless that’s baked in to the service.

asdfasdfasdf , 8 hours ago

annoying != complicated

30p87 , 8 hours ago

But then you couldn’t get that juicy user and conversation data.

GBU_28 , 2 hours ago

As I understand it, public groups use server side encryption (so not robust), but private chats use e2e encryption that is client side. (More robust)

quaff , 9 hours ago

It’s three clicks. And it opens a separate chat from the existing one. It’s obscure enough that you could say the UX deprioritizes (which at best is not an actively malicious design choice) usage of end-to-end encryption.

woelkchen , 9 hours ago

It’s three clicks.

So it’s only three clicks, ergo easy.

And it opens a separate chat from the existing one.

I don’t see the problem. The secret one has the lock icon to clearly mark it. There’s no way one would accidentally pick the wrong chat. Delete the old, unencrypted one to be sure.

It’s obscure enough that you could say the UX deprioritizes (which at best is not an actively malicious design choice) usage of end-to-end encryption.

I agreed in another comment that there should be an “encrypted by default” option somewhere. I’m not claiming that it’s perfect but the claim in the blog that it’s super complicated is just not true. At least calls are P2P-encrypted by default.

quaff , 9 hours ago

If you’re talking to 30 people, it’s 90 clicks. It might be 3 clicks if you know where to look, but end of the day, even if you know where to find it, that’s still that many clicks times how many people you chat with. It’s not ideal. I wouldn’t say it’s complicated sure, but it’s not easy.

woelkchen , 8 hours ago

If you’re talking to 30 people, it’s 90 clicks.

Uh, so? A “compose message” button is the approach many communication apps use, including e-mail. Don’t get me started how many clicks it is to GPG-encrypt e-mails…

It’s not ideal.

I don’t know how many times I have to repeat myself that I agree on that part. You act as I would disagree. I don’t. It could be better but it’s also not a complicated nightmare as the blog author makes it out to be.

quaff , 8 hours ago

Right. But it’s also not exactly “easy” which is what you’re saying it is.

If easy was a sliding scale. Easy would be enabled by default. Hard would be making it obscure and hard to find. I would say it’s definitely closer to the harder to find side. But that’s just me. But 3 clicks, and having to switch chats and maybe delete the old one to avoid confusion, none of that is easy.

woelkchen , 8 hours ago

Right. But it’s also not exactly “easy” which is what you’re saying it is.

I said it’s as easy as tapping the compose button and selecting secret chat. I nowhere claimed that it’s easier than that but it’s also not more complicated than that.

quaff , 8 hours ago

It’s 100% not just two clicks. You make it sound easier than it really is. But there’s no way for a new or infrequent user to know where it is unless they explore a bit or even knew to look for it. It’s hidden away behind a hamburger menu.

woelkchen , 8 hours ago

You make it sound easier than it really is.

No, I gave a detailed tutorial how to initiate a secret chat and then explained that the procedure has to be done only once per contact. It’s exactly as easy or complicated as I explained. Not more, not less.

It’s hidden away behind a hamburger menu.

No, it’s not. Tap the pencil in the bottom right corner. That’s how I explained it and that’s how it’s done. Hamburger menu is an additional way but the compose button is the pencil in the bottom right corner.

quaff , 8 hours ago

Maybe it’s different on Android or Desktop/Web. On iOS it’s more than 2 clicks. And it’s tucked away. It would be surprising to me if the UI is that inconsistent across different platforms. But I can’t know for sure. So I will defer to the subject matter experts on Telegram.

bamboo , 5 hours ago

On iOS, you tap the profile, then tap “more”, then tap “start secret chat”. So depending on whether navigating to the profile counts, it’s also three taps. I agree it could be more direct, and should be included in the “New message” menu accessible from the pencil-on-paper icon in the top right of the main screen. I’ve used telegram on many platforms and the UI is in fact quite different. The iOS and android apps are totally different with different features, as are the Mac app, cross platform desktop app, and various web apps.

quaff , 9 hours ago

Ah good point, gotta delete the old unencrypted chat too to avoid confusion. That’s definitely more than just 3 clicks.

PhreakyByNature , 7 hours ago

Yeah I mean if you started one. If you went in with a secret chat in the first place then it wouldn’t be an issue. And so it’s one extra click vs. starting a normal chat. I hope it hasn’t inconvenienced you more than it’s taken for all these replies.

quaff , 9 hours ago (edited 3 hours ago)

If Telegram is considered an encrypted messenger, then FB messenger should be too. Works exactly the same. I don’t know about you, but being the same level as FB messenger should speak volumes to whether Telegram is “encrypted” or not 🙄

woelkchen , 9 hours ago

FB messenger should be too. Works exactly the same. 🙄

Facebook licensed Signal’s encryption: signal.org/blog/facebook-messenger/

quaff , 9 hours ago (edited 8 hours ago)

Yeah, the fact that FB messenger uses Signal protocol, means the encryption is better recognized than the one used in Telegram. But the lack of on-by-default or the need to drill in a few options before enabling secret chats… I mean it’s even named the same thing as Telegram.

woelkchen , 8 hours ago

the fact that FB messenger uses Signal protocol, means the encryption is better than the one used in Telegram.

MTProto 2 has not been cracked. MTProto 1 had a weakness and Telegram addressed it. That was many years ago. I’m not aware that MTProto 2 has ever been cracked in all these years. Telegram’s unwillingness to cooperate with governments is an additional security layer.

quaff , 8 hours ago (edited 8 hours ago)

In my OP, I was merely referring to how FB Messenger and Telegram functions the same.

Speaking to the protocol used for encryption is a moot point… because even if MTProto 2 was better, it’s still not enabled by default in both messengers.

TrickDacy , 3 hours ago

Then is not than

quaff , 3 hours ago

Good catch 🫡

noxy , 5 hours ago

When you can’t use secret chat at ALL on desktop, fuck no it isn’t.

Assuming end-to-end encryption is what’s meant in the question.

PriorityMotif , 2 hours ago

Somehow it has public groups and requires your phone number. Not really sure how to find the groups though.