this post was submitted on 28 Aug 2024

GrapheneOS [Unofficial]

Telegram has full access to all of the content of group chats and regular one-to-one chats due to lack of end-to-end encryption. Their opt-in secret chats use homegrown end-to-end encryption with weaknesses. Deleting the content from the app likely won't remove all copies of it.

Telegram has heavily participated in misinformation campaigns targeting actual private messaging apps with always enabled, properly implemented end-to-end encryption such as Signal. You should stop getting any advice from anyone who told you to use Telegram as a private messenger.

Telegram is capable of handing over all messages in every group and regular one-to-one chat to authorities in France or any other country. A real private messaging app like Signal isn't capable of turning over your messages and media. Telegram/Discord aren't private platforms.

A major example of how Telegram's opt-in secret chat encryption has gone seriously wrong before: https://words.filippo.io/dispatches/telegram-ecdh/.

The practical near term threat is for the vast majority of chats without end-to-end encryption: 100% of Telegram group chats and the regular 1-to-1 chats.

Companies should treat user data as toxic waste rather than as something they want to gather and hoard for business models like targeted advertising. It's not a good thing to have a bunch of sensitive data which could be obtained by adversaries or requested by a government.

Not using E2EE creates a lot more legal risk than using E2EE at least while E2EE is still legal in most of the world. Not using E2EE gives the technical capability to moderate, provide data, etc. and therefore governments expect that to be done. That's why they hate E2EE.

Apps like Signal and SimpleX can't access messages, media and profiles. Telegram has access to all content in private group chats and regular private messages unless people used a secret chat. They can automatically scan it, moderate and provide data to authorities based on it.

Telegram chose to have the technical capability to see all private group chats and regular direct messages. In doing so, they put private user data at risk of seizure by governments. The scramble to try to delete data shows a lack of basic threat modelling:

https://x.com/sambendett/status/1827712700299821277

Even Facebook's WhatsApp uses end-to-end encrypted direct messages and group chats and WhatsApp is clearly not a private messaging app. It's not a niche feature. Telegram shouldn't have been heavily marketed as private/encrypted when most user data can be handed to governments.

[–] [email protected] 0 points 2 months ago* (last edited 2 months ago) (1 children)

Sorry to stray from the topic, but not sorry enough not to ask:

Anyone around here have evidence that WhatsApp actually does E2E?

I'm unwilling to accept Meta's public claims, which could easily result in a tiny slap-on-wrist fine someday if Meta is lying. I consider Meta's history of honesty about their security to be dubious.

With a closed source app, I figure we can see it's encrypted as it leaves the device...

But I, personally, wouldn't bet $25.00 that Meta doesn't decrypt, sniff, data mine and then re-encrypt at the server side.

I'll admit, I am known to be a bit on the paranoid side.

Are we just repeating Meta's claim? Or is there a reason I should be giving Meta more credit?

This is a sincere question - Meta produces some fantastic open source products, so I do try to only dunk on them the correct amount...

[–] [email protected] 1 points 2 months ago (1 children)

General thought is that if Meta was lying about E2EE, due to their massive size, it would likely be leaked to the general public that they were lying. The app also has such a large userbase of skilled security researchers who can and do reverse engineer it, so they'd also find out if Meta lied.

[–] [email protected] 1 points 2 months ago

They had a flat text file with millions of users' names/passwords in the office for almost a decade. I'm not so sure whether internal implementation details leak quicker than that or not.