It had a vulnerability, but not a severe one, and certainly not one that could be exploited silently or lead to retroactive message decryption.
The vulnerability was: If you pwn the server, you can join a group without being invited, which means subsequent messages would be plaintext to you. However, everyone gets notified of a new arrival.
> Telegram has had no such vulnerabilities as far as I'm aware.
That's because Telegram doesn't encrypt groups or channels at all.
> This reinforced my impression that HN's mantra that "Telegram's encryption is bad" is more a personality cult to moxie than an informed opinion.
I don't particularly like Moxie, personally, but his work stands on its own merits.
EDIT: Because the wording was ambiguous, I want to clarify: I don't particularly dislike Moxie, either. I'm neutral to his personality, largely due to a lack of personal interaction with the man.
The problem I have with WhatsApp is not a question of vulnerabilities, it's a problem of trust in ownership of the app's code. There's no way I would ever trust Facebook with anything sensitive enough to require the Signal protocol because the endpoints might be compromised at some point straight from the app itself.
If, to you, owning the server => accessing the group is not severe, then you should be happy with Telegram's default encryption: it's run-of-the-mill SSL by default, just not E2E. If you own their servers you can read people's conversations too.
I hear you. What I meant is that although I know the guy has an excellent reputation, I know that because I heard other people say so. I don't really have the technical knowledge to evaluate it myself, and I suspect 99% of the people on HN are in the same position. Therefore, if I were to say "Signal's security is excellent" I would be falling for the cult of Moxie myself, not giving an informed opinion.