Why is that? This latest revelation should give less faith in Telegram, not more.
Push notifications also work fine there, except on iOS they don't contain any message data, just "You have a new message", probably because the server doesn't know what's inside the encrypted message. Although I haven't tried their Android client.
I've been using TextSecure for a while (as everyone on HN ruthlessly suggests) but guess how many encrypted texts I've sent? 0. That's because they have no iOS app and very few Android users.
There are two problems when it comes to creating a good, secure messaging app: strong, proven security and popularity! Hopefully Telegram either solves both or forces TextSecure to solve the latter.
They aren't making a reasonable effort to put out a secure chat app. If they were, then they would use some of that $200k to hire a company like Matasano to fly out and audit their architecture for flaws. Matasano probably would've caught this bug, because it was a pretty basic mistake.
After all, Matasano's tptacek obviously did spend some of his time inspecting and criticizing Telegram this week. However, he overlooked the 100K vulnerability that was later discovered by a Russian guy who considers himself a newbie in cryptography.
The other reason that makes me somewhat reluctant to spend money on hiring Matasano is the recent RSA-gate (and the strange role of tptacek in it).
What I applaud is their effort here and I hope it continues and moves in the right direction. This announcement makes it seem like they are in fact moving in the right direction.
I don't know whether user sillysaurus2 is connected to Matasano or not but... oh boy... this does come across as a shameless ad for that company.
Considering that they just raised 28mil and that CM is pretty much de facto for older Androids, there is a very good chance that this might work.
This is great news. Contrast this with other security contests where finding out-of-scope security flaws wasn't rewarded.
People in this thread: Good for Telegram, seems arbitrary, disingenuous, just for publicity.
Short of them being in a conspiracy with the researchers, I can't imagine how this is not good news for everyone. Cool it with the hate, people.
There's no hate for Telegram here. There's concern for people's safety. https://news.ycombinator.com/item?id=6949842
This article is good news, precisely because they show how willing they are to improve their service.
EDIT: Of course it's good PR. So what? That's how Google, Apple and most other big companies operate. They don't have to be altruistic to work and create value for people.
Don't people who run bug bounties publish their reward structure beforehand?
But you're right - they should have a clear reward structure.
To be clear, this bug was enough to compromise the security of every Telegram secret chat session. I can't think of a more serious issue.
On a side note, I am still not sure if I will ever use this app. This is primarily because I act on the internet in the same fashion as I do in real life. I won't do anything online that I can't do in real life. Hence I don't and perhaps would never need an app like this.
As for sending someone a 'secret' message, I always whisper that in the ears. It's an old-fashioned trick but has proven to be the most secure.
For me it is the same with my chat messages. If someone reads one or two, I don't mind: they aren't very sensitive. But I don't like it if someone can find everything I've ever written.
People over the internet are a little too over-sensitive. I am not implying 'Privacy' has no value, but we have taken this issue a bit too far over the 'internet'.
A prime example of so-called 'anonymity' over the internet is 4chan; you pretty much know what sort of site that is.
I am not implying it's an illegal website, but frankly, anonymity mostly leads to creepy, drugs (Silk Road), and everything else considered wrong and bad, rather than something good, which is pretty rare. Snowden is an exception, but again, he committed a crime for a good cause. Most people however commit a crime for every possible wrong reason.
Contact people that are actually in the crypto community and go the normal route. Once their betters tell them to love you there is actually nothing that you could do to make them stop.
They have a long way to go before anyone here trusts them but perhaps we could be more positive and constructive?
You find DanBC's comment interesting. It explains why there's been a general tone of negativity towards Telegram's security product. https://news.ycombinator.com/item?id=6949842
(Of course they won't formulate it that way in the post)
I always get a bit annoyed when apps use the phone number as the primary identifier.
As somebody that just moved to another country, I now end up with a situation where I can either decide to lose my German WhatsApp friends or not be discovered by my American WhatsApp friends.
I would love to see the ability to get some sort of ID number and then being able to register more than 1 phone number with it.
We believe in fast and secure messaging that is also 100% free. Therefore Telegram is not a commercial project. It is not intended to sell ads, bring revenue or accept outside investment.
If Telegram runs out of money, we'll invite our users to donate or add non-essential paid options.
Yeah, but where does their money come from?
[1] http://telegram.org/faq#q-who-are-the-people-behind-telegram [2] http://en.wikipedia.org/wiki/Pavel_Durov
Insanely complex software bugs go for less.
even if people are being unfair with these criticisms, what telegram should focus on is to make their designs more secure, and ignore all this publicity. if they truly believe in the "importance of keeping the [system] open", then they should understand that all this publicity (good or bad) is insignificant - especially as they say they have rich guys backing them, so they're not relying on public opinion influencing investors.
it's very easy to make statements like "Together we can make Telegram unbreakable"; harder to turn this into a reality. the current round of attention is a red herring, both for Telegram and for us commenters. let's give them a year and see what it's like after that.
Q: How secure is Telegram?
Very secure. We are based on the MTProto protocol (see description and advanced FAQ), built by our own specialists, employing time-tested algorithms, to make security compatible with high speed delivery and reliability. At this moment, the biggest security threat to your Telegram messages is your mother reading over your shoulder. We took care of the rest.
While Telegram may be on the way to a secure future it is not there yet and the FAQ needs to be less certain before I can applaud them.
Edit: Actually I think the FAQ has been toned down a bit but I think some acknowledgement of how new the protocol is and the risks associated with that should be mentioned.