Hacker News new | past | comments | ask | show | jobs | submit login

I give them, or anyone, credit for trying to create a secure messenger. It is not easy. However, I just wish they would release the source code to their clients and server. They have not. That would go a long way.



Both OTR (ChatSecure on your phone) and TextSecure are good options. Telegram is not a good option.


Unfortunately, those are not real alternatives to Telegram. Telegram is meant to be a WhatsApp replacement.

WhatsApp thrives because in many places, SMS costs are prohibitive (so TextSecure is not an option). In addition, it requires no registration and doesn't rely on external services (so ChatSecure is also out of the question).


Textsecure for Android uses wifi/reg data and SMS if you want. Signal, the version for iOS with combined Redphone + TextSecure will be data too. Soon they will also allow email identity instead of only phone numbers. WhatsApp requires just as much registration as TS, and you have to allow WhatsApp full permissions to mine your entire device from reading SMS to /sdcard.


Then use WhatsApp!


Telegram allows you to use the same account on multiple devices, which is the main reason why I use it. It's also independent of Facebook, which many people don't trust.


Doesn't TextSecure use some non-conventional cryptographic constructs, too?

It's just that I heard some concerns about key exchange (that triple Diffie-Hellman exchange) not having a formal security proof, although I'm completely incompetent to evaluate whenever those were valid concerns or just some chatter.


Are you comparing the Axolotl key ratchet Trevor Perrin designed to the 1980s throwback block cipher mode Telegram uses?


Yes and no.

I have no idea whenever and how broken IGE is. I heard, nobody even cared to evaluate that. Boils down to "no formal proofs (but likely to be broken)".

At the same time, I heard the concern there are no security proofs on the key exchange and it may have issues. Since as a commoner I can't evaluate it any further than this, so boils down to "no formal proofs (although hoped to be fine)", too.

Those are surely different cases. I'm just concerned over what I use (TextSecure), though.


If it makes you feel any better, after the paper published last week, it looks like TextSecure is the closest of all the messaging applications to any kind of formal proof.


Not really. Sure, they may be more secure, but their user experience is really bad compared to Telegram.


because...?


http://www.cryptofails.com/post/70546720222/telegrams-crypta...

Because the designers have their heads firmly planted where the sun doesn't shine, for one.


as linked elsewhere in the thread, moxie offers an excellent explanation: http://www.thoughtcrime.org/blog/telegram-crypto-challenge/


[deleted]


Moxie is right. I barely know him and have no stake in TextSecure.


The majority of Telegram's source code seems to be released as free software: https://telegram.org/apps (scroll down)


No. Download the iOS app for instance. It is very very old to what is available in the app store. So thee is no way to really verify the client either today.


Just not the bit that matters (the servers).


Well, it is a client-side encryption app. If the encryption, public key authentication, etc. is being done well on the client, then the server's only purpose should be routing garbled ciphertext between users and managing things like login, etc.


I spectated this whole Telegram circus, and never for a moment thought they aren't disclosing the source code. This is hilarious!




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: