MTProto is not end-to-end. MTProto is their obfuscated client-server transport encryption.
What the commenter above is referring to is Telegram defaulting to saving your messages on the server in plaintext. You can use a “secret chat” which enables end-to-end encryption, but that is separate from MTProto.
Your sentiment is correct though. Messages should not be visible in plaintext to the server.
yeah, that means not encrypted. When speaking to a web server, you are one end, and the server is the other. Tls ensures that there isn’t a man-in-the-middle.
In case of telegram, you are one end another user is the other end. Telegram themselves are, by design, a man-in-the-middle in this case. I’m not concerned about a different middleman intercepting communications between me and telegram. I’m concerned about any middleman (which includes telegram themselves) intercepting communications between me and my friend.
So no, telegram chats are not encrypted by default. Telegram can read them.
Thank you! It winds me up so much when people parrot that claim.
Telegram is encrypted in transit and encrypted at rest on their servers. At no point is any data stored or transmitted without encryption. Whether you believe their claims of never giving out encryption keys is another matter.
My view is that if the feds wanted my chat logs that badly they wouldn’t go after Telegram, they’d go after me and my device directly, and at that point all bets are off.
if a messenger is truly 0 trust end to end encryption, it doesn’t matter who owns the servers or the legal protections of data because they won’t have any data anyway. that’s why signal is so good, when they get subpoenaed the only information that they actually have is the last connection and message sent unix times or something. still secure regardless of being in the US and being run on centralized Amazon, google, and cloudflare servers.
Are there still apps that arnt encrypted?
Telegram, for all their security claims, is basically not actually encrypted at all.
This is incorrect. Telegram is not end to end encrypted by default. But it is encrypted to and from their servers.
TLS isn’t sufficient for messaging apps in 2024
Except Telegram doesn’t use TLS :) They use MTProto.
This is not me endorsing Telegram. I’m just pointing out your mistake. Telegram has other issues but it definitely does have transport encryption.
The above commenter said that their end-to-end MTProto protocol is not enabled by default.
Defaulting to just using transport encryption like TLS on a messaging app isn’t sufficient in 2024.
MTProto is not end-to-end. MTProto is their obfuscated client-server transport encryption.
What the commenter above is referring to is Telegram defaulting to saving your messages on the server in plaintext. You can use a “secret chat” which enables end-to-end encryption, but that is separate from MTProto.
Your sentiment is correct though. Messages should not be visible in plaintext to the server.
I dont know much about it, but Wikipedia says that MTProto is specifically for “secret chats”:
https://en.m.wikipedia.org/wiki/Telegram_(software)#Architecture
Maybe Wikipedia is misleading here
You’re right, it is misleading. There are different “flavours” of MTProto. See here:
https://core.telegram.org/mtproto
(The major difference is simply whether the server and client share a key or two clients)
yeah, that means not encrypted. When speaking to a web server, you are one end, and the server is the other. Tls ensures that there isn’t a man-in-the-middle.
In case of telegram, you are one end another user is the other end. Telegram themselves are, by design, a man-in-the-middle in this case. I’m not concerned about a different middleman intercepting communications between me and telegram. I’m concerned about any middleman (which includes telegram themselves) intercepting communications between me and my friend.
So no, telegram chats are not encrypted by default. Telegram can read them.
Luckily I misuse Telegram only as a system notification program.
Thank you! It winds me up so much when people parrot that claim.
Telegram is encrypted in transit and encrypted at rest on their servers. At no point is any data stored or transmitted without encryption. Whether you believe their claims of never giving out encryption keys is another matter.
My view is that if the feds wanted my chat logs that badly they wouldn’t go after Telegram, they’d go after me and my device directly, and at that point all bets are off.
There are many where the server owners can see the messages, just not anyone else between the sender and receiver.
Threema and Signal are good options that don’t do this.
maybe not threema
Signal being an American company is also problematic.
These two are the best balance of security/convenience, however.
You can create and run your own Signal server if you don’t trust Signal.
Interesting. Are the server and client open source? Is a self-hosted server interoperable with the main ones?
Signal is completely open source and auditable by anyone: https://github.com/signalapp
if you were to create your own clone, it would not interoperate with the real one.
server location and legal jurisdiction shouldn’t matter for any truly secure messenger
What do you mean?
if a messenger is truly 0 trust end to end encryption, it doesn’t matter who owns the servers or the legal protections of data because they won’t have any data anyway. that’s why signal is so good, when they get subpoenaed the only information that they actually have is the last connection and message sent unix times or something. still secure regardless of being in the US and being run on centralized Amazon, google, and cloudflare servers.
Then the jurisdiction of software development matters. Don’t want a back door being forced into an update by the FBI.
The FBI can’t just force them to add malicious code. A bad actor could try to contribute bad code, but Signal’s devs would likely catch it.