I don’t want to see PGP rejection based on usability. So, to level the field at user level we take Delta Chat, which uses PGP. If I understand that correctly.

I have no knowledge of telegram security at all.

  • Snot Flickerman
    link
    fedilink
    English
    arrow-up
    29
    ·
    edit-2
    2 months ago

    Beyond the fact that security on Telegram is a joke (E2EE not enabled by default, only available in 1-to-1 chats, groups chats are all unencrypted, homespun encryption algo), they have never had a full, independent audit of their encryption standard.

    It looks like there are a handful of papers that looked at parts of the earlier standard Telegram used (MTProto 1), but nothing on the current version (MTProto 2).

    https://courses.csail.mit.edu/6.857/2017/project/19.pdf

    https://eprint.iacr.org/2015/1177.pdf

    https://eprint.iacr.org/2015/1177.pdf

    Anyway, long story short, Delta Chat has had independent audits several times. I’d say that says it all, really.

    https://delta.chat/en/help#security-audits

    (Also, thanks for introducing me to Delta Chat, was unaware of the project up to now. Neat stuff.)

    • BearOfaTime@lemm.ee
      link
      fedilink
      arrow-up
      4
      ·
      2 months ago

      Agreed.

      No audit…then we don’t know.

      Have you seen an audit for SwissCows’ Teleguard?

      I’ve been testing it for a few days now, after a comment about it here.

      They claim to not store your chats, they’re deleted after delivery. To sync a new device requires an encrypted backup from an existing device.

      I’ve tested this by restoring a backup from yesterday to sync a new device, and it only has data from yesterday.

      That said, I really don’t know how trustworthy they are.

      • Snot Flickerman
        link
        fedilink
        English
        arrow-up
        5
        ·
        2 months ago

        Nice, I hadn’t heard of them until now, either.

        I’m just excited that end-to-end-encrypted services have become in such high demand that we’re seeing lots of different implementations.

        It took a while, but it looks like Veilid finally has a basic chat built in their protocol as well. It says it’s secure, but I can’t find any info on its particulars.

        https://gitlab.com/veilid/veilidchat

        • BearOfaTime@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          2 months ago

          Meh. I only read a translated version, so it’s hard to tell nuance.

          But nothing in there is inaccurate. Maybe overstated.

          Personally Signal seems trustworthy, but… I have some ambivalence, given their bullshit reasons for dropping SMS support. They claimed it cost them engineering, which is at best wrong, at worst a flat out lie. Signal has nothing to do with how SMS is managed - it merely hands the message to Android’s SMS system. It’s trivial. So why would they drop support and use that lie?

          When I’m being misled, I start to look at everything else as having a bit more validity.

          Plus UI/UX on signal sucks. It’s no better than the lamest SMS app. Hell, old SMS apps are better. And no multi-device sync. They claim it can’t be done and maintain encryption. Right. Clients just need to use the same encryption key…like Telegram does, and now Teleguard - and they’re claiming full e2e at all times.

  • Rose@lemmy.zip
    link
    fedilink
    arrow-up
    12
    ·
    2 months ago

    I’ve never seen anyone use Telegram’s e2ee. Not even by the users outside the legal realm, to put it mildly. Not only is it opt-in but it also works in the mobile app only.

  • Daemon Silverstein@thelemmy.club
    link
    fedilink
    arrow-up
    4
    ·
    2 months ago

    Regarding privacy, PGP is far better than out-of-the-shelf IM-embedded encryption, if used correctly. Alice uses Bob’s public key to send him a message, and he uses his private key to read it. He uses Alice’s public key to send her a message, and she uses her private key to read it. No one can eavesdrop, neither governments, nor corporations, nor crackers, no one except for Alice and Bob. I don’t get why someone would complain about “usability”, for me, it’s perfectly usable. Commercially available “E2EEs” (even Telegram’s) aren’t trustworthy, as the company can easily embed a third-party public key (owned by themselves) so they can read the supposedly “end-to-end encrypted” messages, like a “master key” for anyone’s mailboxes, just like PGP itself has the possibility to encipher the message to multiple recipients (e.g. if Alice needs to send a message to both Bob and Charlie, she uses both Bob’s and Charlie’s public keys; Bob can use his own private key (he won’t need Charlie’s private key) to read, while Charlie can use his own private key to do the same).