#Telegram and #Durov are once again in the media, so I translated my May piece about the service to English:
Telegram is neither "secure" nor "encrypted"
https://rys.io/en/171.html
Calling Telegram "secure" or "encrypted" is misleading, and is journalistic malpractice.
Telegram itself seems to mislead about it on purpose.
Telegram's encryption protocol is suspicious and transmits cleartext device identifiers with every message.
They have been called out for it many times, and refuse to change.
@rysiek also #Telegram - like @signalapp - demands and collects #PII like #PhoneNumbers which ain't possible to acquire anonymously in more and more jurisdictions.
Using #XMPP+#OMEMO by contrast is secure and adding @torproject / #Tor to tunnel it makes it even more anonymous.
Consider every #Messenger that doesn't #decentralize and support #Tor out of the box to be insecure!
@kkarhan I consider a service that actively, relentlessly misrepresents its security and encryption stance way worse and more harmful than a service that does not.
@rysiek Agreed.
Tho I'd say that @signalapp is just marginally less shit in execution AFAICT, not in concept tho...
@kkarhan I have criticized @signalapp publicly for a bunch of things.
But saying that Signal is "marginally" better than Telegram is simply wrong. Signal is leaps and bounds better than Telegram, in execution and in concept.
Telegram's concept is "let's implement just enough e2ee to be able to lie our way into pretending we're an e2ee IM, while being nothing of the sort."
They do this *on purpose*, knowing this puts people in harm's way.
Making any sort of equivalence here is not justified.