Don't forget about drafts being synced between devices. I remember the first time I've noticed that: “Wait, didn't I write this on my phone? Why is this in my desktop client?”

That's actually the only feature that has a bug (the rest works flawlessly): when I connect my phone to the internet after I started writing a message, even if I have the chat open and I'm actively typing and internet just connects in the background, then it'll literally erase what I typed so far with no warning or anything. It'll see that the server has no draft or an empty draft or something, and it'll just get rid of my message so far and there is no way of getting it back.

Well, to be fair, there is also this other minor bug about encryption being off by default and only available on a few clients and not synchronizing between different encryption-supporting clients...

> Well, to be fair, there is also this other minor bug about encryption being off by default and only available on a few clients and not synchronizing between different encryption-supporting clients...

Here we go again.

Encryption is not off by default.

It is just not E2E encrypted, i.e. it works just like any bank, Gmail etc etc etc.

(except, based on what I've heard Telegram, unlike any mainstream bank, put the extra effort in to keep encryption keys not only on separate servers but in a different jurisdiction than your messages.)

Edit:

Now if we could stop spreading misinformation we could discuss one thing that might be the real flaw in Telegrams model and which I would consider trying to move to a different messenger over - if they fixed it while delivering the same experience:

The one huge issue I have with Telegram is the funding model.

Whatsapp more or less nailed this early on:

- low, reasonable price that still made them plenty profit

- possibility to pay for others (kids, friends etc)

Give me the same offer as Whatsapp once gave me:

I pay them, they deliver my messages, provide quality clients on all platforms, doesn't snoop, doesn't spam etc, and I'll download the beta today.

Provide a legally binding agreement that makes their company worthless and publishes the code under Apache or another liberal[0] license somehow if they sell out or becomes sleazy and I'll be walking around pondering how to help them.

[0]: yep, I want it to be as simple as possible to make a good chunk of cash from transporting my messages securely and elegantly from my device to other peoples devices as well as the other way.

E(nd to end)ncryption is off by default, that's not an opinion. Gmail (afaik) doesn't have that at all, so saying it's off in Gmail by default is weird. It's not the same thing. (It's like saying a car's radio is off by default versus a bicycle's (non-existent) radio.)

Anyway, I guess that's just semantics. We both understand what is the case, whether you like calling it a default setting or "just not encrypted". I do fully agree that Telegram is shady because it's just a money sink, and that WhatsApp had a great profit model (pre-Facebook of course). I did the math once (though that was just messages, not media) and a euro a year (times a few hundred million users, back then) was plenty to support a chat system with only a few developers as employees. If Telegram would adopt the same profit model, that would be great.

Alright, you got me, I said encrypted instead of end to end encrypted. I did not think it was necessary to specify that level of detail, given that everything is encrypted-to-the-server these days. I see what you mean, there is indeed a difference, but it feels to me like you're trying to trap me on words for the sole reason of being to say that you're right and I'm wrong about something.

> I see what you mean, there is indeed a difference, but it feels to me like you're trying to trap me on words for no reason.

I'm honest, my contact details is in also in my profile like you have in yours, and I'm not trying to trap you on technicalities of the language, but I think we should be very precise about what we mean.

Either communication is cleartext or it is encrypted.

If it is encrypted it is either end-to-end encrypted or it is not.

A number of people keeps repeating this idea that Telegram is not encrypted and while you obviously know the difference we shouldn't continue confusing those who don't.

It would be a shame if someone went with something even less secure because I keep trash-talking Whatsapp and others keep trash-talking Telegram. (I fortunately don't hear many trash-talking Signal, but it doesn't have enough marketshare here to matter yet.)

Telegram has shipped deliberate backdoors in the past, they can’t possibly be trusted https://m.habr.com/en/post/206900/

I can't read Russian well enough to understand that ;-)

What I know however is that I can't recall anyone except you[0] claiming that, not even tptacek.

[0]: Thought I remembered your nick and had to look up: https://duckduckgo.com/?q=Ryanlol+Telegram+site%3Anews.ycomb...

That is weird indeed, I never heard of this (and I'm relatively involved in Telegram-related thread / some tech groups on Telegram). It is fixed now, though. If it was ever a backdoor (which the thread does not conclusively say, just "backdoor looking" which sounds like either Telegram invented some unknown crypto that allows them to create a backdoor without anyone else having access, or an unfortunate mistake), it is no longer in there. As far as I know, this mtproto thing is weird but not broken. It is indeed something to be aware of though, I guess it's fair to bring it up, though I would not put it as black and white as "they backdoored it" when that is not actually certain. If you want to put it like that, you could also say that every vulnerability in the world could have been placed there intentionally. Which it could, but...

>It is fixed now, though

I think this is utterly irrelevant. Telegram deliberately shipped a backdoor, removing it after they got caught doesn't change anything at all.

>which the thread does not conclusively say, just "backdoor looking" which sounds like either Telegram invented some unknown crypto that allows them to create a backdoor without anyone else having access, or an unfortunate mistake

Look, I'm not going to speculate on what some individuals may or may not think about this in private. However, many people would not be comfortable making such direct accusations in public.

>though I would not put it as black and white as "they backdoored it" when that is not actually certain

This is as certain as it could ever be, I'll refer you to this comment that worded the explanation better than I would https://news.ycombinator.com/item?id=17621104

If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.

What do you think would be sufficient evidence to call this a backdoor?

>If you want to put it like that, you could also say that every vulnerability in the world could have been placed there intentionally

That assumes this was anything like every other vulnerability, which isn't true.

So I disagree with a lot of what you wrote, but the basic claim about the backdoor was something I am interested in so I clicked through and translated some of the Russian.

That totally looks like a backdoor.

How is this not common knowledge? Like, if the reason is indeed against a bad RNG, then why not xor the server's "random" number into the private key instead? Since the server does not know the value of that (as opposed to the shared key it establishes with Bob) and (if my limited understanding of math is sufficient) the private key is what is protected by the discrete logarithm problem, there should (afaict) be no possibility of backdooring the resulting shared secret. You would be mixing the server's number into a random number, which with xor gives an equally unpredictable result. Or, y'know, solve the badly seeded RNG by adding a seed to the RNG (such as by xor'ing an output of the current state with the number from the server).

It looks like I started using Telegram about four months after this was posted on Habr, and I think I was relatively early in using it. Maybe Telegram just wasn't very well-known yet and therefore nobody cared enough to make a big issue about it? "Backdooring" is also quite a hype word, I noticed somewhere last year that every third vulnerability was being called a backdoor, so perhaps tech media wasn't as quick to use that word back then? Then again, the Snowden leaks were ongoing, so it's not as if mainstream tech media wasn't talking about backdoors already in December 2013. I don't know, it's weird, this totally looks like it could have been designed in a million different ways and this is quite likely to be intentional.

Thanks for the link to a post which links to the technical details (albeit in Russian) complete with an example of how it could be exploited, that is indeed what I "think would be sufficient evidence to call this a backdoor".

Some features, like syncing and group chats can be made more convenient in Telegram because it is not e2e encrypted. For me that doesn't feel like a very good long term compromise.

Wire (wire.com) has E2E encryption and syncs chats and group chats across devices. It’s not the best experience, has slow clients and the company (Wire) is focused on paying clients, but it mostly works with few nagging annoyances. I wish Telegram would adopt something like that and make E2E encryption the standard for all chats.

The only other app I know of that is this stable is iMessage. Some of the time (literally) Slack gets it right, but other times their notifications are outright broken.