Telegram is fucked

signal > telegram
science proves it
cs.au.dk/~jakjak/master-thesis.pdf

Other urls found in this thread:

conversations.im/omemo/
github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217799118
github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217734068
twitter.com/SFWRedditImages

nice try but we're still not going to install google play services botnet, shill

/thread and sage
nobody will use bs that requires google shit

An abstract would've been nice.
stant messaging application Telegram has disregarded this rule and decided
to create an original message encryption protocol. In this work we have done
a thorough cryptanalysis of the encryption protocol and its implementation.
We look at the underlying cryptographic primitives and how they are com-
bined to construct the protocol, and what vulnerabilities this has. We have
found that Telegram does not check integrity of the padding applied prior to
encryption, which lead us to come up with two novel attacks on Telegram.
The rst of these exploits the unchecked length of the padding, and the sec-
ond exploits the unchecked padding contents. Both of these attacks break
the basic notions of IND-CCA and INT-CTXT security, and are conrmed to
work in practice. Lastly, a brief analysis of the similar application TextSecure
is done, showing that by using well known primitives and a proper construc-
tion provable security is obtained. We conclude that Telegram should have
opted for a more standard approach.


I don't give a fuck about signal, but shouldn't microg + xposed work just fine in lieu of GPS, or does it fuck up with it?

firstly, this isn't a 'signal' thread. this is a 'telegram is fucked' thread. look at the title or the accompanying image. so tell me, what do you use to securely message normies?

secondly libresignal exists so who gives a fuck about google?

original dev sabotages libresignal
also, a program that is BY DEFAULT evil and malicious should not be cheered and recommended, even if there is a free version available.

what's specifically evil and malicious about it? the gcm dependency for push messaging?

There is a fork on F-Droid.
However the main server is nonfree and they are using DIY crypto. Secret chats are end to end though and don't pass through the server. However it is pretty big at ~12.4MB.

then why does OP's abstract say

No shit OP.

...

Tox > other libre P2P IM stuff > conventional client-server libre IM stuff like XMPP solutions > libre client + proprietary server bullshit like Telegram >>>>>>>>>>> Whatscrap and the likes

Prove me wrong

Telegram was always shit but needing a phone number for Signal is a non-starter.

this. that shit is probably also centralized only using signal servers and no way to change that. only true best technology is XMPP.

and while XMPP is not ready for the masses I'm not telling anybody to switch to a half-baked shitty alternative like Signal, which isn't a real alternative because it's shit. they can as well continue using WhatsApp idgaf


tox is p2p, which is great but wastes a shitton of bandwidth on mobile phones. don't get me wrong, I love p2p, but for messaging it's probably less useful.

No, go away.

It already took ages to convince my friends to join Telegram instead of SkypeNet™
I don't have the time nor patience to convince them to switch to yet another platform just cause some danish faggot decided that Telegram's encryption isn't good enough for him and other cheese pizza connoisseurs.

12MB for a program that has the entire Android API at its disposal and sends text back and forth over a network is inexcusable
>he says while still using xabber

...

bumping because i just saw a telegram thread

How about neither? Signal requires you to put a telephone number to use it. Fukin privacy my ass.

So whats the alternative? And on F-droid preferably

Everybody with a brain already knew Telegram was garbage, but no, you knew better. The people pointing this out were just shills, right?

You are fucking retards and you deserve to get pwned for being fucking retards.

According to the GitHub discussions, m0xie will probably ban or take legal actions against LibreSignal for using the OWS servers and the name "Signal". He also opposes federation which makes third party applications unusable because nobody wants to be excluded from the userbase.. It's no wonder that he's taking money from Facebook.

XMPP/OMEMO is the way to go.

Get fucked, they're both awful.

Sadly Conversations is shit. It also has a horrible ui, no dark theme and no desktop client.

Is there anything good which uses OMEMO?

Got a link? I've seen him being pissy in the past but I thought he was OK with third party apps

...

Read conversations.im/omemo/
"OMEMO is an XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. It is an open standard based on Axolotl and PEP which can be freely used and implemented by anyone."
to emphasize it: multi-client includes desktop clients


github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217799118
github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217734068

i agree with moxie tbh. he's trying to make a secure app usable by normies and that means certain compromises to usability. i still haven't seen him threatening legal action for using his servers, just the name. mozilla does the same thing with firefox so people don't start passing out shitty forks that make them look bad

if you're too autistic to run any google code then you're stuck with xmpp

s/^\S+/Matrix/

He could simply use WebSockets instead of GCM. Problem solved. No normie will notice.

It's pretty obvious that he threatens F-Droid for using his servers, just read the links I've posted. He could also block third-party clients.

"Signal" is a pretty generic name. The LibreSignal dev said that he will change the name nevertheless.

The problem is not the Google code because most people running LibreSignal or XMPP on their phone, already do use Google code, e.g. the AOSP. What you're talking about is the Google API, which can be used with free implementations such as MicroG, too. But GCM still requires a Google account. This is not just a problem for people who reject the Botnet, but also for others who have Google blocked in their country, e.g. China.

Yeah, he shouldjust implement his own battery draining push API instead of using the already existing, more efficient technology that everyone else uses and is only disliked for religious reason


OK
Sounds like he's cool with OS implementations as long as they don't fuck with what he's trying to do.
Oh yeah, so he's said he's OK with it, but just for fun let's speculate.


If he had actually threatened them they wouldn't be able to keep the project going. I have seen people making legal threats about GPL violations though. That seems pretty shitty when he's just trying to help normies and getting a bunch of shit for it.

Whatsapp™ by Facebook®

From my previous post: But GCM still requires a Google account. This is not just a problem for people who reject the Botnet, but also for others who have Google blocked in their country, e.g. China. (a big potential userbase who are in need of secure communication)

Well it should be possible to add an option in the app to choose between GCM and Websockets. But there aren't any signs of him doing that.

Yeah, he can write whatever he wants, but without being able to distribute it on a major platform like F-Droid, it's pretty much pointless.