Discussion on how a user's Telegram got hacked

Someone on the privacy subreddit shared their experience:

I don’t use Telegram, but people trusting its 2FA might find this instructive.


Wow, Abhijit. Cyber security is such a pressing need in India today. Do we have any cyber security researchers and trainers here on the forum? How do you see this issue?

So I’m not a Telegram user, but the biggest takeaway I have from this is that Telegram is far from the privacy/security-focussed service it has gained a reputation for. There were always warning signs (default chats were not encrypted and their encryption is homegrown, which is frowned upon in the crypto community).

The consensus seems to be to use Signal if you are a relatively high profile threat. It is peer-reviewed and vetted for the most part.

The second conversation is about how sophisticated attacks are increasingly being used on citizens today, possibly by governments, since they have the resources. An independent journalist today would do well to treat themselves as a possible target of such an attack.


Regarding the recent leak, the database was of an unofficial client application that was being used (both in Russia as well as the previous leak from Israel).

Telegram has transport encryption by default, i.e. client-server/server-client encryption, but end-to-end is enabled on all secret chats. This makes sense because Telegram is a cloud messaging platform, thus enabling seamless sync by default. You cannot sync secret chats by default.

Although historically homegrown encryption is frowned upon in general, there’s no active vulnerability that can be exploited. Also Telegram has an attractive bug bounty going on, which keeps bugs in check.

Although Telegram has open-sourced only the client side of the application, it is by no means an insecure app; nevertheless it’s interesting to see what business model they shift to once the funding runs out.

Furthermore, Signal is now working on getting rid of the phone number based user signup, which was always a downside of Signal (read SIM swapping attacks). Telegram seems to be shifting to moving to a decentralized platform as a whole. Keybase seems to be an interesting alternative as well, but too bad it got swallowed by Zoom.

links here


If I understand correctly then the author’s issue is that their Telegram account was flagged for deletion & would be gone in 7 days. I don’t see how Signal would protect against this, the attacker could’ve simply unregistered the Signal account and it would get locked for 7 days.

Telegram seems to be shifting to moving to a decentralized platform as a whole

Signal is now working on getting rid of the phone number based user signup

Can you cite the source for these?

the attacker could’ve simply unregistered the Signal account and it would get locked for 7 days.

So what I understand is a difference in how Signal and Telegram handle deletion timeouts.

When you request unregistration, there is a 7-day grace period within which to cancel (on both services AFAIU).

On Telegram, to cancel you need 2FA via SMS (which is a bit short-sighted, since SIM cloning is a relatively simple attack). The poster had assumed that 2FA would be their PIN, since they considered SIM/SMS used during registration as 1FA, and this came as a rude shock.

On Signal, if any registered device is active within that week, the timer is reset. So even if your SIM is lost, you can connect over wifi and reset the cooldown, buying you time at least. They describe how it saved them in point 13.

I’m unclear whether Signal unregistration requires PIN.

Reading the comments, looks like you can initiate number change to cancel the deletion process.

The timer you are talking about is different from un-registration. If their SIM was hijacked then the attackers could’ve un-registered their Signal account just like they initiated deletion for the Telegram account. They just got lucky.

Actually Signal’s un-registration would’ve been worse because, effective immediately, they would lose access to the account, unlike Telegram where they had 7 days. Also, re-registration is not possible in Signal for 7 days, which is good because it prevents attackers from hijacking the account, at least for 7 days.

I don’t see how Signal is any better than Telegram in this case, if anything it’s worse because on Telegram at least they have their account for 7 days. There are other reasons to prefer Signal over Telegram, this isn’t one of them.

I’m unclear whether Signal unregistration requires PIN.

IIRC No, it doesn’t.


I see.

If this is the case, the explanation for the attacker not unregistering Signal would be they didn’t even try, and OP has erroneously assumed that it didn’t work.

Reading the comments, looks like you can initiate number change to cancel the deletion process.

Yes, OP hasn’t updated though.

If their SIM was hijacked then the attackers could’ve un-registered their Signal account just like they initiated deletion for the Telegram account.

You’re saying it wasn’t a SIM clone? What else could it be? Their phone did go off-network.

For this one, from their blog post:

PINs will also help facilitate new features like addressing that isn’t based exclusively on phone numbers, since the system address book will no longer be a viable way to maintain your network of contacts.

A bit vague IMO, but looks like it’s on the roadmap.

If this is the case, the explanation for the attacker not unregistering Signal would be they didn’t even try, and OP has erroneously assumed that it didn’t work.

You’re saying it wasn’t a SIM clone? What else could it be? Their phone did go off-network.

No, I’m saying that maybe the attackers didn’t try un-registering their Signal account. Erm… yeah, that wording wasn’t right.

They just got lucky that the attackers didn’t un-register the Signal account, otherwise they wouldn’t be able to use it either, but Telegram would still have been useful for 7 days at least. Reading the post again, I don’t think they know about this.


This discussion has been going on for a long time, what I was interested in is:

getting rid of the phone number based user signup

Are they planning to remove phone number based signups or keep it along with another option?

Well, it turns out the TON blockchain project by Telegram didn’t age well. link

Do you folks remember the time when WhatsApp used to allow exporting backups (offline)? Now it just stores them on Google Drive and the backup is not E2E encrypted! I think the least you could do if you really have to use WhatsApp is to disable backups on Google Drive. Hope it helps somebody.
