
And how is Signal's protocol not "roll their own"? Sorry, I don't know.


Signal Protocol won the Levchin Prize at Real World Crypto, which was awarded by a panel of several of the most renowned academic cryptographers in the field (including Dan Boneh and Kenny Paterson). Other winners include Bellare, Krawczyk, and Joan Daemen. The protocol has been extensively analyzed and is the current gold standard for messaging encryption.

Telegram's protocol... is not that.


This. It's not the Durov brothers who are moving the field of secure messaging onwards, or talking at conferences. They're complete amateurs surrounded by fanboys who don't understand the very basics of the field, and who think copy-pasting from https://tsf.telegram.org/manuals/e2ee-simple makes them useful as opposed to spreading propaganda.


But the standard we should apply to secure chat protocols isn't how many awards it won, but whether it's watertight. Obviously winning a prestigious prize means it's watertight, but the converse doesn't follow. A protocol can be safe for practical use without winning any prizes.


It can, but given Telegram's history and professional cryptographers like Schneier[1] and Green[2] saying DO NOT USE IT, it's obvious it's _anything_ but watertight.

[1] https://www.schneier.com/blog/archives/2016/06/comparing_mes...

[2] https://twitter.com/matthew_d_green/status/72642891296898252...


Both four years old. Did they not improve since?


No. Still not E2EE by default, still no E2EE for groups, still no E2EE for desktop clients. Why do you want to imagine Telegram magically got better when it's so obvious it didn't?


Because they “magically” updated and improved tons of stuff in the last four years. So I think it’s not unreasonable to consider whether their encryption improved too.

But yes, not having encryption on by default speaks poorly of them. OTOH it’s not concrete proof that the encryption still sucks as of now.


Don't get me wrong, I'm not saying the E2EE encryption itself is flawed. I'm saying it's not being used at all by default. And I'm saying it's not possible to use it for groups or desktop clients. That's _the_ travesty, and the proof that this is the state of things is so obvious people don't realize how serious it is. And my concern is that will lead to a tragedy.


Yeah, it’s true that not having E2EE makes Telegram a bad choice for the purposes of the protesters. Convenience and inertia wins out though. And when you have groups of hundreds of thousands of people, there aren’t too many choices in the first place.


The expectation of privacy loses its meaning when the group size grows. It's more likely what you said remains private when you say it in a group of five people than if you say it in a group of 50, 500, 5000, or 500,000 people. IMO supergroups and channels don't need E2EE, normal groups in Telegram definitely do. It's not an all-or-nothing thing. E2EE where expectation of privacy can be assumed from group size isn't a problem.

Also, Signal has no upper group size limit, but E2EE would make groups of 100,000s a bit sluggish. But that's a problem that reduces with Moore's law.


Of course not. You have to first admit you have a problem to be able to improve.


Does this comment have anything to do with the question I was responding to?


No, and obviously it doesn't have to, because I'm replying to you. You hint at Telegram's protocol being inferior based on the number of awards it won, a heuristic that isn't too relevant in practice.


First of all, most of this goes back five years and things have likely changed, but basically MTProto used several non-standard and out of date security mechanisms (no AE and using SHA1 were fairly notable at the time) whereas Signal was purposing fairly standard and widely used mechanisms (OTR). It's possible that many of those failures have been addressed over the years, but I haven't followed it closely. It's worth noting that Signal has been widely vetted over time and is the underpinning of WhatsApp, whereas MTProto continues to have a poor reputation, it seems.


The very fact that out-of-date security mechanisms passed into the first version should tell you the developers don't follow their field, or that they're complete amateurs. Both are flags so red Stalin would have a problem with it.


The Signal Protocol[0] is based on OTR, a technology which had already seen a number of implementations and informed scrutiny by the time Signal came along.

[0] https://en.wikipedia.org/wiki/Signal_Protocol


Also an important aspect is that it is open sourced, meaning others can audit it. I'm a little untrusting of people that say "trust me" but also "no, you can't look at it." (unless there is a good reason to hide it, which in this case I do not believe there is)


The thing is, there's nothing to audit.

The world's best audit of Telegram would make the following obvious findings:

1. It's not E2EE by default therefore it's not private and secure by default.

2. It's not E2EE at all for groups, therefore it's not safe for use by dissident groups.

3. It's not E2EE at all for desktop clients therefore it's not practical in daily messaging.

Any audit of the E2EE part is meaningless when E2EE is so impractical it's not used by users at all.


MTProto is also open source.


Thank you for updating. For those curious this is what I found looking for the source https://github.com/tdlib/td/tree/80c35676a2eb1e9b71db355ee21...


It's based on the concepts of OTR but it has gone in different directions to actually implement those ideas.


(DH-ratchet is still there. 1536-bit FF-DH was replaced with X3DH etc, but the basic idea is still there. Adding hash ratchet for non-round-trip messaging was a good idea, as was pre-keys stored on server. IMO it's fair to say it's been expanded around OTR)
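As an added illustration of the hash ratchet mentioned in the comment above (example code written for this thread, not Signal's implementation), a toy symmetric-key ratchet in Python using HMAC-SHA256: each step yields one message key and a fresh chain key, a receiver can ratchet ahead to a message that arrived early, and someone who steals the current chain key can only derive later keys. The domain-separation constants and the 32-byte starting key are assumptions; the DH ratchet that would periodically replace the chain key is left out.

```python
from __future__ import annotations
import hashlib
import hmac


def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """One hash-ratchet step: HMAC with two distinct constants (assumed values)
    gives the next chain key and this message's key. HMAC is one-way, so the
    previous chain key cannot be recovered from either output."""
    next_ck = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    mk = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return next_ck, mk


class SymmetricRatchet:
    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key
        self.n = 0  # number of message keys derived so far

    def next_key(self) -> bytes:
        self.chain_key, mk = kdf_ck(self.chain_key)
        self.n += 1
        return mk

    def key_for_index(self, target: int) -> bytes:
        # Receiver side of a one-way (non-round-trip) channel: if message
        # `target` arrives before earlier ones, ratchet forward to it. A real
        # implementation caches the skipped keys; this toy just refuses to go back.
        if target < self.n:
            raise ValueError("already consumed; a real client would use its skipped-key cache")
        while self.n < target:
            self.next_key()
        return self.next_key()


def forward_secrecy_demo(start_key: bytes = b"\x00" * 32) -> bool:
    """Constructed scenario: Alice sends 5 messages, then her chain state leaks.
    Returns True if no already-sent key is derivable from the stolen state."""
    alice = SymmetricRatchet(start_key)
    sent = [alice.next_key() for _ in range(5)]
    stolen = SymmetricRatchet(alice.chain_key)  # attacker's copy of current state
    future = [stolen.next_key() for _ in range(5)]  # keys 5..9 are derivable
    return not any(k in future for k in sent)
```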



