Telegram (telegram.org)
Why Threema? It's proprietary, so you can't say if it's really more secure. Just use TextSecure and please, build some TextSecure federated services.
Can't we all just use XMPP already?
- first of all, their protocol is open
- XMPP is a terrible protocol nowadays because of its XML nature: it's costly to parse, has big overhead for text and is awful for binary data
- I heard that recently XMPP require SSL mandatory, but it wasn't from the start, as in Telegram
I prefer to consider that XMPP is as good as dead for mobile and probably for any new startups besides some enterprise. I don't want to be devil's advocate, their server code is closed. They have had some stinky discussions in the past. But XMPP never was a good protocol.
[citation needed] I assume you also want us to move away from html and towards a simpler, ascii-based protocol?
AFAIK xmpp is already pretty simple for what it does[1].
> I heard that recently XMPP require SSL mandatory, but it wasn't from the start, as in Telegram
First, so you claim XMPP has evolved to be (more/as) secure, and still think that's an argument against XMPP? Second, SSL is generally only client-server (without authentication of the client) -- IMNHO you're better off layering OTR on top of XMPP. That said, SSL, VPN, IPSEC or other trusted transport is nice to have.
XMPP already has a standard for link-local messaging[2], supports other extensions, has many open and free servers and clients... I'm not saying it can't be improved on -- but you'd have to show some improvement before it made sense considering a different transport...
In all honesty, that makes theirs a pretty good business model (compared to much of Silicon Valley), IMO.
The key feature for me is that you can access messages through a web app, and through native desktop apps on Mac and Windows. This means that I can really use it with people who aren't on Macs/iOS all day for iMessage, which is most of the world outside of tech unfortunately.
The open protocol means that anyone can write their own client and pull out message transcripts.
The business model is a little sketchy (donated Russian social network money I think) but at some level who cares: if it disappears I can just switch to something else (that probably won't be as good unfortunately).
I know there has been some controversy about their encryption, but I would not trust any IM platform with perfect security. I care much more about reliability and availability on multiple platforms, which is where Telegram wins hands down.
And plenty of people in tech as well ;)
FWIW you can use desktop/mobile xmpp clients with facebook chat in a similar way (not that I really recommend that -- although it does allow you to layer OTR on top, so facebook can't read your messages).
Even if you'd consider their protocol secure enough (which I don't), this third-party app was written by someone who thought rand48 was good enough for long-term crypto keys. I'd stay far, far away from this.
Alright then, I use Facebook Messenger a lot, it can be accessed from the web, I can use it on my phone and other devices, and I don't need to add contacts as my friends are already using it. Bam!
And security? Well, does it matter?
Android-only right now but open source.
See also http://thoughtcrime.org/blog/telegram-crypto-challenge/ (comments: https://news.ycombinator.com/item?id=6936539 )
Q: Why not just make all chats ‘secret’?
The idea behind Telegram is to bring something more secure to the masses, who understand nothing about security and want none of it. Being merely secure is not enough to achieve this — you also need to be fast, powerful and user friendly. Telegram is a secure and powerful alternative to mass market messengers and a fast and user-friendly alternative to secure messengers. Hence the two types of chats that we have: ordinary chats and Secret Chats.
The important thing to remember is that all Telegram messages are always securely encrypted. The difference between messages in Secret Chats and ordinary Telegram messages is in the encryption type: client-client in case of Secret Chats, client-server/server-client for ordinary chats. This enables your ordinary Telegram messages to be both secure and available in the cloud so that you can access them from any of your devices — which is very useful at times.
To make that claim you're assuming their implementation has fewer exploitable holes than OpenSSL or some other well-known and checked library.
I don't put that much faith on them.
You could flip your argument around and say the fact it took so long for Heartbleed to have been discovered means even OpenSSL didn't have enough people checking it. Which it probably didn't. And Telegram has even fewer people combing through its source than OpenSSL did pre-Heartbleed.
The only valid reason I can think of is a small and obscure proprietary crypto algorithm and implementation isn't worth the bad guys/agencies' time for finding the inevitable bugs. But Telegram has gained more than enough popularity for that ship to have sailed months ago.
- whatsapp — mobile only (and phone number dependent)
- hangouts — slow
- fb messenger — does not have native mac app
Telegram solves it all
I still don't get the insistence of WhatsApp on being tied to a single device and phone number, in an age where increasingly more people have a phone, a tablet, a PC, maybe a smart TV, etc.
I'm very excited about Pavel Durov's other project, http://telegra.ph/, which - I hope - is still in development. This is his next social project, also with a focus on privacy. Pavel has become more well-known as a Russian IT entrepreneur since he fled the country with a dozen colleagues from his former VK company.
Have you even tried to google (or yandex) this? There has been a lot of discussion about their hand-rolled crypto.
http://unhandledexpression.com/2013/12/17/telegram-stand-bac...
For non-secret chat it's even worse than Whatsapp, because Whatsapp reasonably convincingly simply relays messages, only storing them on their servers until it is delivered.
https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Clien...