Really communicate securely: Telegram his services as the solution?




Key ssl Encryption is everywhere in our lives. We use it every day, often without us there himself dwell: to encrypt our connection to the bank and to ensure that our fellow travelers on hotspots in the train can not read along our emails. Even if we upload photos to Facebook, which is now done automatically via https.

But this means that our data are actually safe? Not necessarily. Because our connection may be encrypted, the data is often either stored unencrypted, or encryption key is owned by the company where you board your data. So Google can read your e-mails, and so does the company also engaged systematically – after all, Google earns money by displaying personalized ads. Dropbox deduplication applies: if you upload the same file as another user, it is stored only once. Most companies can not figure out user passwords – which are hashed – but the rest is all for them insightful.

That in itself is a privacy complaint – we want that Google, Microsoft, Facebook or Dropbox in our private communications and files can if they want to? But there are other risks. It became clear that U.S. intelligence is not very reluctant to retrieve private data from Europeans. Past nine months There is also the risk of hacks: who knows Dropbox for example to crack, can the files of all users.

Therefore, diving more and more services that use the zero knowledge principle. That means as little knowledge of users. It is technically necessary to process certain information – such as user name, password, and optionally e-mail address and payment information – but for the rest of their users do not need to know which service is the idea.

No keys

For chat services means zero knowledge’ principle eg, end-to-end encryption. In addition, both parties communicate encrypted, without the intervention of others. In mainstream chat services each user sets an encrypted connection to the server of the service. With end-to-end encryption, the encryption but directly set up between the two parties derogatory.

This difference seems small, but has far-reaching implications. The server of the chat service can still act as a central hub in the communication between users, but the content of communication no longer recognize. Because the encryption between the derogatory parties has been established, the instant messaging service, the key needed to decrypt the communication is not in the hands.

After Facebook WhatsApp took the competitive chat app Telegram gained popularity in a short time. At first glance the app looks a lot like WhatsApp, the app offers group chats, there is the ability to send images and videos and the numbers are central to finding contacts. One feature that has not, however, WhatsApp, is the ability to provide end-to-end encryption to be used.

It is a feature that is not enabled by default: users must themselves choose to start an encrypted conversation. For Telegram encryption uses a proprietary encryption method – this phrase will most security researchers shudder, and in this case seems to be right, because there is a few things off to stuff the encryption Telegram.

Telegram has several vulnerabilities – so use the outdated sha1 hashing algorithm – but perhaps more important is that the users communicate with each other, not using authentication together: they do only with the server. The identity of the caller can not be verified directly – that only the server.

This means that the server could intercept and decrypt the messages. Between the two interlocutors It is not saying that to happen – but it still can be, and there is no way to check if that happens as a user.


Christopher Soghoian, a security researcher and privacy activist with the American Civil Liberties Union, also is not buying it Telegram. “The application is not to show that he has developed with security as a starting immediately,” says Soghoian. “The automakers are not cryptography experts, and I have no confidence in their technology.” The success of the app he calls a mixed blessing. “Encryption makes life difficult for the NSA, even if the encryption is weak. It’s definitely better than texting, that is not encrypted., But you have to create a false impression of security . ”

The Dutch civil rights organization Bits of Freedom is okay with that. “It’s good to see that people are worried about privacy and how Facebook handles your private information,” said the organization, through Ton Siedsma. “I can hear even in the street and in the cafĂ© people talk about Telegram and WhatsApp acquisition. But on the other hand, we obviously do not know how safe the apps that they use instead. Telegram In the case of you there by questioning. ” The organization supports the idea that data should not be managed. By an organization “It is very good that there are other apps are used, only those of Facebook.”

The competing app Threema, which has fewer users than Telegram and is paid in contrast to that app, does it better. That app, which is made by a Swiss company checks the identity of the user is and provides end-to-end encryption. Moreover, a passphrase is required to activate the encryption key, even if the key is leaked, yet are the messages on the streets, though that is less long and complex passphrases with dictionary and brute force attacks a matter of time, a strong passphrase is, therefore, important.

What Soghoian from state to Threema, is that the app is closed-source. “We must be very cautious with the confidence of closed source software,” says Soghoian. “After Snowden, we know that the NSA works with technology companies to mitigate. Away their security” With open source code, anyone can detect any backdoors, he emphasizes. “Most people will not view the source code, but the point is that independent experts can take. Source under the microscope”

Text Secure

An application according to Soghoian is both safe and open source, is Text Secure. That free Android app, which includes developed by the well-known security researcher Moxie Marlinspike has existed as an app for encrypted with texting. However, last week the application update, making the service now communicates via the Internet and is similar Telegram and Threema. “Text Secure is built by highly respected security experts,” says Soghoian. We’re still working on an iOS version.

The project has no business model and is sponsored by donations, according to Soghoian shall include Mark Shuttleworth, the man behind the Ubuntu Linux distribution, donated money to the project. “Moxie is to me not a business model, he genuinely wants to make the world a better place.” The team behind Text Secure has also developed an app to make calls encrypted. This involves the use of VoIP.

Off the record

Mega Mega, the business of Megaupload founder Kim Dotcom, also working on an end-to-end messaging service. So says the Dutch developer Bram van der Kolk, the lead developer at Mega. “In April, a browser version. Mobile apps for Android and iOS will follow later., I would not be too optimistic, but I’m guessing somewhere in August or September,” said the Dutchman, who, like Dotcom suspect in the Megaupload case, but the process must wait in relative freedom.

The application is best comparable to a hybrid form of WhatsApp and Skype, according to Van der Kolk: it is both possible to chat, like to call, which also supports encrypted video chat. “It’s all true, end-to-end encrypted. Also we apply off the record”, says van der Kolk. In addition, each conversation is a new cryptographic key is generated. “The moment you stop to chat, are therefore all the keys away.” This has the disadvantage that there is no conversation history can be saved. “We sit there thinking to users that option to leave off. Then the call history only locally accessible,” says Van der Kolk.

The chat service Mega should make it possible to chat. From multiple devices Multi-party off the record, according to Van der Kolk difficult to implement. “You want to make sure that all devices that are logged by the same user,” says the developer. “A chat service making is not that difficult, the cryptography in order to get the most complicated.”

Also, one of the founders of The Pirate Bay, Peter Sunde, working to secure messaging. will use xmpp and pgp, proven technologies to communicate securely. If the service does, however, is still unclear. Another chat service that offers off-the-record messaging is Cryptocat . For each new chat cryptographic keys are generated. Incidentally Cryptocat have struggled with a bug, which group discussions could be decrypted. During a half
Silent Circle

Recently showed that KPN will offer’s software. U.S. company Silent Circle That company also provides encrypted chat apps, paid. “We want to minimize our customers know and thus save as much as possible,” said director Mike Janke Silent Circle last week at the RSA Conference in San Francisco. “We want to set up a system that is not about the monetization of customer data.”

According to Janke online should have more control over their personal data “. On the Internet you return your privacy for free services, but I do not feel that I’ve given Google to ask about my life a whole dossier consent.” That while there is a mini computer in everyone’s pocket, which does exactly that, signs the Silent Circle-CEO of.

Silent Circle is also working on a phone where privacy is key, Black Phone . That phone runs on a customized Android version and includes tweaks for privacy. Thus wifi disabled when a user is not in the vicinity of a known Wi-Fi network, which wifi tracking must be countered. In addition, the Silent Circle apps installed by default and get a buyer four year subscriptions to the services of the company: one for himself, and four for the people with whom he communicates.

An advantage of chat services that control the encryption for the user, the low barriers to entry. Via pgp / gpg and off the record messaging in xmpp is much longer possible to communicate encrypted but that is still not for the masses. “Pgp is so complicated to use, even for security experts,” said Irippuge Milinda Perera at Tweakers. He does at the New York University study of cryptography and spoke last week at the RSA Conference. “There are so many things you should pay attention to.”

Mega-developer Van der Kolk agrees. “We want to make our application as accessible as possible, a user needs the encryption actually not notice:. It must feel like a normal service,” he says.

The Dutchman Arne Renkema-Padmos, who does research at a German university in Darmstadt, doing research for six months to make it easier for e-mail encryption. “The average citizen is not interested in cryptography. Moreover, many people do not know how the Internet and e-mail are put together,” says Renkema-Padmos. “That does not surprise me.”

From research also shows that people with the principle of pgp, leaning on asymmetric encryption, not understood. “In one study, people began to send each other their private keys,” says Renkema-Padmos. That while they have to send their correct public key, the private key is only intended for the recipient to mail that is encrypted with the public key to decrypt.

How does PGP?

Concrete proposals on how e-mail cryptography can be made easier has Renkema-Padmos yet. “But I do have some ideas. Example, I would imagine that you exchange public keys automatically. If you meet someone and you shake his hand, you would automatically have its public PGP key me a wristband,” says Renkema-Padmos.

Bits of Freedom will be a good idea if pgp would be easier. Use “As a PGP interface and user-friendliness of the eighties would not have, would be a major obstacle to be removed to protect yourself,” says spokesman Siedsma.

An open source webmail client that is trying to make more accessible cryptography Mailpile . That software has support for PGP built where this should be done via a plug-in. Other mail clients “E-mail will remain with us for a long time,” said developer client Bjarni Einarsson RĂșnar last summer at Wired. “We must do what we can to make it safe.”
Xmpp and a single point of failure

Which is widely used to communicate, including by hackers and journalists, confidentiality is open source chat protocol xmpp in combination with an off the record plugin. Researcher Soghoian: “One problem is that many people use the server of the CCC.” German hacker club who has a public XMPP server. “Do not get me wrong: I love the CCC and what they do, but that xmpp-server is a single point of failure.”.

According to Soghoian is it safe to assume that each intelligence has tried to break into the chat server. At “So you can also assume that some intelligence at least it worked. So I do not think it’s a good idea to have a computer that all communications to trust.”


In: A Technology & Gadgets Asked By: [22628 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »