• woelkchen@lemmy.world
    link
    fedilink
    English
    arrow-up
    66
    arrow-down
    19
    ·
    2 months ago

    As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.

    No, it’s not. It’s very easy. In the bottom right corner there is a pencil button to compose a new message and right there it asks which tpye of chat to start. Secret chat is the second topmost option after group chat. Really not hidden or complicated at all.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      71
      arrow-down
      7
      ·
      2 months ago

      It should be a setting to always use encrypted chat, and it should probably prompt you when you first login.

      Better yet, don’t have an option to not have encrypted chats. I don’t see a reason to not have everything E2EE all the time.

      • woelkchen@lemmy.world
        link
        fedilink
        English
        arrow-up
        25
        arrow-down
        2
        ·
        edit-2
        2 months ago

        It should be a setting to always use encrypted chat, and it should probably prompt you when you first login.

        I don’t disagree but the claim that you quoted was that it’s complicated to initiate and as I explained it’s not. Also secret chats stay in the messages list, so you can go back to an initiated secret chat and pick up there without any additional fiddling.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          24
          arrow-down
          12
          ·
          2 months ago

          If you have to enable it every time, it’s complicated enough that most people won’t bother. Maybe they’ll do it once or twice out of novelty, but it’s not going to become a habit.

          I only consider something “encrypted” if it’s actually encrypted by default, or at least prompts to enable it permanently on first launch. Otherwise, it’s not an “encrypted” chat, it just has the option to have some chats encrypted.

            • scarabic@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              2 months ago

              More steps required to perform something is very squarely within the definition of complicated, no matter how straightforward those steps are.

          • woelkchen@lemmy.world
            link
            fedilink
            English
            arrow-up
            12
            arrow-down
            3
            ·
            2 months ago

            If you have to enable it every time, it’s complicated

            But you don’t. As I already explained: secret chats stay in the messages list, so you can go back to an initiated secret chat and pick up there without any additional fiddling.

            I have plenty of encrypted chats that I don’t have to enable every time I want to send one. I don’t understand where this misconception comes from.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              19
              arrow-down
              6
              ·
              2 months ago

              Surely you talk to more than one or two people, no? If you have to manually check a box or something every time you start a new message with someone, people are going to stop doing it.

              It’s not an encrypted chat app. It’s an unencrypted chat app that has an option for encrypted chats. Whether something is encrypted or not depends on how most people use it and what the defaults are.

              Signal is an encrypted chat app. E2EE is the default and AFAIK only behavior. Telegram can be encrypted, but it’s not by default, and defaults matter.

              • woelkchen@lemmy.world
                link
                fedilink
                English
                arrow-up
                9
                arrow-down
                6
                ·
                2 months ago

                Surely you talk to more than one or two people, no? If you have to manually check a box or something every time you start a new message with someone, people are going to stop doing it.

                Maybe you get acquainted to 100 new people every day, so your day is a constant chore of starting secret chats all the time. I don’t. I doubt regular people do. Just start the secret chat once and then pick it up later.

                Signal is an encrypted chat app.

                Except for the locally stored data which is not encrypted and Signal’s attitude is that device encryption is up to the user.

                • sugar_in_your_tea@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  6
                  arrow-down
                  2
                  ·
                  2 months ago

                  True, device encryption should be up to the user. Mine is encrypted, and most smartphones have encrypted storage these days. I actually have mine reboot after a period of inactivity, which removes the encryption keys from memory.

                  That said, they should have an option for app data encryption, but that’s hardly a requirement IMO, because I care far more about data being encrypted in transit than at rest on my devices. I can encrypt data at rest on my machines, I can’t encrypt data in-transit unless that’s baked in to the service.

                  • woelkchen@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    arrow-down
                    1
                    ·
                    2 months ago

                    That said, they should have an option for app data encryption, but that’s hardly a requirement IMO

                    So Telegram is not an encrypted messenger because there are types of messages that are not E2E encrypted but Signal is a encrypted messenger because encrypting local storage is optional. Got it.

                  • pressanykeynow@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    2 months ago

                    most smartphones have encrypted storage these days

                    Encrypted from your girlfriend or yourself if you forgot your gesture, but not from Google/Apple/Government or anyone who actually wants your data.

        • brrt@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          6
          ·
          2 months ago

          Is it more complicated to achieve than in other e2ee messengers? Yes, thus saying it is complicated is justified.

      • oktoberpaard@feddit.nl
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        2 months ago

        They’ve implemented it in such a way that you only have access to an encrypted chat on a single device, so no syncing between devices. Syncing E2EE chats across devices is more difficult to pull off, but it’s definitely possible and other services do that by default.

        • pressanykeynow@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          3
          ·
          edit-2
          2 months ago

          Syncing E2EE chats across devices is more difficult to pull off, but it’s definitely possible and other services do that by default.

          That’s because if you are able to get your private key on another device, then Google, Apple or Microsoft, and that means anyone, also have access to your private key. And you don’t have e2ee, literally.

          • oktoberpaard@feddit.nl
            link
            fedilink
            English
            arrow-up
            4
            ·
            2 months ago

            I would look into how Matrix handles this, for example. It involves unique device keys, device verification from a trusted device, and cross-signing. It’s not just some private key that’s spread around to random new devices where you lose track of.

      • Kekzkrieger@feddit.org
        link
        fedilink
        English
        arrow-up
        7
        ·
        2 months ago

        its some message for the users, having a secret chat kinda sounds bad, like doing something illegal and guilt trapping users into not using it

      • Lucy :3@feddit.org
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        2 months ago

        But then you couldn’t get that juicy user and conversation data.

      • pressanykeynow@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        2 months ago

        I don’t see a reason to not have everything E2EE all the time.

        You probably didn’t ever meet non-IT person(or most of the IT people). To use e2ee means you need to keep your private key close and safe. 99.999% people can’t do that. So when they lost their key their conversation history is gone and it’s your fault not theirs.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          Signal does this by having your data be unencrypted at rest on your device, and I think that’s a reasonable tradeoff because it protects the most import part: data in transit. Or you can be like Matrix and require/strongly encourage setting up multiple clients so you always have a fallback (e.g. desktop and phone). There are reasonable technical solutions to the problem of making an E2EE chat system.

      • GBU_28@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        2
        ·
        2 months ago

        As I understand it, public groups use server side encryption (so not robust), but private chats use e2e encryption that is client side. (More robust)

      • woelkchen@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        4
        ·
        2 months ago

        That’s my day job and I’m good at it. People understand when I explain three clicks.

        • Saik0@lemmy.saik0.com
          link
          fedilink
          English
          arrow-up
          13
          arrow-down
          1
          ·
          2 months ago

          People understand when I explain three clicks.

          This is the problem. You have to explain it. Feel like talking to several million people to get them to use it?

          • woelkchen@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            1
            ·
            2 months ago

            Feel like talking to several million people to get them to use it?

            I already made a one-line excessive tutorial in another comment. Feel free to link it.

            • pressanykeynow@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              2
              ·
              2 months ago

              Maybe when you share it, and explain, and be ready to support the millions of users, then we’ll have e2ee. But even then we probably won’t.

              • woelkchen@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                arrow-down
                2
                ·
                2 months ago

                Maybe when you share it

                I already did.

                and explain

                I already did.

                and be ready to support the millions of users

                Of course. As I already explained, this sort of thing is my job. Millions of people signing support contracts with me: Awesome! I’ll be creating so many jobs. Happy to expand into enterprise communication by offering Teamgram hosting services.

                • pressanykeynow@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  edit-2
                  2 months ago

                  My comment was a sarcastic remark how hard it is to explain to millions of people how not to lose their data when they use e2ee.

                  If you are in the process of doing it - good job. But right now all out e2ee is for the enthusiasts only.

    • quaff@lemmy.ca
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      4
      ·
      2 months ago

      It’s three clicks. And it opens a separate chat from the existing one. It’s obscure enough that you could say the UX deprioritizes (which at best is not an actively malicious design choice) usage of end-to-end encryption.

      • rottingleaf@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        2 months ago

        Anything harder than usual in the same application means it won’t usually be used.

        And encryption is about collective immunity. So everything should be encrypted.

      • woelkchen@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        14
        ·
        2 months ago

        It’s three clicks.

        So it’s only three clicks, ergo easy.

        And it opens a separate chat from the existing one.

        I don’t see the problem. The secret one has the lock icon to clearly mark it. There’s no way one would accidentally pick the wrong chat. Delete the old, unencrypted one to be sure.

        It’s obscure enough that you could say the UX deprioritizes (which at best is not an actively malicious design choice) usage of end-to-end encryption.

        I agreed in another comment that there should be an “encrypted by default” option somewhere. I’m not claiming that it’s perfect but the claim in the blog that it’s super complicated is just not true. At least calls are P2P-encrypted by default.

        • quaff@lemmy.ca
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          2
          ·
          2 months ago

          Ah good point, gotta delete the old unencrypted chat too to avoid confusion. That’s definitely more than just 3 clicks.

          • PhreakyByNature@feddit.uk
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            3
            ·
            2 months ago

            Yeah I mean if you started one. If you went in with a secret chat in the first place then it wouldn’t be an issue. And so it’s one extra click vs. starting a normal chat. I hope it hasn’t inconvenienced you more than it’s taken for all these replies.

        • quaff@lemmy.ca
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          2 months ago

          If you’re talking to 30 people, it’s 90 clicks. It might be 3 clicks if you know where to look, but end of the day, even if you know where to find it, that’s still that many clicks times how many people you chat with. It’s not ideal. I wouldn’t say it’s complicated sure, but it’s not easy.

          • woelkchen@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            4
            ·
            2 months ago

            If you’re talking to 30 people, it’s 90 clicks.

            Uh, so? A “compose message” button is the approach many communication apps use, including e-mail. Don’t get me started how many clicks it is to GPG-encrypt e-mails…

            It’s not ideal.

            I don’t know how many times I have to repeat myself that I agree on that part. You act as I would disagree. I don’t. It could be better but it’s also not a complicated nightmare as the blog author makes it out to be.

            • quaff@lemmy.ca
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              2
              ·
              2 months ago

              Right. But it’s also not exactly “easy” which is what you’re saying it is.

              If easy was a sliding scale. Easy would be enabled by default. Hard would be making it obscure and hard to find. I would say it’s definitely closer to the harder to find side. But that’s just me. But 3 clicks, and having to switch chats and maybe delete the old one to avoid confusion, none of that is easy.

              • woelkchen@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                arrow-down
                3
                ·
                2 months ago

                Right. But it’s also not exactly “easy” which is what you’re saying it is.

                I said it’s as easy as tapping the compose button and selecting secret chat. I nowhere claimed that it’s easier than that but it’s also not more complicated than that.

                • quaff@lemmy.ca
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  arrow-down
                  4
                  ·
                  2 months ago

                  It’s 100% not just two clicks. You make it sound easier than it really is. But there’s no way for a new or infrequent user to know where it is unless they explore a bit or even knew to look for it. It’s hidden away behind a hamburger menu.

                  • woelkchen@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    arrow-down
                    2
                    ·
                    edit-2
                    2 months ago

                    You make it sound easier than it really is.

                    No, I gave a detailed tutorial how to initiate a secret chat and then explained that the procedure has to be done only once per contact. It’s exactly as easy or complicated as I explained. Not more, not less.

                    It’s hidden away behind a hamburger menu.

                    No, it’s not. Tap the pencil in the bottom right corner. That’s how I explained it and that’s how it’s done. Hamburger menu is an additional way but the compose button is the pencil in the bottom right corner.

    • Kekzkrieger@feddit.org
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      2 months ago

      Why would it even be an option to have a non-encryted chat if the app can do encrypted?

      • John Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        10
        ·
        2 months ago

        Telegram isn’t made to be a full E2EE messenger. They have things like public channels which you can’t do with E2EE. What kind of idiots thought that Telegram was intended to be a fully E2EE messenger? People use it cause it is native and good for its purposes. It has secret chats if you need them at times. Why all the hate from the Signal CIA fanbois?

        • tapo@lemmy.zip
          link
          fedilink
          English
          arrow-up
          5
          ·
          2 months ago

          The author makes the point that Telegram advertises itself as secure, but isn’t except a hidden out of the way option that almost nobody will use.

          The truth of the matter is Telegram has the full plaintext content of almost every message posted on that site.

          • Petter1@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            Yummy data for telegram AI

            It sells you drugs and warns you from masks and vaccines

        • Kekzkrieger@feddit.org
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          so make 1to1 conversation e2ee by default, what would be the downsite? Only one i can think of is they want to snoop in peoples convos.

          im fine with public channels not being encrypted, thats fair.

    • rottingleaf@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      Encryption is part of defense strategy, otherwise it’s like a steel door in a house with wall panels made of paper.

      That strategy involves all communications being encrypted. Otherwise rubber hose cryptanalysis becomes practical.