My family insist on using Whatsapp for the family chats. I have to keep a copy on a device just so I can communicate with them. I do so under protest, as I was always told it isn't secure. My brother has just said
"oh Whatsapp is encrypted, it's perfectly secure".
First, is it actually as encrypted and safe as my brother claims? That would solve everything.
Second, if it isn't, where can I get some proof that we should switch to Telegram or whatever? Proof which doesn't make me look like a raving loony?
for clarity, i think that the worst thing anyone’s been able to decisively prove about telegrams encryption is that it’s vulnerable to replay attacks… which in the context of privacy rather than full security isn’t suuuuper problematic
that’s not to say that there aren’t other flaws; that’s kinda the point behind “rule number 1: DONT INVENT YOUR OWN CRYPTO”: you just don’t know what flaws there are… AES (etc) has had a LOT of eyes on it
but for the most part, the negativity with the crypto boils down to what-ifs
As I see it, the key advantage of Telegram is not technical, it is political.
Yes, Telegram is a slightly shady company with an ambiguous business model and a possibly-dodgy encryption algorithm (when it is even turned on).
But Telegram is based outside the reach of the West (in UAE, eastern Europe, maybe even Russia). Whatever its other problems, nobody thinks that Telegram is under the thumb of Western governments, as the Big Tech corporate messengers almost certainly are.
Personally I don't care much if Russia or even China is spying on me. Because if we can be certain of anything in this world, it's that Russia and China are not sharing their spyware data with Western intelligence agencies. And as Westerners we live outside the reach of the Russian and Chinese police states, fortunately. So for us it's win-win for privacy. That's the way I see it.
The ideal solution, of course, is a truly private messenger which protects everyone's privacy, including Chinese and Russians.
Telegram’s servers are located in US, Singapore, Netherlands (and maybe some other countries) from what I’ve gathered. And all chats that are not E2EE’ed are stored there, encrypted at rest at best with keys in the same database, or somewhere else that can still be accessed in automated way. Maybe it is not even encrypted at rest.
The point is, all those countries are either in 5 eyes or have information sharing agreements with 5 eyes countries. So as far as I’m concerned, TLAs can still have their fingers in those pies, in addition to Telegram’s overall shadiness and Russian ties. So maybe you get KGB strongman keeping a watch over your chats too.
This is not something I’d have much confidence in to be honest.
For the average Westerner, the threat from shady Russian agents seems orders of magnitude less serious than that from their own governments and police forces.
For EE2E, the corporate spyware messengers are asking us to take their word for it. Hard.
About the server locations, that's interesting and does indeed undermine my argument a bit.