So I did my review a few days ago of the Signal messaging app, and a lot of people had asked me about Telegram, and I said I don't use Telegram and I do not plan on using Telegram. And I know Telegram is a very popular app, but I wanted to discuss some of the reasons not to use it. And of course the news today, in April of 2018, here is "Russian court to hear request to block Telegram," and it's very likely this will go through. I haven't heard the absolute latest on this, I know, because it's in process in the Russian court system. They're gonna block Telegram, and let's talk about what that means, because Telegram won't surrender the keys. And we're talking about what that means because if you're using an encryption tool, why would there be any reason for them to surrender any data? Well, that's where we're gonna start.

So, comparing Telegram and Signal: I'm talking about app functionality, I'm talking about, like, how it works on the back end, functionality. So we're not gonna talk about what it looks like; that doesn't matter to me. I care more about the security of these devices and how they do their encryption.

So out of the box Telegram suffers from the tyranny of the default, as I love the phrase, which means by default it does not encrypt the messages to a secret server. Now, it does it through Telegram's secret server, which means they have the ability to see messages. They then have an option where you can turn on encryption between you and the person you're having a conversation with, so as it passes through Telegram servers, it's encrypted. That is where the flaw lies, because as we know, although you can use Telegram for secure encryption, most people do not. So that's part one of the problem.

Part two of the problem is the protocol Telegram uses. So they developed their own protocol for it. So that also brings in a lot of questions, when people decide to start building their own protocols.
They become very hard to vet because they built them on non-standard functions. Now, this person who made the program may be an absolutely genius person, and they do have a bug bounty for someone who wants to try it, but yeah, basically the problem is when you do that, and I'll even quote what Moxie Marlinspike said: security researcher Moxie Marlinspike commented on Hacker News and criticized the first contest as being rigged or framed in Telegram's favor, and said that Telegram's statements on the value of these contests as proof of the cryptography are misleading.

So, in short, they have a weird protocol that's really hard to decipher. Security through obscurity is always a bad idea. And I know it's been slightly looked at by someone a while ago, like Matthew Green. He's a cryptographer, if you're not sure, very well vetted, very well-respected researcher, and, oh boy, doesn't Telegram encryption suck. Seriously, people, don't use this. Except it's there, and there's a discussion on there, because it's a custom crypto protocol. So there's that issue there. And I kind of like Bruce Schneier's take on it: don't use Telegram. In the same thing.
He's looked at it too and says it's hard to make heads or tails of it. So just because it works doesn't mean it's vetted; just because it hasn't been hacked doesn't mean it won't be. So there's some security concerns that a lot of people have.

Now, of course, the other problem is the fact that it can be blocked. That is the final problem with Telegram, and that's because the methodology that was used in implementation of the protocol requires it to land on Telegram servers. So if it lands on their servers, now you have the problem of they can intercept. Don't necessarily intercept, because it's encrypted, provided you turned on the encryption as opposed to using the default, but they can say, "I'm blocking Telegram."

What they did at Signal to get around this, and one of the things that made Signal very popular, is they do what they call cloud fronting. Now, they also offer workarounds for this, and both of these are open source, and Signal's very open source in terms of you can even roll your own and build this. They also use very standardized protocols for the encryption, so it's easy to decipher, because knowing the protocol does not make something insecure. If it does, the protocol is not secure, and that's a different topic. They're using forward secrecy and AES-256; they have a series of HMAC-SHA256 encryption, so they're using all standardized protocols. They call it the Double Ratchet Algorithm, by combining all these together. Very well documented. This has been vetted by other people because it's very clean and easy to read, and they have not just this Wikipedia page; you can also go to Signal's page itself and understand how that works.

So it's also, because of the well-documented nature of it, other people, and we'll go to the blog post here. In the Signal Foundation, by the way, they're also not a company.
They're a foundation. So they're not a for-profit; Signal's free and it relies on donations. But other places are starting to use Signal. Like, for example, Skype and, I believe, Facebook have both decided to adopt the Signal protocol. Now, that they've adopted the protocol because it's open source and they're using it does not make Signal interoperable with Facebook Messenger, because there is sometimes some confusion that comes in there. They're just saying that they've decided that this is the protocol that they're going to use, and because Signal's open source, they're just saying this is the open source protocol we're going to use for encryption. Do I trust Facebook to encrypt anything? Hell no. So, cool that they're using it. I'm going to stick with, when I want to send messages, using Signal. So it is fundamentally different; these are two different things.

And the cloud fronting is that final piece of that pie. What cloud fronting is, to explain it, is they rely on Google to essentially proxy the data. So you hit Google and then it goes to the Signal servers in there. Now, it's encrypted before it gets to Google, so Google does get your IP address, but if you're on an Android phone, they kind of do anyways, so there's that. So Google does get to see the IP address, which means you're collecting some metadata, but they do not get to see the contents of the message.

Now, this is also where it becomes a very safe protocol to use in places, oh, let's say, like Russia, because the only way to block Signal is to block Google. So China has gone about this, and they're, you know, striving for being able to see everything and spy on people, and so are several other countries. They have to make that hard decision. China's big enough and has other services, so they could block Google and provide you with something else that's not Google. But it's really hard in some of the countries that don't have an alternative to Google for people to go to. Google becomes this go-to behemoth service,
and so you can't just switch off Google. And you're probably saying, well, can't they just detect the Signal protocol? The way it works, it goes to the Google servers, and I believe it's all encapsulated in what looks like standard SSL-type traffic. Therefore, there's no easy distinction. You can't say this is that, because it's all encrypted.

So I just want to bring up some of those distinctions of Signal versus Telegram and why I still choose Signal for secure messaging. I know there's someone can see it. But yeah, but you're using an Android phone or an Apple phone or whatever you're using to run this on, or even your computer. At some point, do you grind the sand and build your own silicon? There comes a level where you do have to decide what devices you trust or what devices you do not trust. That's always going to be a push-pull, back and forth, but at least with the Signal protocol and everything, it's well documented. As much as they can put out in the open is out in the open, which is the full thing. It's open source. It's on GitHub. You can compile it yourself, you can write your own APKs, and if you don't want to use Google cloud front, it does have an option to use with a virtues web socketing. So you can use it, or if you just say I'm going to roll my own, there's ways you can roll your own and base it off the same protocol. So you don't have to do that, and then you can even grind your own silicon to make your own computer, so you don't have to have any mistrust in any path, building your secure foundation for things.

But I still endorse Signal here in 2018 as an excellent, solid platform for security and privacy in terms of messaging. I've been using it for a while. It's a great one.
I did a review of it. Telegram, this is going to be, we're going to see Telegram is not really at fault, so to speak, but we're going to see more of these countries going for things that can be blocked, such as Telegram, such as WhatsApp. We've seen them blocking WhatsApp in places. So some of these, these are just global problems we're going to keep seeing, as some authoritarian governments want to see everything. That's going to be a concern. Your privacy should be your own, and we're, you know, dealing with that here in 2018. I'm sure we'll be dealing with that a lot in the future. So try Signal, see if that works for you. It's a great protocol and it's harder to block, and this is kind of why I don't do Telegram. So no need to keep asking me for a Telegram review. Thanks. If you like the content here, like and subscribe.