By building a phenomenal chat app and gradually (deliberately) building features around it to create a complete WeChat-like ecosystem, Telegram will probably improve people's uptake of chat-centric utilities in the markets they're targeting.
I think the fundamental component to their success is just how snappy and 'live' their chat conversations feel. Everything including their backend perf, chat bubble animations, etc seems to be finely tuned to make conversations feel alive and active.
Woah, that's some lazy code in ChatActivity.java. Functions with 30+ conditionals depending on tons of external state. That must be a nightmare to debug and impossible to test.
I've seen some huge Android Java functions where everything gets stuffed into the Fragment creation/update/etc API functions... but this one just stuffed everything in them.
It's just asking for bugs and security issues.
Edit: the commit history all comes from the same developer, each titled with a generic "Bug fixes" commit and no description of the changes. Seems like a single guy is just cowboying the whole App, it's not a team project at Telegram. Which explains the above... https://github.com/DrKLO/Telegram/commits/master/TMessagesPr...
That's the reason they are working on the next-gen mobile client now, code-named Telegram X [1] [2]. In my tests it appears to be faster and lighter, I can't speak for the code though as it hasn't been released yet.
It is super performant and stable though. I'm often surprised how easily it works through a shaky slow connection while others end up in an endless loading icon.
I don't use WhatsApp. I use Telegram almost always and am impressed with the speed of development and introduction of new features. In my limited trials with Wire and Signal, Telegram just blows them out of the water in features, reliability and speed. I know the background about its crypto being criticized, but until other apps catch up, I can't move to them. I've already spent a lot of capital to push a few people to use Telegram and haven't regretted that move from a user experience point of view.
On topic, I don't like these third party login systems much. Yes, they could provide better security compared to what smaller websites with less competent teams could, but associating a login with a provider also means I'm putting more eggs in one basket, so to speak. I also don't like the privacy implications, regardless of what Telegram states. It's sad that Mozilla Persona didn't take off and was shelved. It seemed like the best solution for this requirement.
In my case, these are some of them:
1. Many utility bots (including those admin bots to manage large groups if you have groups). Some examples of these bots are @gif, @imdb, @bing, etc. to instantly share gifs, movie ratings and images respectively.
2. No sharing of phone numbers with unknown people. Username handles will help to connect with anyone. Can chat with any of the members in the group (among 100000 people) without fearing loss of your number unless you choose to share.
3. Can download movies, songs, and videos from different channels and groups where they are shared. There are bots which can aggregate the search results from many channels to get them at one place.
4. I get those Hacker News posts which get more than 100 points in a channel.
5. Feed reader bots which get me feeds from my favourite websites.
6. Unlimited cloud storage. You could save movies, songs, PDFs, apps or anything you want there unless they don't exceed 1.5 GB size per file.
7. Global search among the chats you have including groups, bots, channels and personal chats.
8. There are many niche groups or channels. Like programming, web development, crypto, reddit, regional, and not to mention porn too.
But comparing to e.g. Line or WeChat maybe the entire social & stickers & attending services thing. Signal is a pretty bare-bones chat client, and WhatsApp only slightly less so.
I personally love their bot API and the option to create custom stickers.
Although not "features", having an open API for writing clients for whatever platform I choose and the fact that their official clients are open source are also a big plus.
@daredevil_kohai has already mentioned several. What I most like about Telegram, though it does require a phone number to get started, is that it allows messaging anyone else without revealing one's phone number with the use of usernames. For me my phone number is a precious piece of information that I guard (despite the fact that I still get spam SMS and such) because it's increasingly used in many contexts as a unique person identifier for behavior profiling and surveillance (which I'm against). With Telegram, I do have to trust the platform on not leaking my number, but that's the extent of my worry.
Wire went two steps further and allows a) signing up with email addresses (without revealing phone number to Wire) and more recently b) multiple accounts for a person. Telegram has just started catching up on multiple accounts, but is still tied to a phone number.
A minor feature in Telegram that I use a lot is to edit my messages after sending them. No more re-typing messages with corrected typos prefixed with an asterisk. This either doesn't exist or came much later in other platforms I've listed in my comment (including WhatsApp).
This is anecdotal, sharing photos in Telegram means it gets through with the same resolution instead of being re-compressed and losing detail. I've heard from some others that re-compression happens on other platforms, but I don't recall on which ones right now.
Speed of message delivery, which is the most basic thing for any messaging platform. While Telegram has slowed down over time (it used to be almost instantaneous a few years ago), it still seems faster than the other platforms. This may just be my experience, since there are multiple factors that affect this.
Multi-platform and multi-device support with synced conversations across all of them. Telegram did it this way from the beginning. Wire is also similar, and better, since it has end-to-end encryption as well (but it doesn't store all conversations forever, and so newer devices will start with the most recent messages). Signal is way too behind in this department, and doesn't even allow carrying over received messages from one phone to a newer phone (this is true in iOS, and on Android it involves some work by the user). Signal actively prevents data from being backed up from the device!
Telegram's search, both within conversations and across conversations, is very fast and reliable.
Telegram allows chatting with oneself, which was renamed to Saved Messages a little while ago. I use it as a bookmarking feature to store interesting information. Combined with great search, it becomes a reference repository.
I'm sure I'm forgetting some other stuff, but the overall user experience is much better, right from application startup.
Seriously, I can't sell this to others. Getting people to use another platform is extremely difficult due to network effects and laziness. As I said above, I spent a lot of my personal capital to move some people to Telegram and they haven't regretted it because of the features (which I also tell them about). Without richer features and without large marketing and advertising budgets, any of these will only be niche platforms.
I'm still waiting for Signal to come closer to being relevant, as per my expectations, before moving to it and pushing some others to move to it. But every time I look at a new release and compare, Telegram still seems about a year or more ahead.
But doesn't this mean you're really logging in with your phone?
It's 2018. Why are we still trusting the phone network for anything related to authentication? Surely companies like Telegram can't use the excuse that they didn't know how horribly insecure SMS and the phone network in general is, no?
I don't know how Telegram does it, but it keeps picking the wrong security options. It's like a gift they have.
No, in Telegram the phone number is used only as a sort of username. You can log in to Telegram just with a password and the 2FA token gets to you inside the app itself. Not SMS.
A majority of banking, at least in Europe, depends on SMS as authentication. As well as most other 2FA services depend on it as last resort fallback.
It's 2018 but this problem is far from solved.
(there is a lengthy rant about that somewhere in my post history)
I think the main motivation is making it harder to create (many) fake accounts. A phone number is probably the best trade-off between usability and verifiability.
All of your data? At best, they know the URL of any pages where this widget is visible. Not all websites, and not even a large subset of that site's pages.
This isn't like a Facebook share widget, which is usually so ubiquitous, they really can know all the sites you visit.
That's how every now-ubiquitous thing starts. It used to be other things. Most of them are gone now. Something will take the place of the Twitter and Facebook buttons some day.
While this is very clever, I'm not a fan of the implementation. I wish there was a documented OAuth2 option and not just an iframe and some script. Script seems innocuous but I'm not a fan of having the iframe on my page, and it's hard to control the style. Obviously we can reverse engineer this a bit but I would prefer to just have a more robust API w/ proper docs.
Or in other words: We are ready to sell your private data now. Because that's what actually happens when you login to another website via Telegram login.
> First, it's you who decide to use telegram to login to a website (as you would login with Facebook / google).
Yes, this is implicit in what the parent is saying. The point is, your data can be shared if you volunteer it by using this feature.
> Secondly, you see what information will be shared with the website.
At a minimum, you are sharing the fact that your identity logged into the application. A profile of logins associated with your identity can be built, and a profile of how many Telegram users logged into a particular website can also be built. Both (and particularly the latter) are valuable.
> Lastly, there is no money involved. It's totally free to use.
This has nothing to do with whether or not your data is actually shared or sold with third parties.
I'm not necessarily agreeing with the parent that Telegram is going to start selling user data, but your arguments here do nothing to diminish the fact that they could do so en masse. A graph of your logins should probably be considered "private data."
Telegram's security is a joke. They show the first and last letter of your password and the length (the number of asterisks they put in the middle changes) when you sign in. Next to some pretty bad implications (do they store the password in cleartext or just the length and two letters?), that password is down to about 1/5 of its original entropy. Told them a year ago, they don't seem to care.
EDIT: Yes, Telegram uses passwords if you enable them. This is what the questionable query looks like: https://i.imgur.com/BAnddlg.png
They do? On which login do they show that information? I've only seen the kind-of two-factor one where you have to enter a code sent in a text message or with a telegram message to a different device.
Are there known vulnerabilities or do you mean the missing audits and security through obscurity approach? Because bogus in this context is a very strong word.
> It is a car with seatbelts that don’t work; a car without any seatbelts is better.
This is a wrong comparison.
Furthermore:
As an early enthusiastic WhatsApp user I'd love to use WhatsApp if it had continued developing into what Telegram is now instead of selling out and starting to feed data to Facebook.
Right now
- one side has sketchy crypto (according to world-leading cryptographers AFAIK) and correct incentives
while the other side has
-- good crypto,
-- incentives stacked towards tracking me (contrary to their previous promises)
-- and a track record of doing exactly that
I don't think it is an obvious choice without trade-offs either way.
But it's not like "just use WhatsApp" is an obvious alternative.
(Signal seems to be a completely different story but most of my contacts don't use it.)
However they are not subject to national security letters. You can have all the best crypto in the world but if the vendor is forced to catch keystrokes by a government it won't help you.
By law, NSLs can request only non-content information, for example, transactional records and phone numbers dialed, but never the content of telephone calls or e-mails.
As a theoretical matter, it's not even close; WhatsApp's Signal Protocol is literally decades more sophisticated than Telegram's, which traces back to just after the phlogiston era of cryptography. No practicing cryptographer or crypto engineer would ever select Telegram's protocol over WhatsApp's.
As a practical matter, it's even starker. WhatsApp messages are end-to-end encrypted by default, forward secure so that losing your phone doesn't let adversaries retroactively decrypt sniffed messages, and, most importantly, encrypted for groups.
Telegram's messages are plaintext by default --- you have to opt conversations in to encryption! --- and don't encrypt group messages at all. Telegram plays a sneaky game where they tell users that all messages are encrypted because they use TLS. But, of course, so was AOL Instant Messenger.
>should be continually and consistently discouraged
If you need top security - maybe. If you need features - not. I'd consider using something else if other apps have same features or similar features done better.
It’s marketed as a secure messenger. People using it casually for non-secure things may be misled to believe by their marketing communications that it’s safe to use, when it isn’t. Its use should be discouraged in all cases as a result.
And it absolutely is, from a 2-minute look at their code:
- their chat activity is 12000 lines of code: https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...
- it looks like they have copy-pasted tons of Android libraries like ExoPlayer directly in their repo
It does work very well though!
I guess that they have an extremely small team (or just one person) and it is their first Android project.
It looks like they have acqui-hired a competing chat client (Telegram X), so it looks like they have a solution to clean this mess.
[1] https://itunes.apple.com/us/app/telegram-x/id898228810?mt=8
[2] https://play.google.com/store/apps/details?id=org.thunderdog...
https://keybase.io/blog/keybase-chat
When you say features, which ones do you mean? Do you mean the user interface?
Security with fewer features is still useful; features without security are unusable.
It then calculates a second number that you send back to the bank. No SMS at all!
Why would you think I'd have to use Allo and G+?
First, it's you who decide to use telegram to login to a website (as you would login with Facebook / google).
Secondly, you see what information will be shared with the website.
Lastly, there is no money involved. It's totally free to use.
https://i.imgur.com/BAnddlg.png
I counted the asterisks, they do in fact reveal the length of the password.
https://telegram.wiki/desktop/tdesktoppasscode
It is a car with seatbelts that don’t work; a car without any seatbelts is better.
All of the peer review by qualified professionals has been negative. Don’t take my word for it, go look it up.
https://fas.org/sgp/crs/intel/RL33332.pdf
NSLs don't break well-designed and well-implemented E2E encryption. They can obtain metadata, which can still be harmful, but that's it.
If you want metadata on Telegram users, just hack Telegram's ISP. If the NSA hasn't already done so, I'd be surprised.