Conversation

  1. @nicolasmaia One pseudo-secure proprietary phone-requiring step? Pff.

    Wednesday, 16-Dec-15 12:34:45 UTC from loadaverage.org
    1. @xrevan86 What's "Pseudo-Secure" about end-to-end encryption and publicly available source code? I would have thought that was the actual optimum way to do it?

      Wednesday, 16-Dec-15 12:43:04 UTC from web
      1. @ceruleanspark As far as I know, Telegram doesn't even authenticate exchanged public keys, meaning those can be MITM'd by Telegram servers.
        Telegram servers are centralised and proprietary, it's as FOSS as ICQ + Pidgin.

        Wednesday, 16-Dec-15 14:43:20 UTC from loadaverage.org
        1. @xrevan86 Aren't the clients the ones doing the key verification? If the central servers were doing it, wouldn't it not be e2e anymore?

          Wednesday, 16-Dec-15 14:54:16 UTC from web
          1. @ceruleanspark Thing is that keys are received by clients through Telegram and then trusted completely.

            Wednesday, 16-Dec-15 15:47:32 UTC from loadaverage.org
            1. @xrevan86 The endpoints generate a QR-code-like image, which represents the key. You're supposed to compare the two images and verify that they're the same on both devices yourself.

              Wednesday, 16-Dec-15 15:54:38 UTC from web