The founder of Telegram has just put this in his public Telegram channel - https://t.me/durov:
"For the last 24 hours Telegram has been under a ban by internet providers in Russia. The reason was our refusal to provide encryption keys to Russian security agencies. For us, this was an easy decision. We promised our users 100% privacy and would rather cease to exist than violate this promise.
Despite the ban, we haven’t seen a significant drop in user engagement so far, since Russians tend to bypass the ban with VPNs and proxies. We also have been relying on third-party cloud services to remain partly available for the rest of our users.
Thank you for your support and loyalty, Russian users of Telegram. Thank you, Apple, Google, Amazon, Microsoft – for not taking part in political censorship.
Russia accounts for ~7% of the Telegram user base, and even if we lose that entire market, Telegram’s organic growth in other regions will compensate for this loss within a couple of months. However, it is personally important for me to make sure we do everything we can for our Russian users.
To support internet freedoms in Russia and elsewhere I started giving out bitcoin grants to individuals and companies who run socks5 proxies and VPN. I am happy to donate millions of dollars this year to this cause, and hope that other people will follow. I called this Digital Resistance – a decentralized movement standing for digital freedoms and progress globally."
A few months ago I read an article about Telegram and their related companies and individuals. [1]
The article read like a mix between a nerdy James Bond story, a bad Law and Order episode, a Mexican soap opera and a Russian episode of Cribs.
It was written by an ex-employee so I took it with a grain of salt.
Nevertheless, the article brings up a lot of red flags and shady behavior. Combined with their (alleged) connection with the Russian government, roll-your-own-crypto and the recent >billion dollar ICO it doesn't really make me all that willing to use Telegram any time soon.
This reads like FUD, there are reasons for and against telegram and I won't get into them here. But truth is often stranger than fiction[0] and there are actors with something to gain from making telegram look poor.
To your last bullet point, these seem like a good reasons to me. This does not seem to have happened with the iOS version.
>However, the sheer volume of legacy issues, combined with submissions that completely ignore the provided issue template, has created a situation where there are currently more than 1,100 open tickets. Most of these issues have been inactive for several years and they reference versions of Signal that are no longer available. Many open issues are essentially ad-hoc discussion threads or feature requests that are a better fit for the community forum. Perhaps most importantly, many of these issues lack debug logs, descriptions, and the steps that would be necessary to understand and reproduce the reported behavior.
What do tests and CI have to do with the usability and usefulness of a program? I agree that the other issues could be worrying, but those first two throw me for a loop.
Tests and CI help you make sure that functionality actually works, that buttons you press have the desired effect, and that if I as a contributor ship you a pull request for a UX/feature improvement, both your and me can check that it doesn't break anything before merging.
The grandparent poster also wrote about security/privacy, for which I think tests are pretty important.
Finally, having CI would allow the developers/contributors with limited time to spend more time on usability and usefulness instead of on issues like "master doesn't build, anybody else have this problem?" (when I wanted to PR something to Signal, master did not build).
This is still looking at it from a developer's or contributor's point of view. Developer velocity has no practical impact on the user experience. In a way, the constant addition of features or tweaks to the user experience is a net negative, since the user has to re-learn how to do things in the app.
This also makes the assumption that since there are few automated tests, that there are no tests done on a build at all. I disagree that it is a valid assumption. Most security vulnerabilities are not found by unit or functional tests, but instead by linting and code reviews.
> Developer velocity has no practical impact on the user experience.
This may be true in a megacorp. I doubt it's true in a project like Signal where resources are limited and a few developers are the single bottleneck for everything, UX or otherwise.
All those issues were closed, as it is explained in your link, because they lacked debug logs/steps to reproduce the problem/etc. It's not feasible to dedicate enormous amounts of resources to try to address those issues. You're welcome to re-open them, properly this time, if you want.
That is wrong, they closed issues indiscriminately.
Oh, and they will keep doing so: "Legacy issues that are more than one month old will be closed by an automated process as part of this cleanup effort."
That is wrong. If you read the thread, you would immediately see that, as I give examples there of how issues that were in the middle of being tested by users were closed, and that were acknowledged as real issues by the developers days before.
I'm running this on my own server (using ejabberd [1] as Prosody - which I used previously - still has problems with some of the required XEPs[2]) using several different clients (Conversations [3] on Android, Pidgin on Linux, etc).
The one weak link in OMEMO is the difficulty of verifying the authenticity of the device key signatures used by communication counterparts. These signatures are 64-character hexadecimal strings which the user is supposed to verify being authentic before initiating encrypted communications. Humans as not very good at this task, computer can help but they can also be tampered with. There are ways around this problem - e.g. meeting up in person before initiating communications (viz. PGP key signing parties), sending Q-codes off-line, using algorithms to turn those numbers into things which humans are better at recognising (e.g. the coloured emoji used by Telegram etc.). Encrypted group chat only works if all participants have all other participants in their address lists. Then again, it does work and it is fully standardised with several compatible implementations.
That would work for graphical clients but not so much for textual versions. Some type of ASCII-art might serve the purpose but whatever solution is chosen it will be hard to visualise the entropy of a 64-digit hex string in such a way as to distinguish it from the same string with 1 bit flipped.
(not just individual people obsessed with privacy, the large numbers of people who can see the advantage of privacy but may not invest a lot of effort to achieve it)
Yes, it is obfuscated, the pairing of real person and random id would be much more work, than pairing phone number with real person, and you can throw away and generate as many as you want, whenever you want - unlike your phone number.
Still beats using your phone number for chats, or your SSN in place of bitcoin wallet.
Honestly, I'd say it's much worse than using your phone number or SSN. Sure, an SSN makes it easier to tie an identity to a person, but it doesn't instill a false sense of anonymity in the user.
Again, for the practical example, people bought and sold bitcoins with the broad assumption that it was anonymous. It's a widely understood falsehood, yet new people almost universally believed it was anonymous and safe from law enforcement/the tax man.
Pretending that a random yet static ID adds any level of anonymity is simply dangerous. At best, it keeps honest people honest; like locking your door but not the bay window next to it.
Why block Telegram and not .. all the others? Whatsapp, Signal, Viber, ... Are they objecting to the use of encryption? Because everyone uses encryption almost all the time for everything everywhere. The cat has been well and truly released from that bag. Are they just going to turn off the internet altogether?
Telegram is not the most popular messenger in Russia. It's not even in top-3 as far as I remember. But it is widely used by people who tend to be opposite to the current government (young professionals). Also, there are a lot of anonymous Telegram channels curated by the opposition.
Telegram was reported by one of three russian cellular network companies as 2nd after Viber by number of clients (both each day and simultanious peak) nearly a week prior to blocking.
Not only Telegram still working here, but it was a great experience yesterday.
Imagine the following: a manager in a supermarket explaining how to setup a proxy to a customer so that she (a woman in her 60s) could use their bot again.
Or a woman with a kid who is asking what the are going to do: "It's okay, we'll ask dad and he's going to do proxy-something".
Similar things long going on in Crimea for the same reasons established by the other side (whatsapp and viber are blocked by whatsapp and viber owners correspondingly). When I was there, everyone seemed to have a vpn on their phones and getting it installed was none of a problem.
Smarter people are better!
Russians do make up a huge list of telegrams overall userbase. But most importantly, whatsapp and viber are end to end encrypted. Whatsapp uses signal. Viber uses a signal inspired encryption format. The common ground between both is that every single message is encrypted using a different secret key that is deleted after the message is received and decrypted on the device. Whatsapp and Viber have no way to give chat details even if they wanted to. Provided that they follow the protocol, and all accounts seem to point to the fact they do, then there is no backdoor or secret key they can give to any government.
Telegram in contrast uses a set of master keys to encrypt the conversations using RSA and aes256 as they travel through the servers. The keys are split across multiple servers residing in multiple jurisdictions so that legally, a government would have to seek permission to obtain each part of the key from a separate state.
Basically, this means that at the end of the day, if telegram ever forgoes its integrity (based off its public statements), every message will suddenly become decryptable.
That last point is what seems to really make telegram worth targeting.
For unknown reason user verification (for secret chats) is awful and almost useless in practice. Telegram itself reimplemented this specific bit much much better - for video chats
Not yet. Moreover, the head of russian regulatory says this year Facebook probably might be blocked as well if they will not receive all data they need.
That's what's going to happen. Various localities will shut off encrypted passageways altogether because they control the pipes. They will create a corporate-like intranet where they monitor everything.
they know how bad an open internet can hurt them because they do it themselves to other countries. can't blame them that they don't want to be on the receiving end of the weapon they created.
It's just that Telegram is the most used one in Russia so they proceed by targeting this one first but don't worry they will target the other ones after.
Just one remark: Viber/WhatsApp client's code is closed, where is the guarantee that they do not have some "backdoor" to the client's chat right in the application?
The FSB wants encryption keys. Telegram won't share, so is blocked. Therefore, Whatsapp and Viber gave up their keys, I suppose. Or provided backdoors.
We know from Snowden leaks that Microsoft (Skype) & Facebook (WhatsApp) are already freely handing info to any government that asks. Search Wikipedia for: PRISM (surveillance program) Other programs have probably superseded it (and include Japanese ecom giant Rakuten who owns Viber), but you can be sure the user info still flows.
Telegram's independence is what separates them from other services, what allowed them to deny the demand for crypto keys, and why they were targeted.
Because the Russian government can read all non-E2EE conversations (so 99% of them) on Telegram and is hoping to drive adoption overseas with this PR stunt.
None of the other messengers you mentioned are designed to work like this (not 100% sure about Viber), the ability of operators to read most of the conversations on the platform is very much unique to Telegram.
It's really not a coincidence that the Russian government is choosing to ban the worst "encrypted messenger" on the market.
That Telegram has handed their keys to the Russian government? Difficult, but unnecessary.
That Telegram was deliberately designed in a manner which enables its owners to easily hand over the keys to the government? Easy to prove, Signal and Whatsapp do not share the same surveillance features.
I for one refuse to think that Facebook bought it for a number of billion USD and keep operating and improving it for no good reason.
We also know, based on what they had to tell EU and based on their new EULA - that they tried to introduce by default - that they wanted to harvest metadata from it.
Attacking Telegram while simultaneously praising WhatsApp seems really strange to me.
As for Signal, that's another story. They have their own issues but I personally believe it is better than both Telegram and WhatsApp.
>Attacking Telegram while simultaneously praising WhatsApp seems really strange to me.
Look at them both from a purely technical perspective.
WhatsApp has made an effort to ensure that they're limited to only monetizing the metadata of the chats, Telegram by design does not share this limitation.
Even if you don't trust Whatsapp, you know that they'd have to push a backdoored app to everyone in order to intercept your chats. Telegram is backdoored by default.
And they also ordered Apple and Google to remove the app from their stores. I understand there are workarounds, but I'd really like them to respond with "f*ck yourself". It's a shame they won't do that, though.
And here is another yet problem with walled gardens. It creates a single failure point because Apple and Google are forced to comply with local law, regardless of how absurd it is, if they want to continue doing business there.
In an open environment, you would simply change the mirror urls and run apt-get update.
I'd argue that in this case the centralization helps because blocking GCM would kill all notifications for all apps. As long as they (Russia) are not willing to do that Telegram can use this as a side-channel to update their IPs for all clients.
The other option would be for google to turn push notifications off selectively for Telegram and only in russia. Not sure if they can/will do that.
If Google will comply with an order to remove apps from the store in certain regions then they can certainly comply with orders to filter push messages destined for specific apps as well.
My problem with GCM is not the implementation on the client, but the fact that Google sees traffic. I don't want Google to see my data nor my metadata.
I always get notifications about Telegram messages on my phone at around the same time (within a second or so) as I get the notification on the web client.
Currently Telegram keep working because it's get new backend IPs constantly via Google Play / AppStore services. Since push notifications are centralized they'll stop working as soon as application removed from stores so app wouldn't be able to get lists of unbanned IPs.
Whether they respond with process and patience or not, I’m hard pressed to think of powerful states that abide “f*ck yourself” once they’ve started to think national interest/security.
It definitely change, although I can't say to which direction. He makes the system legitimate, so any successor would have either to be more open and earn some political trust in a normal process or just close the country even more (deploy martial laws, etc.)
They already blocked it once. As they normally block domain and IP, they ran into issue when owner of blocked domain set the A record to 127.0.0.1.
The same "hack" was used to block Google and other huge sites. Once they found out this "hole", they introduced a white list of resources which shouldn't be blocked.
Maybe the goal of the Russian government was to block the Amazon and Google APIs in the first place, and they used Telegram as a convenient excuse. Just a thought.
It would actually seem like an ideal way to force the adoption of native cloud service replacements (regardless of quality or competitiveness of the offering). Russia has tended to go that way with most things, whether Mail.ru, VK or Yandex. Russia has a very long history of being insular like that and the powers that have dominated Russia the last century have a vested interest in keeping it that way.
The only reason why local hosters are making money is local personal data law which restricts that PD of russian citizen should be stored inside Russia, because their prices and level of service is non-competitive to i.e. DO or OVH.
I wouldn't say the Russian government cares a lot about its main players, like Chinese do.
Actually, they've spent millions building Sputnik — a government owned search engine that nobody used.
If they were just being protectionist, I'd be able to understand them in some way. But it's deeper.
Just in case previously when same thing happened with service called Zello and back then Amazon cease to provide them service (forbid to change IPs) before actual subnets were banned. Soon we'll see how Amazon / Google will react on Kremlin bullying this time.
If they don't cancel Telegram's service, their other customers who are also being affected by the ban will flee to other services. I don't think they can sit and watch that happen.
So, Telegram is blocked. But Facebook Messenger and WhatsApp are still online. Hence, this is pushing users of a (relatively) country-neutral service, towards more American services.
I think a much simpler and more elegant answer is "they didn't think of that, they just want to block Telegram."
As someone in Russia, the block pretty much only hinders use of the legitimate services, not of Telegram. Numerous services exist to allow it to continue, and the block is a hack-job to try to prove a point.
Isn't WhatsApp supposed to be end-to-end encrypted making it next to impossible even for developers (Facebook Inc. in this case) to access the transmitted messages' content?
Wasn't it WhatsApp that sent a key back to Facebook servers? Technically it's end-to-end encrypted, but Facebook could decrypt it if they really wanted to.
As other have said, maybe the others are easier to compromise.
I would also adventure that it might have been seen as an easy target by the Russian intelligence agencies and they anticipated Telegram to secretly comply.
The first round of the fight is clearly won by telegram - roscomnadzor is perceived as a lumbering and inept gorilla whose actions harm innocent bystanders while telegram continues to work almost perfectly.
Next we will see how effective the deletion of the telegram app from the Russian app stores will be. Because of the centralized nature of the stores telegram can’t do much with it (they can try publishing clones of the client under unaffiliated entities, but apple and google can easily ban those too). Also it is rumored that the client uses push notifications to deliver proxy settings to devices and these also can be easily blocked by the store owners.
We used Telegram as the main tool for our team's communication. We all applied proxy settings but it's almost impossible to work without a VPN enabled :(.
Here is the blocked IP counter https://2018.schors.spb.ru The page is in Russian, but the graph should be clear. It's now 16M IP's!!! It causes multiple problems in various services in Russia, but Telegram is still working as is :-0)
Does this mean that Google/Amazon customers on mentioned IP addresses are inaccessible? If so, I think Google/Amazon will choose to cease the contract with Telegram.
Russia is taking a page out of the China internet playbook. Next it will build out it's own great firewall and slowly unblock services after it gain's control.
There the govt builds the controls. Here Twitter, YouTube and Facebook do. No big difference in my book. In terms of outcomes, only clowns get propped up either way.
There is no alternative to Google, Amazon, Youtube, etc. You have tiny, inferior competitors that don't even come close to 10% of the monopolist's market share. Google works very hard to trap you in their ecosystem. Once you're there, escape is almost impossible.
You're conflating legal restriction on individual behavior with market/individual-preference constraints.
"Life" in general is constrained. We are not trying to get rid of limited options (every choise is between limited options), we're trying to limit totalitarian control over individuals.
That is, behaviour which is artificially constrained by imprisonment, punishment and death for the sake of preserving tyrannical power structures.
And the end result are tyrannical power structures that de facto exert totalitarian control. There is very little difference between government-enforced restrictions and those created by global capitalism and its monopolies.
It doesn't matter to me if my rights are restricted by legal means or by corporate hegemonies, in fact the mechanisms in play are so complex nobody can really be sure anymore.
No no, people can be very very very sure. The 20th C. tried both of those experiments and in the totalitarian system 10s of millions -- at least -- died.
Having your choices restricted by social cooperation and negotiation (in a market places) is NOT the same as having them restricted by a bully with a military.
This false equivalence is a defense of genocide whether you are willing to own up to that or not.
My sympathy with state action ends however, when the leaders are murders, dictators and rutheless pilliagers of the public's wealth.
Russia's oligarchy stole Russia's wealth after the dissolution of the SU, and here you are equivocating objecting to regimes of murder and abuse with "muh food idle dont be having no choices fur me1112"£""11¬11223
The entitlement and ignorance is overwhelming. You arent owed two major search engines. "Bing" not being bigger is not the same as having to use apps which in encrypt your commnunication because you fear the police will imprison or murder you.
You are owed your political freedom. Which is de jure removed from you in Russia, and the suppression of telegram is state action to supress it further.
I sincerely ask the question: Is it possible to evaluate whether freedom has expanded since 1995? It seems like they controlled much, much more when not everyone had their Youtube channel. Now it’s possible to do your own research on, for example, real M/F wage difference, or get informed about Trump news despite MSM. Not ideal, but better than the 90’s.
This used to be a big problem for colo and decidated service providers. You get 2-3 napster/bittorrent/kazaa/... or worse, some website some law enforcement agency finds objectionable ... with users renting/paying for servers and poef entire countries and large isps block all your ranges. Happened all the time.
The sad part is that it's not just authoritarian countries that are doing this, but also the democratic ones, in a foolish effort to stop "fake news" or "terrorism propaganda".
And the "better" AI is going to get, the easier it will be for them to call for such censorship, especially when people like Zuckerberg say they can already "stop 99% of the terrorist posts automatically".
Because that's most definitely misleading and wrong, unless we can actually review what that content was. Like I bet a large portion of those posts were not posts by terrorists, but posts about terrorists. I don't think the AIs we have today can distinguish between them very well. And at least a small portion probably had very little to do with terrorism, but maybe were posts from people in the same area as some terrorists, or stuff like that.
The AI will automatically block content that nobody will ever see. And we'll only depend on people who can somehow raise awareness that their content was blocked, produce a scandal, and then get the companies to unblock it (assuming the censorship will mostly be done by private companies in democratic countries). But this is not going to be a pretty future.
> Which democratic country has blocked a major messaging app because it is used by political dissenters?
While it hasn't yet blocked it, the UK Government is certainly constantly after WhatsApp to remove the encryption (or build a backdoor) because a couple of terrorist jackoffs used it that one time (and I think they count as "political dissenters".)
Not messaging apps, but the government in Switzerland of all places recently introduced a law to block online casinos that don't operate under a Swiss license. The only reason that it hasn't gone into effect yet is because enough signatures have been collected to force a referendum.
If your government can pass laws to allow themselves to block any Internet services, it may as well go ahead pass laws to prevent people from circumventing that block.
So, the only defense you have, is to prevent your government from issuing the first law.
Until you create a true point to point channel between households without any corporate or government equipment, this is just a dream. Many people are mistaken about the internet, they think it cannot be easily filtered but this is not true at all. Every country has few major telcos that own the equipment where 100% of the internet traffic flows through. This is why banning IP ranges is super easy for them.
It won't. The antennas will be pretty big and visible, and also they will inevitably leak some RF sideways. It's easy to ban them and catch people who get them illegally.
quote from https://github.com/aspnet/Docs/issues/5832 : "That's not about the Azure's sites only. Almost each of Microsoft's sites is absolutely unusable in Russia now, like: Docs, MSDN, Visual Studio, Office, Windows, Xbox, all of them and many others are almost dead now."
Depends on the other IMs, but as far as I know, at least Signal and WhatsApp have no keys they can give the government. WhatsApp could potentially sneak a backdoor in their closed-source code, but I don't think that's something they'd have incentive enough to do.
What does that even mean? Every ISP has it's own filtering system, some (or maybe even most of them) are custom built ones. There is no such thing as single government approved DPI.
That’s right, but basically dpi sends tcp reset in case of https or 302 redirect in case of http before target server response, since it’s located nearer. There’s a tool to bypass this, so you can read more there. https://github.com/ValdikSS/GoodbyeDPI
Maybe they just don't have enough balls to go after the biggest ones (WhatsApp and Viber). Plus, other IMs don't have public channels anyone can subscribe to. IIRC that was the original problem, "extremist" channels. Why did they ask for encryption keys instead of blocking channels? Who knows lol.
Telegram still works without (manually adding) proxies :D
EC2 Ireland (at least the subnets where my servers are) also works.
Russian here. Good job Roskomnadzor. You just taught quite a few people to use VPN -- including me. And, as a side benefit, you created another image problem for Putin's regime (as if he needed any more of that).
I already had Bitlocker on all my PCs, 2FA everywhere, moved from Gmail to Fastmail, and VPN was one of the last privacy-related things I procrastinated on. Now I have VPN on all my desktops and on my phone, turned on by default. And I also switched to 1.1.1.1 for DNS.
VPN doesn't give you privacy; it only allows you to bypass blocks (and introduce yourself to blocks in other countries or services though). VPN providers can still log your every move.
The difference is, VPN providers, unlike ISPs normally don't have your home address and passport info[1]. Some don't have your name at all, unless your traffic leaks your identity - e.g. when you're paying for VPN service with Bitcoin. Even more, they're generally out of your jurisdiction, which acts as some barrier against frivolous requests.
_____
[1] In Russia every ISP is legally required to perform this sort of KYC and keep those records for a while.
It's rather "Russia bans lots of AWS and GCP IPs just because they can." There is no chance of riot happening.
A power play - sure. It's not the first (and surely not the last, unless something unthinkable happens) time our Tsar and his boyars introduce "countermeasures" against "foreign agents" that barely affect anyone abroad, but are essentially showing the world what kind of enforced restrictions Russian serfdom can tolerate for "national security" reasons - if any reasons at all.
When the Soviets had dissolved, Russia had its internal power struggles and was late to this game - but as we've entered this era of stabilnost' (cf. Harmonious Society) we're catching up fast.
So do you think it's good idea for Amazon / Google reputation to cease their service to any SaaS if kremlin dont like it? Unlike many smaller players Telegram might actually afford to pay for even millions of new IPs in thousands of subnets.
I not sure how it's can be against ToS because unlike other case Telegram is actually large enough to actually pay for tens of thousands end point IPs easily even on monthly basis.
And Kremlin minions certainly not going to stop ban subnets now even if will be 1:1000 ratio of Telegram's one and other services.
I think he meant that only Telegram would be be blocked instead of possibly affecting half of the Internet on the way there. For Telegram it wouldn't be any better.
I'm assuming it would be easier having one IPv6 address used only by a single application, that's why. Amazon/Google services would be less affected then. There's a whole different question if government would bother to be that precise, still.
The whole point of moving to the cloud was to make themselves harder to block. I don't think they would self-defeat by limiting themselves to a single /64 or something.
"For the last 24 hours Telegram has been under a ban by internet providers in Russia. The reason was our refusal to provide encryption keys to Russian security agencies. For us, this was an easy decision. We promised our users 100% privacy and would rather cease to exist than violate this promise.
Despite the ban, we haven’t seen a significant drop in user engagement so far, since Russians tend to bypass the ban with VPNs and proxies. We also have been relying on third-party cloud services to remain partly available for the rest of our users.
Thank you for your support and loyalty, Russian users of Telegram. Thank you, Apple, Google, Amazon, Microsoft – for not taking part in political censorship.
Russia accounts for ~7% of the Telegram user base, and even if we lose that entire market, Telegram’s organic growth in other regions will compensate for this loss within a couple of months. However, it is personally important for me to make sure we do everything we can for our Russian users.
To support internet freedoms in Russia and elsewhere I started giving out bitcoin grants to individuals and companies who run socks5 proxies and VPN. I am happy to donate millions of dollars this year to this cause, and hope that other people will follow. I called this Digital Resistance – a decentralized movement standing for digital freedoms and progress globally."