Franz messaging app
-
@Dashrender said in Franz messaging app:
@scottalanmiller said in Franz messaging app:
You are confusing accessibility with security. No matter how much you can get it to "keep working" when your account hasn't been taken over, the risk to it being taken over is the same. The instant someone gets access to your number, they own your telegram and can revoke you any time they want... or just listen in on what you are saying.
No I'm not - if anyone is, it's you claiming that I am. I fully understand that there is no security, I'll scroll this thread to see if I actually said that Telegram is secure...
If that is true, why would you bring up that you can get it to "keep working" before it gets hijacked? What was the relevance to that statement?
-
The one thing that I do like about Telegram (no, it's not a security feature) is the message you get when you sign up a new device.
IE: I installed it on my phone, and bam... It was happy. I said, "Oh, Windows version!" And installed it on my Windows. I got a Telegram message on my phone with a code to punch in on my Windows device.
Now I want it on my tablet... I get that same security message on my Phone and my Windows Desktop...
When somebody connects another device to your Telegram account, assuming you have at least one device that is still connected, you should know about it.
-
@scottalanmiller said in Franz messaging app:
@Dashrender said in Franz messaging app:
@scottalanmiller said in Franz messaging app:
You are confusing accessibility with security. No matter how much you can get it to "keep working" when your account hasn't been taken over, the risk to it being taken over is the same. The instant someone gets access to your number, they own your telegram and can revoke you any time they want... or just listen in on what you are saying.
No I'm not - if anyone is, it's you claiming that I am. I fully understand that there is no security, I'll scroll this thread to see if I actually said that Telegram is secure...
If that is true, why would you bring up that you can get it to "keep working" before it gets hijacked? What was the relevance to that statement?
To simply state that Telegram does not require a phone after the account is set up, that was all - nothing more, nothing less. I certainly did know when making that post that the phone number controller could do anything they want, because it was what gained one access to the account, but that doesn't mean it's still not functional.
-
@Dashrender said in Franz messaging app:
@JaredBusch said in Franz messaging app:
@Dashrender said in Franz messaging app:
@scottalanmiller said in Franz messaging app:
@Dashrender said in Franz messaging app:
I am now made to wonder how good the security on these types of apps is. I never really thought about it in the past, but things have changed.
If they tie to a phone number (WhatsApp, Telegram, etc.) then security isn't at the core of their design.
Still don't get what you mean - while it's true they are tied, I see that primarily as a way to make the connection to users.
In 10 years you'll tell us that using an email address shows that security isn't at the core of the design, even though the main and possibly only purpose of the phone number/email address is a way of finding others you know.
Now Telegram does fail in the first place because you can't sign up without having a phone number, but after you get signed up, I'm not sure it's ever needed again.
No, there is no sign up for Telegram. It is 100% phone based. There is not an "account" for Telegram.
If it was 100% phone based, how would I have it on my PC. After signing up with my phone (which I DID mention) I could install it on my desktop, then remove it from my phone and never put it back on my phone again, and then install it on future Windows installs all I want.
This is the statement that it stemmed from... the authentication is 100% on the phone. All of that "it keeps working" stuff is confusing because that's just a cache of this authentication. Whether the phone must be on or not doesn't matter, what matters is that the instant the phone number is compromised, the Telegram is, too.
-
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
-
@Dashrender said in Franz messaging app:
@scottalanmiller said in Franz messaging app:
@Dashrender said in Franz messaging app:
@scottalanmiller said in Franz messaging app:
You are confusing accessibility with security. No matter how much you can get it to "keep working" when your account hasn't been taken over, the risk to it being taken over is the same. The instant someone gets access to your number, they own your telegram and can revoke you any time they want... or just listen in on what you are saying.
No I'm not - if anyone is, it's you claiming that I am. I fully understand that there is no security, I'll scroll this thread to see if I actually said that Telegram is secure...
If that is true, why would you bring up that you can get it to "keep working" before it gets hijacked? What was the relevance to that statement?
To simply state that Telegram does not require a phone after the account is set up, that was all - nothing more, nothing less. I certainly did know when making that post that the phone number controller could do anything they want, because it was what gained one access to the account, but that doesn't mean it's still not functional.
It means it is not reliably functional. It might work for months, or for seconds. That's at the discretion of the phone.
-
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
At least they are moving in the right direction. But they are starting from a really stupid, flawed starting point.
-
Thanks, I didn't think I said it was secure.
-
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
Huh - well, as Scott said, until they remove the ability for the phone number alone to take over the account, it still doesn't have much if any real security.
-
Secure messaging score card from EFF
-
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
Huh - well, as Scott said, until they remove the ability for the phone number alone to take over the account, it still doesn't have much if any real security.
With the Two-Step enabled, they cannot take over the account with just the phone number. They also have to have the Password that you set up to allow it.
-
@dafyre said in Franz messaging app:
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
Huh - well, as Scott said, until they remove the ability for the phone number alone to take over the account, it still doesn't have much if any real security.
With the Two-Step enabled, they cannot take over the account with just the phone number. They also have to have the Password that you set up to allow it.
Interesting, so the account could be lost forever if you lose that password?
-
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
Huh - well, as Scott said, until they remove the ability for the phone number alone to take over the account, it still doesn't have much if any real security.
With the Two-Step enabled, they cannot take over the account with just the phone number. They also have to have the Password that you set up to allow it.
Interesting, so the account could be lost forever if you lose that password?
It links to an email address so you can go through recovery procedures. I'm testing it out now.
-
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
Huh - well, as Scott said, until they remove the ability for the phone number alone to take over the account, it still doesn't have much if any real security.
With the Two-Step enabled, they cannot take over the account with just the phone number. They also have to have the Password that you set up to allow it.
Interesting, so the account could be lost forever if you lose that password?
Yup, if you lose that OR lose the phone number. Which is "good" for security of access, bad for security of data.
-
Recovery seems to work.
-
@dafyre said in Franz messaging app:
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
Huh - well, as Scott said, until they remove the ability for the phone number alone to take over the account, it still doesn't have much if any real security.
With the Two-Step enabled, they cannot take over the account with just the phone number. They also have to have the Password that you set up to allow it.
Interesting, so the account could be lost forever if you lose that password?
It links to an email address so you can go through recovery procedures. I'm testing it out now.
Ah ha, interesting. That's good.
-
@Ambarishrh said in Franz messaging app:
Secure messaging score card from EFF
With the new features, Telegram scores well there.
-
I tried logging in via the web interface from a system that has never used it before.
Enter phone number, and it sends a message via Telegram to my phone with the Pin. If you don't have any access at all to Telegram, it can send you the Pin via SMS. Enter PIN... Oops, I forgot password... It sends a temporary login code to your email on file.
Then you fix the password and done.
-
@dafyre said in Franz messaging app:
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
@Dashrender said in Franz messaging app:
@dafyre said in Franz messaging app:
Apparently now, you can set up a password for your Telegram account as well, so that no one will be able to add a new device to your account without the password as well as the PIN sent as a Telegram message.
(Settings -> Enable two step verification)
Huh - well, as Scott said, until they remove the ability for the phone number alone to take over the account, it still doesn't have much if any real security.
With the Two-Step enabled, they cannot take over the account with just the phone number. They also have to have the Password that you set up to allow it.
Interesting, so the account could be lost forever if you lose that password?
It links to an email address so you can go through recovery procedures. I'm testing it out now.
Thanks I've added it.
-
@dafyre said in Franz messaging app:
I tried logging in via the web interface from a system that has never used it before.
Enter phone number, and it sends a message via Telegram to my phone with the Pin. If you don't have any access at all to Telegram, it can send you the Pin via SMS. Enter PIN... Oops, I forgot password... It sends a temporary login code to your email on file.
Then you fix the password and done.
Sending the PIN to SMS is bad security, that's been shown to be easy to intercept. But some decent improvements.