Nxt Forum

Please login or register.

Login with username, password and session length
Advanced search  

News:

Latest Nxt Client 1.11.5 - NEW RELEASE: Ardor 2.0.3e TestNet IS LAUNCHED!

Pages: [1] 2 3  All

Author Topic: Telegram  (Read 9453 times)

MrCluster87

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 842
    • View Profile
    • youtube
  • Karma: +81/-3
Telegram
June 27, 2015, 10:01:07 am

Could someone build a Nxt plugin for us to use telegram messenger?

https://core.telegram.org/api

https://core.telegram.org/mtproto

Jimmy2011

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 328
    • View Profile
  • Karma: +24/-19
Re: Telegram
November 01, 2015, 09:27:57 am


It's a great idea.
NXT-LX5G-L63N-ST8S-9LVZY

xivba

  • Full Member
  • ***
  • Offline Offline
  • Posts: 127
    • View Profile
  • Karma: +14/-2
Re: Telegram
November 01, 2015, 09:57:35 am

Dedicated NXT Telegram channel built right into NXT client would be nice.
NXT-33DU-8Q49-R2LY-FQRTG

chevdor

  • Full Member
  • ***
  • Offline Offline
  • Posts: 165
    • View Profile
  • Karma: +19/-0
Re: Telegram
November 15, 2015, 04:37:12 pm

That´s great idea.
What kind of features do you think it should offer?
NXT-YCLA-V44V-USJK-3GPJD
BM-2cXnA5HdtsDttGaPEAJd1oYX3zMbiKDewV

farl4bit

  • Global Moderator
  • Hero Member
  • *****
  • Offline Offline
  • Posts: 3399
  • Go Nxt!
    • View Profile
    • Blockchain Startpagina
  • Karma: +206/-45
Re: Telegram
November 23, 2015, 07:01:27 am

Great idea, is that even possible? Signal is an other chat program which is becoming popular, especially because Edwardo Snowman advice people to use it.

gaba

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 54
    • View Profile
  • Karma: +5/-2
Re: Telegram
November 23, 2015, 09:12:33 am

Great idea, is that even possible? Signal is an other chat program which is becoming popular, especially because Edwardo Snowman advice people to use it.

US. Government Funded Your Favorite ‘NSA-Proof’ Apps
http://revolution-news.com/us-government-funds-favorite-nsa-proof-apps/

MrCluster87

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 842
    • View Profile
    • youtube
  • Karma: +81/-3
Re: Telegram
January 15, 2016, 10:45:33 am

Ok, since still no one took up the initiative I will offer a bounty of 5.000 NXT to whoever has the skills.

My request is to transform the Telegram Desktop app (https://github.com/telegramdesktop/tdesktop) into a Nxt Plugin so that I can use it within the client. The Plugin should be Open Source so hopefully other developers will maintain it and make it NRS future proof/compatible.

Hopefully we will use the Arbitrary Message system as certified e-mail (https://www.youtube.com/watch?v=ycPv0eFJw-k) and Telegram as instant messaging app.

I mean only a blind person wouldn't see the potentials:

Arduino + NodeJS en SailsJS + Telegram API: https://www.youtube.com/watch?v=qM3_4FQjFIY
RaspberryPiTelegramControl: https://www.youtube.com/watch?v=wD1Dwkq1kHM

+ 15.000 NXT from Damelon
+ 15.000 NXT from abctc
******************************
Total 35.000 NXT
« Last Edit: April 05, 2016, 09:59:12 am by MrCluster87 »

capodieci

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1303
  • Tips go to DeBuNe Dev fund
    • View Profile
    • DeBuNe - Decentralised Business Network
  • Karma: +252/-18
Re: Telegram
January 15, 2016, 11:18:29 am

This would be AMAZING! :)
- Decentralised Business Network: DeBuNe -
Asset: 6926770479287491943 - Issuer: NXT-GQ27-DD53-YM6K-ER6HK
OTDocs.com - debune.org - nxtforum.org/debune - NEW: thesoundkey.com

Damelon

  • Administrator
  • Hero Member
  • *****
  • Offline Offline
  • Posts: 2298
    • View Profile
    • Nxt Inside
  • Karma: +792/-53
Re: Telegram
January 15, 2016, 11:59:28 am

Adding 15000 NXT to the bounty :)
Member of the Nxt Foundation | Donations: NXT-D6K7-MLY6-98FM-FLL5T
Join Nxt Slack! https://nxtchat.herokuapp.com/
Founder of Blockchain Workspace | Personal Site & Blog

abctc

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1280
    • View Profile
  • Karma: +143/-13
Re: Telegram
January 15, 2016, 12:22:22 pm

Adding 15000 NXT to the bounty :)
+ another 15k NXT.

My request is to transform the Telegram Desktop app (https://github.com/telegramdesktop/tdesktop) into a Nxt Plugin so that I can use it within the client.
- shared here: https://bitcointalk.org/index.php?topic=345882.msg13560179#msg13560179
« Last Edit: January 15, 2016, 12:29:17 pm by abctc »
Welcome to the Nxt generation of crypto!   Magis quam Moneta (More than a Coin)
"Do not worry, it is an attack" (c) Jean-Luc

capodieci

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1303
  • Tips go to DeBuNe Dev fund
    • View Profile
    • DeBuNe - Decentralised Business Network
  • Karma: +252/-18
Re: Telegram
January 15, 2016, 02:17:56 pm

Adding 15000 NXT to the bounty :)
+ another 15k NXT.

My request is to transform the Telegram Desktop app (https://github.com/telegramdesktop/tdesktop) into a Nxt Plugin so that I can use it within the client.
- shared here: https://bitcointalk.org/index.php?topic=345882.msg13560179#msg13560179

IMO the very important aspect is that it should create an account matching the Nxt account, and log in with that one.

R
- Decentralised Business Network: DeBuNe -
Asset: 6926770479287491943 - Issuer: NXT-GQ27-DD53-YM6K-ER6HK
OTDocs.com - debune.org - nxtforum.org/debune - NEW: thesoundkey.com

MrCluster87

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 842
    • View Profile
    • youtube
  • Karma: +81/-3
Re: Telegram
January 15, 2016, 02:25:05 pm

Exactly, but I don't want that through my public address you can read my messages. I would go with a token login generated with my passphrase. Like you can log to coinomat https://coinomat.com/login.php#login_nxt

The website string could be: telegram

capodieci

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1303
  • Tips go to DeBuNe Dev fund
    • View Profile
    • DeBuNe - Decentralised Business Network
  • Karma: +252/-18
Re: Telegram
January 15, 2016, 02:33:26 pm

Exactly, but I don't want that through my public address you can read my messages. I would go with a token login generated with my passphrase. Like you can log to coinomat https://coinomat.com/login.php#login_nxt

The website string could be: telegram

yes, obviously ! ;)

We implemented a system, for a DeBuNe client, that automatically does all the process (user creation and login) with wordpress.

Shouldn't be too hard :)

R
- Decentralised Business Network: DeBuNe -
Asset: 6926770479287491943 - Issuer: NXT-GQ27-DD53-YM6K-ER6HK
OTDocs.com - debune.org - nxtforum.org/debune - NEW: thesoundkey.com

Cassius

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 2459
  • Rather be a pirate than join the navy
    • View Profile
  • Karma: +207/-18
Re: Telegram
February 05, 2016, 11:41:57 am

Looks pretty cool :) Watching.
I head up content for BitScan, crypto business hub.

devlux

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 308
    • View Profile
    • Gemspace
  • Karma: +67/-2
Re: Telegram
April 06, 2016, 02:35:00 am

...me and my big mouth... grumble...
« Last Edit: April 09, 2016, 03:23:16 am by devlux »
Evolution NEXT D.A.C.
NXTAE:3385321989487982138 (EVOLVE)

devlux

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 308
    • View Profile
    • Gemspace
  • Karma: +67/-2
Re: Telegram
April 09, 2016, 03:25:17 am

Ok guys, so here's the deal.

Wrapping Telegram Desktop for Web in the plugin API was a rather trivial process.
Once I fixed the issue with the plugin API in general it took all of about an hour to get Telegram's web client integrated.

In the course of doing so I uncovered problems.
First and foremost, Telegram has about 20 immediate javascript dependencies and another 40 or so that are lazy loaded, including a few from various and random content distribution networks, i.e. trackers.

Secondly the CSS from telegram literally stomps all over the NRS CSS so I had to strip that out completely.  The UI needs a lot of help without it's CSS, but that can be fixed by walking the CSS line at a time and sorting out which ones are really causing the problem.  Hopefully it's only one or two.

Javascript dependencies, I was able to strip down quite a bit because NRS uses some of the same dependencies such as jquery etc.  Got it down to about 10 or so, but it's still a giant wall of includes.

Unfortunately, Telegram uses it's own custom encryption library.
This encryption library as well as several others exist in the global name space and are overridding the ones provided by NRS.
This CAN be fixed via namespacing.  Basically I go in and find the conflicting functions and rename them, then go through and find every place that the old function was called, updating it to the new name.  It's complex, but mostly just time consuming, but I've faced worse.

Here's my problem though and why I'm bringing it to your attention.  In order to do this integration I had to do a deep dive into the code.
What I found just kind of shocked me.  Yes it works, but it's doing a lot of dangerous things.
Let me stress.  These things are not very dangerous if it's just you and a buddy having a chat.  But if your buddy sends you a specially formed message it would compromise your wallet.  If I remove that, then other pieces of this house of cards begin to fall down.

As soon as I saw that, I stepped back for a bit to think and do some research.  I'm a programmer, but it's not the main thrust of what I do professionally. 

Mainly I analyze things, poke holes in them, find ways around things.  In short I try to find ways to make things happen.  I had never heard of telegram before this, but I took the bounty because it seemed like something nice I could do for the community.  The community believes it's secure, so I let that drive my opinion.  Then I saw the code and I have to be honest, there just isn't any way I can think of to secure this.

I'm hardly alone in my opinion...
https://yalantis.com/blog/whats-wrong-telegram-open-api/

I agree with everything that guy says and he's only refering to the android version, I'd take it a step further.

Once I realized that their code was insecure I decided it might be a good idea to go back to the API docs and build my own implementation from scratch.
Maybe that could allow me to deliver on this.
Unfortunately, the API docs are written in such a way that you can't just read them and do an implementation.  It's a form of obfuscation.  They make it look like they've provided useful and important information, but it's not in a format that is designed for building a new implementation.

Interestingly, the bot API looks fine. 
https://core.telegram.org/bots/api#making-requests
That could be wrapped, but it's not really designed for a desktop chat, it's meant for remote control purposes.

The regular "core" API docs look like this...
https://core.telegram.org/method/users.getFullUser

What this does is define a custom binary protocol and the specification of that protocol is done in their own custom language.
Normally when you're specifying a binary protocol you specify it in c or protobuf syntax, these are considered standard.
The binary protocol makes a sort of sense, the amount of data you can send out via mobile push is limited, so they probably tried to accommodate that.
The normal way to do push messaging is to keep it very simple... You have X new messages and then have the app pull in the rest of the details off the server.

Because they diverged so much from best practices, Telegram really went lone wolf and the way they did it feels to me like they are intentionally obfuscating it.  There are two reasons I can think of for doing that.  Firstly maybe they don't want independent implementations.  It's more money in their pocket if they can charge a consulting fee.  I can respect that, but I'm not paying these guys after reading the code they did publish.  Secondly, it could just be a mindset.  If people feel like they can see the code, even though it might be out of their league, then they'll feel comfortable, in the meantime you can hide bugs and flaws behind a wall of impenetrable syntax.

There's a saying about this... "If you can't dazzle them with brilliance then baffle them with BS".

I read the docs, then I read the spec of the language they created to specify the api.  I have to be perfectly honest here, it just feels like an attempt at obfuscation in hopes of a paying gig.  It looks professional to a layman, but to a professional it looks like they're hiding something bad.

Understand I'm not saying they actually have a backdoor.  I'm simply saying that if I were going to hide one, this is one way I could think of to do it.
I presented this information to MrCluster and Damelon.  Between the two of them they have paid for over half the bounty, but then I realized that others in this community have paid into the bounty as well so I asked to bring it here for everyone to talk about.  MrCluster agreed, but Damelon was offline, nevertheless this seems like the type of thing he would support.

Here's the rules.  I will never knowingly release buggy or insecure code to any client.  Whether it's open source or paid, if it has my name attached to it it doesn't leave my desk until I feel certain it can't be exploited.  I cannot guarantee that with any option involving Telegram.

However the bounty is for a Telegram plugin.  So here's the potential solutions.

#1 I could namespace what I've got here, fix what I can and release it under a best effort basis.  The plugin would be limited to signin and check/send message functionality and I can bring in the contacts to make a sort of buddy list.  This would be moderately secure, but the thing is built like a house of cards, touch one thing and it can come crashing down on you.  I cannot guarantee security.

#2 I could toss the work done so far and implement the bot API from Telegram.  This is enormously more secure because it's a from scratch rewrite and doesn't have the house of cards effect.  The drawback is that much of the desktop functionality is missing.  Bot API is intended more for remote control style operations.  Chat can be done, but it's clunky and heavy.  Functionality would be limited to these methods...  https://core.telegram.org/bots/api#available-methods  and you'll need to get your own bot key  https://core.telegram.org/bots/api#authorizing-your-bot 

#3 We could forget Telegram and implement Slack.  Slack has a cleaner more functional API, chat is less clunky to implement.  Down side is that their API javascript is distributed via a CDN / tracker.  So it's not 100% secure, but the only thing a tracker would see is your refurl was localhost:7876 or whatever.  If we did this it would be possible to have instant messaging.  You could later add remote control functions to for instance create a slackchat tipbot.  But mostly slack is where all the cool kids are hanging out now, so you could pop in and get support from the community right there in your client.

#4 We could forget Telegram and slack and go with pubnub.  This would allow rapid signalling and messaging.  Essentially chat, remote control and things like balance updates coming into your phone.  I would ONLY be implementing basic chat and a buddy list, but the code is easy, open and extensible.  The drawback is that with PubNub you have to pay beyond a certain number of messages a month and it requires signing up for an API key with a credit card.  Also two people on separate API keys would be in segregated channels.  I use pubnub for communications between cash machines and backoffice services, I've found it to be highly reliable and secure, but for who knows how many users to send pictures of their cats I dunno if it would be appropriate.  We could get choked off.

In the interests of full disclosure, you should know that when I presented this information to Damelon & Mr Cluster I also presented a 5th option.  This option is to implement a high speed message passing api over the existing peer to peer network that we already have with NXT.  I called this solution NXT2NXT

It would be a sidechannel communications mechanism and would be using the addons API to open a couple of new ports.  I based the design on a retail inventory and point of sale system I architected a few years back that updated inventory levels in near real time even if there were internet connectivity issues.  However looking at the addons API, I think it's a whole separate project.  So I'm backing off that one for now.

If we used the slack API for chat and instant messaging, we could revisit NXT2NXT at a later date.  The telegram bot API is also somewhat similar but something about Telegram is giving me pause for concern.  However the Telegram Bot API would meet requirements best...
Quote
Hopefully we will use the Arbitrary Message system as certified e-mail (https://www.youtube.com/watch?v=ycPv0eFJw-k) and Telegram as instant messaging app.
Much better than any other option.

So I'm going to leave the way forward up to the community on this.  Damelon, MrCluster and abctc will have final say, but I'm interested in all thoughts from the community.
« Last Edit: April 09, 2016, 04:41:08 am by devlux »
Evolution NEXT D.A.C.
NXTAE:3385321989487982138 (EVOLVE)

devlux

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 308
    • View Profile
    • Gemspace
  • Karma: +67/-2
Re: Telegram
April 09, 2016, 04:46:27 am

Just some additional information to think about...

On further consideration, option #2 is the most straightforward and will give something secure while still being Telegram.
Option #1 is more feature rich, but opens security risks.
The others aren't telegram, but could be additional plugins done at a later time.

I could deliver #2 by Monday.  #1 I don't think is safe, #3 could be as soon as Wednesday and same with #4.
Evolution NEXT D.A.C.
NXTAE:3385321989487982138 (EVOLVE)

Damelon

  • Administrator
  • Hero Member
  • *****
  • Offline Offline
  • Posts: 2298
    • View Profile
    • Nxt Inside
  • Karma: +792/-53
Re: Telegram
April 09, 2016, 05:42:17 pm

I would choose slackify.
I'd rather have a well known function now than an "if" later

Verstuurd vanaf mijn SM-G901F met Tapatalk

Member of the Nxt Foundation | Donations: NXT-D6K7-MLY6-98FM-FLL5T
Join Nxt Slack! https://nxtchat.herokuapp.com/
Founder of Blockchain Workspace | Personal Site & Blog

devlux

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 308
    • View Profile
    • Gemspace
  • Karma: +67/-2
Re: Telegram
April 09, 2016, 07:44:36 pm

Thanks, I'll let it run one more day.  Just to make sure there are no objections, then move forward with the majority.
Evolution NEXT D.A.C.
NXTAE:3385321989487982138 (EVOLVE)

abctc

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1280
    • View Profile
  • Karma: +143/-13
Re: Telegram
April 09, 2016, 10:06:25 pm

I believe that Telegram encrypts messages end-to-end. I think Slack doesn't use encryption. So Slack is non a good choice for Nxt (= cryptoplatfom) plugin in my opinion. It seems that  among popular messengers only WhatsApp does end-to-end encryption. So I vote for Telegram or WhatsApp. In any case (including the absence of plugin) I will pay at least 5k NXT for devlux's  Telegram investigations.
Welcome to the Nxt generation of crypto!   Magis quam Moneta (More than a Coin)
"Do not worry, it is an attack" (c) Jean-Luc
Pages: [1] 2 3  All