Feedback for the OP: I didn't understand how this works, and am reluctant to start a bot just to figure it out. It would be helpful if you could add some screenshots showing how email address creation, deletion and email receipt work (please do not use GIFs, just a set of static images is enough).
Tangentially on Telegram bots, one of the things I dislike with privacy on Telegram is that the user ID (an internal Telegram generated number, not to be confused with your chosen username) given to bots is static. It's not an ID per bot and there's no way to change the ID without deleting your Telegram account and creating it again later (I'm not sure if it changes then either). Bots can also see and save your name (as entered on the profile) on Telegram. This makes it easier for bots (or bot swarms) to track users on Telegram. (AFAIK, Telegram bots don't get the phone number of the user; it'd be terrible if they did).
Telegram is such an underappreciated platform. It has many features other platforms lack, is reasonably privacy-friendly, more so than fb/whatsapp/etc, but not enough to sacrifice features or UX. They have an API and both official and unofficial clients for almost all platforms, including command line and native, non-electron Windows (UWP). The client API is not easy to use, as crypto and similar features are involved, but C libraries exist. On the other hand, the bot API is one of the most pleasant APIs I've ever seen. It just works, can be tested in the browser, there's no OAuth crap one needs to set up. It's beautifully simple. I use Telegram whenever I can, and it has become my go-to messenger these days.
> is reasonably privacy-friendly, more so than fb/whatsapp/etc, but not enough to sacrifice features or UX.
Welp, there is a lot of discussion around these claims.
But we are also on Telegram, mostly because I'm using their API for our Home-Assistant instance to deliver status updates (left the bathroom window open for too long, weather-forecast on the morning and evening for the next 3 days). I like it.
Sorry if it’s off-topic but how does it know if the bathroom window is open or not? Did you build some kind of device and connect it to the home assistant?
I'm using a ready-made sensor for this. It's the same system I'm using for temperature and humidity measurement. It's proprietary [0], but someone reverse engineered it [1], so I can send the data via MQTT to Home Assistant. I then wrote an automation using Node-RED. It gets triggered when the window opens. After an initial timeout of five minutes, it will compare the inside temperature and humidity with the outside temperature and humidity, and decide if it should wait another five minutes or fire off a notification. If you close the window before, it will stop everything and reset itself.
Thanks for the answer! I didn't know there are already ready-made sensors for such use-cases (though I'm not familiar with Home Assistant itself either, only heard of what it is).
I use a few different devices from them with zigbee2mqtt and it’s working great. It’s perfect for combining devices from different manufacturers and not having to use their individual gateways.
> It has many features other platforms lack, is reasonably privacy-friendly
Telegram still has no E2E encryption by default and their official desktop client doesn't have it either. So it's worth nothing if no one uses it. It's not that I have much trust in proprietary fb code, but there are certainly better apps privacy-wise out there.
> there are certainly better apps privacy-wise out there
With significantly worse UX.
> still has no E2E encryption by default
This doesn't make it not reasonably secure in my mind. While the TG people will be able to access your messages, they can also process them, making stuff like large groups even possible (imagine the distribution hell otherwise).
I do tend to think that there's not much of a down side to E2E for private chats though, since you can still share private keys between devices to enable sync.
> This doesn't make it not reasonably secure in my mind. While the TG people will be able to access your messages, they can also process them, making stuff like large groups even possible (imagine the distribution hell otherwise).
So your standard for “reasonably secure” communications is Facebook Messenger?
What's your point? I'd rather not assume you're saying "privacy doesn't matter because people don't care about it" or "Email is more private because people think it's more private".
But e.g. Signal doesn't have the feature where either party of a conversation can delete messages on both phones. This is possible with Telegram's secret chat. And it's great.
Signal has disappearing messages for this use case. Not the same but the crypto in Signal is so much better (and permanently enabled) it’s hard to argue that Telegram is more secure.
Definitely not the same. For a better Snapchat-like feature, where you want reasonable protection against your comms partner, Telegram is way better. Also protects you from screenshots etc. (again: reasonable privacy relative to threat model)
Does it protect you from taking a picture of your phone?
I'd rather have a foundation of properly functioning, award-winning cryptography than "features" designed for people who haven't thought through their threat model sufficiently.
Yeah, but “supporting plaintext comms by default” is not a trade off to get crypto to the masses, it’s a failure to do so at all. What’s wrong with the disappearing messages feature?
Telegram have said that you can’t trust Signal because the developers live in the US and something something the CIA, which is pretty ridiculous. They rolled their own crypto and they aren’t cryptographers, which should be reason enough not to trust its security: https://security.stackexchange.com/questions/49782/is-telegr...
This answer is ridiculous. They got world level mathematicians in their team, what more do you want? Who are those "cryptographers"? And why those cryptographers don't break Telegram if they think that their crypto is broken?
Again, crypto is either broken or not. Telegram crypto is not broken. It's fine. Not everyone might like it, but that does not matter. I don't know the story about the CIA (although I wouldn't be surprised to find out that Signal is a honeypot), so I can't comment on that.
Mathematicians are not cryptographers. Crypto is harder to trust when the rationale behind it hasn’t been justified. Signal’s crypto is very easy to justify. That’s about it.
Security is not a yes/no thing. It is equal to the price to break it. If the cryptography is well-tested for decades, the price is much higher. This is not true for Telegram. It does not matter how good its creators are.
Signal leaks your telephone number to everyone with whom you communicate, which is a privacy disaster before you even send your first message. (Please don't take this as implicit approval for Telegram's approach to secure messaging, but at least they managed not to cock up in such a basic way.)
This has been explained on HN ad nauseam. It leaks less metadata than anything else, the phone number is the only metadata that it leaks (only to people you’re messaging, mind), and they’re working on a solution to that problem right now. It works that way because the developers wanted to avoid holding a central server with metadata for their entire user base. Instead it uses your local contact list to discover other users. I would say that being unencrypted by default and having a centralized metadata directory in plaintext is more of a cock-up in secure messaging than taking a rigorous and cautious approach to metadata leakage.
The constant repetition is indeed nauseating. It's also nonsense.
There is another unique identifier that's stored in the local contact list: email addresses.
Use either an email address or a phone number as an identifier, and you've no longer built an offensively privacy-violating service but have exactly the same distributed property.
You can use any phone number to sign up, it doesn’t have to be the one on your SIM. The rationale is that people typically text using phone numbers, and they wanted to make it easier to text people securely. It’s not nonsense, it makes perfect sense, and again, they’re working on it: https://signal.org/blog/signal-pins/
If you only have access to one phone number and not giving it out is critical, then Signal might not be the right choice for you. But you won’t find a more secure channel that collects less metadata anywhere else.
People typically email using email addresses, and text using phone numbers. They're both messaging identifiers that might easily be repurposed for Signal.
There's no property of the latter that makes them a better choice than the former, but the existing ecosystem makes a disposable or role email address a much easier thing to obtain, and in general leaking an email address a far-less-damaging privacy violation than leaking a phone number, which can so easily be used to harass and directly track you.
In many parts of the world, disposable mobile numbers are very definitely not a practical thing. The correct starting point here is to use either an email or a telephone number as an external ID. It's still not perfect, but at least it's not a complete disaster any more.
Alas they've been 'working on it' for a very long time now, and are likely to fail because of this painfully slow progress.
Perhaps if they'd pissed around less with trivia like cryptographically secure stickers, they might have increased their chances of becoming a useful product before they end up surrendering the space to an inferior product which gains too much market share to overcome before they're even properly off the starting blocks.
I criticise Signal here because I like the design and hate their botched execution, not because I dislike the protocol. On the contrary, I dearly want something that competent to succeed, but fear we're rapidly losing the chance of that happening because they have launched a privacy-disaster product and most of the potential market will have seen that, dismissed it and forgotten about it before they pull their finger out and fix it.
Yeah but even with the phone number “leaking” (only to the recipient) nothing else even comes close to it. If your standard calls Signal a privacy disaster, what kind of product would you expect people to use? Everything else either involves storing comprehensive metadata in plaintext or worse durable logs of all conversation and interaction. Prepaid SIMs are pretty cheap and outside the US most phones are unlocked. Emails are too easy to fake and generally abuse. Nobody has solved this problem yet.
Seriously, that's how I feel whenever someone asks me for my WhatsApp number (no, I don't use WhatsApp, and there's nothing called a WhatsApp number) or asks me about Facebook Messenger. Great UX, fast and new features added at a pace that puts other chat platforms to shame.
[I won't talk about the security aspect in this comment, since it has been rehashed many times here]
A WhatsApp number would be the phone number to which a user has tied their WhatsApp, for cases in which users have multiple phones and multiple phone numbers, not all of which are accessible beyond SMS.
Oh? I thought it was Qt. I don't want to seem like I'm complaining for nothing as it's definitely much better than, say, Slack client, but I still feel like the Windows client is a bit "out of place". Like the task bar context menu looks different from all the other menus for other apps in there, with rounded corners etc.
I'm not sure that Slack is a proper term of comparison for Telegram. A closer competitor would probably be WhatsApp, and Telegram Desktop easily beats the "desktop" version of WhatsApp on every single aspect. The only reason I'm still using WhatsApp is due to the fact that that's what all the people I know use.
> is reasonably privacy-friendly, more so than fb/whatsapp/etc
This is a harmfully misleading notion that we shouldn't be spreading.
Without explicitly invoking "secret chats", which are not even available on desktop, Telegram is no different from Skype and FB Messenger and is categorically less secure than WhatsApp.
How do you know it has E2E? The app itself is closed source. As far as anyone is concerned, it's all claims. How do they handle the private keys, for example? Any backdoor?
WhatsApp reverse engineering happens all the time. There's news channels out there with people dedicated to being the first to announce references to upcoming features every update.
The same can be said of Signal or any other chat application distributed through Google Play. How do you know the binary corresponds to the source? Good luck getting reproducible builds on Android or iOS. If you want to be sure your chat app is secure, you need to review and compile the code every time. And, of course, you need the knowledge and skills of a good cryptographer to determine hidden backdoors in the algorithms.
WhatsApp is reasonably secure, as long as you don't upload your unencrypted chats to Google Drive (the backup functionality). Telegram, with E2E enabled, hasn't been proven insecure enough despite its weird custom crypto scheme. However, WhatsApp brings E2E to group chats where Telegram needs manual configuration in private chats to do so. If we want to bring E2E to the masses, WhatsApp is the best option for now.
I'm hoping Matrix will change this or Telegram will implement proper crypto, but until then, WhatsApp is probably the best option we have.
It uses the Signal Protocol/Axolotl Ratchet and Open Whisper Systems helped them integrate it, which is a big reputational stake from very trustworthy people.
AFAIK, WhatsApp has decent E2EE, but metadata is not encrypted. So even though Facebook can't see what you are saying, it can see to whom you are saying it, how often, at what times etc.
That's a bit disingenuous. Everything is encrypted these days, there's virtually nothing that doesn't use TLS. Therefore, when someone says "encrypted", it's a good bet they mean E2E.
Depends on what you prefer. WhatsApp shares your messaging metadata with Facebook. WhatsApp also exposes your phone number to everyone else (for example, in groups). Telegram does not expose your phone number to others by default, and you can even make sure that phone number enumeration attacks can't be carried out (like the authorities did in Hong Kong last year).
Remember the old Zawinski's Law? "Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can."
In 2020, r/mail/chat/g
Telegram is such a great messenger to integrate with. It is basically just "import telegram" and you're almost done. I built the Telegram integration for Histre in just a weekend: https://histre.com/blog/take-notes-with-telegram/ This lets you take notes on Telegram either directly or via share intent, so that you can save links etc from your phone without installing another app. I think I also watched a movie and went for a hike that weekend, so it's not like it was an intense weekend of furious typing.
I wish other messengers made it as easy. I'd love to integrate with Signal, and probably will do so soon, as a good number of my users are on Signal. But the number of steps listed just makes it easy to put it off for later.
If you haven't integrated Telegram with your app yet, I'd suggest you look into it. You'd be surprised how easy it is.
I think the sane and simple API approach is going to make Telegram eat all other messengers. But I'm a programmer, so maybe I just want that to be true ;)
The problem with disposable mail is that it gets blocked quite often. For example, I have a list with more than 3000 domains of disposable mail servers and you can’t register or comment with such a mail on saashub.com or libhunt.com
I run a service called Kopi that does this (plus email2rss functionality).
You can bring your own domain, so broad block-list based blocking like that doesn't work. Plus, you're not locked in to the service. It's your domain - when you want to use something other than Kopi - you just change your MX record.
I was thinking about building a tool with opposite functionality - Getting chat messages delivered on email.
Reason - To switch to a full Linux-based phone, as clients for those platforms aren't available. I rarely use chat messages, so intuitiveness is not the concern. But when I do get a message, I would like it to be delivered via an encrypted email service.
Little thought went into this - Parsing messages from the web app of the respective chat apps on an SBC.
Why doesn't AWS SES allow generating receiving addresses without giving a domain, like `<uuid>@inbound.ses.amazonaws.com` or something - there wouldn't be a reputational risk if it was incoming only right? That would be awesome.
(The more common use case might be 'contact us' forms, for example, where you want to accept something as an email, but the address isn't user-facing so doesn't need a domain.)
First, this bot doesn't work. I was using this https://etlgr.io for disposable emails and it worked no stress.
My Outlook app kept getting closed by Android and I kept missing emails. So I created a disposable etlgr email to get bank notifications. Created a rule in Outlook.com to send balance notifications anytime money enters or leaves my account.
Also a few times when discussing with clients, sent the email title to the bot.
A few months back, there was one "a page a day" book reading service that came on Hacker News. Created an email just for it.
Another to receive manga notifications.
Etlgr recently became a subscription service and that was the end.
MY OTHER USES FOR TELEGRAM
RSS feed reader for sites. Also created a private channel for my friends that posts 100% free udemy courses. It's been completely hands off for over a year now.
Why Telegram Rocks
My telegram account is accessible from 4 different devices - Two phones and two laptops (6 client apps).
Could switch off the phone with the number registered to telegram and I'll still be able to chat. With WhatsApp this is impossible.
I could lose my sim card, both phones and one laptop. But if I still have access to one client, I can login on fresh devices.
This is because once you're registered, telegram sends the OTP to the installed clients instead of SMS.
One awesome thing they do is that after a successful logon on a new device, the notification is broadcast to all logged in client apps. Deleting the notification in one device will not remove it in others.
Making it harder for account takeovers to happen stealthily.
Also newly logged in clients cannot terminate older sessions.
CHATTING
The ability to edit already sent text in telegram is awesome. Make a mistake? Correct it.
Telegram does not leave a "deleted" stamp when you delete a message unlike WhatsApp.
In telegram you can delete everything in your chats from the other person's device.
WhatsApp allows you to delete your chats from the other person's phone. Telegram tops that by allowing you to delete the other person's words from their own phone!
Without this, quoted chats will have empty placeholders alerting the other party.
Oh, this is exactly the same service that I tried to build. Does this enforce privacy? They have some pricey model, so it seems like they would definitely be keeping some ads out there in the free version. But yeah, thanks for letting me know, I will check this out.
Cool idea for a bot. Suggestion: the UI could use more polish. You can use a conversational UI instead of `/create <email>`, `/delete <email>`. Also, it would be nice to have a command that generates a random user ID instead of having to type something in.
What’s the point of implementing this as a telegram bot rather than a website? I guess it’s a USP, considering there are hundreds of disposable email websites out there, but I don’t see how it enhances the user experience.
In my case it's convenience. I have Telegram open most of the day and occasionally I use bots for small tasks that could be done elsewhere, but bots offer a more streamlined experience.
I get the concept, but I don't see how it applies to this use case. Both web/bot has the same workflow.
web: open browser -> find website in bookmarks -> copy email -> do whatever you need to do with it -> switch back to the website to check for emails
bot: open telegram -> find bot in chat history -> tell it to generate a new address -> copy it -> do whatever you need to do with it -> switch back to the app to check for emails
The only case I could think of a bot being useful is for semi-permanent email. ie. using the same email address for weeks/months, rather than one time only.
I'm guessing it's just lesser friction for whoever uses Telegram. It's similar to how companies keep pushing apps instead of promoting websites (they do have other ulterior motives for that too).
The bot is simply down.
I would say 90% of all bots are down all the time and most of them completely go offline within the first 3 months.
There are a lot of reasons for that, like:
- no revenue
- made by beginners with no scalability in mind, so it simply can't handle the traffic if a bot gets popular
- loss of interest in developing if it doesn't "blow up" soon
- every good idea is instantly copied; especially if the code is public, there will be clones all over the place.
- no official way to promote your bot. Most large groups will directly ban you if you tell them about the bot you made. Some even have bots to auto-ban if you name another bot. Everything is considered advertising/spam, very toxic behavior in a lot of groups. As with everything free on the internet, there are the 0.1% who create and all others consume and give back nothing.
Source: I'm on Telegram since nearly day one. I run roughly a dozen completely free to use bots since many years. Some of them with thousands of daily users.
I will definitely try to keep this up and running for the longer term. Also, I have not planned to monetize this and will keep it free from advertisements. I know initially things are slow, but I have jumped into the game with a long commitment. Also, the source code is completely written by me and the motivation was to learn Spring Boot. I have not copied it :)
And thanks for taking some time to review it. I really appreciate that.
I don't have such intentions, the main reason to make this open source was this only. Even I hate ads, and I know everyone does. Currently the bot is down, I will definitely work on this to get this fixed tomorrow. And once this is fixed the bot will be healthy.
For now, due to certificate issues with Telegram, the bot is not working. I will check the issues with the bot tomorrow, and will try to resolve them. Till then, thanks for taking time to review it :) I really appreciate everyone's effort.