Despite controversy I like Telegram and it's bots. I would like using a couple of bots as personal assistants. However I'm paranoid with regards to secure network communication and data privacy. The idea of trusting my private data to some possibly mean kid or unsafe data storage is daunting.
So consequently I thought I snap twice, sing bibbidi-bobbidi-boo quickly and then have a self-written Telegram bot ready on a Raspberry Pi hosted in my basement (or possibly hosted in the cloud, when I trust the provider).
But then I'm wondering: Is end-to-end encryption implemented for private chats with Telegram bots? The Telegram clients are open source, however the server is not as far as I'm aware. And in general you never know what's happening behind the scenes on the servers of Telegram Messenger LLP.
I've ran up and the down the whole net twice, but I could only find the official, technical documentation about end-to-end encryption in general. To me it seems private chats with bots are encrypted, but I just want to double-check I am not overseeing something. Thanks.
No, Telegram Bot API's are not end to end encrypted. based on Telegram documentation end to end encryption are for user's chat, without mentioning about bots:
Secret Chats are one-on-one chats wherein messages are encrypted with a key held only by the chat’s participants.
You can implement it manually by adding encryption and decryption in both sides.
Same question asked here.
Related
My bot currently works as a service to notify users of their application status on our platform. However, I am worried users who have strict privacy settings will miss these notifications.
Does anyone know other options to work around this? My best option currently is creating a private channel with said user. Maybe getting verified?
Thanks
I am using discordjs library and I can send DMs to users with their snowflake for now, no issues unless the user has these strict privacy settings.
All these users would be sharing at least one server with the bot.
I have attached below a small snippet illustrating where/ how I am sending these messages
code snippet example
From the docs:
Stripe can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s Stripe-Signature header. This allows you to verify that the events were sent by Stripe, not by a third party. You can verify signatures either using our official libraries, or manually using your own solution.
Before you can verify signatures, you need to retrieve your endpoint’s secret from your Dashboard’s Webhooks settings. Select an endpoint that you want to obtain the secret for, then click the Click to reveal button.
The last paragraph suggests that the secret is truly something to be treated confidentially. Is there a reason why Stripe doesn't use a private-public key scheme for signing webhook events?
They could keep the private key in their DB, never displaying it on the UI. The UI would only show the public key. Every request made to a webhook by Stripe would be signed with the private key and verified at the receiving end with the public key. This way, malicious actors getting access to the public key would be irrelevant, as they could only use it for verification, whereas now — I assume — an accidentally revealed secret can be used for forgery.
I'm neither a Stripe employee nor a Stripe expert, but I think your question comes from an ideal world where HMAC has disadvantages compared to digital signature from the point of view you're standing on. I suppose the main reason behind this decision is the computational complexity. But for the sake of truth, why you don't consider this problem along with related factors? Stripe prevents replay attacks and publish their ip adresses. Taken together, these measures provide very real protection against message forgery.
I'm trying to send a notification out using Google Chats. But I have a few problems with the documentation I've been able to find:
It requires me to have a paid service account, which I do not have, and will not be getting
It requires using a chat bot, which (in my understanding) needs to be added to a room, and cannot just send out messages
Chat bots can't send out messages directly to personal accounts?
I'm already using Google OAuth2 authentication to access another Google API, so I'd like to use a Google API to send messages directly from the authenticated account. How would I do that?
So far:
All the documentation I can find is about making a chat bot.
I've considered some alternatives to sending out messages, but due to corporate device restrictions that will not be changing, google chats is my best option.
At the moment what you're trying to do is not possible, for multiple reasons.
You may know this already, but Google Chat is an upgrade to their old "Classic Hangouts" chat. In Google's own words, this is focused on enterprise (i.e. paid) accounts. While personal accounts are also able to upgrade and get some of the benefits, their documentation shows that Google Chat for personal accounts is very similar to the old Hangouts and most of the new features are meant for the paid accounts. This also includes the use of bots.
As you've observed, the Chat API currently only has methods to create and manage bots. There are no methods to send messages as your own account. This could be to prevent spam or because their Chat API is relatively new, since the Classic Hangouts did not have an API, and Chat hasn't fully replaced it yet. Even then, given that Chat is "enterprise-focused", it is uncertain whether or not personal accounts would get access to any new API features.
You could try to post feedback on their issue tracker or request the feature to see if you get a response, but for an immediate solution you may want to just use the Gmail API to send a regular email or reconsider the other alternatives that you had in mind.
I am prototyping an automated messaging system with a few pilot companies and about 10 users. They want my system to send status emails on their behalf, from their gmail accounts. This can easily be accomplished when they enter their gmail usn/pwd into my system (it is AES 256-bit encrypted before being stored in the DB). The problem is that the first time my system tries to send a status email on their behalf, using their account, the message is blocked until "Allow less secure apps" is enabled. When they try again, it's blocked again, along with scary warnings being emailed to them by google saying that someone has their google password. Only after they click through that and verify that my system has permission to do this, all is good, no more warnings, and everything works.
I have been researching this and I have found 2 potential approaches for smoothing this process and avoiding the scary warnings to the users:
Enable 2-factor authentication in the google account, and use an app-specific password (per user I think??) to send the emails without any warnings.
Have my system use oauth2 with the gmail accounts so that google no longer considers my app "less secure".
My question is, what is the best approach, and how do I set this up? If my gmail users enable 2-factor authentication, can they store their code into my system, and my system uses that code for future auto-emails? Does it even work that way? My experience with 2-factor auth is that a code is sent to the user's phone each and every time. Is that not the case? Would a stored code on my server (1 per user) work over and over? Does it expire after a certain amount of time?
And my understanding with oauth2 is that my users would need to be actively logged in with their google account and somehow exchange tokens with my server, but I really don't know. Is there some way for my web server (PHP) to implement oauth2 in connection with gmail accounts?
In summary, what is the simplest way to send auto-generated gmails for my users who are paying for this service without triggering scary warnings from google? The volume of emails is low -- this isn't spam -- it's a status follow-up system for the workplace.
You are right on your second point; that is an easy way to accomplish your objectives. You'll first have to authorize your app with Gmail to work with OAuth. You can follow these links to learn how to implement authorization in your server, but you can also enter here to appreciate some examples. When you develop the authorization protocol, you can read the Gmail API to start working with your customer accounts.
I am trying to understand how the https://squareup.com/ square Credit Card reader works.
What would be the underlying middleware that is being used to
send the data to the squareup server,
process the payment
send verification to a user of a successfull payment
This is implmented on the iPhone, could there be a generic middleware that could be used for other devices to access this service created, so we could have all type of smartphones access a similar service language independent?
Also what security protocols would be used to ensure the data is sent encrypted over the network?
Their own website contains details about their security technology. They appear to use common and trusted technologies like SSL, which isn't a surprise.
If you want to build an application that integrates with their service, you should contact them. It's possible that they will require you to purchase a license in order to do so. They would also be the authority on the protocols and middleware required to integrate with it.