telegram-bot-api VS LibreSignal

Is not that hard, they have amazing documentation about it: https://core.telegram.org/bots

You can make authorization via Telegram another way. It works. But today we want to do the classic OAuth Authorization. Before you begin, you need to create a Telegram bot and obtain your bot token. You can do this in @BotFather in Telegram. For more information on initiating a bot, read the Telegram Bot API documentation: https://core.telegram.org/bots

Absolutely possible. Here's the github page to the Telegram bot API. You would just need to check for incoming messages, check the body of the message for a word or phrase, and then send a message back with a photo or gif and an encouraging message.

Creating a Telegram bot is fun: there's no website, no sign up, no forms — you just use a... bot. Yes, a bot that creates bots. It's called the BotFather 😂

Telegram has a bot API server that provides API to control the bots and get updates. Their own instance has some restrictions like you cannot download files bigger than 20MB. So, using a self hosted bot API server, you can overcome those limits.

General Bot Platform Overview

$ curl -4 -v https://api.telegram.org * Trying 149.154.167.220:443... * TCP_NODELAY set * Connected to api.telegram.org (149.154.167.220) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=api.telegram.org * start date: Mar 24 15:21:45 2022 GMT * expire date: Apr 25 15:21:45 2023 GMT * subjectAltName: host "api.telegram.org" matched cert's "api.telegram.org" * issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x555fdb2de2f0) > GET / HTTP/2 > Host: api.telegram.org > user-agent: curl/7.68.0 > accept: */* > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * old SSL session ID is stale, removing * Connection state changed (MAX_CONCURRENT_STREAMS == 128)! < HTTP/2 302 < server: nginx/1.18.0 < date: Tue, 18 Oct 2022 00:00:24 GMT < content-type: text/html < content-length: 145 < location: https://core.telegram.org/bots < strict-transport-security: max-age=31536000; includeSubDomains; preload < access-control-allow-origin: * < access-control-allow-methods: GET, POST, OPTIONS < access-control-expose-headers: Content-Length,Content-Type,Date,Server,Connection < 302 Found 302 Found nginx/1.18.0 * Connection #0 to host api.telegram.org left intact

It's done via bots, which let you add clickable options to posts. Here's an FAQ on bots: https://core.telegram.org/bots

>what does this mean?

Moxie (Signal's founder) has thrown fits in the past over the existence of third-party clients using their servers: https://github.com/libresignal/libresignal/issues/37#issueco...

0: https://github.com/libresignal/libresignal/issues/37

I push back when anyone recommends Signal because they are fundamentally not an open network.

OWS has historically been hostile to third party implementations outside of their clients. There are multiple unofficial options but the only one I've been looking at is the bridge with matrix, though setting up a matrix server just for this is likely overkill.

I have to say that I find him fascinating too, but there are a few things that raise my suspicion, but of course do not convict him of anything:

The way he is attacking this alternative Signal client and rules out interoperability:

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

Signal was a word before he decided to turn it into a brand.

The signal server source code repo was not updated for a year. Communication intransparent.

https://www.androidpolice.com/2021/04/06/it-looks-like-signa...

I am not even against crypto integration, but I found the choice of MobileCoin odd. Instead of integrating an existing privacy coin or working with the community, he decided to integrate MOB and to be one of their "advisors":

https://techcrunch.com/2018/04/24/mobilecoin-moxie-marlinspi...

https://www.coingecko.com/en/coins/mobilecoin

Is that so surprising? Signal had always a hostile attitude to alternative clients. They have this weird disconnect of the new CEO saying they want to be available to as many people as possible and be a fully commited FOSS app, and then have no version on F-Droid (while Telegram has!) and actively fight alternative clients (see https://github.com/LibreSignal/LibreSignal/issues/37#issueco...)

Because of this hostility Signal is not a trustworthy organization at all.

LibreSignal existed before Moxie was like “no, don’t”: https://github.com/LibreSignal/LibreSignal

They have shut down third party clients, and resve the roght to continue that.

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

1) You need to audit that code, which.. everyone will have to do.

2) https://signal.org/blog/reproducible-android/

> the Signal Android codebase includes some native shared libraries that we employ for voice calls (WebRTC, etc). At the time this native code was added, there was no Gradle NDK support yet, so the shared libraries aren’t compiled with the project build.

a good answer in my opinion, but it means what you run from the play store is not reproducible and thus can never really be confirmed to be what the sources actually include. There are also binary blobs needed for interacting with Google Play.

3) Signal is openly hostile to third party client implementations: https://github.com/LibreSignal/LibreSignal/issues/37

Moxie Marlinspike on May 5th 2016:

> I'm not OK with LibreSignal using our servers, and I'm not OK with LibreSignal using the name "Signal." You're free to use our source code for whatever you would like under the terms of the license, but you're not entitled to use our name or the service that we run.

> If you think running servers is difficult and expensive (you're right), ask yourself why you feel entitled for us to run them for your product.

Moxie Marlinspike left Signal this January[2] 2022.

Whose to say whether there will be any change, but it's been interesting seeing Signal as a somewhat defended property. Although various third party clients/tools/libraries do exist already.

The claim that running servers is expensive would have been more interesting, imo, had there been any viable way to run your own. But for a long while Signal server source code wasn't being updated at all.

[1] https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

[2] https://signal.org/blog/new-year-new-ceo/