
How Secure is Telegram?

I have been using Telegram for a while now. It has been a great experience when it comes to usability and performance: it is fast, stable to its core, receives regular updates, and the desktop app has also been well taken care of. All this goodness of Telegram does come at the cost of privacy and security.

No Encryption By Default#

Telegram doesn’t have end-to-end encryption enabled for securing chats. A messaging app marketed as secure and privacy-respecting doesn’t even have a basic security measure like end-to-end encryption enabled by default. To enable end-to-end encryption, you need to start a secret chat before communicating. Why don’t they enable it by default for every user? WhatsApp and Signal do better here because they use both client-server and end-to-end encryption by default, while Telegram uses only client-server encryption. By the way, secret chats don’t work in the Telegram Desktop app, so you will always need your phone for chatting; read the last heading for more detail on this issue.

Proprietary Encryption#

As much as I want to use Telegram, I have to say the encryption standards they use are a huge concern. Telegram uses its own in-house encryption, which hasn’t gone through rigorous pen testing or audits comparable to those of NIST standards. Many cryptography experts and security researchers have questioned their use of a proprietary algorithm; open standards provide more verification and transparency. Telegram’s time-tested algorithm MTProto V1.0 had many serious security issues. While the V2.0 release of MTProto brought many improvements, it still uses the SHA-1 hash function (in some cases) and AES-IGE. They use them in a way that isn’t affected by the previously disclosed security vulnerabilities.
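To make the AES-IGE mention concrete, here is an added example (not from this post and not Telegram’s code) of the IGE chaining mode in Python. It assumes a constructed toy block cipher standing in for AES, since the point is the chaining and its error propagation, not the cipher itself.

```python
from typing import Callable

BLOCK = 16  # block size in bytes; MTProto pairs IGE with AES-256
BlockFn = Callable[[bytes, bytes], bytes]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for AES so the example runs without a crypto library:
# XOR with the key, then rotate the block left by one byte. Invertible, NOT secure.
def toy_encrypt(key: bytes, block: bytes) -> bytes:
    t = _xor(block, key)
    return t[1:] + t[:1]

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    t = block[-1:] + block[:-1]
    return _xor(t, key)

def ige_encrypt(enc: BlockFn, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}; the IV supplies c_0 || p_0 (two blocks)."""
    if len(iv) != 2 * BLOCK or len(plaintext) % BLOCK:
        raise ValueError("iv must be two blocks and plaintext block-aligned")
    c_prev, p_prev, out = iv[:BLOCK], iv[BLOCK:], bytearray()
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i:i + BLOCK]
        c = _xor(enc(key, _xor(p, c_prev)), p_prev)
        out += c
        c_prev, p_prev = c, p
    return bytes(out)

def ige_decrypt(dec: BlockFn, key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}; mirrors ige_encrypt."""
    if len(iv) != 2 * BLOCK or len(ciphertext) % BLOCK:
        raise ValueError("iv must be two blocks and ciphertext block-aligned")
    c_prev, p_prev, out = iv[:BLOCK], iv[BLOCK:], bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        p = _xor(dec(key, _xor(c, p_prev)), c_prev)
        out += p
        c_prev, p_prev = c, p
    return bytes(out)

def garbled_blocks(key: bytes, iv: bytes, plaintext: bytes, flip_block: int) -> list:
    """Flip one bit in ciphertext block `flip_block` and report which plaintext
    blocks then decrypt differently. IGE garbles that block and every block
    after it ("infinite garble"), which is why a bad MAC check matters."""
    ct = bytearray(ige_encrypt(toy_encrypt, key, iv, plaintext))
    ct[flip_block * BLOCK] ^= 0x01
    pt = ige_decrypt(toy_decrypt, key, iv, bytes(ct))
    n = len(plaintext) // BLOCK
    return [i for i in range(n) if pt[i*BLOCK:(i+1)*BLOCK] != plaintext[i*BLOCK:(i+1)*BLOCK]]

# Constructed sample inputs: a 16-byte key, a 32-byte IV and four plaintext blocks.
KEY = bytes(range(16))
IV = bytes(range(32))
MSG = b"MTProto IGE demo".ljust(64, b"x")
```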

Closed Source Servers#

Telegram does release verifiable builds of its apps on their GitHub release pages, which is great. They even allow you to create your own app for yourself or the community, and many free, libre Telegram clients exist. Where Telegram gets it wrong is the server side. Everything there is closed source, so forget about independently auditing their servers: you can’t verify or audit any of their server code. This is also a huge downside for those who want to self-host and not rely on a centralized server for communication. It is not a big deal if everything is encrypted in transit and at rest, but it is simply better to be able to have full control of your chats on your own server.

Metadata Collection#

If you read Telegram’s privacy policy, you’ll realise just how much data they collect when you set up your profile and send your first message. This data can include your IP address (kept in logs for a year), usernames, phone number and other personal info you have given. It is always better if this sensitive data isn’t collected, but that is not the case here. They could also do better at concealing sensitive metadata by encrypting all of it.

No Secret Chat Backup (Usability Issue)#

Imagine you purchased a new device for communicating and you want to move all your “secure” secret chats from your old phone to your new phone. FYI, you can’t. Where most messaging apps allow you to securely upload an encrypted backup to the cloud for later use, Telegram doesn’t allow you to move secret chats between devices. You can create a new secret chat on your new device, but you won’t get any of your previous messages, since backing those up isn’t an option. Offline encrypted backups, or at least encrypted cloud backups, should be an option. This does provide PFS (perfect forward secrecy) in case a device is compromised, but when WhatsApp and Signal can use PFS and also allow you to back up your chats regularly, why can’t Telegram with 800 million users? Usability is as important as PFS in this case.

More Write-Ups#

  • Matthew Green, a professor at Johns Hopkins University who is quite good with cryptography, has written a great article on Telegram. It goes into a bit more detail; you can check it here.

  • Operational Telegram, if you want to read another, more detailed article on Telegram’s issues.

You may open a pull request for fixing typos. I will merge them as quickly as possible.

https://cx48.dev/blog/telegram-security
Author cx48
Published at August 26, 2024