Source: Block unicorn
About the author: Matthew Green is a cryptographer and professor at Johns Hopkins University. He designs and analyzes encryption systems used in wireless networks, payment systems, and digital content protection platforms, and his research examines the various ways encryption technology can be used to protect user privacy.
This article was prompted by the recent and worrying news that Telegram CEO Pavel Durov was arrested by French authorities for failing to adequately police content on the platform. I don't know the specifics of the case, but using criminal charges to coerce social media companies is a concerning escalation, and the situation is not as simple as it appears.
But I don’t want to talk about this arrest today.
What I want to talk about is one specific detail in the reporting: almost every news report about this arrest refers to Telegram as an "encrypted app." Here are a few examples:
[Screenshots of news headlines describing Telegram as an "encrypted app"]
This statement drives me crazy because, from a very narrow technical perspective, it isn't wrong. On every level that matters, however, it misleads people about what Telegram is and how it works in practice. That misinformation hurts both journalists and Telegram users, some of whom could be seriously harmed as a result.
Now let's get down to the details.
Is Telegram encrypted?
Many systems use encryption in some form. But when we talk about encryption in the context of modern private messaging services, the word usually has a very specific meaning: it refers to the use of default end-to-end encryption to protect the content of users' messages. When deployed in an industry-standard manner, this feature ensures that each message is encrypted using keys known only to the communicating parties and unavailable to the service operator.
From your perspective as a user, an "encrypted messaging app" means that every time you start a conversation, your messages can only be read by the person you're chatting with. If the operator of the messaging service tried to view the content of your messages, all they would see is useless encrypted data. The same assurance applies to anyone who hacks into the provider's servers and, for better or worse, to law enforcement agencies that serve subpoenas on the provider.
Telegram clearly doesn't fit this stricter definition, for one simple reason: it does not enable end-to-end encryption by default. If you want end-to-end encryption in Telegram, you must manually enable an optional feature called "Secret Chats" for each private conversation. This feature is explicitly not enabled for most conversations, and it only works for one-on-one conversations, never for group chats with more than two people.
Stranger still, for an "additional feature", actually turning on Telegram's end-to-end encryption is quite troublesome for non-expert users.
First, the button to activate Telegram's encryption is not visible in the main chat window or on the home screen. To find it in the iOS app, I had to tap at least four times: once to reach the user's profile page, once to pop up a hidden menu of options, and finally to confirm that I wanted to use encryption. And even then, I couldn't actually start an encrypted conversation, because the "Secret Chat" feature only works if the person you're talking to happens to be online.
[Screenshots of the Telegram iOS app: Michael's profile page, the hidden options menu, and the confirmation dialog]
Starting a "secret chat" with my friend Michael in the latest Telegram iOS app. The option is not visible from the normal chat interface; launching it requires four taps:
Enter Michael's profile page (pictured left),
Click the "…" button to reveal the hidden set of options (middle image),
Select "Start Secret Chat",
Tap OK in the "Are you sure you want to continue?" confirmation dialog. Even after that, I still couldn't send Michael any messages, because Telegram's secret chat feature only works when the other person is online as well.
Overall, this is a very different experience from starting a new encrypted chat in a modern, industry-standard encrypted messaging app, where you simply open a new chat window.
This may seem like nitpicking, but the difference between default end-to-end encryption and this experience can be significant. In practical terms, it means that the vast majority of one-to-one Telegram conversations, and every group chat, can potentially be read and recorded by Telegram's servers, including the full content of every message sent between users. This may or may not be a problem for every Telegram user, but it obviously shouldn't be promoted as particularly secure encryption.
(If you're interested in the details, and some further criticism of Telegram's actual encryption protocol, I'll elaborate further below.)
Does default encryption really matter?
Maybe it does, maybe it doesn't! There are two ways to look at this.
One angle is that Telegram's lack of default encryption is perfectly fine for many people. The reality is that many users simply don’t use Telegram as an encrypted private messaging tool. For many people, Telegram is more of a social media network than a private messaging app.
Specifically, Telegram has two popular features that make it ideal for this type of application. One is the ability to create and subscribe to "channels." Each channel is like a broadcast network, and one person (or a few people) can push content to millions of readers. When you're broadcasting a message to thousands of strangers, it's not that important to keep the content of your chat private.
Telegram also supports large public group chats with thousands of users. These groups can be open to the public or set up to be invitation-only. While I personally would never consider sharing a group chat with thousands of people, I've heard that many people like this feature. In a large public group like this, the unencrypted nature of the Telegram group chat doesn't really matter that much - after all, who cares about encryption when you're talking in a public square?
But Telegram is not limited to these features, and many users who come for them also do other things with the app.
Imagine you are taking part in a large group chat in a "public square." In that setting there may be no expectation of strong privacy, so end-to-end encryption is not important to you. But suppose you and five friends leave the square to have a private conversation. Does that conversation deserve strong privacy protection? It doesn't matter what you think, because Telegram doesn't offer that protection, at least not in the default setting, where nothing stops Telegram's servers from seeing the content.
Similarly, say you use Telegram's social media features primarily to consume content rather than generate it. One day a friend, who also uses Telegram for similar reasons, notices you are on the platform and decides to send you a private message. Are you worried about privacy at that moment? Will you manually turn on the "secret chat" feature, even though it requires four explicit taps through a hidden menu and will stop you from communicating immediately if one of you goes offline?
I strongly suspect that many people may have joined Telegram for its social media features but will also end up using it for private chats. I think Telegram knows this and tends to promote itself as a "secure messaging app" and talk about the platform's encryption features precisely because they know it will make people feel more comfortable. But in reality, I also suspect that few of these users are actually using Telegram’s encryption features. Many users may not even know they need to manually turn on encryption and may think they are already using encryption.
This leads me to my next point.
Telegram knows its encryption is difficult to turn on, but continues to market its product as a secure messaging app.
Telegram’s encryption features have been heavily criticized since 2016 (probably earlier) for many of the reasons I mentioned in this article. In fact, many of these criticisms were made by experts, including myself, in conversations with Pavel Durov on Twitter many years ago.
Despite some acerbic exchanges with Durov, at the time I still mostly believed Telegram had good intentions. I assumed Telegram was busy growing its network and that, over time, it would improve the quality and usability of end-to-end encryption on the platform: for example, by making it the default, supporting group chats, and making it possible to start encrypted chats with offline users. My guess was that while Telegram might be a follower rather than a leader, it would eventually reach a level of encryption functionality comparable to Signal and WhatsApp. Of course, another possibility was that Telegram would abandon encryption entirely and focus on becoming a social media platform.
What actually happened puzzles me even more.
Telegram's owners have not improved the usability of its end-to-end encryption; the encryption user experience has remained virtually unchanged since 2016. Despite some upgrades to the underlying cryptographic algorithms, the Secret Chat user experience in 2024 is virtually the same as it was eight years ago. Meanwhile, Telegram's user base has grown seven- to nine-fold over the same period.
Meanwhile, Telegram CEO Pavel Durov continues to actively promote Telegram as a "secure messaging app." Recently, he has made sharp criticisms of Signal and WhatsApp on his personal Telegram channel, suggesting that these systems are backdoored by the US government and that only Telegram's independent encryption protocol is truly trustworthy.
This might be understandable if it were a legitimate technical argument between two platforms that both support end-to-end encryption by default. But Telegram really has no place in this discussion. It's no longer amusing to watch Telegram encourage users to stay away from messaging apps that encrypt by default while it refuses to implement the basic features that would broadly encrypt its own users' messages. In fact, it's starting to look a little malicious.
What other encryption details are there?
This is a cryptography blog, so I'd be remiss if I didn't spend some time explaining boring cryptographic protocols. I'd also be missing a great opportunity to marvel at the internal details of Telegram's encryption, which leave me dumbfounded almost every time I look at them.
To make it less painful, I'll cover the details in one paragraph, so feel free to skip it if you're not interested.
Telegram's Secret Chat feature is based on a custom protocol called MTProto 2.0, according to what I believe is the latest encryption specification. The system uses 2048-bit finite-field Diffie-Hellman key exchange, with group parameters (I think) chosen by the server. (Because Diffie-Hellman key exchange requires both users to interact online, a secret chat cannot be set up while one user is offline.) MITM protection is left to the end users, who must compare key fingerprints. The server also supplies some strange random nonces whose purpose I don't entirely understand* (these once made the key exchange completely insecure against a malicious server, though that issue has long since been fixed*). The resulting key is then used in a most remarkable, non-standard authenticated encryption mode called Infinite Garble Extension (IGE), which is built on AES and uses SHA2 for authentication.**
Note: In the paragraph above, everything I marked with a "*" is a point at which an expert cryptographer would raise his hand and ask a question in a context similar to a professional security audit. I'm not going to get into it, but suffice it to say that Telegram encryption is very unusual.
If you asked me to guess whether the protocol and implementation of Telegram's secret chats are secure, I'd say probably yes. Honestly, though, it doesn't matter: how secure it is makes no difference if people don't actually use it.
Block unicorn note: Simply put, Telegram’s encryption system uses some complex technologies to protect information, but in terms of user experience, its setup and use are relatively complicated. Some of the technical details may feel opaque, particularly the use of random numbers and how keys are protected.
Finally
While end-to-end encryption is one of the best tools we’ve ever developed to prevent data breaches, it’s not the whole story. One of the biggest privacy issues in messaging is the vast amount of metadata — basically data about who is using the service, who they are talking to, and when they are talking.
This data is typically not protected by end-to-end encryption. Even in broadcast-only apps, like Telegram's channels, there's a lot of useful metadata about who's listening to the broadcast. The information itself is valuable to people, as evidenced by the huge amounts of money traditional broadcasters spend collecting this data. Currently, all of this information may exist on Telegram's servers, available to anyone who wants to collect it.
I'm not criticizing Telegram specifically here, because the same problem exists with almost every other social media network and private messaging app. But it should be mentioned, and I raise it so that you don't come away thinking that just having encryption is enough.
This article is reprinted with permission from: "Foresight News"
Original author: Matthew Green