Cedric Fung


Telegram is NOT Secure

Jun 21, 2020

Telegram is an excellent instant messaging service with plenty of innovative features. It's also very open: with its open protocol and API, developers can build almost anything around it, and so can designers.

Secret Chat Mode

Telegram has a secret chat mode that uses an in-house cryptographic protocol designed by the Telegram team. In almost ten years, no real hacks of this end-to-end encrypted mode have been reported. Secure enough.

However, secret mode is not enabled by default, and it requires both parties to be online; otherwise nobody can send messages at all. The mode doesn't support group chats either. Another drawback is that secret chats won't sync to other devices, which frustrates the average Telegram user.

All these inconveniences lead to very low usage of secret mode (I have no data on this, only my assumptions from people around me). That said, most people will use the default chat mode. That's still OK if people are properly educated by the service itself, so that they know the potential risks.

Dangerous Security Assumptions

Before asynchronous end-to-end encrypted messengers became widely usable, Telegram was once a more secure choice compared to others. Many privacy pioneers, including the EFF, recommended Telegram as the most secure messenger service.

People preferred Telegram for its encryption and privacy, but it has already fallen far behind in this area: MTProto has remained unchanged for years, and there have been no other usability improvements to Telegram's secret chat mode.

However, many people still haven't changed their attitude toward Telegram. There are historical reasons, but the continuous promotion of Telegram's encryption feature is the main reason people send sensitive messages and files through the service without knowing the risk that anyone with access to Telegram's servers could view their messages.

Secure Messengers

Encryption technology has improved enormously, and we have much better choices. Signal is the most widely used end-to-end encryption protocol, with billions of devices running Facebook Messenger and WhatsApp. Yes, Facebook has a bad reputation on privacy, but math is always more important than reputation when it comes to encryption and security.

The most secure messenger using the Signal protocol is inarguably Signal Messenger: besides end-to-end encrypted messages, almost all metadata is also encrypted. Whistleblowers, privacy advocates, journalists, and security technologists all recommend Signal as the most secure messenger.

About the Author

Core developer of Mixin Network. Passionate about security and privacy. Strives to formulate elegant code, simple design and friendly machines.

25566 @ Mixin Messenger