Is Telegram secure?

  • There is a new WhatsApp-killer application called Telegram. They said that it's open source and that it has a more secure encryption.

    But they store all the messages in their servers and WhatsApp doesn't store any messages in any server, only a local copy in the phones.

    Is Telegram more secure than WhatsApp?

    In short, I'd say nothing is secure that works as easy as Telegram, WhatsApp, Skype, BlackBerry, etc. All of those (except WhatsApp) have promised end to end encryption, and so far only Telegram is not known to hand over their encryption keys to governments, simply because they are not big enough yet. Somehow Microsoft and Blackberry made it possible to break their own security and provide India and the United Arab Emirates with some plaintext. I wouldn't put it past *any* app to do this. For real security, use trusted tools like PGP/GPG or OTR.

    They did a roll-your-own on their encryption... So, no. Hilarity from the future, enjoy! Said someone who examined it, "The crypto is like being stabbed in the eye with a fork."

    Judging from the fact that the Russian gov won the trial related to the encryption and ordered them to subdue their keys, no.

  • Correct answer

    7 years ago

    TL;DR: No, Telegram is not secure.

    I'd like to ignore the comparison to WhatsApp because WhatsApp does not advertise itself as a "secure" messaging option. I'd like to instead focus on whether Telegram is secure.

    Telegram's security is built around their home spun MTProto protocol. We all know that the first rule of Cryptography is Don't Roll Your Own Crypto. Especially if you aren't trained cryptographers. Which the Telegram people most certainly aren't.

    The team behind Telegram, led by Nikolai Durov, consists of six ACM champions, half of them Ph.Ds in math. It took them about two years to roll out the current version of MTProto. Names and degrees may indeed not mean as much in some fields as they do in others, but this protocol is the result of thougtful and prolonged work of professionals.

    Source: https://news.ycombinator.com/item?id=6916860

    Math Ph.Ds are not cryptographers. The protocol they invented is flawed. Here is a nice blog post explaining why. In addition to that, Telegram has issued a rather ridiculous challenge offering a reward to anyone who can break the protocol. Except that the terms they set makes even the most ridiculously weak protocol difficult to break. Moxie Marlinspike has a nice blog post explaining why the challenge is ridiculous.

    So, no. Telegram is by no means secure. For commonly accepted definitions of secure, not the one Telegram made up.

    If you want a real secure means of communication on your phone, look to more reputable projects such as Signal or WhatsApp (which, since this answer was first written, now uses the Signal Protocol for end-to-end message encryption).

    UPDATE

    • 09 January 2015: A new 2^64 attack On Telegram has been announced.
    • 12 December 2015: A new paper demonstrating that MTProto is not IND-CCA secure.
    • 22 December 2017: Replaced outdated recommendation for CryptoCat with a more up-to-date recommendation for Signal and WhatsApp.

    Yes, Threema is 'trust no one': they don't have the keys so they cannot decrypt your messages. It costs $2 IIRC. Threema also does authentication on several levels, the strongest being that if you exchange QR code between phone displays, you know from that moment on that you are communication with that phone ('person' would be incorrect, someone could have stolen your contacts' phone).

    Reiterates lots of the criticism, but so far I have yet to hear a non-theoretical vulnerability. Can anyone read encrypted messages as they go over the wire, change contents without the other party noticing (even if the attacker doesn't know what the decrypted output will be), or spoof the sender? If not, I don't see a problem with this self-designed protocol. All protocols have been designed by one team or another at some point.

    @Luc I really wish I can downvote comments. Really? Non-standard crypto doesn't make you nervous? Do you want to encourage people to use crypto protocols without strong theoretical foundations? What happens when adoption reaches critical mass and a serious vulnerability is found? Yes, protocols need to be designed by people. But the people designing them should be trained cryptographers and the protocol needs to be peer reviewed by other trained cryptographers.

    @TerryChia I understand your point, and I too distrust any crypto in new apps, but I don't think this is the major concern when using Telegram right now. The protocol has been looked at by a few smart people and so far I've yet to hear actual issues, so that in my opinion that moves it from "distrusted" to "probably one of the lesser issues". Things like not having plausible deniability, leaking metadata, devices being pwned, people not comparing the encryption key out of band, etc. seem like much bigger issues when deciding whether one should say product X can be ultimately trusted.

    @Luc the point that Terry mentioned, which I wholeheartedly agree, is that if (when) an actual issue is found, it may be too late if it has already got critical mass, and because messages are stored on the server.

    You've proven that Telegram uses a non standard protocol, that, we already know. But who knows, it might turn out to be secure, no one has objectively examined MTProto yet. The only claim is "This is not standard, therefore this is not secure".

    Using Cryptocat as an security exemplar is actually quite dangerous. It has a very controversial history, and lots of well known security professionals think it's actually dangerous. So, please remove that from your answer. You should also mention that Moxie worked for OpenWhisper. And that OpenWhisper don't have a usable iOS client.

    An update would be nice. Telegram responded to the linked blogs and it looks like a lot of accusations were based on an out-dated documentation or misunderstanding of it. They also adjusted rules for their hacking contest. Therefore this answer seems deprecated to me.

    The "Unhandled expression" article contains serious errors and is not a reliable source. Please consider not referencing it. An example of an error (out of many): "Encryption can happen end to end between clients, but there is no authentication, so the server can perform a MITM attack." http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/

    @JanDoggen Threema is "trust our closed code to be doing what it's claiming to be doing".

    Just found out that EFF has given 7/7 of it's secure messaging checklist to Telegram secret chat https://www.eff.org/secure-messaging-scorecard

    @ChristianStrempfer Where is Telegram's reply? I can't find it on the blog. I'm really interested in seeing what they have to say.

    @Seth: There are several answers on https://news.ycombinator.com/item?id=6916860. They also updated their TechFaq. Telegram is not as secure as some alternatives, but it is not insecure. Even in the blog post on alexrad.me it is estimated that full attack costs will be in tens of millions US dollars. That's enough for most users. If you're life is at risk, use another messenger.

    @Bibhas I have no idea where that figure is from but it’s pure fantasy. For instance, it credits Telegram with having an open, auditable source code. But only parts of the code are (still!) open, and (like in most/all other programs) there’s no verifiable build process. The EFF scoreboard a farce, really. “Points for trying (or pretending)” are nice and all but not an indicator of security.

    I'd like to recommend prepending a small header with "TL;DR: No it's not" with a hyperlink to the MTProto paper.

    History bears out that Telegram's "Roll your own Security Spliff" produces dreams of protection. Seriously broken and not theoretically so...

    So, more than a year later, the very insecure protocol and application is still not broken. :)

    Why does this answer still list Cryptocat as a 'real secure alternative'? Given its history, that seems quite a dangerous recommendation.

    According to a recently leaked documents ("COMPANY INTELLIGENCE REPORT 2016/080" page 6) post on an NOS.nl article, Telegram is insecure: "His/her understanding was that the FSB now successfully had cracked this communications software". There are no details available yet about the validity of these claims.

    @Ken Van Hoeylandt Read Telegram's response here. Allegedly, the weakness is not Telegram's encryption but the SMS auth. Which is easier: breaking a wall or opening a door with no lock? The Russian government was able to hijack SMS from Russian service provider MTS and takeover any account. The same attack was done in Iran and Germany. Everyone should stop using SMS. SMS is not secure. Anyone, even a teenager, can hijack SMS.

    Both links in the answer body lead to 404 for me. Should they be replaced with link to web archive in this case?

    Any security review that ends with recommending Signal as secure automatically disqualifies itself. Independently of the other arguments being true or false. "Math Ph.Ds are not cryptographers" made me laugh. Most Math Ph.Ds I know are cryptographers. What else would you do with a PhD in math? ;)

    There is absolutely no reason to assert that a Math Ph.D cannot be a cryptographer

    @Andreas "Any security review that ends with recommending Signal as secure automatically disqualifies itself" Why is that? Are there any known security issues regarding Signal?

    @Bibbas The EFF scorecard link has been moved and it is worth noting it gave 7/7 to *Telegram (secret chats)*, not to *Telegram* standard chats. Furthermore, if we want to listen to EFF (and I'm not saying we shouldn't), then note they are not recommending any other messenger but Signal in their security-self-defense how tos.

    The "real secure" Signal desktop app saves attachments unencrypted to your disk...

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM