Big flaws in Telegram's encryption system

Hanno Labuschagne

Hanno Labuschagne

Journalist
Staff member
Joined
Sep 2, 2019
Messages
6,453
Reaction score
4,733
Big flaws in Telegram's encryption system

Researchers from the University of London and ETH Zurich have documented significant problems with the security of Telegram's encryption system.

While Telegram fixed the four specific security flaws identified by the researchers, they also highlighted underlying problems to Telegram's general approach to encryption.

This has been a long-standing criticism against Telegram due to its use of a home-grown and closed source encryption scheme called MTProto.
 
bwana said:
End to end encryption.
Click to expand...
Yeah, IIRC it had end-to-end encryption before WhatsApp, but only in secret chats.

However, also IIRC, at the time Moxie Marlinspike was already working on integrating Signal Protocol into WhatsApp.

Also: Good PR. They managed to convince people they were more secure and private than WhatsApp even if they weren't necessarily.
 
I don't use Telegram for its encryption or privacy.

I don't use WhatsApp because I execrate the politically-inspired censoriousness of its owners. Even if WhatsApp has has better encryption, privacy, and so on, this is not enough to overcome my objection to its imperialist political pretensions.

My working assumption is governments will see what they want. But I don't want my eyes and usage to support private people who actively censor political views they don't like. Of course I believe they should be free to do so - it's their property, after all.
 
The main problem with everyone vs Telegram at its heart always come down to it not being open source and openly available for review.

It’s never been cracked (that I’m aware of) and never has data been obtained through the few discoveries of vulnerabilities.

The main issue is that people don’t seem to understand that Telegram’s default client-server-client is intentional to add additional functionality to the platform which is lacking on others and then knock it for not having end to end encryption which it does in fact have but it’s optional through use of Secret Chats.
 
My own view is that privacy, security and encryption are largely an idle and pointless fantasy when it comes to choosing and using messaging and communications systems. It's all software running on massmarket operating systems, and that means everything without exception is open and vulnerable to a greater or lesser extent.

Rather choose for other reasons, like function, convenience, ease of use, where your typical interactors are, etc.
 
Last edited:
I don't understand what they mean with the crime pizza attack?
 
Why not just use IRC? If you want to move people to Telegram IRC is also an option. Same effort and you control the servers and encryption.
 
hj007 said:
I don't understand what they mean with the crime pizza attack?
Click to expand...
Imagine you send four messages in the following sequence:
  1. I say yes to all the
  2. pizza
  3. I say no to all the
  4. crime
The vulnerability lets attackers change the sequence the messages are received so the context can be changed to:
  • "I say yes to all the crime"; and
  • "I say no to all the pizza"
Naturally this will immediately result in the TSA pulling you aside for an "enhanced screening" to ask what kind of monster you have to be to say "no" to all the pizza.
 
I'm not surprised something like this eventually made the news. It would be preferable for Telegram to adopt an encryption standard. Considering how difficult implementing any of these vulnerabilities would have been, calling the existing security 'brittle' seems dumb though. Especially when WhatsApp has genuine vulnerabilities that are far, far more serious.

But it's good that researchers are poking holes. Maybe it will cause Telegram to make the switch.

r00igev@@r said:
Never liked Telegram. Why the infatuation by some people?
Click to expand...

Why would you have a problem with Telegram? It's almost identical to WhatsApp but with loads more useful features, such as untethered desktop apps, cloud storage, huge group limits, better group admin controls and so on. Telegram is awesome.
 
r00igev@@r said:
Never liked Telegram. Why the infatuation by some people?
Click to expand...
It's mostly that they don't have an agreement to share the metadata upstream to a company like Facebook who actually profits out of location, identity, and contacts (all is metadata). So true it is more for folks who just want to stay away from Facebook as much as they can.
 
Danie_V said:
It's mostly that they don't have an agreement to share the metadata upstream to a company like Facebook who actually profits out of location, identity, and contacts (all is metadata). So true it is more for folks who just want to stay away from Facebook as much as they can.
Click to expand...
^ this

also Dubai based and not under USA jurisdiction, and seemingly principled about how they will earn money:
t.me

Pavel Durov

As Telegram approaches 500 million active users, many of you are asking the question – who is going to pay to support this growth? After all, more users mean more expenses for traffic and servers. A project of our size needs at least a few hundred million dollars per year to keep going. For...
t.me t.me
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X