Is Telegram the Best in Class for Privacy? (TL;DR: Nope)
#telegram#signal#openwhisper#privacy
🦄N B🛡

🦄N B🛡 @v6

About: // , “It is not so important to be serious as it is to be serious about the important things. The monkey wears an expression of seriousness... but the monkey is serious because he itches."(No/No)

Location:
(No/No)
Joined:
Mar 1, 2018

Is Telegram the Best in Class for Privacy? (TL;DR: Nope)

Publish Date: Apr 11 '20
7 12

I do not typically recommend the Telegram application for private messaging, neither to technical neophytes nor to those of us more advanced in the ways of InfoSec.

Especially because any people who would be willing to get a more secure messaging application might as well get an app backed by more solid encryption & a UX with more secure defaults. Which Telegram is, well, not.

I have come across some reviews of Telegram's implementation. The Telegram creators "rolled their own" custom built encryption algorithm, and made some questionable choices in the process.

Chats are not encrypted by default.

Telegram developers can in overwhelming majority of cases read peoples' messages. And I have heard rumors, though I cannot confirm them, that some Telegram server operators have begun to exercise some minimal editorial prerogatives by monitoring and removal of content they deem objectionable. Perhaps there's a rationale for that, but "we find your message content objectionable" doesn't reassure me that my message content is private.

TLDR: Telegram's private chats are more secure than SMS, and have, by dint of hard work, earn the coveted "banned in Russia/Iran" stamp of approval. But Telegram's relatively good UI hides a relatively questionable underlying implementation.

It's not just me. Others are skeptical of Telegram's underlying security as well, especially in comparison to applications designed for the purpose of keeping message content private by default, like Signal Private Messenger or Keybase.

Source:
On the CCA (in)security of MTProto

Links that at least good for showing "I'm not the only grumpy troll out there who's skeptical of this BS.":
https://news.ycombinator.com/item?id=16795219
https://news.ycombinator.com/item?id=6913632
https://www.schneier.com/blog/archives/2016/06/comparing_messa.html

Comments 12 total

  • Nico S___
    Nico S___Apr 11, 2020

    I Think Signal is better still, it has end to end encrypted video calls on mobile. And a desktop app too

    • 🦄N B🛡
      🦄N B🛡May 16, 2020

      I wish they'd improve the security of the desktop app (Deno, anevyone?), but Signal's pretty good. And they have made the surprisingly rare move of supporting and publishing a protocol.

      I hope one day there is a secure messaging protocol with the interoperability of SMTP, so that Signal users could send to WhatsApp or Facebook users.

  • 🦄N B🛡
    🦄N B🛡May 14, 2020

    1-2-3-4 I declare a flame war!

    But seriously, glad I finally found someone willing to disagree with me on this. I don't actually think Telegram's a bad tool. Truth be told, I'm more frustrated with what keeps it from becoming a great tool.

    the message sending protocol

    Anyway, to which type of chats are you referring? The Secret Chat that I wish was the default, or the trash that's the current default?

    The architecture is extremely flexible in that it can (and does) transmit the already encrypted packages using any available transfer protocol.

    As I understand it, this is how most of the best in class end to end encryption systems work. For example, if it's encrypted at layer 7 it could be sent over SMS. 37coins set up an SMS Bitcoin wallet with credible security guarantees based on this kind of thing. But in the case of Telegram, doesn't all that heap of awesome only apply to the Secret Chat option?

    Also, keep in mind that I didn't explore the question of mere encryption, but its intended result: Privacy

    Which depends just as much on UX and product management as it does on any kind of encryption mechanisms.

    Here's how I understand "roll your own" cryptography.

    ...it's not readily available on GitHub or at the NSA offices...

    I think it's bad for at least one reason: Because I don't think we can afford to be so sure about the latter part of the quoted phrase above.

    The National Surveillance Agencies in recent years are back in the J Edgar Hoover days, and that's to say nothing of the rise of the SSF/FSB.

    Say the National Surveillance Agencies just so happens to have the source code, algorithms, and access to devs. We the people still don't. That's an information imbalance that disfavors you, me, and the crypto community at large. And open sourcing a crypto algorithm or a protocol that makes use of it helps close the gap.

    It's not so much that "roll your own" encryption is necessarily bad, more that the high stakes of crypto magnify the benefits of a FOSS approach.

    This is NOT the same as saying it's "security by obscurity"...

    So, security by what? Hiding the source code from anyone but the developers and, presumably, the major nation state surveillance organs, is what? Security by restricted access control?

    Also, you gonna address the Telegram admins' rumored exercise of "editorial privilege"? "Private Chats! But some are more private than others, you see. Which ones? We don't need to make that quite so obvious or opt in, now, do we?"

  • 🦄N B🛡
    🦄N B🛡May 15, 2020

    Fie! My gifs and outdated pop culture references shall blot out the sun!

    If it were just me, I'd say I'll douse it for a month to do some homework and re-light the torch then.

    But first I should write on behalf of the original source of my skepticism, a crypto nerd far nerdier than me. This is the diagram that one of my crypto friends looked at and shook his head "nuh-uh" in a matter of minutes:

    "Zoom, enhance"

    But I'll admit, that was back in the dark days of the 1.0 version.

    I've already noticed some eyebrow raisers, at which I did indeed arch an eyebrow, in 2.0. For instance, for a protocol designed for end-to-end encryption between clients, the trust model for the key generation seems to include a lot more server than I'd expect. As in, any at all.

    Also, I get if they don't want to publish the source code for this, but why not at least the math? And let poor schlubs like me at least LARP as people who can math things?

    The sentiment of a quote from one of the more critical articles (which I thought was a bit too one-sided) on Telegram's "soooper-seeekrit" algorithm and source code seems to echo my own, here:

    "...That said, I don’t know if it’s broken. But it’s just weird.”

    ---gizmodo.com/why-you-should-stop-us...

    P.S. As the initial belligerent (aka OP), I feel I must concede to you the last word.

  • Dave
    DaveMay 15, 2020

    I read the article, then sat here shaking my head at the links to ycombinator threads as source opinions here.

    Have a much better source, eprint.iacr.org/2015/1177.pdf

    From the abstract:

    Our main discovery is that the symmetric encryption scheme used in Telegram – known as MTProto – is not IND-CCA secure...

    And:

    We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack.

    So, "best in class?" No, but "sufficient for most of the masses?" Probably.

    • 🦄N B🛡
      🦄N B🛡May 16, 2020

      I read the article

      See, that was your first mistake.

      But seriously thanks, I've added "On the CCA (in)security of MTProto" to the list of links at the bottom. That list of links wasn't intended as "sources." That article is indeed worthy as a source.

      Thanks for the suggestion!

      And perhaps I should make it less implicit that what I consider "best in class" in my post here is "best in class" for recommending to people relatively unfamiliar with security stuff; "the masses".

      Like, Grandma doesn't want the NSA stealing her secret cookie recipes, and asks for one of them secret chat thingies (they've been naughty!). Or a friend just got a job as a congressional aide/CEO assistant/regulator/software developer and wants to up the InfoSec game. What do?

      And hey, Y Combinator isn't that bad, at least for showing "I'm not the only grumpy troll out there who's skeptical of this BS."

      • Dave
        DaveMay 16, 2020

        perhaps I should make it less implicit that what I consider "best in class" in my post here is "best in class" for recommending to people relatively unfamiliar with security stuff; "the masses".

        See, for grandma, Telegram is just fine, because it's "better than WhatsApp". For medium requirements, I use Zendo, for its OTP feature. I also use Signal (for medium rated voice calls).

        For things that require true SC, in person, in a secured location.

    • 🦄N B🛡
      🦄N B🛡May 16, 2020

      I still kind of disagree with this:

      "sufficient for most of the masses?" Probably.

      I don't disagree in comparison to SMS, but I do not think that's a fair enough comparison.

      • Dave
        DaveMay 17, 2020

        Grandma doesn't need security to share recipes. Her problem is more likely using 2FA, rather than the fact her 2FA uses SMS.

        The average Joe is the same. Some, even weak security, is good enough.

        C-level employees, probably want better than Telegram. Any state officials using Telegram probably need firing.

        It's all relative. Hell, there's an argument for actively using plaintext too, when you WANT the opponent to know what your saying.

        Privacy for the sake of privacy just fuels the arms race. I don't care who knows my shopping list. But I don't do company work on public WiFi.

Add comment