For people who only read the headline, it's not as bad as the title might suggest. This attack requires backdooring the client, by which point it's already effectively game over in most threat models. The main advantage of this attack is that a compromised client can be sending "encrypted" messages that can actually be trivially decrypted by authorities, but that isn't immediately obvious to someone inspecting network traffic. Needless to say, this is a pretty pointless attack because nobody is manually inspecting every piece of data that their telegram is sending, and the client probably makes so many requests that it's trivial to smuggle data through some other side channel.
The threat model of the attack is targets relying on binary/source transparency of open source clients to protect against (state-sponsored) client backdoors; in that sense, it most closely resembles the Juniper/NetScreen Dual-EC attack, which functioned basically the same way: a backdoor that was essentially not auditable, as the underlying vulnerability was realized cryptographically.
I'm just clarifying. I agree the practical implications of the attack are not really meaningful to a general audience.
Excellent article about Telegram's encryption from Matt Green (cryptographer, for those who haven't heard of him):
https://blog.cryptographyengineering.com/2024/08/25/telegram...
I was gonna post "why do people keep calling it 'encrypted' if the encryption is not on by default?" It has always seemed odd to me that it is put into the same category as WhatsApp and Signal (which even those are a bit weird to compare).
What confuses me more is how passionate people are about Telegram. Weirdly I see those posts degrade into Signal vs Telegram and it really feels like apples and oranges but very one sided. I get that Telegram is more feature rich, and that's a good argument, but feels weird that many argue it is also more secure. Some of those arguments even appear in the thread r721 linked.
I like Telegram because it gets my friends & family to not do everything in SMS or iMessage. If I'm the only one using it, what's the point after all? Feature-wise, the app is nice to use, and one I can use on all platforms, even Linux.
Since it has a public API, I can easily make a custom frontend if I ever want to. Most social media does not offer this or tries to lock you into their shitty ecosystem.
I basically just treat it as unencrypted, but the pretend encryption features at least puts the company in a position where blatantly selling data would be a liability. In this respect, I place it on the same level as WhatsApp. Because even if WhatsApp has solid encryption, all it takes is one forced update from Meta to undo all that. They are like the inverse of each other.
My uncle is the only one I know who refused to use Telegram, insisting Signal was better and because he didn't want to use something with vague connections to Russia. Yet even he did not actually use Signal, and simply insisted if we should all switch to something it's either that or he sticks to SMS. So well, when I couldn't sell Signal to anyone else, Telegram it is, sorry uncle, but Verizon is pretty transparent about how they sell all my data.
HN discussion (2024): https://news.ycombinator.com/item?id=41350530
Thanks! Macroexpanded:
Is Telegram really an encrypted messaging app? - https://news.ycombinator.com/item?id=41350530 - Aug 2024 (583 comments)
and another one from the king of encryption in Go:
The Most Backdoor-Looking Bug I’ve Ever Seen
https://words.filippo.io/telegram-ecdh/
Note that this is about MTProto 1 and not the MTProto 2 under consideration here.
in short, you don't need access to the device, only to the same network
if you are on the same network and manage either to intercept the key to brute-force it or to guess the encryption key with the emoji, it's possible to decrypt the whole chat. It works because Telegram's random generator uses time and some device information, which is predictable
the study managed to decrypt 500 messages out of 500 on emulator devices. Brute-forcing takes like a few $100 worth of computing power
Honestly, the Durovs are exceptional people and entrepreneurs; however, their encryption and what they say isn't always what it's presented as
In a very real sense you do need access to the device to install the backdoored client.
There is no actual cryptographic weakness presented here...
can anyone explain why telegram doesn't use an audited e2e implementation? is it really because they wanted more convenient and faster cross-device sync? have they been threatened and/or backdoored by the fsb? they basically stole vk from him, but left him alone w/ telegram?
it's suspicious, but at the same time, iirc, nobody's been able to find a vulnerability in their encryption protocol :shrug
People have found vulnerabilities in MTProto.
IIRC, they had even started out with basic mistakes like MAC-then-encrypt.
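The MAC-then-encrypt point above is worth seeing concretely. The following is an added example, not code from the thread, from Telegram or from MTProto: a toy stream cipher (an HMAC-SHA256 keystream, so it runs with the standard library alone) wrapped once as encrypt-then-MAC and once as MAC-then-encrypt, plus a receiver that (as many real ones did) parses the decrypted bytes before checking the tag. The "format check" (decrypted text must be printable ASCII), the key values and the sample message are all constructed for the demonstration. With MAC-then-encrypt the two distinguishable errors let an attacker who can only submit forged ciphertexts recover the whole message, 256 queries per byte; with encrypt-then-MAC the same attacker learns nothing because no attacker-controlled byte is ever decrypted.

```python
"""Encrypt-then-MAC vs MAC-then-encrypt with a receiver that parses before it
authenticates. Added example; toy PRF-counter-mode cipher, not AES or MTProto."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32
NONCE_LEN = 16
PRINTABLE = frozenset(range(0x20, 0x7F))  # what the toy receiver "parses" for


def _keystream(key_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Block i = HMAC(key_enc, nonce || i). A PRF in counter mode; toy only."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key_enc, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Encrypt-then-MAC: the tag covers nonce||ciphertext and is checked first.
def etm_encrypt(key_enc: bytes, key_mac: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key_enc, nonce, len(plaintext)))
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_decrypt(key_enc: bytes, key_mac: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad mac")       # nothing attacker-controlled was decrypted
    pt = _xor(ct, _keystream(key_enc, nonce, len(ct)))
    if not set(pt) <= PRINTABLE:
        raise ValueError("bad format")    # only reachable for authentic data
    return pt


# --- MAC-then-encrypt: tag over the plaintext, then plaintext||tag encrypted.
def mte_encrypt(key_enc: bytes, key_mac: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce or os.urandom(NONCE_LEN)
    inner = plaintext + hmac.new(key_mac, plaintext, hashlib.sha256).digest()
    return nonce + _xor(inner, _keystream(key_enc, nonce, len(inner)))


def mte_decrypt(key_enc: bytes, key_mac: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    inner = _xor(ct, _keystream(key_enc, nonce, len(ct)))  # decrypts forged data
    pt, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not set(pt) <= PRINTABLE:
        raise ValueError("bad format")    # BUG: parses before authenticating
    if not hmac.compare_digest(tag, hmac.new(key_mac, pt, hashlib.sha256).digest()):
        raise ValueError("bad mac")
    return pt


def recover_plaintext(blob: bytes, oracle, pt_len: int):
    """Attacker view: only the blob and the receiver's error type.
    XORing ciphertext byte i by d XORs plaintext byte i by d (stream cipher), so
    the set of d for which the format check passes is {pt_i ^ c : c printable}.
    PRINTABLE has odd size, so no two byte values give the same set and pt_i is
    pinned down uniquely. Returns None when the receiver leaks nothing."""
    recovered = bytearray()
    for i in range(pt_len):
        passes = set()
        for d in range(256):
            forged = bytearray(blob)
            forged[NONCE_LEN + i] ^= d
            try:
                oracle(bytes(forged))
                passes.add(d)             # d == 0: untouched message accepted
            except ValueError as e:
                if str(e) == "bad mac":   # format passed, only the MAC failed
                    passes.add(d)
        cands = [p for p in range(256) if {p ^ c for c in PRINTABLE} == passes]
        if len(cands) != 1:
            return None
        recovered.append(cands[0])
    return bytes(recovered)


if __name__ == "__main__":
    k_enc, k_mac, msg = b"\x01" * 32, b"\x02" * 32, b"Meet at 9"   # constructed
    mte_blob = mte_encrypt(k_enc, k_mac, msg)
    print("MtE leaks:", recover_plaintext(mte_blob, lambda b: mte_decrypt(k_enc, k_mac, b), len(msg)))
    etm_blob = etm_encrypt(k_enc, k_mac, msg)
    print("EtM leaks:", recover_plaintext(etm_blob, lambda b: etm_decrypt(k_enc, k_mac, b), len(msg)))
```

The receiver's "bug" is deliberately mundane: it is exactly the parse-then-verify order that made CBC padding oracles practical, and the only fix that removes the whole class is to authenticate the ciphertext before any other code touches it, which is what encrypt-then-MAC (or an AEAD mode) enforces by construction.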
1,2) NIH syndrome 3) We don't know 4) Expropriation isn't "basically stolen", Telegram was a tiny side project at the time
The first version of MTProto was found to have weaknesses.
The reason they rolled their own was because it came out before the Double-Ratchet/Axolotl protocol and OTR (which double-ratchet is essentially based on) was extremely inconvenient to use properly and had its own weaknesses.
> The reason they rolled their own was because it came out before the Double-Ratchet/Axolotl protocol and OTR (which double-ratchet is essentially based on) was extremely inconvenient to use properly and had its own weaknesses.
this actually makes a lot of sense lowkey, thanks :)
Reminder that Telegram has "end to end" encryption only for direct messages; the rest is client-server, which they seem to believe is just as good as end-to-end.
*for direct messages in secret chats, which you have to enable explicitly and which reduces user experience in comparison to normal chats.
*only on non-GNU/Linux systems.
4 replies →
It's weird that you can delete a message for you and for the other person too.
I doubt client-server is the only way to accomplish this.
client-server is good enough, if you trust the server.
If you don't trust the server, then you shouldn't trust them to supply you a client either. Since a client is basically "whatever code they decided".
Very few people are building from FOSS, and those that do will include binary blobs too. It's theatre.
There are basically zero practicing cryptography engineers who would agree with the logic you've used here, but I acknowledge this is also something Durov believes.
5 replies →
(2023)
Lex Fridman recently did an interview with Durov: https://lexfridman.com/pavel-durov/
I listened to bits of it and I was disappointed by the lack of push back from Lex, who was super excited because he got to hang out with Durov for a couple of weeks in Dubai - the tl;dr I got from what I heard is that Telegram is amazing and Durov is a visionary freedom fighter. Given Lex's recent history, I'm not surprised though.
Here's the transcript of the section about encryption: https://lexfridman.com/pavel-durov-transcript#chapter15_encr... I'll let you judge for yourself.
I'll comment on another section though because I'm somewhat knowledgeable having followed the subject closely in the media and by knowing the country: https://lexfridman.com/pavel-durov-transcript#chapter7_roman...
He claims: 'So, by the time the head of intelligence services met me to ask about Romania to help them silencing conservative voices in Romania, I was already wary of what can be going on next.'
I call bullshit on this. The 'conservative voices' are muppets doing Russia's bidding who broke all sorts of election laws. There was nothing serious happening on Telegram in Romania that would warrant any foreign intervention, it just doesn't make sense.
Is this really something new? If memory serves, Telegram has had its own crypto since the beginning, and I don't remember anything about it ever being audited by... Well, anybody?
Granted, I don't know how MTProto actually works all that well, but IMO Telegram should've just used Noise or something. Would've saved them a lot of trouble. Although that doesn't really resolve the underlying problem that people think Telegram is secure when it's not (i.e., you have to explicitly enable E2EE and it's off by default), at least last time I checked. I haven't used telegram in years so my knowledge might be out of date though.
Well, the article is from 2023, but what you remember is most likely MTProto version 1, which was even more ridiculously broken, iirc
> Granted, I don't know how MTProto actually works all that well
I suppose it's what the actual goals of the app are, potentially it works out very well for someone.
telegram is NOT safe. Far from it.
It was audited, found to have some serious flaws[0], then those were rectified.
Most people dislike Telegram because:
A) It takes away from Signal's market share
B) They don't enable E2EE by default
C) They're owned by Pavel Durov, the Russian Zuckerberg.
I am aware that it's an unpopular opinion, but the FUD spread against Telegram and the hagiographies of Signal make me think something weird is going on.
Telegram has third party clients, so you can just roll your own client that runs another encryption on top if you want, like Pidgin used to do with OTR.
[0]: https://mtpsym.github.io
People in the US prefer Signal over Telegram because Signal was created by people who took security seriously, and Telegram wasn't.
People outside the US prefer Telegram because they assume that Signal is probably compromised, or at least highly vulnerable to compromise, by US intelligence - they trust Pavel Durov's history of expropriation and arrest more than they trust some nerds who claim that their product is secure.
As someone that uses Telegram almost every day, the sad truth is that most messages are not private. Most people simply don't use "secure chats". Not only is it not the default, but encrypted chats also don't work across devices.
So it shouldn't be a surprise that Signal users speak against Telegram. It's simply not private for most people. It's like recommending using Facebook Messenger (pre-E2EE)... privacy minded people won't do that. Signal itself is criticised by other more privacy minded users because it requires a phone number.
Signal doesn't have the best call quality (voice/video) especially on slow connections, sending media can be a pain in the rear, their desktop client is way too simple, they move slowly, etc. Telegram beats them in almost everything, but not privacy...
Between having to trust Durov forever with our texts and a system that uses e2ee by default and may or may not (no proof) have some flaw, I think most people that want privacy will use the option that uses e2ee for everything.
D) They don't enable E2EE for groups at all
E) (I believe) don't enable E2EE with more than one device
14 replies →
I like how you sandwiched "the encryption story is bad" between two irrelevant social claims.
D) They moved to the enshittification phase and started displaying ads
I mean Durov is going down the deep end in the last few weeks. Messaging all Telegram users with an Emergency feature with a doomer manifesto.
https://t.me/durov/452
8 replies →