This blog is dedicated to real cryptographic topics, so ordinarily this isn’t a topic I would spend time on here. But much as I’d like to write about interesting things, sometimes it’s important to spend a bit of effort on what Brad Delong calls “Intellectual Garbage Pickup” — namely: correcting wrong, or mostly-wrong ideas that spread unchecked across the Internet.
So in this post I’m going to talk about Telegram, and try to answer the question of whether it’s an “encrypted messaging app.” (NB: it mostly isn’t.) Sadly, this post is inspired by the recent and concerning news that Telegram’s CEO Pavel Durov has been arrested by French authorities. Reportedly, the arrest stems from insufficient content moderation on Telegram’s network, and claims that the platform “[failed] to cooperate with law enforcement over drug trafficking, child sexual content and fraud.” While we don’t know the details, the use of criminal charges to coerce social media companies is a pretty worrying escalation, and I hope there’s more to the story.
But this isn’t what I want to talk about today.
What I do want to talk about is one detail of the reporting: namely the fact that every news report calls Telegram as an “encrypted messaging app.” Here are just a few examples:
This drives me completely nuts.
It drives me nuts because while it’s true, or truthy, in some meaningless technical sense, this framing completely misrepresents what Telegram is, and how it works in practice. That’s bad for journalistic accuracy in this story. But even worse, continuing to describe Telegram as an “encrypted messenger” buys into an inaccurate story of the safety guarantees offered by Telegram’s platform — one that has been heavily promoted by the platform itself. This means that vulnerable real-world users are much more likely to make bad decisions, which will then potentially put them at risk of getting really hurt.
Now to the details.
Does Telegram have encryption or doesn’t it?
Many systems use encryption of one sort or another. However, when we talk about encryption in the context of modern private messaging services, it typically has a very specific meaning: the use of default end-to-end encryption to protect message content. When used in an industry-standard way, this feature ensures that all conversations are encrypted by default — under encryption keys that are only known to the communication participants, and not to the service provider.
End-to-end encryption means when you start a conversation in a messenger (such as, for example, Signal, Apple iMessage or WhatsApp) your messages will be encrypted between you and the folks you’re speaking with. If the operators of those services want to review the content of your messages, all they should see is useless encrypted garbage. This same guarantee holds for people who hack into the provider’s servers, and yes, for better or for worse, also to law enforcement agencies who serve those providers with subpoenas.
Telegram clearly fails to meet this stronger definition, because it does not encrypt conversations by default. If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called “Secret Chats” for each private conversation you want to have. To reiterate, this feature is explicitly not turned on for the vast majority of conversations, and is only available for one-on-one conversations, and never for group chats with more than two people in them.
Moreover, manually activating end-to-end encryption in Telegram is bizarrely hard to do. The button that activates the encryption feature is not visible from the main conversation pane, or from the home screen. To find it in the iOS app, I had to click at least four times — once to make a hidden menu pop up, and a second time to “confirm” that I wanted to use encryption. And even after this I was not able to actually have an encrypted conversation, since Secret Chats only works if your conversation partner happens to be online when you do this.
Overall this is quite different from the experience of starting a new encrypted chat in an industry-standard modern messaging application, which simply requires you to open a new chat window.
While it might seem like I’m being picky, the difference in adoption between default end-to-end encryption and this experience is likely very significant. The practical impact of these UX decisions is likely that the vast majority of one-on-one Telegram conversations — and literally every single group chat — Telegram’s servers can see and record the content of all messages sent between users. That may or may not be a problem for every Telegram user, but it’s certainly not something we’d advertise as particularly well encrypted.
(If you’re interested in the details, as well as a little bit of further criticism of Telegram’s actual encryption protocols, I’ll get into what we know about that further below.)
But wait, does default encryption really matter?
Maybe yes, maybe no! There are two different ways to think about this.
One is that Telegram’s lack of default encryption is just fine for many people. The truth is that many users don’t choose Telegram for encrypted private messaging at all. For plenty of people, Telegram is used more like a social media network than a private messenger.
One of Telegram’s most popular features is the ability to create and subscribe “channels“, each of which is like a broadcast network where one person (or a small number of people) can push content out to millions of readers. When you’re broadcasting messages to thousands of strangers in public, maintaining the secrecy of your chat content isn’t as much of a big deal.
Telegram also supports large public group chats that can include thousands of users. These groups can be made open for the general public to join, or they can set up as invite-only. While I’ve never personally enjoyed sharing a group chat with thousands of people, I’m told that many people use these features. In this large and public instantiation, it doesn’t really matter that Telegram group chats don’t feature end-to-end encryption.
Where things get more difficult is once we get below these extremes.
Imagine you’re in a “public square” having a large group conversation. Clearly in that setting there’s no expectation of strong privacy, and so end-to-end encryption doesn’t really matter. But let’s say that you and five friends step out of the square to have a side conversation. Does that conversation deserve strong privacy? It doesn’t matter, because Telegram won’t provide it, at least not with encryption that protects you from sharing your content with Telegram servers.
Similarly, imagine you use Telegram for its social media-like features, meaning that you mainly consume content rather than producing it. But one day your friend, who also uses Telegram for similar reasons, notices you’re on the platform and decides she wants to send you a private message. Are you concerned about privacy now? And are you each going to manually turn on the “Secret Chat” feature — even though it requires four explicit clicks through hidden menus, and even though it will prevent you from communicating immediately if one of you is offline?
My strong suspicion is that maby people join Telegram for its social media features, but then gradually ease into using it as a messenger. And Telegram welcomes this, going to some effort to advertise itself as a “private” messenger. Yet in reality my strong suspicion is that the fraction of users who actually remember to activate Telegram’s end-to-end encryption is pretty small.
Of course I can’t substantiate this. Only Telegram can tell us the actual usage numbers, and they generally keep that information close to their vest. But in my experience, putting a bunch of relatively hostile UX between users and encryption tends to drive usage way, way down. Which brings me to my next point.
Telegram knows its encryption is difficult to turn on, and they continue to promote their product as a secure messenger
Telegram’s encryption has been subject to heavy criticism since at least 2016 (and possibly earlier) for many of the reasons I outlined in this post. In fact, many of these criticisms were made by experts including myself, in years-old conversations with Pavel Durov on Twitter.1
Although the interaction with Durov could sometimes be harsh, I still mostly assumed good faith from Telegram back in those days. I assumed that Telegram was busy growing their network and that, in time, they would improve the quality and usability of the platform’s end-to-end encryption: for example, by activating it as a default, providing support for group chats, and letting offline users start encrypted chats. I assumed that while Telegram might be a follower rather than a leader, it would eventually reach feature parity with the encryption protocols offered by Signal and WhatsApp. Of course, a second possibility was that Telegram would abandon encryption entirely — and just focus on being a godo social media platform.
What’s actually happened is a lot more confusing.
Instead of improving the usability of Telegram’s end-to-end encryption, the owners of Telegram have more or less kept their encryption UX unchanged since 2016. While there have been a few upgrades to the underlying encryption algorithms used by the platform, the user-facing experience of Secret Chats in 2024 is almost identical to the one you’d have seen eight years ago. This, despite the fact that the number of Telegram users has grown by 7-9x during the same time period.
At the same time, Telegram CEO Pavel Durov has continued to aggressively market Telegram as a “secure messenger.” Most recently he issued a scathing criticism of Signal and WhatsApp on his personal Telegram channel, implying that those systems were backdoored by the US government, and only Telegram’s independent encryption protocols were really trustworthy.
While this might be a reasonable nerd-argument to have between two different platforms that both supported default end-to-end encryption, Telegram really has no legs to stand on here. The fact that the Telegram organization continues to urge people away from default-encrypted messengers, while refusing to implement essential features that would widely encrypt their own users’ messages, that no longer feels like a fun argument between nerds. Indeed, it’s starting to feel a bit malicious to me.
What about the boring encryption details?
This is a cryptography blog and I’d be remiss if I didn’t spend at least a little bit of time on the boring encryption protocols. I’d also be missing a good opportunity to let my mouth gape open in amazement, which is pretty much what happens every time I look at the internals of Telegram’s encryption.
I’m going to handle this in one paragraph to reduce the pain, and you can feel free to skip past the next dense paragraph.
According to what I think is the latest encryption spec, Telegram’s Secret Chats feature is based on a custom feature called MTProto 2.0. This system uses 2048-bit* finite-field Diffie-Hellman key agreement, with group parameters chosen by the server.* (Since the Diffie-Hellman protocol is only executed interactively, this is why Secret Chats cannot be set up when one user is offline.*) MITM protection is handled by the end-users, who must compare key fingerprints. There are some weird random nonces provided by the server, which I don’t fully understands the purpose of* — and that in the past used to actively make the key exchange totally insecure against a malicious server (but this has long since been fixed.*) The resulting keys are then used to power the most amazing, non-standard authenticated encryption mode ever invented, something called “Infinite Garble Extension” (IGE) based on AES and with SHA2 handling authentication.*
NB: Every place I put a “*” in the paragraph above is a point where expert cryptographers would, in the context of something like a professional security audit, raise their hands and ask a lot of questions. I’m not going to go further than this. Suffice it to say that Telegram’s encryption is unusual.
Is there anything else I should know?
Yes, unfortunately. Even though end-to-end encryption is one of the best tools we’ve developed to prevent data compromise, it is hardly the end of the story. One of the biggest privacy problems in messaging is the availability of loads of meta-data — essentially data about who uses the service, who they talk to, and when they do that talking.
This data is not typically protected by end-to-end encryption. Even in applications that are broadcast-only, such as Telegram’s channels, there is plenty of useful metadata available about who is listening to a broadcast. That information alone is valuable to people, as evidenced by the enormous amounts of money that traditional broadcasters spend to collect it. Right now all of that information likely exists on Telegram’s servers, where it is available to anyone who wants to collect it.
I am not specifically calling out Telegram for this, since the same problem exists with virtually every other social media network and private messenger. But it should be mentioned, just to avoid leaving you with the conclusion that encryption is all we need.
Notes:
- I will never find all of these conversations again, thanks to Twitter search being so broken. If anyone can turn them up I’d appreciate it.
Article Link: Is Telegram really an encrypted messaging app? – A Few Thoughts on Cryptographic Engineering
1 post - 1 participant
Malware Analysis, News and Indicators - Latest topics
Post a Comment
Post a Comment