Author: InvisibleUser Team
Categories: Communication Privacy
In this article, we will analyse why you cannot trust Telegram Messenger, even though it claims to be privacy-focused software.
We all use messaging services, like SMS, WhatsApp, iMessage, Google Hangouts and Facebook Messenger at work or for private conversations. It is a very convenient way to communicate and aside from internet costs, it is completely free. Unfortunately, popular services are highly compromised when it comes to privacy. There are much better options. In this post, we will outline why the Telegram Messenger is not as secure as the developers pretend.
Telegram is the main competitor of Signal Messenger. It offers a secure chat option where it uses encryption. This app is unfortunately quite a shady program. The developers say they are based in Dubai, but the Website does not have a site notice and nobody really knows.
Telegram was launched by two members of a Russian internet forum, then they moved their headquarters to Germany and had employees in St. Petersburg, but relocated the team to the current location, Dubai. This is already pretty shady, but keep on reading, because there is more.
The source code for the Telegram client is available, which is good, but we do not know what software runs on the server side of the application. The developers promised to release it all in 2014, but did not hold their promises. Nothing has been published since then and they did not comment on the topic anymore. You might think this is a minor issue, since a lot of client code is on GitHub (macOS, Windows, iOS, Android), but clients are just mere GUIs that do not let you see anything of what is going on in the background and on Telegram servers. And that is what really matters! Not the superficial software that conceils everything with its smileys and buttons!
We know, however, that Telegram used the SHA-1 hash function for some of its functionality. That is bad news: SHA-1 has been cracked a long time ago. When the developers responded to this, they said that they do not use it in the end-to-end encryption process and that they have “tweaked” the hash function to improve it. Currently, they claim to have switched to the state-of-the-art SHA-256, but again, we do not have server software source code.
Telegram lacks transparency when it comes to the encryption. They do not disclose much about their methods and some critics have argued that they make use of home-brewed and unproven cryptography. In particular, they use the non-standard MTProto encryption protocol, even though there are proven security standards available open-source.
Let us quote the Committee to Protect Journalists here:
“Security experts have expressed skepticism about the esoteric encryption Telegram uses, saying it is poorly designed and implemented.” – Committee to Protect Journalists
We also do not know how data is stored on Telegram servers and some suspect that Telegram insecurely stores all messages, media and contacts in their cloud. The developers are also quite offended every time someone mentions a possible flaw in their app, which is a red flag for us.
Something we should mention about the developer is that they reportedly declined a bribe from members of a US intelligence agency. The Telegram founder claimed they tried to persuade Telegram to build a backdoor into their software in exchange for financial compensations. We will never know if that story is true. If it is, that is great to hear, but if it is made up, that is a ruthless marketing move and shameless clickbait! If it is in fact a marketing strategy, that is another reason why we cannot trust Telegram.
On 25th June 2019, a group of young neo-Nazis (21-31 years) named “Revolution Chemnitz” was arrested in Chemnitz, Saxony, Germany. They were planning a terrorist attack for the national holiday of Germany and they used WhatsApp and Telegram to communicate the details of the attack. The media widely reported how the young extremists used an encrypted chat and thought they were save, but police were always one step ahead. The media also said that law enforcement was able to crack the encryption, because police are like awesome computer scientists. According to media reports, village police officers single-handedly defeated 256-bit AES encryption.
This was, however, a bare-faced lie. Instead, the idiots did not inform themselves well about Telegram. Group chats in Telegram are not encrypted, NEVER. Police did not hack anything, the chat was never encrypted in the first place and law enforcement got it from the phones of the terrorists (or Telegram servers?). There are so many ways of secure communication they could have used, but neo-Nazis are retarded, most of the time. No, the Chemnitz boys had to use the unencrypted Telegram app and compromised WhatsApp chats.
Do not get us wrong here. We are happy that they got arrested and cannot harm anyone anymore for at least a while. Fortunately, we can learn from those prats. In our opinion, they deserve an additional year of prison for being too dumb to use encryption. We detest terrorists that abuse secure communication for their purpose. If you use it to harm others, then FVCK YOU!
Why would you use such a shady app if there are Signal and Pidgin instead? Another problem with Telegram is that end-to-end encryption is possible, but not enabled by default, so a new user could accidentally send confidential messages in cleartext without knowing it. To use end-to-end encryption, you have to enter a “secret” chat with another user. The documentation on the website is usable, but we simply do not have any certainty about the safety of Telegram.
We hope that we could make it clear that you cannot trust Telegram. Kindly stay away, we really do not like companies that claim to be open-source and transparent and then not publish the most important parts of their source code. Neither server software nor encryption details.
It is beyond us why the Electronic Frontier Foundation (EFF) thought it deserves a 4/7 rating.