How really secure and private is Telegram
fpoi.org
Last update: September 1, 2023
This article analyses and responds to the most common criticisms of Telegram.
Note: a detailed list of Telegram features is available at this address.
FAQ
Telegram is developed under the protection of Russian government authorities.
Telegram is a project founded in 2013 and managed by the Durov brothers, who are Russian by birth and were forced into exile for some years because of disagreements with the Russian authorities. The development team is composed of many Russian engineers and is based in Dubai.
Telegram is at the service of government authorities and third parties.
Telegram supports freedom of speech and counteracts censorship. Moreover, it has never given data to third parties, including government authorities, and has therefore been blocked in Iran, China, Pakistan and many other countries, while continuing to operate through the use of proxies (excluding China). The servers are geographically distributed around the world in various jurisdictions to protect data from mass control by government authorities. Telegram is part of a project known as The Open Network (TON), which provides for the creation of a decentralized anti-censorship network, parallel to the Internet, with integrated proxy and VPN services by 2021 [1].
Telegram uses and transfers user data for profit.
Telegram is an FZ-LLC company whose funds come from the donations of its co-founder, and it will become a non-profit foundation from 2021 as part of The Open Network (TON) project [1]. Telegram is free of advertising and does not profile users, as it does not have to guarantee a profit for shareholders. Pavel Durov has outlined a strategy to make Telegram sustainable in this post.
Telegram is not secure because it does not use end-to-end or e2e encryption.
Telegram uses end-to-end encryption (secret chats and audio/video calls) and client-server encryption (private, group and voice chats, channels). The former is always preferable to the latter, provided you can verify the identity of the interlocutors. Otherwise, end-to-end encryption loses its effectiveness, remains susceptible to MITM attacks and requires trust in the data delivery server on a par with client-server encryption. At the moment, communication protocols provide full end-to-end encryption only for one-to-one communications (chats and audio/video calls) and not for group communications (chats and conferences).
Telegram is not private because it can read user data.
Telegram stores data (messages, images, audio, video, files, etc.) in the cloud on its servers. The data, without end-to-end encryption, is protected by its distribution on servers located around the world in various jurisdictions and by their separation from the respective decryption keys. Telegram allows you to delete sent and received data for all participants, with no time limit. In addition, Telegram plans to store data in the decentralized network of the project known as The Open Network (TON) by 2021 [1].
Telegram uses a proprietary and unsecured communication protocol developed by non-cryptographers.
Telegram uses the MTProto protocol for end-to-end encryption and client-server encryption. The protocol is open and there are no known vulnerabilities. Version v2.0 is formally verified, meets the IND-CCA criterion and uses the RSA-2048 and AES-256 cryptographic primitives and the SHA256 hashing primitive. Telegram has received strong criticism from expert cryptographers both for the design defects in version v1.0 (use of the SHA1 hashing primitive and the absence of the IND-CCA criterion), corrected in version v2.0, and for designing a new communication protocol instead of using a tested one.
Telegram uses the unsafe SMS registration method.
Telegram allows you to register for the service using a phone number or an anonymous number via the project known as The Open Network (TON). In addition, it provides 2-factor authentication (2FA) with the possibility of setting a password and recovering it via an email address. Finally, Telegram informs the user of the presence of a new device by means of a notification in the application installed on other previously added devices.
Telegram is only open in theory because it obfuscates the binaries of the application and does not completely publish the source code.
Telegram is open on the client side and has a free version in the FOSS F-Droid catalogue. Moreover, Telegram allows you to verify the absence of changes to the Android and iOS applications relative to the sources from which they were built. Clients are transparent and can be analysed by third parties, while the server is closed and requires trust in the developer of the Telegram service. In addition, Telegram is part of a project known as The Open Network (TON), which involves opening the source code of the server by 2021 [1].
Telegram contains and supports the dissemination of illegal material, terrorism, pornography and child abuse.
Telegram has no access to secret chats and calls protected by end-to-end encryption and no access to private and group chats protected by client-server encryption. Channels, bots and stickers are publicly available and must respect the ethical principles of the service to avoid being deleted. In addition, Telegram reports daily updates on the elimination of terrorism and child abuse content.
Telegram is neither secure nor confidential because it has backdoors, security holes and data loss.
There are no services or applications, especially communications services, without vulnerabilities, and whether security and confidentiality are compromised depends on their extent. Telegram has been subject to some vulnerabilities, but no backdoors, security holes or data loss. The main security and confidentiality issues encountered are:
- Telegram bypassing the authentication protocol, Diaz Vico-Daswani-Fírvida Pereira, 2014. The authors point out a weakness in the authentication mechanism of the MTProto v1.0 protocol which can be exploited using an ad hoc modified client (solved by the official client, 2014 and 2FA, 2015).
- On the CCA (in)security of MTProto, Jakobsen-Orlandi, 2015. The authors highlight two weaknesses of the MTProto v1.0 protocol, which does not meet the IND-CCA criterion and uses the SHA1 hashing primitive instead of SHA256 (solved by MTProto v2.0, 2017); two known MITM attacks, in the presence of a malicious server (solved by a crack contest, 2013) and of a hidden server (very expensive to realize with MTProto v1.0 and solved by MTProto v2.0, 2017); and a replay attack (not possible). Note: Telegram responded comprehensively to the authors' observations.
- Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach, Kobeissi-Bhargavan-Blanchet, 2017. The authors, in addition to mentioning some problems already known from Jakobsen-Orlandi, report two weaknesses of the MTProto v1.0 protocol, in parameter configuration and in the authentication mechanism (hardly exploitable and solved by MTProto v2.0, 2017), and an implementation bug in the Windows Phone application (solved in 2017).
- Security Analysis of Telegram, Saribekyan-Margvelashvili, 2017. The authors, in addition to reporting some problems already known from Jakobsen-Orlandi, illustrate a weakness in the authentication mechanism of the MTProto v1.0 protocol that makes it possible to learn the status of users by analyzing the metadata.
- Security Analysis of the Telegram IM, Sušánka-Kokeš, 2017. The authors, in addition to highlighting some problems already known by Jakobsen-Orlandi, report a method of data obfuscation, not officially documented, performed by the MTProto v1.0 protocol to circumvent censorship.
- Security Analysis of End-to-End Encryption in Telegram, Lee-Choi-Kim-Kim, 2018. The authors cite the problems already known by Jakobsen-Orlandi and focus their attention on the weaknesses of the padding algorithm of the MTProto v1.0 protocol (solved by the MTProto v2.0, 2017). Note: IND-CCA and INT-CTXT.
- Tapping Telegram bots, Taurus, 2019. The author reports the possibility of obtaining access to data (private and group chats and channels) where a bot is present (only possible after a MITM attack on the HTTPS/TLS protocol). Note: Telegram responded fully to the author's comments.
- Automated Symbolic Verification of Telegram's MTProto 2.0, Miculan-Vitacolonna, 2021. The authors provide a formal verification of the MTProto v2.0 protocol (authentication, client-server and end-to-end encryption, rekeying mechanisms), assuming the various components (cryptographic primitives, implementation flaws, side-channel analysis) to be ideal. Note: the assumption can be removed by testing the IND-CCA and INT-CTXT properties for cryptographic primitives. In addition, the authors report a theoretical weakness (unknown key-share (UKS)) of the encryption rekeying mechanism.
- Four Attacks and a Proof for Telegram, Albrecht-Mareková-Paterson-Stepanovs, 2021. The authors show that the MTProto v2.0 protocol (client-server encryption) can provide a channel with confidentiality and integrity properties if it is implemented with care. In addition, the authors point out some practical (reordering messages, implementation of clients) and theoretical (re-sending of unacknowledged messages, RSA decryption on the server) non-critical weaknesses (inability to decrypt or tamper with messages). Note: Telegram has resolved the weaknesses and responded comprehensively to the authors' observations.
- On the Cryptographic Fragility of the Telegram Ecosystem, von Arx-Paterson, 2022. The authors extend the Albrecht-Mareková-Paterson-Stepanovs analysis to third party clients and libraries by showing the possibility of a replay attack (Pyrogram, Telethon and GramJS) and a timing attack (MadelineProto). Although the attacks are not able to compromise the security of Telegram, they show the difficulty of the correct implementation of the MTProto v2.0 protocol by third party developers.
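The replay and timing findings in the last two entries concern checks that every client has to get right on its receive path. The following is an added sketch, not code from Telegram or from any of the clients named above, and it does not reproduce the specific bugs the papers describe. It shows the MTProto 2.0 `msg_key` being verified with a constant-time comparison and already-seen `msg_id` values being rejected. The `Receiver` class, its window size and the sample values are assumptions, and AES-IGE decryption is assumed to have happened before `accept` is called.

```python
import hashlib
import hmac
from collections import deque

X_SERVER_TO_CLIENT = 8  # MTProto 2.0 uses x = 0 client->server, x = 8 server->client


def compute_msg_key(auth_key: bytes, padded_plaintext: bytes, x: int) -> bytes:
    """MTProto 2.0 msg_key: middle 128 bits of SHA256(auth_key[88+x:88+x+32] + padded plaintext)."""
    large = hashlib.sha256(auth_key[88 + x:88 + x + 32] + padded_plaintext).digest()
    return large[8:24]


class Receiver:
    """Hypothetical receive path; the payload is assumed to be decrypted already."""

    def __init__(self, auth_key: bytes, window: int = 64):
        self.auth_key = auth_key
        self.recent_ids = deque(maxlen=window)  # bounded memory of accepted msg_ids

    def accept(self, msg_id: int, msg_key: bytes, padded_plaintext: bytes) -> str:
        expected = compute_msg_key(self.auth_key, padded_plaintext, X_SERVER_TO_CLIENT)
        # Constant-time comparison: a plain == may return on the first differing
        # byte and leak, through timing, how much of the key matched.
        if not hmac.compare_digest(expected, msg_key):
            return "rejected: bad msg_key"
        # Replay checks run only on authenticated messages, so forged packets
        # cannot fill or poison the window.
        if msg_id in self.recent_ids:
            return "rejected: replayed msg_id"
        if self.recent_ids and msg_id < min(self.recent_ids):
            return "rejected: stale msg_id"
        self.recent_ids.append(msg_id)
        return "accepted"


# Constructed sample values, not real Telegram traffic.
AUTH_KEY = bytes(range(256))                            # 2048-bit shared key
PLAINTEXT = b"constructed message".ljust(32, b"\x00")   # padded to 16-byte blocks
MSG_ID = 0x5F00000000000001
GOOD_KEY = compute_msg_key(AUTH_KEY, PLAINTEXT, X_SERVER_TO_CLIENT)

if __name__ == "__main__":
    rx = Receiver(AUTH_KEY)
    print(rx.accept(MSG_ID, GOOD_KEY, PLAINTEXT))       # first delivery
    print(rx.accept(MSG_ID, GOOD_KEY, PLAINTEXT))       # same packet delivered again
    print(rx.accept(MSG_ID + 4, bytes(16), PLAINTEXT))  # wrong msg_key
```

Recording the `msg_id` only after the `msg_key` check succeeds matters: otherwise an unauthenticated packet could make a later genuine message look like a replay.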
"In its almost 6 years of existence, Telegram has had no major data leaks or security flaws of the kind WhatsApp demonstrates every few months. In the same 6 years, we have disclosed exactly zero bytes of data to third parties, while Facebook and WhatsApp has been sharing pretty much everything with everybody who claimed they worked for a government." Pavel Durov, 2019
“Privacy is not for sale, and human rights should not be compromised out of fear or greed.” Pavel Durov, 2018
“Every one of us is going to die eventually, but we as a species will stick around for a while. That’s why I think accumulating money, fame or power is irrelevant. Serving humanity is the only thing that really matters in the long run.” Pavel Durov, 2019
[1] The Open Network (TON) project is officially abandoned due to disagreements with the US authorities.
Bibliography
- What are the features of a secure and private communication service?
- Telegram FAQ
- The Open Network (TON)
License
This document is released under the license Creative Commons Attribution-ShareAlike CC BY-SA.