Key changes in WhatsApp and Telegram

Markus Ra

The Guardian recently published a story about a backdoor in WhatsApp that allows snooping on encrypted messages. Some Telegram users asked me about this Medium post that was written in response to that story.

Sadly, the author of said post fails to grasp the severity of the WhatsApp situation. I've already written about the story in detail, so check out this post before we go on:

How WhatsApp can send your private messages to China

Now what about Telegram?

The author of the Medium post shows little understanding of how Telegram works. Most likely, they never actually used the app and only installed it for a quick test. This is obvious from their weird claim about the absence of read receipts in Telegram's Secret Chats. As any Telegram user knows, there are read receipts in all Telegram chats (1 check = message sent, 2 checks = message read).

The key part that the author is missing is that a Telegram account can be active on many devices simultaneously using Cloud Chats. Secret Chats, on the other hand, are session-specific. After each new login, starting a secret chat creates a new chat, visibly separated from the old one in the recipient's chat list. This serves as a much more prominent notification that a key change has taken place.

When you log out on a device, all Secret Chats are cancelled. Your partner can still access the messages in them, but the chat becomes inactive, displaying a 'Delete & Exit' button instead of the input field, so no new messages can be sent. [1]

Unlike WhatsApp, Telegram doesn't have any means of secretly forcing a key change. This can be verified because both Telegram's protocol specification and the app code are open. Thanks to this, researchers have all the tools to fully evaluate Telegram's end-to-end encryption implementation.


[1] – There is one special case. In the unlikely event that you uninstall the app from a device without logging out first, Telegram has no way of knowing that the secret chat will never be active again. So when you reinstall the app and make a fresh login, it is seen as a new device/session – and Telegram has no idea that you can't access secret chats from the old session because it's still listed as active. These old secret chats will hang in a limbo of sorts: your partner will be able to send messages there, but these messages will never be read. Naturally, your partner will notice that messages are not being read because of the read receipts. And you can always terminate this old session from any of your devices by going to Settings — Privacy and Security — Active Sessions.
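The session binding described above and the limbo case in footnote [1], as an added toy model (not Telegram's code; the names Account, Device, SecretChat, partner_sends, device_reads and run_scenario are assumptions): a Secret Chat is tied to the login session that created it, logging out cancels it, and an uninstall without logout leaves the server believing the session is still active, so the partner's messages stay at one check until the old session is terminated.

```python
from dataclasses import dataclass, field
@dataclass(eq=False)
class SecretChat:
    session_id: int                  # login session the chat is bound to
    active: bool = True              # False: 'Delete & Exit' only, no input
    messages: list = field(default_factory=list)  # [text, read] pairs
@dataclass
class Device:                        # one app install on one device (toy)
    session_id: int = 0              # 0: not logged in
    chats: list = field(default_factory=list)     # chats this install holds
@dataclass
class Account:                       # the server's view of one account (toy)
    active_sessions: set = field(default_factory=set)
    all_chats: list = field(default_factory=list) # what the partner sees
    next_sid: int = 1
    def login(self, dev):
        dev.session_id, self.next_sid = self.next_sid, self.next_sid + 1
        self.active_sessions.add(dev.session_id)
    def start_secret_chat(self, dev):            # always a brand-new chat
        chat = SecretChat(session_id=dev.session_id)
        dev.chats.append(chat); self.all_chats.append(chat)
        return chat
    def terminate_session(self, sid):            # logout or Active Sessions
        self.active_sessions.discard(sid)
        for chat in self.all_chats:
            chat.active = chat.active and chat.session_id != sid
    def forget(self, dev, logout):               # logout=False: uninstall
        if logout: self.terminate_session(dev.session_id)
        dev.chats.clear(); dev.session_id = 0
def partner_sends(chat, text):                   # False: chat is cancelled
    if chat.active: chat.messages.append([text, False])   # 1 check: unread
    return chat.active
def device_reads(dev, chat):                     # 2 checks only if held
    for m in (chat.messages if chat in dev.chats else []): m[1] = True
    return chat in dev.chats
def run_scenario():                              # constructed walk-through
    acc, phone = Account(), Device()
    acc.login(phone); c1 = acc.start_secret_chat(phone)
    partner_sends(c1, "hi"); device_reads(phone, c1)
    acc.forget(phone, logout=True)
    r = {"logout_cancels": not c1.active and not partner_sends(c1, "x")}
    acc.login(phone); c2 = acc.start_secret_chat(phone)
    acc.forget(phone, logout=False)              # uninstall without logout
    acc.login(phone); c3 = acc.start_secret_chat(phone)
    partner_sends(c2, "hello?"); device_reads(phone, c2)
    r["limbo"] = c2.session_id in acc.active_sessions and not c2.messages[-1][1]
    acc.terminate_session(c2.session_id)         # Settings > Active Sessions
    r["limbo_cancelled"] = not c2.active and c3.active and c3 is not c2
    return r
```

Note that in the model, as in the text, no call ever rekeys an existing chat: a new session can only produce a new chat that the partner sees as a separate entry.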