Are Telegram chats actually encrypted?
Authorities in France have arrested Pavel Durov, the founder of Telegram and Russia’s largest social network, VK. Last week, he was in Azerbaijan at the same time as Vladimir Putin. Around the world, hundreds of millions of Telegram users are suddenly questioning a fundamental promise of Pavel Durov: “All chats are secure.”
As of May 2020, Telegram claimed that Durov was the sole financier of its messenger. The application boasts between 700 and 950 million monthly active users. Since 2017, he has repeatedly assured his fans, “Everything is secure.”
However, many cybersecurity experts have questioned this characterization.
Although Telegram’s end-to-end encrypted “Secret Chats” are widely regarded as a truly secure messenger between two devices, there are vulnerabilities in Telegram’s group and standard chats, which dwarf Secret Chats in popularity by orders of magnitude.
In Telegram, end-to-end encryption is optional. Creating a Secret Chat requires several extra steps and does not allow cloud backups. Most users opt for default settings, which initiate and maintain group and standard chats using non-end-to-end, Telegram-operated services. Telegram calls this “client-server encryption.”
Generally speaking, the overwhelming popularity of non-end-to-end encrypted chats on Telegram is the primary concern for most users. Most Telegram users have chat histories that rely on Telegram’s services. This means users are relying on Telegram to be honest, secure, and trustworthy. However, there are no guarantees.
Concerns about unencrypted Telegram chat history
The second concern about Telegram’s encryption is its proprietary encryption protocol, MTProto. For its part, Telegram claims that it needs a non-open source protocol for “reliability on weak mobile connections as well as speed when dealing with large files.” Skeptics doubt this claim.
A third concern about Telegram is that it refuses to disclose the location of its servers. Rather than permitting independent audits of its data centers, Telegram leaves users to rely on the company’s assurances. Without the ability to independently verify its actual security practices, there is no way to know if its servers are physically secured from tampering.
Transparency is crucial in building trust, especially in cybersecurity. Open-source encryption protocols allow developers to verify claims. Telegram’s choices not to enable end-to-end encrypted settings by default, to maintain a proprietary protocol, MTProto, and to prohibit audits of its servers are three of the biggest criticisms leveled against it.
Many users are unaware that most Telegram chats are not end-to-end encrypted, relying instead on client-server encryption, which requires trust in Telegram.
With its founder and CEO now detained in France, and with limited information available about his charges or his reasons for being in Azerbaijan around the same time as Vladimir Putin, Telegram users are left to wonder whether their information is at the center of a geopolitical scandal.