
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.privacy      Discussing privacy, laws, tinfoil hats      112,125 messages   


   Message 110,601 of 112,125   
   George Musk to All   
   Is Telegram really an encrypted messagin   
   26 Aug 24 13:24:52   
   
   [continued from previous message]   
      
   cares about confidentiality if you’re talking in the public square?   
      
   But Telegram is not limited to just those features, and many users who   
   join for them will also do other things.   
      
   Imagine you’re in a “public square” having a large group conversation. In   
   that setting there may be no expectation of strong privacy, and so end-to-   
   end encryption doesn’t really matter to you. But let’s say that you and   
   five friends step out of the square to have a side conversation. Does that   
   conversation deserve strong privacy? It doesn’t really matter what you   
   want, because Telegram won’t provide it, at least not with encryption that   
   protects you from sharing your content with Telegram servers.   
      
   Similarly, imagine you use Telegram for its social media-like features,   
   meaning that you mainly consume content rather than producing it. But one   
   day your friend, who also uses Telegram for similar reasons, notices   
   you’re on the platform and decides she wants to send you a private   
   message. Are you concerned about privacy now? And are you each going to   
   manually turn on the “Secret Chat” feature — even though it requires four   
   explicit clicks through hidden menus, and even though it will prevent you   
   from communicating immediately if one of you is offline?   
      
   My strong suspicion is that many people who join Telegram for its social   
   media features also end up using it to communicate privately. And I think   
   Telegram knows this, and tends to advertise itself as a “secure messenger”   
   and talk about the platform’s encryption features precisely because they   
   know it makes people feel more comfortable. But in practice, I also   
   suspect that very few of those users are actually using Telegram’s   
   encryption. Many of those users may not even realize they have to turn   
   encryption on manually, and think they’re already using it.   
      
   Which brings me to my next point.   
      
   Telegram knows its encryption is difficult to turn on, and they continue   
   to promote their product as a secure messenger   
      
   Telegram’s encryption has been subject to heavy criticism since at least   
   2016 (and possibly earlier) for many of the reasons I outlined in this   
   post. In fact, many of these criticisms were made by experts including   
   myself, in years-old conversations with Pavel Durov on Twitter.1   
      
   Although the interaction with Durov could sometimes be harsh, I still   
   mostly assumed good faith from Telegram back in those days. I believed   
   that Telegram was busy growing their network and that, in time, they would   
   improve the quality and usability of the platform’s end-to-end encryption:   
   for example, by activating it as a default, providing support for group   
   chats, and making it possible to start encrypted chats with offline users.   
   I assumed that while Telegram might be a follower rather than a leader, it   
   would eventually reach feature parity with the encryption protocols   
   offered by Signal and WhatsApp. Of course, a second possibility was that   
   Telegram would abandon encryption entirely — and just focus on being a   
   social media platform.   
      
   What’s actually happened is a lot more confusing to me.   
      
   Instead of improving the usability of Telegram’s end-to-end encryption,   
   the owners of Telegram have more or less kept their encryption UX   
   unchanged since 2016. While there have been a few upgrades to the   
   underlying encryption algorithms used by the platform, the user-facing   
   experience of Secret Chats in 2024 is almost identical to the one you’d   
   have seen eight years ago. This, despite the fact that the number of   
   Telegram users has grown by 7-9x during the same time period.   
      
   At the same time, Telegram CEO Pavel Durov has continued to aggressively   
   market Telegram as a “secure messenger.” Most recently he issued a   
   scathing criticism of Signal and WhatsApp on his personal Telegram   
   channel, implying that those systems were backdoored by the US government,   
   and only Telegram’s independent encryption protocols were really   
   trustworthy.   
      
   While this might be a reasonable nerd-argument if it were taking place   
   between two platforms that both supported default end-to-end encryption,   
   Telegram really has no legs to stand on in this particular discussion.   
   Indeed, it no longer feels amusing to see the Telegram organization urge   
   people away from default-encrypted messengers, while refusing to implement   
   essential features that would widely encrypt their own users’ messages. In   
   fact, it’s starting to feel a bit malicious.   
      
   What about the boring encryption details?   
      
   This is a cryptography blog and so I’d be remiss if I didn’t spend at   
   least a little bit of time on the boring encryption protocols. I’d also be   
   missing a good opportunity to let my mouth gape open in amazement, which   
   is pretty much what happens every time I look at the internals of   
   Telegram’s encryption.   
      
   I’m going to handle this in one paragraph to reduce the pain, and you can   
   feel free to skip past it if you’re not interested.   
      
   According to what I think is the latest encryption spec, Telegram’s Secret   
   Chats feature is based on a custom protocol called MTProto 2.0. This   
   system uses 2048-bit* finite-field Diffie-Hellman key agreement, with   
   group parameters (I think) chosen by the server.* (Since the Diffie-   
   Hellman protocol is only executed interactively, this is why Secret Chats   
   cannot be set up when one user is offline.*) MITM protection is handled by   
   the end-users, who must compare key fingerprints. There are some weird   
   random nonces provided by the server, which I don’t fully understand the   
   purpose of* — and that in the past used to actively make the key exchange   
   totally insecure against a malicious server (but this has long since been   
   fixed.*) The resulting keys are then used to power the most amazing, non-   
   standard authenticated encryption mode ever invented, something called   
   “Infinite Garble Extension” (IGE) based on AES and with SHA2 handling   
   authentication.*   
      
   NB: Every place I put a “*” in the paragraph above is a point where expert   
   cryptographers would, in the context of something like a professional   
   security audit, raise their hands and ask a lot of questions. I’m not   
   going to go further than this. Suffice it to say that Telegram’s   
   encryption is unusual.   
      
   If you ask me to guess whether the protocol and implementation of Telegram   
   Secret Chats is secure, I would say quite possibly. To be honest though,   
   it doesn’t matter how secure something is if people aren’t actually using   
   it.   
      
   Is there anything else I should know?   
      
   Yes, unfortunately. Even though end-to-end encryption is one of the best   
   tools we’ve developed to prevent data compromise, it is hardly the end of   
   the story. One of the biggest privacy problems in messaging is the   
   availability of loads of meta-data — essentially data about who uses the   
   service, who they talk to, and when they do that talking.   
      
   This data is not typically protected by end-to-end encryption. Even in   
   applications that are broadcast-only, such as Telegram’s channels, there   
   is plenty of useful metadata available about who is listening to a   
   broadcast. That information alone is valuable to people, as evidenced by   
   the enormous amounts of money that traditional broadcasters spend to   
   collect it. Right now all of that information likely exists on Telegram’s   
   servers, where it is available to anyone who wants to collect it.   
      
   I am not specifically calling out Telegram for this, since the same   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
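The message above flags, with one of its asterisks, that the Diffie-Hellman group parameters used by Secret Chats appear to be chosen by the server. The Python below is an added illustration, not code from the post, from Telegram or from the MTProto specification, and makes no claim about what Telegram's clients actually check. It shows the checks a client should apply to finite-field DH parameters received from an untrusted party (modulus size, p a safe prime, g and the peer's public value inside the prime-order subgroup), and the subgroup-confinement attack available to whoever picks the group when those checks are skipped: a prime p with a low-order g passes a bare "is p prime?" test, yet every shared secret it can produce is one of a handful of values. The 128-bit sizes, the seed 2024 and the order-3 subgroup are toy choices made so the safe-prime search finishes quickly; 2048 bits would be the realistic minimum.

```python
# Added illustration, not code from the post, Telegram or MTProto: checks a client
# should run on Diffie-Hellman parameters sent by an untrusted party, and the
# subgroup-confinement attack that works when they are skipped. 128-bit toy sizes
# keep the safe-prime search fast; real deployments need 2048 bits or more.
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, g: int, min_bits: int):
    """Return a rejection reason, or None if (p, g) is an acceptable safe-prime group."""
    if p.bit_length() < min_bits:
        return "modulus too small"
    if not is_probable_prime(p):
        return "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return "p is not a safe prime: p-1 has small factors, so low-order elements exist"
    if not 2 <= g <= p - 2:
        return "g outside [2, p-2]"
    if pow(g, q, p) != 1:
        return "g does not generate the order-q subgroup"
    return None


def validate_public_value(p: int, y: int):
    """Reject a peer's public value outside the order-q subgroup of safe prime p."""
    if not 2 <= y <= p - 2:
        return "public value outside [2, p-2]"
    if pow(y, (p - 1) // 2, p) != 1:
        return "public value not in the order-q subgroup"
    return None


def gen_safe_prime(bits: int, rng: random.Random) -> int:
    """Find p = 2q+1 with p and q both prime (seeded search, demo only)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def gen_malicious_group(bits: int, rng: random.Random, order: int):
    """Prime p with order | p-1 and g of that tiny order: p passes a bare primality
    check, yet every shared secret derived from g is one of `order` values."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % order == 0 and is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // order, p)
        if g != 1:
            return p, g


def dh_exchange(p: int, g: int, rng: random.Random):
    """Honest two-party exchange; returns (A, B, shared secret)."""
    a, b = rng.randrange(2, p - 1), rng.randrange(2, p - 1)
    A, B = pow(g, a, p), pow(g, b, p)
    shared = pow(B, a, p)
    assert shared == pow(A, b, p)
    return A, B, shared


def demo(bits: int = 128, seed: int = 2024) -> dict:
    rng = random.Random(seed)
    p = gen_safe_prime(bits, rng)
    # h in [2, p-2] squared is a quadratic residue other than 1, hence of order q.
    g = pow(rng.randrange(2, p - 1), 2, p)
    _, B, _ = dh_exchange(p, g, rng)
    p_bad, g_bad = gen_malicious_group(bits, rng, order=3)
    _, _, s_bad = dh_exchange(p_bad, g_bad, rng)
    # Whoever supplied (p_bad, g_bad) can list every possible key without any secret.
    candidates = {pow(g_bad, i, p_bad) for i in range(3)}
    return {
        "good_group_rejected": validate_group(p, g, bits),          # None: accepted
        "good_peer_value_rejected": validate_public_value(p, B),   # None: accepted
        "bad_group_rejected": validate_group(p_bad, g_bad, bits),  # a reason string
        "bad_secret_confined": s_bad in candidates,                # True
        "bad_candidate_count": len(candidates),                    # 3
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters for the reason a client sees: a malicious group fails at "p is not a safe prime" before g is even examined, which is the point, since a prime p alone says nothing about the order of g. The public-value check must run before the client exponentiates with its own secret; otherwise a peer (or a man in the middle) who sends a low-order value learns bits of that secret from the resulting shared key.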



(c) 1994,  bbs@darkrealms.ca