Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.privacy      Discussing privacy, laws, tinfoil hats      112,125 messages   

   Message 110,604 of 112,125   
   D to George Musk   
   Re: Is Telegram really an encrypted mess   
   26 Aug 24 15:42:35   
   
   [continued from previous message]   
      
   >Imagine you're in a "public square" having a large group conversation. In   
   >that setting there may be no expectation of strong privacy, and so end-to-   
   >end encryption doesn't really matter to you. But let's say that you and   
   >five friends step out of the square to have a side conversation. Does that   
   >conversation deserve strong privacy? It doesn't really matter what you   
   >want, because Telegram won't provide it, at least not with encryption that   
   >protects you from sharing your content with Telegram servers.   
   >Similarly, imagine you use Telegram for its social media-like features,   
   >meaning that you mainly consume content rather than producing it. But one   
   >day your friend, who also uses Telegram for similar reasons, notices   
   >you're on the platform and decides she wants to send you a private   
   >message. Are you concerned about privacy now? And are you each going to   
   >manually turn on the "Secret Chat" feature -- even though it requires four   
   >explicit clicks through hidden menus, and even though it will prevent you   
   >from communicating immediately if one of you is offline?   
   >My strong suspicion is that many people who join Telegram for its social   
   >media features also end up using it to communicate privately. And I think   
   >Telegram knows this, and tends to advertise itself as a "secure messenger"   
   >and talk about the platform's encryption features precisely because they   
   >know it makes people feel more comfortable. But in practice, I also   
   >suspect that very few of those users are actually using Telegram's   
   >encryption. Many of those users may not even realize they have to turn   
   >encryption on manually, and think they're already using it.   
   >Which brings me to my next point.   
   >Telegram knows its encryption is difficult to turn on, and they continue   
   >to promote their product as a secure messenger   
   >Telegram's encryption has been subject to heavy criticism since at least   
   >2016 (and possibly earlier) for many of the reasons I outlined in this   
   >post. In fact, many of these criticisms were made by experts including   
   >myself, in years-old conversations with Pavel Durov on Twitter.1   
   >Although the interaction with Durov could sometimes be harsh, I still   
   >mostly assumed good faith from Telegram back in those days. I believed   
   >that Telegram was busy growing their network and that, in time, they would   
   >improve the quality and usability of the platform's end-to-end encryption:   
   >for example, by activating it as a default, providing support for group   
   >chats, and making it possible to start encrypted chats with offline users.   
   >I assumed that while Telegram might be a follower rather than a leader, it   
   >would eventually reach feature parity with the encryption protocols   
   >offered by Signal and WhatsApp. Of course, a second possibility was that   
   >Telegram would abandon encryption entirely -- and just focus on being a   
   >social media platform.   
   >What's actually happened is a lot more confusing to me.   
   >Instead of improving the usability of Telegram's end-to-end encryption,   
   >the owners of Telegram have more or less kept their encryption UX   
   >unchanged since 2016. While there have been a few upgrades to the   
   >underlying encryption algorithms used by the platform, the user-facing   
   >experience of Secret Chats in 2024 is almost identical to the one you'd   
   >have seen eight years ago. This, despite the fact that the number of   
   >Telegram users has grown by 7-9x during the same time period.   
   >At the same time, Telegram CEO Pavel Durov has continued to aggressively   
   >market Telegram as a "secure messenger." Most recently he issued a   
   >scathing criticism of Signal and WhatsApp on his personal Telegram   
   >channel, implying that those systems were backdoored by the US government,   
   >and only Telegram's independent encryption protocols were really   
   >trustworthy.   
   >While this might be a reasonable nerd-argument if it was taking place   
   >between two platforms that both supported default end-to-end encryption,   
   >Telegram really has no legs to stand on in this particular discussion.   
   >Indeed, it no longer feels amusing to see the Telegram organization urge   
   >people away from default-encrypted messengers, while refusing to implement   
   >essential features that would widely encrypt their own users' messages. In   
   >fact, it's starting to feel a bit malicious.   
   >What about the boring encryption details?   
   >This is a cryptography blog and so I'd be remiss if I didn't spend at   
   >least a little bit of time on the boring encryption protocols. I'd also be   
   >missing a good opportunity to let my mouth gape open in amazement, which   
   >is pretty much what happens every time I look at the internals of   
   >Telegram's encryption.   
   >I'm going to handle this in one paragraph to reduce the pain, and you can   
   >feel free to skip past it if you're not interested.   
   >According to what I think is the latest encryption spec, Telegram's Secret   
   >Chats feature is based on a custom protocol called MTProto 2.0. This   
   >system uses 2048-bit* finite-field Diffie-Hellman key agreement, with   
   >group parameters (I think) chosen by the server.* (Since the Diffie-   
   >Hellman protocol is only executed interactively, this is why Secret Chats   
   >cannot be set up when one user is offline.*) MITM protection is handled by   
   >the end-users, who must compare key fingerprints. There are some weird   
   >random nonces provided by the server, which I don't fully understand the   
   >purpose of* -- and that in the past used to actively make the key exchange   
   >totally insecure against a malicious server (but this has long since been   
   >fixed.*) The resulting keys are then used to power the most amazing, non-   
   >standard authenticated encryption mode ever invented, something called   
   >"Infinite Garble Extension" (IGE) based on AES and with SHA2 handling   
   >authentication.*   
   >NB: Every place I put a "*" in the paragraph above is a point where expert   
   >cryptographers would, in the context of something like a professional   
   >security audit, raise their hands and ask a lot of questions. I'm not   
   >going to go further than this. Suffice it to say that Telegram's   
   >encryption is unusual.   
   >If you ask me to guess whether the protocol and implementation of Telegram   
   >Secret Chats is secure, I would say quite possibly. To be honest though,   
   >it doesn't matter how secure something is if people aren't actually using   
   >it.   
   >Is there anything else I should know?   
   >Yes, unfortunately. Even though end-to-end encryption is one of the best   
   >tools we've developed to prevent data compromise, it is hardly the end of   
   >the story. One of the biggest privacy problems in messaging is the   
   >availability of loads of meta-data -- essentially data about who uses the   
   >service, who they talk to, and when they do that talking.   
   >This data is not typically protected by end-to-end encryption. Even in   
   >applications that are broadcast-only, such as Telegram's channels, there   
   >is plenty of useful metadata available about who is listening to a   
   >broadcast. That information alone is valuable to people, as evidenced by   
   >the enormous amounts of money that traditional broadcasters spend to   
   >collect it. Right now all of that information likely exists on Telegram's   
   >servers, where it is available to anyone who wants to collect it.   
   >I am not specifically calling out Telegram for this, since the same   
   >problem exists with virtually every other social media network and private   
   >messenger. But it should be mentioned, just to avoid leaving you with the   
   >conclusion that encryption is all we need.   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
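The quoted post says the only MITM protection in the key agreement it describes is the two users comparing key fingerprints. The following is an added example (not code from the quoted post, from the poster, or from Telegram) that shows why that comparison step matters: a finite-field Diffie-Hellman exchange in which a relay that substitutes its own public values ends up holding a working key with each user, and the only visible symptom is that the two users' fingerprints no longer match. The group (p = 2^127 - 1, g = 3), the public-value sanity check and the fingerprint format are constructed for the demonstration and are not Telegram's parameters or encoding.

```python
"""Toy finite-field Diffie-Hellman with key-fingerprint verification.

Added example, not from the quoted post or from Telegram. It mirrors the
structure the post describes: a DH key agreement whose only defence against a
man-in-the-middle is both users comparing a fingerprint of the resulting key.
"""
import hashlib
import secrets

# Constructed toy group, NOT a 2048-bit production group: p = 2^127 - 1
# (the Mersenne prime M127) and g = 3. Small enough to run instantly.
P = (1 << 127) - 1
G = 3


def check_public_value(y: int, p: int = P) -> None:
    """Generic sanity check (assumed, not Telegram's exact rule): a peer, or a
    server relaying for it, that sends 0, 1 or p-1 forces the shared secret
    into a trivial value, so such public values are rejected outright."""
    if not 1 < y < p - 1:
        raise ValueError("degenerate Diffie-Hellman public value")


def keygen(p: int = P, g: int = G) -> tuple[int, int]:
    """Return (private exponent, public value) for one party."""
    x = secrets.randbelow(p - 3) + 2  # private exponent in [2, p-2]
    return x, pow(g, x, p)


def shared_key(my_private: int, their_public: int, p: int = P) -> bytes:
    """Derive a 32-byte session key from the DH shared secret."""
    check_public_value(their_public, p)
    s = pow(their_public, my_private, p)
    return hashlib.sha256(s.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short human-comparable digest of the session key: 8 bytes of SHA-256,
    grouped for reading aloud. Constructed format, not Telegram's."""
    h = hashlib.sha256(b"fingerprint:" + key).hexdigest()[:16]
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def honest_exchange() -> tuple[str, str]:
    """Alice and Bob see each other's real public values: fingerprints match."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    return (fingerprint(shared_key(a_priv, b_pub)),
            fingerprint(shared_key(b_priv, a_pub)))


def relayed_by_mitm() -> tuple[str, str]:
    """A relay replaces each public value with its own and ends up with a
    separate working key per user. Messages still decrypt on both ends, so
    only the out-of-band fingerprint comparison exposes the substitution."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()
    key_a = shared_key(a_priv, m_pub)  # Alice believes m_pub came from Bob
    key_b = shared_key(b_priv, m_pub)  # Bob believes m_pub came from Alice
    # The relay can compute both keys and re-encrypt traffic in the middle.
    assert shared_key(m_priv, a_pub) == key_a
    assert shared_key(m_priv, b_pub) == key_b
    return fingerprint(key_a), fingerprint(key_b)


if __name__ == "__main__":
    print("honest exchange :", " | ".join(honest_exchange()))
    print("relayed exchange:", " | ".join(relayed_by_mitm()))
```

Run it and the first line prints two identical fingerprints, the second two different ones. The practical lesson is the one the post draws: a fingerprint check that users must perform manually, and in this design only after an interactive exchange with an online peer, protects only the users who actually perform it.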
