
Examining Telegram’s Encryption Flaws: Security Risks and Privacy Concerns

 

Telegram is often perceived as a secure messaging app, but this perception is flawed. Unlike WhatsApp, Telegram doesn’t have end-to-end encryption by default. While Secret Chats offer end-to-end encryption, this feature must be activated by users and does not apply to group chats or the desktop versions. However, it must be noted that all chats on Telegram are encrypted in transit and at rest.

Additionally, Telegram’s apps are open source, and its encryption protocols are fully documented, allowing independent researchers to verify their integrity and implementation. To date, no vulnerabilities in Telegram’s encryption have been identified. This leaves room for potential vulnerabilities, including access by admins, authorities, and hackers. While Telegram is widely used for its innovative features like chat organization and community management, its encryption methods raise red flags among security experts. The platform encrypts data in transit, preventing message interception. 

However, the majority of conversations on Telegram are not end-to-end encrypted, meaning administrators could access them if required by law enforcement. This poses risks for users discussing sensitive topics or sharing confidential information. Further, Telegram is the only messenger to offer verifiable builds on both iOS and Android, enabling researchers to confirm that the apps on app stores are built from the published source code.

Moreover, Telegram’s encryption methods are seen as complex and opaque. For example, the optional Secret Chats use a proprietary encryption algorithm, which is difficult to verify and may include hidden vulnerabilities. Cryptography professionals have criticized this, noting that unless an encryption system is open-source, it cannot be thoroughly vetted for weaknesses or backdoors. One of the significant drawbacks of Telegram’s security is its inapplicability to group chats. Group conversations cannot be encrypted, which increases the risk of unauthorized access to user messages.

For those needing strong privacy for sensitive communications, this is a serious limitation. Given that other popular messaging platforms like Signal and WhatsApp offer end-to-end encryption by default, users of Telegram may want to reconsider using the app for private or sensitive discussions. Signal, for instance, uses the highly respected Signal Protocol, which has been audited and proven to be robust. Telegram, by comparison, leaves users with limited protection due to its closed-source encryption. Despite these concerns, Telegram remains a popular app due to its versatile features, making it more than just a messaging platform. Telegram’s organizational tools, community management features, and ability to broadcast information have made it a favorite among certain groups, especially those sharing tech news or international updates. 

However, for those who prioritize security, Telegram’s limited encryption may not be sufficient, making apps like Signal or even WhatsApp a safer option for encrypted messaging. While Telegram has many innovative features, its encryption limitations leave it far from being the most secure messaging app.

Durov Suspected WhatsApp of Intentionally Introducing Vulnerabilities

 

Pavel Durov, the Russian entrepreneur and founder of the Telegram messenger, criticized the WhatsApp service in his Telegram channel, saying that the messenger, owned by Meta, was hardly ever secure.

Durov also suspects that the service may intentionally introduce vulnerabilities. "Since the creation of WhatsApp, there has hardly been a moment when it was secure: every few months, researchers discover a new security problem in the application," he added. 

Durov noted that every few months researchers find a new security issue in the application. He recalled that he had already spoken out about the danger of the service in 2020. Since then, in the view of Telegram's creator, the situation with WhatsApp has not changed.

As an illustration of his words, he cited a study by the American information technology company Boldend, which revealed a vulnerability in WhatsApp. The gap in the messenger has existed for several years and allows attackers to gain access to the correspondence of their victims unnoticed. 

In addition, the creator of Telegram commented on a Forbes report, which claims that Facebook investor Peter Thiel secretly funded a startup with the ability to hack WhatsApp. "WhatsApp users' messages have been available for attacks by potential hackers for years," Durov said about the report. 

"It would be hard to believe that WhatsApp technicians are so often incompetent. Telegram, a much more technically sophisticated application, has never had such serious security problems," Durov concluded. 

In December, Durov said that his Telegram remains protected from the influence of third parties. He cited the example of the FBI report, which claimed that the bureau has access to Viber, iMessage, WhatsApp, and Line, but Telegram, Threema, Signal, and Wickr do not transmit correspondence to third parties. At the same time, it was noted that Telegram can, at the request of law enforcement officers, hand over the IP address and phone number of the user.

Earlier, Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies. The Minister said that he actively uses the Telegram messenger for fast communications.

Signal Foundation owner says Telegram is not as secure as it claims

Marlinspike stated that the security of the Telegram service is low since the personal data of users is on servers without any protection. According to him, this data includes contacts, media files, and every message that was created in unencrypted form. Allegedly, system administrators and engineers have easy access to this information.

Moxie Marlinspike believes that Telegram uses the dubious security protocol MTProto version 2.0, and that end-to-end encryption (E2EE) does not always work.

The developer of the Telegram messenger, Pavel Durov, gave the founder of Signal a response that was simply shocking. He stated that the service stores all messages and user data in the public domain and does not assign itself the status of "the most secure messenger."

Durov wrote that his company still does not disclose personal data to third parties and third-party organizations. He said that no messenger gives complete privacy to the user. For example, US companies work closely with the FBI and the NSA. According to the legislation of this country, they allow the introduction of backdoors that can become available to government agencies without notification and a court case.

Pavel noted that the Signal Foundation is sponsored by the CIA government agencies and can provide any data even without an official request.

Indeed, there is an opinion that the Signal Foundation is a project of the CIA, which, through intermediary organizations, organizes financial support and implements its agents.

It should be noted that Signal itself was hacked two years ago. The Israeli company Cellebrite, a developer of spyware, has gained access to the messages and attachments of the messenger. At the moment, the company cooperates with the governments of many countries and can provide access to the service.