August 25th, 2024

Is Telegram really an encrypted messaging app?

Telegram lacks default end-to-end encryption, requiring users to manually activate "Secret Chats." This complicates privacy, as most messages may be visible to the service provider, misleading users about security.


Telegram is often labeled as an "encrypted messaging app," but this characterization can be misleading. While Telegram does employ encryption, it does not provide end-to-end encryption by default for all conversations. Users must manually activate a feature called "Secret Chats" for each private conversation, which is not enabled for group chats and can be cumbersome to access. This means that the majority of messages exchanged on Telegram are potentially visible to the service provider, undermining the privacy that users might expect from an encrypted messaging platform. The lack of default end-to-end encryption raises concerns, especially as many users may not realize they need to take additional steps to secure their communications. Furthermore, Telegram's user experience for activating encryption has not significantly improved over the years, despite a substantial increase in its user base. This situation poses risks for users who may inadvertently believe their conversations are secure when they are not. While some users may not prioritize encryption, those who do could be misled by Telegram's marketing as a secure messaging service.

- Telegram does not provide end-to-end encryption by default; users must activate it manually.

- The majority of conversations on Telegram are potentially visible to the service provider.

- Activating encryption is complicated and not user-friendly, which may lead to misunderstandings about privacy.

- Telegram's encryption features have not significantly improved despite a growing user base.

- Users may be misled by Telegram's branding as a secure messaging platform.


AI: What people are saying
The discussion surrounding Telegram's encryption and privacy features reveals several key themes among the comments.
  • Many users express skepticism about Telegram's security, noting that its lack of default end-to-end encryption (e2ee) can mislead non-technical users into thinking their messages are secure.
  • Some commenters argue that e2ee is not essential for all users, emphasizing Telegram's utility as a social platform and its unique features compared to other messaging apps.
  • Concerns about metadata collection and the implications of Telegram's data storage practices are frequently mentioned, with comparisons to other messaging services like Signal and WhatsApp.
  • Several users highlight the importance of user trust in the app, suggesting that even with encryption, the potential for backdoors and data leaks remains a significant issue.
  • There is a divide in opinions regarding the necessity of e2ee, with some users advocating for its importance while others downplay its relevance in everyday communication.
50 comments
By @bryanlarsen - 3 months
Try the mud puddle test: log into your account on a new device using the password recovery flow. Can you see your old messages?

If the answer is yes then law enforcement can too.

https://www.forbes.com/sites/anthonykosner/2012/08/05/how-se...
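
The mud puddle test from the comment above, modelled in Python as an added example (not part of the original comment and not Telegram's code). `Provider`, `Device` and `mud_puddle_test` are hypothetical names, the key handling is a simplification, and `seal`/`unseal` are a standard-library stand-in for a real AEAD cipher so the block runs without third-party packages.

```python
import hashlib, hmac, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Illustrative encrypt-then-MAC construction; use a vetted AEAD in real code.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Provider:
    """Stores ciphertext for every chat, but keys only for server-keyed chats."""
    def __init__(self):
        self.blobs = {}          # chat_id -> list of ciphertext blobs
        self.escrowed_keys = {}  # chat_id -> key held by the provider

    def can_read(self, chat_id: str) -> bool:
        # The provider (or anyone who compels it) needs nothing from the user.
        key = self.escrowed_keys.get(chat_id)
        return key is not None and all(unseal(key, b) for b in self.blobs[chat_id])

class Device:
    def __init__(self, provider: Provider):
        self.provider = provider
        self.local_keys = {}     # end-to-end keys never leave the device

    def send(self, chat_id: str, text: str, end_to_end: bool) -> None:
        store = self.local_keys if end_to_end else self.provider.escrowed_keys
        key = store.setdefault(chat_id, secrets.token_bytes(32))
        self.provider.blobs.setdefault(chat_id, []).append(seal(key, text.encode()))

    def read_history(self, chat_id: str):
        key = self.local_keys.get(chat_id) or self.provider.escrowed_keys.get(chat_id)
        if key is None:
            return None          # ciphertext exists, but nobody left holds the key
        return [unseal(key, b).decode() for b in self.provider.blobs[chat_id]]

def mud_puddle_test(end_to_end: bool):
    """Lose the only device, recover the account, try to read old messages."""
    provider = Provider()
    old_device = Device(provider)
    old_device.send("chat-1", "constructed sample message", end_to_end)
    del old_device                   # the phone is in the puddle
    new_device = Device(provider)    # account recovery: fresh device, no local keys
    return new_device.read_history("chat-1"), provider.can_read("chat-1")

if __name__ == "__main__":
    print("server-keyed chat:", mud_puddle_test(end_to_end=False))
    print("end-to-end chat:  ", mud_puddle_test(end_to_end=True))
```

When history survives the loss of every device, the second value is also true: the same escrowed key that restores the user's messages lets the provider decrypt them.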

By @mfiro - 3 months
In my opinion, Telegram is more of a social network than a messenger. There are many useful channels and in many countries, it plays an important role in sharing information. If we look at it from this point of view, e2ee does not seem very important.

We should also not forget that, in the time when all social media (Reddit, X, Instagram etc.) close their APIs, Telegram is one of the only networks that still has a free API.

By @tamimio - 3 months
It’s not encrypted by default, and even if it were encrypted, you should never trust any connected device with anything important. That being said, Telegram is hands down the best communication platform right now. It is feature-rich, with features implemented years ago that are only now being added to other platforms. It has normal chatting/video calls, groups, channels, and unlimited storage in theory, all for free. I just hope it doesn’t go downhill after what happened these last days because there’s no proper replacement that fulfills all Telegram features at once.
By @kitkat_new - 3 months
The worst thing is that almost every non-techie who uses Telegram thinks Telegram in general is e2ee.
By @331c8c71 - 3 months
I am null at cryptography but the following does not sound too bad as a default tbh. And I think it is misleading to focus solely on e2ee and not mention the distributed aspect.

https://telegram.org/faq#q-do-you-process-data-requests

> To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.

> Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression.

> Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.

> To this day, we have disclosed 0 bytes of user data to third parties, including governments.

By @lxgr - 3 months
Telegram offers end-to-end encryption in the same way that McDonalds offers salads.
By @theshrike79 - 3 months
I don't know why people get hung up on Telegram's encryption. Maybe they're trying to make it be something it isn't.

Is Discord end to end encrypted, is IRC? Nope, does it make them useless? Again no.

Same with Telegram, it's a chat tool where you can select your audience and have a good UX with native bot support. (like Discord and IRC).

That's what I want, nothing more.

If I want to plan a coup, I'd use something else of course.

By @codethief - 3 months
Thanks for the blog post, now I finally have a good resource I can point people to next time they claim Telegram is secure.

> I am not specifically calling out Telegram for this, since the same problem [with metadata] exists with virtually every other social media network and private messenger.

Notably, Signal offers a feature called Sealed Sender[0]. While it doesn't solve the metadata problem entirely, it does at least reduce it a bit.

[0]: https://signal.org/blog/sealed-sender/

By @AnotherGoodName - 3 months
If Telegram's encryption is so bad why is Pavel Durov under arrest?

The arrest cites that he was not cooperating with authorities to crack down on various drug illegal activities on telegram. None of the other social networks have their ceos arrested. Is it simply that telegram is the only one without backdoors for five eyes?

It seems to me the secret chat feature actually works too well?

By @innagadadavida - 3 months
I am amazed at the low quality comments here. Encryption really doesn’t matter as much as the trust of the app here. Any malicious app author can 100% secure encrypt everything in wire and yet leak 100% of your data to some state actor. Anything you type into the chat box is only encrypted by the app after you type and probably storing it in the clear in some local SQLite db. It gives them a whole bunch of options to mess with that plain text data. Even if the app source code is published as you don’t know if they backdoored it before they submitted to App Store.
By @tazu - 3 months
Am I the only one who uses Telegram mainly for p2p e2ee audio calls? It's great for that.
By @sharpshadow - 3 months
Only the secret chat is e2e encrypted. All the other chat options are not. I think calls are also not encrypted since they appear in the normal chat history not in the e2e chat.

Obviously if your phone is compromised your e2ee chat is not safe.

By @ziofill - 3 months
> One of the biggest privacy problems in messaging is the availability of loads of meta-data — essentially data about who uses the service, who they talk to, and when they do that talking. […] the same problem exists with virtually every other social media network and private messenger.

Is this true for Signal too? I thought it wasn’t.

By @Andrew_nenakhov - 3 months
Of course not. The genius of Durov was in discovering that users don't really need e2ee and all the drawbacks that come with it, and that promising them that the app has really strong encryption is good enough even without actual encryption.
By @warrenm - 3 months
>Does Telegram have encryption or doesn’t it?

>Many systems use encryption in some way or another. However, when we talk about encryption in the context of modern private messaging services, the word typically has a very specific meaning: it refers to the use of default end-to-end encryption to protect users’ message content. When used in an industry-standard way, this feature ensures that every message will be encrypted using encryption keys that are only known to the communicating parties, and not to the service provider.

>From your perspective as a user, an “encrypted messenger” ensures that each time you start a conversation, your messages will only be readable by the folks you intend to speak with. If the operator of a messaging service tries to view the content of your messages, all they’ll see is useless encrypted junk. That same guarantee holds for anyone who might hack into the provider’s servers, and also, for better or for worse, to law enforcement agencies that serve providers with a subpoena.

>Telegram clearly fails to meet this stronger definition for a simple reason: it does not end-to-end encrypt conversations by default. If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called “Secret Chats” for every single private conversation you want to have. The feature is explicitly not turned on for the vast majority of conversations, and is only available for one-on-one conversations, and never for group chats with more than two people in them.

By @jbk - 3 months
The worst is that Telegram Secret Chats are limited in functionality, compared to the normal ones, for no reason. Sticker sets don't work, for example, and that's one of the main features of Telegram chats.
By @kgeist - 3 months
For me Telegram is more like an uncensored Twitter slash blog platform. I use it to check out public channels for updates and that's about it. For private communication, I use Whatsapp. So, lack of e2e by default is not an issue for me at all.
By @medo-bear - 3 months
Telegram is not Signal, it is a waaay better Discord
By @ahmedbaracat - 3 months
Are there any pointers for work to try to make metadata private (i.e. encrypted)?

I was recently very curious about this question and asked similar ones here:

https://news.ycombinator.com/item?id=41267877

https://news.ycombinator.com/item?id=41270863

On a side note, I was just recommending Telegram as alternative to WhatsApp (but I did mention that we need to enable Private chats for E2E). It is definitely not an ideal UX.

https://barac.at/essays/on-leaving-meta

By @A4ET8a8uTh0 - 3 months
It is weirdly fascinating that this question has to be answered on a semi-regular basis. I am not sure if it is more of an insight into humans, ephemeral nature of software or concern that something major has changed.
By @ementally - 3 months
>One of the biggest privacy problems in messaging is the availability of loads of meta-data — essentially data about who uses the service, who they talk to, and when they do that talking.

>I am not specifically calling out Telegram for this, since the same problem exists with virtually every other social media network and private messenger.

In fact, https://simplex.chat/ is the only messenger with the least amount of metadata.

By @justmarc - 3 months
One of the biggest, more significant as well as successful Internet-scale cons of the last decades that I can think of, apparently perfectly executed too.
By @kopirgan - 3 months
This article discusses a well known point about Telegram. But only to techies. Vast majority of users are misled by journalists many of whom have degrees in social "science", political "science" etc. It doesn't say you need encryption, that's for each person to decide, perhaps for each conversation. It needs to be an educated choice.

Though it's old hat better to recycle this often so many know.

By @Timber-6539 - 3 months
Reads like a hit piece on Telegram from a crypto expert who couldn't be bothered to explain in more than one paragraph why the app he is calling not an encrypted app (according to how he personally thinks everyone refers to when talking about encryption) actually uses some encryption technology that he's not exactly sure of but suspects is insecure.
By @hippich - 3 months
Something that might be interesting in this topic - forked version [0] of telegram client made during protests in Belarus in 2020 (and appears to be actively maintained to this day). Can't vouch for it, but found it interesting.

[0] https://github.com/wrwrabbit/Partisan-Telegram-Android

By @stavros - 3 months
I thought this was going to be just a big "NO." like the are we X yet? pages.
By @fsndz - 3 months
not being a criminal is really good, I don't have to worry about any of this stuff
By @dataflow - 3 months
Does anyone have any reason to believe that Telegram's E2EE doesn't have a backdoor? Because if not, then I fail to see why it matters whether the E2EE even exists in the first place.
By @WhereIsTheTruth - 3 months
you don't use telegram for encryption

you use it because you can use disposable phone number

nobody ever cares about encryption, it's a false flag

people care about no footprints

that's exactly why it was used to create civil unrest in Iran

https://www.wsj.com/articles/iranians-turn-to-telegram-app-a...

By @fredgrott - 3 months
Simple question denotes whether it's encrypted.....

Does cloud server store the message and key.....

If answer is yes, ITS NOT FULLY ENCRYPTED!

Sounds contrary right?

If key and message is on server any LEO org can get it....for it to be fully encrypted cloud server should never store the keys....

So how many services claiming encryption have this flaw? All....

Why do you think Telegram has shell companies to avoid gov subpoenas?

Because it knows that its encryption is faulty to real world LEO and laws as it stores the keys on the cloud which means it can be subpoenaed for those keys and messages.

By @whatgoodisaroad - 3 months
at the end of the day, if you run it on an iPhone, it's iOS that renders the text, and apple is routinely subpoenaed
By @kome - 3 months
that gives a better explanation on why Telegram is safer in real world settings than WhatsApp or other popular messengers: https://x.com/Pinboard/status/1474096410383421452
By @lvl155 - 3 months
I remember having this same conversation on here nearly a decade ago. I stopped using Telegram then.
By @SXX - 3 months
This is actually a great blog post since too many people tend to believe that Telegram is somehow more secure and private than alternatives on the market.

Also it's not like Telegram doesn't have censorship. During the last 3-4 years there were many cases where Durov blocked bots and channels that belong to protests and opposition in Russia, marked them as "fake" or just plain removed them with no trace.

So it's just another case where some rich guy tries to sell his own platform as some "freedom of speech" one even though it's just censored to his liking.

By @alerighi - 3 months
It's not e2e encrypted, so what? It's something the majority of users does not need, and that doesn't increase security that much given their downsides.

Of course for Telegram it is much more convenient to not have end2end encryption. Given that they store everything on their servers, it means years of chat history that probably weighs Gb for each user, contrary to what WhatsApp/Signal do, of course if 10 million people send each other the same meme it's stupid to have 10 million copies of the same images on their servers just because it is end2end encrypted. They probably have a store where they index each media with its hash and avoid having multiple copies, that is fine. This is the reason Telegram can offer you to have all your messages, including media that can be up to 1Gb each, stored on a cloud for free.

As a user I prefer Telegram just because it's the only app that works perfectly synchronized among multiple devices (Android, Linux, macOS) with good quality native clients, without wasting space on my phone for data.

By the way, end2end encryption is not as safe as they claim. Sure, the conversation can not be intercepted, however:

- you can put a backdoor on endpoints, that is compromise the user phone (something they do)

- you can make a MITM attack on the server (don't know if they do that, but technically possible)

- you can access the data that is backed up on other platforms (i.e. WhatsApp makes by default backups on Google Drive or Apple iCloud, through which you can access all the conversations in clear text).

By @rckt - 3 months
This is such an old topic. Every time something related to the Telegram happens, somebody starts a discussion about how it's not an e2e-by-default. But the reality is nobody cares. And considering this, it's ridiculous now that Durov is detained on the accusations of being responsible for all kinds of information that's being spread in non e2e-by-default messenger.
By @knallfrosch - 3 months
> Is Telegram really an encrypted messaging app?

If it is encrypted, then it aids terrorists and can be banned. So it is encrypted, whatever the technological details. It's a political decision.

By @rhelz - 3 months
Fascinating. I might have missed it, but I don't think the author mentioned the possibility of steganography. Just code the encrypted text such that it resembles a normal conversation.
By @nickphx - 3 months
No, it is not.
By @bandrami - 3 months
Same thing with proton mail. I have never understood the "Trust me bro we encrypt it" business model. If it's not your key on your client machine it's not encrypted.
By @formerly_proven - 3 months
Well yes, but actually no.
By @jusepal - 3 months
Prime example of Betteridge's law of headlines.
By @Canada - 3 months
Let's stop repeating this word "moderate" when what we're talking about is censorship.

Moderation is what happens here on HN: Admins have some policies to keep the conversation on track, users voluntarily submit to them.

Censorship is when a third party uses coercion to force admins to submit to them and remove posts against their will.

Durov has been arrested for refusing to implement censorship, not for anything concerning moderation.

By @cheptsov - 3 months
The author claims that everyone refers to Telegram as an encrypted messenger, but he only provides a single example to support that. I quickly checked Google News and couldn't find any media on the first page that did the same. It feels like a manipulation.

UPDATE: anyone who downvotes, I invite to check for themselves.

Just a few known media:

1. https://www.aljazeera.com/amp/news/2024/8/25/telegram-messag...

2. https://www.washingtonpost.com/technology/2024/08/25/durov-t...

3. https://www.businessinsider.com/telegram-ceo-pavel-durov-arr...

4. https://www.theguardian.com/media/article/2024/aug/24/telegr...

However, indeed, I've seen a few media that call it encrypted. These include France24, POLITICO, and The Times.

By @dboreham - 3 months
Perhaps the French authorities have some taste in UI/UX. They're going to keep him in jail until telegram is no longer painful to use.