The Arrest of Pavel Durov Is a Reminder That Telegram Is Not Encrypted

I once visited Moscow for a AI coding jam sponsored by the Russian state, and while I was there, there was a Telegram group for all of the students to use to communicate during the jam. This Telegram channel was set up by the state officials.

A small section of Russian students were floored, and responded that they thought Telegram was banned in the country at the time (circa 2017-2018). The state officials laughed and responded that it wasn't any concern because they could read everything in any chat they wanted.

I've avoided the app ever since. I can't say how, why, or when the app became compromised, but anecdotally, I was told that it was and that it was no longer a concern in Russia.

Maybe it was some dry joke, maybe those students were woefully misinformed, who knows. But it certainly broke any confidence I had in the security of any existing messaging app.

I personally use Signal, but that's mostly just because I have personal friends who use it and it's convenient to use on my PC.

Edit: Kinda funny, I only just logged into this site again, and some of my last previous comments were about the same thing.

>Telegram is mostly about big group chats and channels where people share information with their fans.

This is the gist of it. Telegram is mostly like an uncensored blog platform at this point. Probably the only platform to host official channels of Navalny, Zelenski, Dmitry Medvedev, Russian and Ukrainian milbloggers at the same time.

And for public channels, E2E is pointless - everyone can see it anyway.

It also doesn't mean "plain text". Telegram uses MTProto and the decryption keys are stored on multiple servers in multiple jurisdictions, something which Gizmodo doesn't even mention.

See also this excellent comment by another HN user: https://news.ycombinator.com/item?id=41348228

>"sperm-obsessed co-founder of Telegram"

>"possible vector for child sex abuse material"

>"hub for various scams and crimes—but"

What is it? Setting up a mood to make sure people feel that Durov / Telegram are bad? This is anything but even a try to objective journalism. Whoever the author is - fuck you.

Just a small note: even if Telegram would be encrypted end to end, most people use it with a mobile app, writing messages with the OS virtual keyboard, inserting images/video from the OS internal storage. How can anyone think an app could be private on a closed source, remotely managed, OS it run on it's definitively not?

How can anyone think a damn picture on an Android/iOS/* phone could be considered private? People have Google Photos/iCloud auto-backups and do care about "the privacy of a messaging app"?

Beside that I do consider this arrests much less meaningful than most current press, yes it's a debatable act, but so far Telegram works in France, there is no state-enforced block, in user base size terms it's hardly be considered a significant hostile political/social actor, and actually the government is doing MUCH bigger things against the République and Democracy at a whole than arresting the funder of a messaging services based in Dubai...

The title is not correct IMO, it is not "end-to-end encrypted" by default.

But the traffic between you and the Telegram server is always encrypted and the "end-to-end encryption" can be enabled.

An encrypted system can depend on a trusted third party. Sometimes that trust is mandatory, like, say, a XMPP system used in an industry where IM messages have to be archived for future possible access to a regulator. Such systems are much easier for the user to use securely.

Most end to end capable systems degrade to trusting the provider when the user fails to verify the identity of their correspondent using some ridiculously long number. In other words, the user has to take an assertive action to become fully end to end where only the end users are trusted. Just like with Telegram secret chats. You can't just claim that such systems are not encrypted. Things are more subtle.

The headline here ("Telegram Is Not Encrypted") is misleading...

The encryption is a red herring to distract from the truth: telegram is the only platform where views different from war profiteers can be expressed. You can't do it anywhere else: not on cnn, not bbc, not guardian, not bloomberg, ..., not fox news, not npr, not reddit, not medium, not in a french court that rubberstamps whatever overseas masters tell them.

I never trusted Telegram; who are their founders, what is their corporate structure and management style, what are their values and vision? Nor do I trust any other centralized messaging app. P2P FTW. Cryptography is the only salvation.

That's funny because the French government is accusing him of:

  - Fourniture de prestations de cryptologie
    visant à assurer des fonctions de
    confidentialité sans déclaration conforme,

    Providing cryptography services with
    an eye to ensure confidentiality
    features without a compliance
    declaration.  (Translation mine.)

  - Fourniture d'un moyen de cryptologie
    n'assurant pas exclusivement des
    fonctions d'authentification ou de
    contrôle d'intégrité sans déclaration
    préalable,

    Providing a cryptographic method
    non-exclusively ensuring authentication
    and integrity features w/o prior
    declaration.  (Translation mine.)

  - Importation d'un moyen de cryptologie
    n'assurant pas exclusivement des
    fonctions d'authentification ou de
    contrôle d'intégrité sans déclaration
    préalable.

    Same, but regarding import controls.

The first item implies that you're not allowed to provide others with software/services that provides confidentiality protection without registration -- without a statement that you comply with legal requirements!

Presumably the compliance declaration is subject to prosecution for perjury or similar charges if they can twist the legal requirements after your registration.

The second item implies that you're not allowed to provide others even with something as innocuous as authentication and integrity protection software/services without first registering your intent to do so!!

In the context of the cryptowars of the 90s, and in the context of web browsers, all of this is just pure nonsense.

Where are the prosecutions of Mozilla, Google, and Apple (and Brave, and Opera, and...) for distributing browsers which all provide confidentiality services? Or did they all get approval from the French government?

That’s my fustration with Telegram. When it comes to ui/ux is beats WhatsApp day and night. But the encryption by default is so so disappointing

Why are these popping out now?

https://news.ycombinator.com/item?id=41350530

When it comes down to it, practical encryption no longer exists.

Every operating system now phones home and uploads copious event logs. Many users install custom "swipe" keyboards, ad blockers, toolbars, and even bios chips are now programmable.

There are just so many vectors and exfiltration paths, plus it's not enough for you to secure them all. The person you are talking to must also.

Often encrypted messaging gives a false sense of security. Messages can still be intercepted on either end, and an automatic app update is sufficient to silently disable the encryption without the user knowing.

edit: Since it seems that some are considering this baseless fear-mongering, here's just one recent example:

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...

https://en.wikipedia.org/wiki/Pegasus_(spyware)

Wrong title.

Not Encrypted (x)

Not "Fully" Encrypted (o)

Yeah I kinda wonder why they don't end to end encrypt telegram, this would take them out of a lot of hot water with the authorities. Because the situation would be the same as with Signal and WhatsApp: What they can't see they can't moderate.

Of course telegram is actually encrypted, but just not end to end. Except the secret chat function which is very limited (only works between 2 participants, only between 2 devices and everyone needs to be online at the same time for the key exchange to work).

I wonder if developers of Tor or Matrix, which are far more popular among shady dealers as a percentage of regular users, were arrested. A storm would follow. In Durov's case - crickets. No EFF for you.

I have no idea if it is encrypted or not. Always thought it is. But I think of offering a commercial service of something my buddy is currently offering for free on a smaller scale. And there have been police inquiries.

I am US based and have a US passport. I wonder if I would have to respond to police inquiries. When is this enough, and when would I need a court order? And do I have to respond to foreign police inquiries. Demand a court order? And accept one from France, what is next? Russia? China? North Korea?

I think in the end it was his French Passport that killed him. Now there are not so many options for him:

He can help with providing a kind of key, backdoor whatever and can walk or gets a small sentence. I thought Telegram is encrypted and if done, in the right way, he could not provide help at all, but this seems not the case. The other option is that he asks for help from Russia. I am sure Putin could get him out in 1-2 years. Trust me, Putin has his ways with this, see Vadim Krasikov. :-)

Let's hope he plays his cards wisely. Good luck.

Motorola radios marketed at law enforcement have flawed AES encryption and can be decrypted in near real time. You are delusional if you think your consumer phone or any app on it is more secure than that.

I sort of assumed that a messaging app based in Russia should probably not be used unless you were okay with Russia reading your messages, which is currently considered an enemy state in most western countries. It totally shocks me that so many pro Ukrainian influencers use Telegram.

I feel that this is a pretty good summary of what's going on: https://youtu.be/39rBzRd4M0k and explains how the encryption works etc.