Right after the horribly tragic terror attacks in Paris, we started to read badly written articles by journalists trying to attract readers with sensational headlines.
The easiest target was encrypted communication tools, and one of those is Telegram Messenger. It was said ISIS/ISIL used Telegram to chat securely and that they considered it a good, solid, secure and trustworthy platform. Does it really deserve that reputation?
I wrote an article in March 2014 that explained some of the shortcomings of this messaging platform.
With all the publicity it is receiving now, I wanted to revisit the tool.
Some of the security issues for people wanting the best security available:
Uploading your contacts
In order to register for Telegram, you have to use your real telephone number and upload your phonebook contacts (to find others that are using Telegram). This means they know with absolute certainty who owns each account and have a list of your contacts.
Metadata, metadata, metadata
With everything Snowden has released, we know what metadata is and why it is so important to protect. It is how governments around the world can build very accurate profiles of users. Most users will use Telegram Messenger via a smartphone, which is a horribly leaky endpoint for metadata. Even if you encrypt the actual message, your provider, phone manufacturer and phone OS provider know what app is installed, when it was installed, how often it was used, when it was used and for how long. Combining this with triangulated location information and general information collection means tracking down individual users becomes much easier for crafty, well-funded hackers or governments.
Custom encryption
Read my original article about Telegram's custom encryption. We are at a point in Information Security where there are well-documented, tried, tested and reliable encryption mechanisms, and it is strange that a company comes along and creates its own. This becomes especially worrisome when the protocol and tool aren’t completely open sourced.
Looking back at Telegram
Looking back at Telegram 1 year after the original article, I would still rate its security as medium level. It may be better than the most popular platforms but is nowhere near a level I would call really secure.
What’s the most secure instant messaging tool?
I wrote a blog post entitled “The most secure smartphone messaging app in 2013” and my recommendation still stands. The most secure instant messaging tool available today is Threema. Key management is handled by each user (not by the platform provider, which weakens the security). Its security model and back end infrastructure have been independently vetted for security.