Insights For Success

Strategy, Innovation, Leadership and Security

Telegram Messenger

Telegram Messenger isn't as secure as you think

GeneralEdward Kiledjian

Right after the horribly tragic terror attacks in Paris, we started to read badly written articles by journalists trying to attract readers with sensational headlines.

The easiest target was encrypted communication tools and one of those is Telegram Messenger. It was said ISIS/ISIL used Telegram to chat securely and that they considered it a good solid secure and trustworthy platform. Does it really deserve that reputation?

I wrote a article on March 2014 that explained some of the shortcomings of this messaging platform.

With all the publicity it is receiving now, I wanted to revisit the tool.

Some of the security issues for people wanting the best security available:

  • Uploading your contacts In order to register for Telegram, you have to use your real telephone number and upload your phonebook contacts (to find others that are using Telegram). This means they know with absolute certainty who owns each account and have a list of your contacts.

  • Metadata Metadata Metadata With everything Snowden has released, we know what metadata is and why it is so important to protect. It is how governments around the world can build very accurate profiles of users. Most users will use Telegram Messenger via a smartphone which is a horribly leaking end point for metadata. Even if you encrypt the actual message, your provider, phone manufacturer and phone OS provider know what app is installed, when it was installed, how often it was used, when it was used and for how long. Combining this with triangulated location information and general information collection means tracking down individual users becomes much easier for crafty well-funded hackers or governments.

  • Custom encryption Read my original article about Telegrams custom encryption. We are at a point in Information Security where there are well documented, tried, tested and reliable encryption mechanisms and it is strange that a company comes along and creates it own. This becomes especially worrisome when the protocol and tool aren’t completely open sourced.

Looking back at Telecom

Looking back at Telegram 1 year after the original article, I would still rate its security as medium level. It may be better than the most popular platforms but is nowhere near a level I would call really secure.

What’s the most secure instant messaging tool?

I write a blog post entitled “The most secure smartphone messaging app in 2013 and my recommendation still stands. The most secure instant messaging tool available today is Threema. Key management is handled by each user (not by the platform provider which weakens the security). It’s security model and back end infrastructure has been independently vetted for security.

Whatsapp to become more secure than Apple Messages

technologyEdward Kiledjian
Image by downloadsource.fr used under Creative Commons License

Image by downloadsource.fr used under Creative Commons License

I'm an advocate of personal privacy through encryption. I love the Threema instant messenger (Link) but none of my contacts used it. This is the problem with secure instant messenger apps, your friends aren't there so it becomes useless. 

Now Whatsapp is including the encryption functionality of TextSecure from Open Whisper Systems in their Android client and this will make Whatsapp the most secure instant messenger (beating even Apple's a Messages/iMessage).

Like Whatsapp, Apple's iMessage/Messages offers end to end encryption but in Apple's design, they control the encryption keys which means they could create a man in the middle type situation and you would never know. In the new Whatsapp with encrypted messenger app, the keys are controlled by the client and you will be able to verify the counter-parties encryption key using QR code scanning (similar to Threema) or by verbally exchanging the encryption key verifier. This will make sure beyond any doubt that the messages are encrypted for the intended recipient and no one else. 

How will it work?

When you start a conversation with another Whatsapp android users using the latest version, you will be asked to initiate a secure session. Once initiated, you will see visual marker (lock icon) in a couple of places to remind you the session is protected : next to the send button, next to each encrypted message and in the title bar.

When?

If you are using the latest android client, your version already includes the new end-to-end encryption mechanism and it is activated when talking to other Android based Whatsapp users.

Although I haven't seen any promises for an IOS version upgrade containing this secure technology from Whatsapp, I am confident we will eventually see it on iPhone as well. 

Telegram messenger isn't secure

technologyEdward Kiledjian

I first wrote about Telegram Messenger February 25 (link). As soon as I published my article, readers started asking me "how secure Telegram Messenger really is". The answer is not that secure. But then again, Whatsapp isn't a super secret messenger either. 

Most users aren't transmitting state secrets so ultra protection really isn't really a requirements. But for those that are interested, Telegram Messenger's security is not verifiably secure. Personally, I would not rely on it if I wanted to share something confidential.

If you are not interested in security, stop here and go about your day with this new knowledge.

Security diagram provided on their protocol security page 

Security diagram provided on their protocol security page 

They claim the protocol was designed by world leading mathematicians. Maybe but it shows a clear lack of understanding about basic cryptography constructs. 

  • The SHA1 function is cryptographically broken (it has been theoretically broken which means it shouldn't be used). There are many other replacement functions that are just as fast but much more securre. Bruce Schneier had a 2005 article on SHA-1 being broken that you should read if interested (link).
  • They are doing "Mac and encrypt" instead of "Encrypt and MAC". Message Authentication Code is a way to verify that the message wasn't tampered with. In the model used by Telegram Messaging, a padding oracle trick can be used by an attacker to find the plaintext message. The ideal model is encrypt then MAC. In this model the message is encrypted and then a MAC is performed. If the MAC test fails on the recipients device, the message is not decrypted and is discarded (meaning no padded oracle trick). An attacker can't forge a MAC without knowing the encrypted session key.  
  • They are using their own cipher called "Infinite Garble Extension" which is a horrible idea when there are already time tested and proven ciphers available.
  • No public key authentication

Overall Telegram Messenger is clean and fairly well designed (from a user perspective) and many have migrated over to it (after the major Whatsapp crash and then the Facebook acquisition). You should use it for its features but not because it is ultra-secure (which it is not).

Personally, I use Hangouts & Whatsapp when security isn't a critical requirement and Threema (link) when security is paramount. I like the fact that Threema is cross platform and only requires a one-time fee ($2).

Telegram Messenger is a nice Whatsapp alternative

technologyEdward Kiledjian
photo 1.PNG

Now that Whatsapp was bought by Facebook for $19B, many users are searching for a new instant messaging platform to use. Enter Telegram Messenger (link).

Telegram Messenger is the brainchild of russian technology magnate Pavel Durov. Pavel is rich enough that he can pretty much do whatever he wants and said he wanted to build an easy to use, secure and free instant messaging platform that he could share with the world.

After all of the Edward Snowden NSA revelations, tech users have been searching for a more secure non-US based IM system and Pavel believes his Telegram Messenger is the perfect answer.

Telegram is a not for profit organization

When a company says their product is free, we typically look at them very skeptically thinking that there must be some catch. Maybe they are tracking your usage or are trying to hook you in before they switch to a paid model.

Telegram is based on a custom protocol called MTProto built by Pavel's brother Nikolai. This protocol is used to encrypt messages end to end. This encryption means messages cannot be forwarded or can even be set to self-distruct. 

The organization that creates and maintains Telegram is a not for profit and the company will make the source code available to researchers interested in reviewing the code. They hope that this model will help them win users trust.

The funding model will be based on donations and in-app purchases for additional features later on. These add-on services aren't available today but many believe they will be privacy enhancing features (think disposable email, disposable number, etc).

The founder has had issues with the Russian government in the past so his new initiative (aka Telegram messenger) rents datacenter space from various providers around the world to prevent a single government from flexing too much muscle. Because they don't operate in the most regulated regimes (USA, Russia, China, Saudi Arabia, etc) they don't have to comply with the tougher less privacy friendly rules in these countries. 

Telegram says that even if they received a government request for access to a user's chat session, they can't provide it because the encryption key is generated and held on the user device and never stored in the cloud.

You can check out the Telegram Messenger source code (link), MTProto (link), Telegram Messenger API (link). If you are more technical and want to read more detailed technical information, read this (link).

They are so confident in their security that

"Anyone who claims that Telegram messages can be deciphered is welcome to prove that claim in our competition and win $200,000."

The Post Facebook Whatsapp purchase flood

Telegram says they were seeing a steady stream of new registrations daily then Facebook bought Whatsapp and everything changed. All of a sudden millions of users flocked to Telegram and the new service experienced some small controlled glitches.

How does Telegram compare to Whatsapp?

Telegram describes the difference as such:

Unlike WhatsApp, Telegram is cloud-based and heavily encrypted. As a result, you can access your messages from several devices (including desktops!) and share an unlimited number of photos, videos and documents (doc, zip, mp3, etc). Thanks to our multi-data center infrastructure and encryption, Telegram is also faster and way more secure. On top of that, Telegram is free and will stay free — no ads, no subscription fees, forever."

It also has small improvements over Whatsapp like allowing 100 members of a group chat (instead of Whatsapps 50). It allows for video sharing of up to 1GB.

Once installed, it asks for permission to your address book and automatically identified contacts that are using Telegram. The problem is that this is a new an emerging client so many of your contacts may not be on Telegram Messenger yet.

Pictures

photo 2.PNG
photo 3.PNG
photo 4.PNG
photo 5.PNG
photo 1.PNG
photo 2.PNG