Why Telegram isn’t as secure as claimed/Unsplash
Among users of various instant messengers, Telegram has a reputation as a more secure communication tool than WhatsApp or Messenger. However, the founder and manager of another secure messenger Signal, Moxie Marlinspike, strongly disagrees with this, saying Telegram’s reputation for cybersecurity is overblown.
Why Telegram Isn’t As Secure As Commonly Believed
Marlinspike said messages sent via Telegram are
are stored on company servers in their original form or in plain text, without encryption to protect users’ personal data. The Signal chief noted that in this regard, even Meta’s Messenger and WhatsApp (formerly Facebook) offer better privacy than Telegram.
The thing is, both of these programs offer at least end-to-end encryption for all messages sent through their platforms.
In turn, Telegram stores all data in the cloud in a completely open format : texts, general multimedia data, contacts. Even Messenger offers a minimal standard end-to-end encryption protocol for data stored on servers.
In the case of Telegram, anyone with access to its services also has access to the entire unsecured database of email users.
Main telegram problem
Don’t trust Telegram/Photo Unsplash security
Winfuture who first reported Telegram’s insecurity, claims that the program is basically a window open to the servers which store the complete history of everything that happened on the platform, which is visible to a private user, as well as to server operators.
If, for example, a hacker decides to spy on a user’s private messages in Telegram, he can easily do so.
Criticism of Telegram’s “security”
In December 2015, a dispute arose on Twitter over the security of Telegram between Pavel Durov and representatives of Open Whisper Systems, developers of secure messaging Signal and Edward Snowden. OWS responded to a Twitter user who thought Telegram was secure enough to does not encrypt messages by default . Snowden added that Telegram should undergo a major update to get rid of “dangerous” flaws.
Moxie Marlinspike – the founder of OWS and creator of the messenger Signal, who previously worked as the head of Twitter’s security department – pointed out that there is a difference between how Telegram positions itself and what it really is.
Interesting fact! Christopher Sogoyan, chief technologist of the American Civil Liberties Union, says positioning the messenger from a security standpoint is unwarranted because companies should think about default protection and not force users to change settings. client.
The myth of the super secure telegram
The main problem around the whole story with the “most secure” messenger is that a lot of people have a poor understanding of cryptography and data protection, so they easily succumb to populist marketing claims, which haven’t done only grow since Telegram entered the market.
Associate an account with a phone number
Telegram uses authorization using a phone number and by default, just enter a code from an SMS to access the account.
You cannot ignore this requirement because the messenger is tied to a number and all user activity is tied to that number. Despite the simplicity for the user, this solution significantly reduces account security .
Due to the risks of being tied to a phone number, it is very important to enable two-factor or two-step authentication in such programs.
Important! By the way, enabling two-step authentication in Telegram will not prevent you from being hacked at all, it will only ensure the destruction of your chat history.
The problem of linking an account to a phone number can be described for a very long time, but in a nutshell everything is based on the insecurity of outdated SS7 technologies , on the basis of which mobile networks operate. For example, such vulnerabilities allow you to intercept calls and SMS messages and you don’t even need to have special skills for this. No operator in the world is immune to such attacks, no matter how well they defend themselves.
Contacts are synchronized with the server
The contact list is continuously synchronized with the server. If you connect your Google account for a few minutes or put in another SIM card, all their contacts will be sent to messenger’s servers .
Even if you only used secret chats, but the attackers gained access to your account, they will be able to define a complete list of your contacts which will allow you to build a giant map of social connections with other users. This is how you can determine how users interact with each other.
Huge amounts of metadata
Telegram collects and sends huge amounts of service data to servers every day. The program sends messages to the entire contact list whenever the application window is opened or hidden.
An attacker can actually “subscribe” to all of the victim’s metadata by simply adding it to their contact list. Unfortunately, the messenger will not ask for mutual consent in this case. Moreover, the victim will not know about it, since there will be no messages, and the attacker will not appear in the Telegram contact list at all.
With enough metadata, you can know when specific people have spoken to each other . It would seem that the problem is insignificant, but for a messenger that puts data protection and complete privacy of its users as its base, it is still a problem.
To protect against such an attack, you must select in the privacy settings to display the time of the last visit “Only for my contacts” or “For no one”.
Encryption is disabled by default
It’s just ridiculous for a messenger that positions itself as secure, but yeah, correspondence is not encrypted by default . To enable encryption, you need to wait for the interlocutor on the network and enable secret chat. An existing conversation cannot be encrypted. Group chats do not support encryption at all.
Besides the fact that encryption is disabled by default, the MTProto encryption technology raises many questions from many security experts . The thing is, the server side of encryption is closed, and no one has seriously tested client-side encryption.
Fans of the messenger can claim that a competition was announced for the Telegram hack with a cash prize, but the event has been repeatedly criticized. The potential winners claimed that they were limited in their actions and only had the encrypted content of the correspondence at their disposal, examples were given of how, according to the given rules of the competition, even a previously vulnerable algorithm could not be hacked.
Interesting! A year later, Pavel Durov announced the start of a new competition. The hackers were asked to “disclose” the correspondence of the two robots and have already been authorized not only to act as observers, as in the case of the first contest, but also to carry out active attacks. Despite the fact that the conditions of the contest have been changed, questions have arisen as to the veracity of such a contest.
There are also many stories about how Russian special services easily hacked into the correspondence of opposition politicians, journalists and other prominent figures, and not so long ago Telegram at the official level there confirmed that he would provide all the data requested by the special services. . Therefore, the Telegram messenger can be as convenient and advanced as you want, but in terms of security, it is definitely not the tool to rely on.