| Telegram isn't secure. Use Signal if you want a proper secure messenger. http://www.gizmodo.com.au/2016/06/why-you-should-stop-using-...

> "Encryption works best if it's ubiquitous and automatic. The two forms of encryption you use most often -- https URLs on your browser, and the handset-to-tower link for your cell phone calls -- work so well because you don't even know they're there.
>
> Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting.
>
> This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive."

https://www.schneier.com/blog/archives/2015/06/why_we_encryp...

Pavel himself admits security isn't a priority here https://twitter.com/durov/status/678305311921410048 in response to this:

Thomas H. Ptacek
https://twitter.com/Snowden/status/678274362609426432
By default Telegram stores the PLAINTEXT of EVERY MESSAGE every user has ever sent or received on THEIR SERVER.

Edward Snowden
https://twitter.com/Snowden/status/678274362609426432
I respect @durov, but Ptacek is right: @telegram's defaults are dangerous. Without a major update, it's unsafe.
https://twitter.com/Snowden/status/678274362609426432
To be clear, what matters is that the plaintext of messages is accessible to the server (or service provider), not whether it's "stored."

Moxie Marlinspike
https://twitter.com/moxie/status/678219238394298372
It's just how Telegram works and is self-documented to work: Only their marketing copy suggests otherwise.
https://twitter.com/moxie/status/678277776391077888
If you're on an iPhone, they also send a plaintext copy of every msg you receive to Apple's servers. So not even in transit.
https://twitter.com/moxie/status/678309008789258240
For iOS push notification previews. They didn't do the work to make them privacy preserving.

It's the least of Telegram's problems but let's not forget their home made crypto even though there are better alternatives. See the take-home message here:

> "We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack. At the same time, we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist.
>
> The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes."

https://eprint.iacr.org/2015/1177

And the conclusion here:

> "Abstract: The number one rule for cryptography is never create your own crypto. Instant messaging application Telegram has disregarded this rule and decided to create an original message encryption protocol. In this work we have done a thorough crypt analysis of the encryption protocol and it's implementation. We look at the underlying cryptographic primitives and how they are combined to construct the protocol, and what vulnerabilities this has. We have found that Telegram does not check integrity of the padding applied prior to encryption, which lead us to come up with two novel attacks on Telegram. The first of these exploits the unchecked length of the padding, and the second exploits the unchecked padding contents. Both of these attacks break the basic notions of security, and are confirmed to work in practice. Lastly, a brief analysis of the similar application TextSecure is done, showing that by using well known primitives and a proper construction provable security is obtained. We conclude that Telegram should have opted for a more standard approach.
>
> Conclusion: TextSecure is based on strong primitives that have withstood crypt analysis from the crypto community for years, and these are combined in a way that proven provides authenticated encryption. Telegram on the other hand has crafted its own encryption scheme and deployed it in an unproven state, and prior to any scrutiny from other cryptographers. We have seen this done time and time again, and rarely with good results. Take for example the smart grid meters that were shown to use terrible crypto back in April this year. Furthermore, the DH Ratchet is a very nice way of providing forward secrecy on a per-message basis with little overhead, which is an improvement over Telegram's one key per 100 messages approach.

http://cs.au.dk/~jakjak/master-thesis.pdf |
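
The padding point in the quoted abstract, as an added example that is not part of the original comment or the cited papers: a toy scheme (not Telegram's MTProto) whose integrity hash covers only the message, next to encrypt-then-MAC over the whole ciphertext. The SHA-256 counter-mode keystream and all function names are assumptions made for illustration, not a real cipher or API.

```python
import hashlib, hmac, os, struct

def _keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode): an illustrative stand-in, not a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def weak_seal(key, msg):
    # Body: 4-byte length || msg || 1..16 random padding bytes (16-byte aligned).
    body = struct.pack(">I", len(msg)) + msg
    body += os.urandom(-len(body) % 16 or 16)
    tag = hashlib.sha1(msg).digest()[:16]  # integrity hash covers msg only
    return tag + _xor(body, _keystream(key, tag, len(body)))

def weak_open(key, blob):
    tag, ct = blob[:16], blob[16:]
    if len(ct) < 4:
        raise ValueError("rejected")
    body = _xor(ct, _keystream(key, tag, len(ct)))
    n = struct.unpack(">I", body[:4])[0]
    msg = body[4:4 + n]
    if len(msg) != n or not hmac.compare_digest(hashlib.sha1(msg).digest()[:16], tag):
        raise ValueError("rejected")
    return msg  # padding length and contents were never verified

def etm_seal(enc_key, mac_key, msg):
    # Encrypt-then-MAC: HMAC covers nonce and every ciphertext byte.
    nonce = os.urandom(16)
    ct = nonce + _xor(msg, _keystream(enc_key, nonce, len(msg)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def etm_open(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("rejected")
    return _xor(ct[16:], _keystream(enc_key, ct[:16], len(ct) - 16))

def accepts(open_fn, *args):
    # True if the receiver accepts the blob, False if it rejects it.
    try:
        open_fn(*args)
        return True
    except ValueError:
        return False
```

Flipping the last padding byte of a `weak_seal` output, or appending a block to it, still passes `weak_open`, so distinct ciphertexts decrypt to the same message; `etm_open` rejects both changes.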