If the locations of his servers are merely a secret, isn't that just security through obscurity? Isn't that a serious weakness? Or is there a more advanced way his servers are kept secret than merely being a secret?
A common misconception with "Security by Obscurity" is that it's always a bad thing.
It's only a bad thing if the obscurity is critical to the security of what you are protecting. For example if you make your API completely open, but obscure it inside an app and make the domain hard to discover e.g a random string that's obviously not good.
However if you use obscurity as an extra layer in a system that is secured by other means such that removing the obscurity would not have an adverse effect on the security of the system that's fine. Hence there's no reason not to obscure things to make it more difficult for an attacker as long as that's not all your security.
But sounds like the entire telegram network could be taken down if the locations of the servers were comprimised. Then the message app wouldn't function anymore, so it wouldn't provide any security.
I guess the issue when your potential adversaries are nation states is that if they know where the servers are and that area is within their jurisdiction they can have your servers shutdown/seized. This obviously kills at least parts of the network, however I don't think it's implied that the network can be compromised as a consequence of this, that would truly be security by obscurity.
Outside of a mesh network or some peer to peer solution this doesn't seem like a problem that's solvable.
I wasn't just thinking about security against seizure or tampering of messages, but rather that since the servers could be taken down if discovered by a powerful adversary, then the network would no longer be functional. So it is not a very secure messaging tool to use if the threat model is to provide a reliable means of communication against a powerful adversary who could identify and take down the servers.
Why would you assume it's "just security though obscurity" and not "security plus obscurity"? Or that "obscurity"" as a security measure is a tragic weakness.
This is a trap a lot of people fall into and I don't know why.
If the compromise of the secret servers causes the entire network to go down, then that secret is a weakest link, so it's not "security plus obscurity".
I don't know much about Telegram's system, but if it is run on centralized servers, then that is a serious weakness...adversaries who have the capability to find and disrupt can exploit that so even though the communication may be end-to-end secure, the entire system however is not resilant against such attacks.
I think it's safe to assume that obscurity is not the only security feature protecting the secret servers. A good defense-in-depth strategy might include some amount of obscurity, along with other measures.
It's only a bad thing if the obscurity is critical to the security of what you are protecting. For example if you make your API completely open, but obscure it inside an app and make the domain hard to discover e.g a random string that's obviously not good.
However if you use obscurity as an extra layer in a system that is secured by other means such that removing the obscurity would not have an adverse effect on the security of the system that's fine. Hence there's no reason not to obscure things to make it more difficult for an attacker as long as that's not all your security.