What encryption? Last I checked, there was no E2E group encryption (Telegram has a bizarre web page claiming that TLS to their servers addresses the privacy threat), and 1:1 E2E is disabled by default.
For a very long time there was no TLS to Telegram servers, only their own MTProto. I think they introduced TLS wrapping at some point as an anti-censorship measure, not sure if that’s even deployed in all markets.
E: Well, I took a look at the desktop client with wireshark. It appears to just do MTProto on port 443, not TLS. When I use iptables to drop traffic on port 443, it falls back to MTProto over HTTP(!).
Common security wasn't respected at Vkontakte as well.
The social network was serving plain http login form and internal communication unencrypted until 2013[0].
I reminisce that when Durov was questioned about the abscence of secure connection to the servers, he told it's a too much of overhead and may impact QoS badly.
Some time they rolled out an `always use https` option and buried it deep in the user preferences. Meaning most of non-tech savvy audience kept using the service unaware they are not secure.
The obvious pattern here is they tend to use plain http as a default transport unerminig established security practices.
Looks like they don’t use TLS at all by default, just MTProto on port 443 or MTProto over HTTP. Comms to the telegram servers are always encrypted with MTProto, but tunneling MTProto over TLS would make any attacks on MTProto much harder (perhaps impossible) to execute.
I thought they used TLS wrapping in some markets for censorship resistance, but apparently that is not the case unless you set up your own proxy.
> What encryption? Last I checked, there was no E2E group encryption
You of all should know better than to conflate the general concept of encryption with the very nice special case that is end-to-end encryption!
> and 1:1 E2E is disabled by default.
It is not disabled in any way. It just isn't default.
There are really enough real reasons to criticize Telegram, absolutely no reason to 1. redefine words to have narrower definitions 2. Write outright misinformation.
I respect you a whole lot but your somewhat sloppy handling of facts detract a whole lot from the overall image.
E: Well, I took a look at the desktop client with wireshark. It appears to just do MTProto on port 443, not TLS. When I use iptables to drop traffic on port 443, it falls back to MTProto over HTTP(!).
They list some alternate transports on their website, but it looks like you need to host them yourself. https://core.telegram.org/mtproto/transports