by ryanlol 2343 days ago
For a very long time there was no TLS to Telegram servers, only their own MTProto. I think they introduced TLS wrapping at some point as an anti-censorship measure, not sure if that’s even deployed in all markets.

E: Well, I took a look at the desktop client with Wireshark. It appears to just do MTProto on port 443, not TLS. When I use iptables to drop traffic on port 443, it falls back to MTProto over HTTP(!).

They list some alternate transports on their website, but it looks like you need to host them yourself. https://core.telegram.org/mtproto/transports


Common security practices weren't respected at Vkontakte either. The social network was serving a plain HTTP login form and keeping internal communication unencrypted until 2013 [0].

I recall that when Durov was questioned about the absence of a secure connection to the servers, he said it was too much overhead and might impact QoS badly.

At some point they rolled out an `always use https` option and buried it deep in the user preferences, meaning most of the non-tech-savvy audience kept using the service unaware they were not secure.

The obvious pattern here is that they tend to use plain HTTP as a default transport, undermining established security practices.

[0] https://translate.google.com/translate?sl=auto&tl=en&u=https...

> it falls back to MTProto over HTTP

Could you expand on their usage of TLS and HTTP? Surely they don't send anything in plain-text over HTTP?

Looks like they don’t use TLS at all by default, just MTProto on port 443 or MTProto over HTTP. Comms to the telegram servers are always encrypted with MTProto, but tunneling MTProto over TLS would make any attacks on MTProto much harder (perhaps impossible) to execute.

I thought they used TLS wrapping in some markets for censorship resistance, but apparently that is not the case unless you set up your own proxy.
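The Wireshark observation in this thread (MTProto on port 443 with no TLS, falling back to plain HTTP) is something a network defender can check for mechanically: if the first client payload on a 443 flow is not a TLS ClientHello record, the "port 443 means TLS" assumption is false for that flow. The following is an added example written for this thread, not code from any commenter or from Telegram; the MTProto transport prefix bytes are as I recall them from the transports page linked above and should be verified against it, the function names are my own, and the flows and IP addresses are constructed sample data.

```python
import struct

# TLS record layer: content type 0x16 = handshake, first handshake byte 0x01 = ClientHello.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}  # record-layer versions a ClientHello uses

# MTProto TCP transport prefixes (assumption: as recalled from core.telegram.org/mtproto/transports).
# The abridged prefix is a single byte, so on its own it is weak evidence; the strong signal
# for a defender is simply "not a TLS ClientHello on 443", which is checked first.
MTPROTO_PREFIXES = {
    b"\xee\xee\xee\xee": "mtproto-intermediate",
    b"\xdd\xdd\xdd\xdd": "mtproto-padded-intermediate",
    b"\xef": "mtproto-abridged",
}
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD"}


def classify_first_payload(data: bytes) -> str:
    """Label the first client->server bytes of a TCP stream."""
    if len(data) >= 6:
        ctype, version, _rec_len = struct.unpack("!BHH", data[:5])
        if ctype == TLS_HANDSHAKE and version in TLS_RECORD_VERSIONS and data[5] == CLIENT_HELLO:
            return "tls-clienthello"
    for prefix, label in MTPROTO_PREFIXES.items():
        if data.startswith(prefix):
            return label
    if data.split(b" ", 1)[0] in HTTP_METHODS and b"HTTP/1." in data[:64]:
        return "http"  # cleartext HTTP carrier, as in the iptables fallback described above
    return "unknown"


def flag_non_tls_on_443(flows):
    """flows: iterable of (src, dst, dport, first_payload). Returns (src, dst, label) for
    every port-443 flow whose first payload is not a TLS ClientHello."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 443:
            continue
        label = classify_first_payload(payload)
        if label != "tls-clienthello":
            alerts.append((src, dst, label))
    return alerts


# Constructed sample flows (TEST-NET addresses, not real Telegram endpoints).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    ("10.0.0.5", "203.0.113.10", 443, b"\xee\xee\xee\xee\x40\x00\x00\x00" + b"\x00" * 64),
    ("10.0.0.5", "203.0.113.10", 443, b"POST /api HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 80, b"POST /api HTTP/1.1\r\nHost: example\r\n\r\n"),
]
```

In practice the first payload per flow would come from a capture (for example Wireshark's "Follow TCP stream" export or a Zeek-style first-bytes log); the classifier only needs the leading bytes.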