[maqp]

"I cannot verify this, but Telegram said years ago that they solved certain problems by routing keys and messages through different datacenters in different jurisdictions."

Firstly, there is no proof of this happening. I've been looking for the documentation and/or source code for this for more than five years now, and it's never been published.

Secondly, even IF it was happening, the server that strips the in-transit encryption has access to the plaintext, and can copy the message to anywhere it damn pleases. It can write it to "plaintext-messages.txt" for all it cares, that's like two lines of Python in the backend.

Also, the servers creating database entries must by definition have the full database encryption key in its RAM, from where privileged processes can exfiltrate it (computer organization 101).

The thing is, there isn't technology out there that allows Telegram to do what it claims as securely as it claims. If they are indeed innovating on this, why aren't they publishing their research and proving their worth?

"they seem remarkable competent at certain aspects of what they do"

Yeah, you can be great at UX design and shitty at cryptography. That's perfectly fine. The fact they won't spend money to hire competent cryptographers is the shitty part. I don't know if it's this Russian pride wrt. Nikolai being an award winning mathematician, or if they don't really give a fuck and think damage control can mend the damage that resulted from nepotism.

Well, the first time they get hacked properly shows how shit the architecture was. We can only hope people will then ask "ok where the fuck did we go wrong, again, can we switch to something that fixed this once and for all", and that by then, Signal is usable enough for their needs.

[eitland]

I think me and you agree to a large degree :-)

> Firstly, there is no proof of this happening. I've been looking for the documentation and/or source code for this for more than five years now, and it's never been published.

I haven't found anything more either. See also below.

> Secondly, even IF it was happening, the server that strips the in-transit encryption has access to the plaintext, and can copy the message to anywhere it damn pleases. It can write it to "plaintext-messages.txt" for all it cares, that's like two lines of Python in the backend.

Theoretically, couldn't the client send the message to one server and the keys to a different set of servers? Clients would request the encrypted messages from one server and the keys from another?

It is still not nearly as good security as proper E2E-encryption but should still be possible to set up so that a single rogue sysadmin cannot get hold of messages.

> Also, the servers creating database entries must by definition have the full database encryption key in its RAM, from where privileged processes can exfiltrate it (computer organization 101). The thing is, there isn't technology out there that allows Telegram to do what it claims as securely as it claims. If they are indeed innovating on this, why aren't they publishing their research and proving their worth?

See above. As long as they don't do serverside search or anything this should be possible?

> "they seem remarkable competent at certain aspects of what they do" Yeah, you can be great at UX design and shitty at cryptography. That's perfectly fine.

Definitely.

As mentioned before I prefer Signal. I actually like your answer.

We need more of these answers and less:

- X is definitely in the pocket of FSB.

- E2E or nothing!

- Use WhatsApp or nothing!

Hey, even tptacek went as far as admitting this at some point:

https://news.ycombinator.com/item?id=22371316

[maqp]

Theoretically, couldn't the client send the message to one server and the keys to a different set of servers? Clients would request the encrypted messages from one server and the keys from another?

That would imply client-side encrypted cloud backups, with external key management which isn't the case in Telegram, if it were it could be shown from client-side code. Also, even if that would be the case, it would just need combining key and ciphertext in once place which is again the weak link.

Also, there's no way the search would work as fast as it does now if key /ciphertexts would have to be transported via servers, and finally, since it's a single server that can request data (I have checked the destination IPs), anything of the sort is not happening.

"should still be possible to set up so that a single rogue sysadmin cannot get hold of messages."

I'm afraid that's not possible. When the message arrives to server and the outer layer that is in-transit encryption is stripped, what must remain is the plaintext message, or a message that the server can not decrypt. Such technology already exists, it's called end-to-end encryption. If there was a simpler way to protect from malicious servers, there wouldn't be a need for E2EE communication ;)

"See above. As long as they don't do serverside search or anything this should be possible?"

So no that wouldn't work in practice. Proper cryptographic design in secure messaging apps doesn't distinguish between entities on server who have access to keys. "Jack has one part of the key and Jill has another, but they will never collude or get hacked at the same time" is very bad security rationale.

"- X is definitely in the pocket of FSB."

Well, the problem here is, if the scenario is this "Telegram is secretly in the pocket of the FSB and they're giving access to every message on their server" I can't say "No way, it's all end-to-end encrypted they have nothing to give". I can say that for Signal, however, so I'd rather recommend it instead, and actually, because I can't say Telegram definitely isn't in the pocket of FSB, I don't think it should be used. I hope you understand this requirement of verifiability. If Telegram really wanted to lock themselves from user data, the would've implemented E2EE from the get go.

"E2E or nothing!"

Not sure what to make of this, I haven't heard anyone claim no encryption is better than weaker encryption. But wrt. message confidentiality, since there is no difference when it comes to service provider obtaining the plaintext copy, it's hard to not say "don't use it if it's not E2EE".

"- Use WhatsApp or nothing!"

Another complex problem that boils down to trusting WA has not changed source code after Moxie helped implement Signal Protocol. Like I said earlier, there's maybe a 1..2% chance of backdoor that allows WA to snoop on it's E2EE. So if for some reason one would have to compare these particular ones (IRL this is what we'd call a false dilemma), I'd say

1. Telegram secret messages for one-on-one chats 2. WhatsApp group messages 3. Telegram group messages

WhatsApp may have 1..2% chance of backdoor, but with Telegram I know there's a front door with 100% probability.

If we forget the false dilemma, suddenly Signal solves all of our woes wrt. cross-platform private one-on-one chats and group chats.

"Hey, even tptacek went as far as admitting this at some point:"

Let's not put his words "almost literally any secure messenger is better than email."

Firstly, that assumes he considers Telegram a secure messenger. Secondly, encrypted email has serious problems with deniability (which we'll ignore this time) and forward secrecy: in those respects Telegram's E2EE is better, sure, but E2EE email for group chats (Assuming the client knows how to reply individually to all, and to use each individual's PGP key to protect it) is again more private than Telegram's group chats.

[afiori]

I always took the claim of routing keys and messages in different jurisdiction to be about not writing them to storage in those jurisdiction, not about not having them in RAM.

the idea being that there can be an internal policy to shut down the server and wipe the ram but it is harder to do with drives.

I also have a question since you probably can answer: can E2E offer a similar user experience to what normal telegram chats offer?

[maqp]

" I always took the claim of routing keys and messages in different jurisdiction to be about not writing them to storage in those jurisdiction, not about not having them in RAM."

There's no precedent I'm aware of that if e.g. NL Telegram server has the key in its RAM but not in its disk, that it doesn't have to hand out the keys. Also the keys and/or plaintexts can just be stolen by foreign intelligence establishments. It's not just judicial means we need to be concerned about. E.g., just because it's legal in China to hack Telegram servers abroad, doesn't mean it's right, and Telegram should take this into account.

"the idea being that there can be an internal policy to shut down the server and wipe the ram but it is harder to do with drives."

This is pure speculation and it wouldn't matter because key lifting attacks would be transparent, i.e. the exploit is polished enough not to raise alarms.

"I also have a question since you probably can answer: can E2E offer a similar user experience to what normal telegram chats offer?"

Yes. Except channels and extremely large supergroups. But these two don't enjoy expectation of privacy. You can't expect something you say to a group of 10,000+ people to remain private, people consider such groups public.

Encrpytion is just math so there's also no way around the UX problem of authentication that's part of E2EE, but since that's expected of users, it's not a problem either.

Everything else, group chats with roles, synced chats, file transfers, locations, stickers... you name it, can be done over E2EE, just look at how Signal is showing each of those can be done. It's not trivial of course, but like you asked, "can it be done", yes, it can.