
> jpost.com

> • 5 hours ago

> Pavel Durov, Telegram founder, arrested by France following warrant - The Jerusalem Post

> The alleged offenses include: terrorism, narcotic supply, fraud, money laundering and receiving stolen goods.

For those unaware, all channels on Telegram are NOT ENCRYPTED. They are stored in plaintext on Telegram servers. All chats that are not 'secret chat' mode (single device to single device) are NOT ENCRYPTED (stored in plaintext on the server).

This is not about encryption, it is about the plaintext data and the organized crime happening in these channels.

Signal group chats ARE ENCRYPTED by default. It is actually not possible to send an unencrypted message on Signal. This will not pivot into an E2E issue, and will not affect Signal, which has set itself up to not store unencrypted content on its servers.

EDIT: Also possibly this may be a factor in the decision to arrest:

> finance.yahoo.com

> • 2 weeks ago

> Telegram adds new ways for creators to earn money on its platform

> Today's announcement comes as Telegram reached 950 million active users last month, and aims to cross the 1 billion mark this year. Earlier this year, Telegram founder Pavel Durov said the company expects to hit profitability next year and is considering going public.



> They are stored in plaintext on telegram servers

FYI, this is a totally misleading and false claim.

Telegram uses the MTProto 2.0 Cloud algorithm for non-secret chats[1][2].

In fact, it uses a split-key encryption system and the servers are all stored in multiple jurisdictions. So even Telegram employees can't decrypt the chats, because you'd need to compromise all the servers at the same time.

Telegram's algorithm has been independently audited multiple times. Compared to other apps like WhatsApp with claims of E2EE and no body of verification and validation.[3]

[1]: https://core.telegram.org/mtproto#general-description
[2]: https://core.telegram.org/mtproto/AJiEAwIYFoAsBGJBjZwYoQIwFM...
[3]: https://arxiv.org/pdf/2012.03141


> So even Telegram employees can't decrypt the chats

I very much doubt that. If Durov wanted to, they could decrypt all of those messages.

That fancy encryption system is worthless when someone can hijack the session of any of the users in a chosen group. This is a risk in many crypto messengers, but those usually come with optional key verification whereas Telegram doesn't have that outside of encrypted one-on-one chats.


This is likely why they grabbed Durov: he has the keys to the kingdom. Telegram is a remarkably small company and not an 800 lb gorilla, and it would be very easy for him to provide whatever they need if he folds.


Because of the nature of the encryption, it allows more convenience compared to WhatsApp and Signal. For example, on Telegram you can (and we do) have a million people in a group without exposing their phone numbers. This has proven itself to be extremely useful to protestors. Signal failed massively, you couldn't add too many people and you always had the risk of exposing the phone numbers.

Along with that, you can use Telegram on as many devices as you want. The chats instantly appear after login. WhatsApp and Signal both are lacking here.

So there are always tradeoffs when it comes to encryption and convenience.

Telegram's focus has been on the convenience side and providing assurance using a clean record of protecting user-data from governments, which is why Telegram was created in the first place.

Can the encryption be improved? Of course yes! I'd love to! but I think much of the criticism by the WhatsApp loving crowd is not only disingenuous, but also harmful.


"The chats instantly appear after login."

I agree, that is very convenient. Also for the secret police officer...

I use telegram as social media, but I really would not use it to organize protest somewhere. Then the whole safety depends on whether Durov made a deal with the secret police, or them infiltrating the servers to know everything about anyone involved. What they liked at what time, what pictures they shared, etc.


> them infiltrating the servers to know everything about anyone involved

That's not a possibility. Split-key encryption doesn't allow such a thing to happen.


Can you be more specific how the split-key encryption would prevent the Telegram CEO from reading all chats and users' info?


That’s my concern as well. Maybe none of the devs have the capability, but if -anyone- does it’s Durov, so why not just grab him under false pretenses and throw the book at him, trying to scare him into compliance with anything they want or face the rest of his life in the worst French prison they can find for him.


How does it allow me to access all my chats from a new device then, without providing any encryption key?


> That fancy encryption system is worthless when someone can hijack the session of any of the users in a chosen group

What do you mean? User sessions are remotely hijackable?


Unless I’m missing something, your MTProto link only covers transport-level encryption, not storage.

It doesn’t include E2E encryption in the scheme only client to server.

Whether the server stores it as plaintext or not, is moot to the point of having telegram itself be able to see the chats because they hold the encryption keys of the server and therefore can be made to comply with legal requests.

The person you replied to may be incorrect on the aspect of plain text but imho they’re right that it’s not really relevant in this context.

Encrypted storage would be relevant for the case where a server is compromised by a hacker.


I can't open the telegram.com links, blocked at work :/

But the Arxiv paper says:

"We stress that peer clients never communicate directly: messages always go through a server, where they are stored to permit later retrieval by the recipient. Cloud chat messages are kept in clear text, while secret chat messages are encrypted with the peers’ session key, which should be unknown to the server."

So it doesn't appear to be encrypted-at-rest, but without reading the telegram documentation I can't verify that.


Yeah that feels pretty cut and dry. But even if it was encrypted at rest, it sounds like the server has the key to everything anyway so it’s not E2E.


This rebuttal makes no sense to me. What you cite is about transport encryption. App -> Server. The end of the process is that the receiver (Telegram servers) receives a decrypted (plaintext) message, just as kelsey98765431 is saying.


> Compared to other apps like WhatsApp with claims of E2EE and no body of verification and validation.

We do have at least some empirical evidence that WhatsApp is properly encrypted. WhatsApp's cryptography has made judges in my country foam at the mouth with rage so hard they ordered retaliatory nationwide blocks of the service at least twice.

People are right to distrust Meta but I for one am glad that everyone I know is using WhatsApp. I also have Signal and Matrix but a grand total of zero people message me through those.


> We do have at least some empirical evidence that WhatsApp is properly encrypted

So do we. Telegram's MTProto 2.0 has been audited multiple times by independent researchers, compared to WhatsApp's closed-source claims of E2EE.

I'd rather trust a company with a proven track record of no security incidents and fight for user privacy than a corporation which lies through its teeth time and again.


What is stopping Telegram from signing in as you and reading all of your past messages by changing how the authentication logic is handled for specific targeted users? Not saying they have done this, but they obviously could.


We can agree on the statement "Telegram does not cooperate with law enforcement authorities".

This is however something completely different from and largely orthogonal to "Telegram does not have access to their users' message contents".

The fact that they are consistently claiming the former and the latter makes them seem extremely untrustworthy to me.

Gaining my trust requires truthfulness and transparencies about the capabilities and limits of a service provider's technology (but of course is in no way sufficient).


Basing your assurance that WhatsApp is secure on Meta not caring about a Brazilian judge's misconstrued wiretap request is wild.


It's not really an "assurance". I don't fully trust them. I do trust them a lot more than others that haven't been put on trial.

The point is moot anyway. Everyone in Brazil uses WhatsApp. They will not use anything else. I'd be ostracized if I refused to use it.


> WhatsApp's cryptography has made judges in my country foam at the mouth with rage

Oh wow, they need to get that checked, could be pulmonary edema.


> FYI, this is a totally misleading and false claim.

No, you seem to have in fact fallen for Telegram's continuous intentional misinformation.

The only thing that matters for whether we can call something "encrypted" or "plaintext" (or more precisely, "end-to-end encrypted" vs. "storage encrypted at rest" or "encrypted in transit" etc.) is whether they, the service providers, can access it themselves.

Would you argue they can't? And if so, how come I can log in to my Telegram account using only SMS verification and access my old messages?


> FYI, this is a totally misleading and false claim.

> Telegram uses the MTProto 2.0 Cloud algorithm for non-secret chats[1][2].

FYI you don't understand encryption and are spewing pristine BS.

Only p2p secret chats use e2e encryption and are invisible to Telegram employees.

Everything else is stored in plain text on Telegram servers.

The OP was correct and your counter argument is void and null.


And non-E2E chats by default is an intentional design decision. Pavel previously gave comments about these tradeoffs: In some sense it is a better design than WhatsApp's E2E by default, BUT 99%+ of users have an automated backup to non-E2E-encrypted storage such as Google Drive.


Yeah. I have no idea how Telegram got this reputation for privacy.

I'd like to point out WhatsApp chats are also end-to-end encrypted, just like in Signal. People aren't wrong to distrust Meta, but I'd like to point out that WhatsApp encryption often makes judges here seethe to the point they order nationwide blocks of WhatsApp out of spite. The fact everyone I know uses something this secure makes me very happy. It's not perfect, but since network effects make alternatives unusable I'll take what I can get.


See my comment above about the unencrypted backup.

It's basically a UX tradeoff: You cannot promote default E2E + no autobackups -- people en masse are not ready to lose their data when losing the device. Nor are they ready to store the key separately in a confidential manner. Nor are they ready to manually transfer the key among different devices.

All this UX situation is defined by Moxie (the author of Signal and Whatsapp encryption) in his blog post about PGP/WoT concept meeting the reality https://moxie.org/2015/02/24/gpg-and-me.html

So in fact as the average user you have either: 1) E2E + unencrypted autobackup (WhatsApp) or 2) no E2E by default and separate E2E secret chats (Telegram) that are available only on a specific device.

In the first scenario all your chats, including the most sensitive, are available to law enforcement by issuing a warrant to your file storage provider. In the second scenario you potentially can spill some sensitive information in default non-encrypted chats.

What is worse? I don't know. But I use both Telegram and WhatsApp with backups turned off. So I'm losing all the WhatsApp chat history when using a new device while losing only secret chats in Telegram (not a problem for me since I delete them often manually or set a self-destruct timer anyway).


Backups are encrypted now. Looks like they improved it.

I get it. I'm a privacy and free and open source software enthusiast. It's not perfect. It certainly is better than alternatives though. We know for a fact that it pisses off judges and authorities. That's a major sign that it's working. You should be concerned when they stop complaining about it; it means they got in.


But this very same situation with Pavel's arrest aligns with your criteria of "authority-pissing" tech.

Have you checked the source of Telegram? https://telegram.org/apps#source-code


Judges and authorities complaining is not a proof that encryption is good. Not cooperating with court will have the same effect, which is exactly what Durov is allegedly accused of.


This is misinformation that Telegram stores chat data in plaintext on their servers.

It stores it encrypted with encryption keys split across the globe.

Not perfect, but multiple legal jurisdictions would have to be subpoenaed for Telegram to read your non-secret chats.


> It stores it encrypted with encryption keys split across the globe.

The physical storage location is completely irrelevant. What matters is access, and they have that.

Telegram has full operational control over these keys, as demonstrated by the fact that anyone that can perform SMS verification is able to access past messages on an account, and SMS-OTP can in principle not involve any cryptographic operation, as there is absolutely no user input.


> Not perfect, but multiple legal jurisdictions would have to be subpoenaed for Telegram to read your non-secret chats.

That's not how legal works.

For example, if I am an EU-based judge and I issue a warrant for getting data from a company in a case related to something important (your values may vary, but let's say it's not about parking fines), then if your company wants to continue to operate in the EU, you need to pony up the data, or tell them why you can't comply, rather than won't.

Having your data stored with keys that you control isn't an excuse.


This is effectively plaintext, in that one entity has all of those secrets for everyone. That's one entity to subpoena.

If that entity doesn't comply, governments will get upset and charge your executives with crimes if they get the chance.

Different jurisdictions make it harder to kick down the doors and get the keys, but it doesn't change the fundamental problem.

"Nuh-uh, I put all those records in a box in Switzerland, you can't have them" does not work well for US citizens, unless the government fails to even notice the box.


This is such an ignorant comment I am really disappointed at reading this here.

Besides the protocol used by Telegram being publicly available so you can easily confirm in 5 minutes that what you're saying is completely wrong, you're also saying that law enforcement can totally see all those plain text messages hosted by Telegram, yet they choose to be really upset about it anyway despite it being, according to you, the best possible honeypot ever created with all criminal activity readily available for their perusal. Why, I ask you, would law enforcement want to stop such an app??? They would be completely silent about it and enjoy catching all criminals in it who are "ignorantly" thinking their messages are safe, wouldn't they??

Given the amount of baseless comments like yours on this topic, I can only imagine there's a concerted effort here to misinform everyone to make Telegram look bad so actual criminals move away from it to some more law enforcement-friendly platform. I have conflicting feelings about that, as perhaps the intention is noble, but I can never agree with misleading people by spreading misinformation and plain lies.


Law enforcement totally could see all those plaintext messages, if Telegram would honor their requests. But they don't, hence their CEO is being detained.

That's a position he knowingly and willingly maneuvered himself into. Compare that with e.g. the way Signal answers subpoenas: https://signal.org/bigbrother/

> Besides the protocol used by Telegram being publicly available so you can easily confirm in 5 minutes that what you're saying is completely wrong

There's absolutely no need to analyse the protocol, since you can just perform a high-level mud puddle test [1], and Telegram fails it. I've tried this myself.

[1] https://blog.cryptographyengineering.com/2012/04/05/icloud-w...


Yes, the data is encrypted in transit. But Telegram can decrypt the data.

We can see that's true, because when I add a new device I can get into all my group chats.

Only if I explicitly "Start secret chat" does something else happen.

Telegram is sitting on a lot of group chats where a lot of horrible things are happening that governments want to see... and gets upset when Telegram doesn't use this access to share that information in response to lawful orders.

> I can only imagine there's a concerted effort here to misinform everyone

Assume good faith-- it's in the guidelines. I have been here just as long as you. I am not part of some shadowy conspiracy to make people think that Telegram security is bad.

I feel like people just don't understand the term of art "effectively plaintext".

Alternatively, if you thought I was talking about secret chats in general-- note that we are in a subthread talking explicitly about channels and non-secret chats:

"For those unaware, all channels on Telegram are NOT ENCRYPTED. They are stored in plaintext on Telegram servers. All chats that are not 'secret chat' mode (single device to single device) are NOT ENCRYPTED (stored in plaintext on the server)."


> This is effectively plaintext

Everything's effectively plaintext then.

Plaintext: refers to data that is transmitted or stored unencrypted. None of which Telegram does.


Data that is transmitted or stored along with the keys is effectively plaintext, which Telegram does. The data is effectively plaintext on my device, at Telegram, and on the group members' devices, even if it is not plaintext in-between.

Data I send to a website over TLS is effectively plaintext on my computer and on the other side; in transit, it is not.

It all comes down to your threat model. Encryption does not protect information from entities who hold the keys to decrypt that information.


> stored along with the keys

It's not. They use a split-key encryption system so it's not exactly the same as storing the keys where the data is.

> It all comes down to your threat model. Encryption does not protect information from entities who hold the keys to decrypt that information.

I agree, which is why I'll say that the bottom line is:

Are auditable E2EE algorithms stronger in security than cloud encryption? Yes. Is MTProto 2.0 Cloud Encryption plaintext? No.


> It's not. They use a split-key encryption system so it's not exactly the same as storing the keys where the data is.

Yes, again, it all comes down to your threat model. No one can kick down the door and get to the keys.

But Telegram can get to all the keys, and thus can be legally expected to. The data is effectively plaintext to Telegram.

> Is MTProto 2.0 Cloud Encryption plaintext? No.

Just to note: "effectively plaintext" has been in use for a couple of decades as a term of art. We don't say it's plaintext, because it's not. It means there's effectively no security properties lent by the encryption.

For example, my web browser encrypts a few passwords for me and stores them on disk, but doesn't need a cryptographic secret from me to decrypt them; they're effectively plaintext, because no one has to break any encryption to read them.

Indeed, here's a thread on HN from 2013, where Durov is participating, where people are using "effectively plaintext" in exactly this way to describe exactly what we're talking about: https://news.ycombinator.com/item?id=6937097
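The mud puddle test mentioned upthread and the "effectively plaintext" definition in this comment reduce to the same question: can a fresh device holding nothing but an SMS code, or the operator itself, reach the decryption key? The following is an added example (not code from Telegram, Signal, or any commenter) that models the two designs side by side: a cloud-chat style client that escrows its key with the provider, which stores it as XOR shares across three hypothetical "regions" to stand in for the split-key claim made upthread, and an end-to-end style client whose key is derived from a passphrase that never leaves the device. The cipher is a toy HMAC keystream standing in for a real AEAD, and the user name, messages, regions and salt are all constructed.

```python
import hashlib
import hmac
import os
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: HMAC-SHA256 counter-mode keystream XOR'd into data; same call encrypts and decrypts."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def xor_join(shares):
    key = bytes(len(shares[0]))
    for s in shares:
        key = bytes(a ^ b for a, b in zip(key, s))
    return key


def xor_split(key, parts):
    """Random XOR shares: all of them together rebuild the key, any fewer reveal nothing."""
    shares = [os.urandom(len(key)) for _ in range(parts - 1)]
    return shares + [xor_join(shares + [key])]


class Server:
    """Constructed provider: stores ciphertext, issues SMS-style login codes and, when a client
    escrows its key, keeps that key as XOR shares spread over several (hypothetical) regions."""

    REGIONS = ("eu", "asia", "americas")

    def __init__(self):
        self.messages = {}                               # user -> [(nonce, ciphertext)]
        self.key_shares = {r: {} for r in self.REGIONS}  # region -> user -> share
        self.pending_codes = {}

    def store(self, user, nonce, ciphertext):
        self.messages.setdefault(user, []).append((nonce, ciphertext))

    def escrow_key(self, user, key):
        for region, share in zip(self.REGIONS, xor_split(key, len(self.REGIONS))):
            self.key_shares[region][user] = share

    def reassemble_key(self, user):
        shares = [self.key_shares[r].get(user) for r in self.REGIONS]
        return None if None in shares else xor_join(shares)

    def send_code(self, user):
        code = secrets.token_hex(3)
        self.pending_codes[user] = code
        return code  # would travel over the SMS network in a real system

    def login_with_code(self, user, code):
        if self.pending_codes.pop(user, None) != code:
            return None
        # One operator controls every region, so the "split" key is simply reassembled on login.
        return self.messages.get(user, []), self.reassemble_key(user)

    def provider_reads(self, user):
        """What an employee, or anyone able to compel the operator, can read with no user secret."""
        key = self.reassemble_key(user)
        return [] if key is None else [keystream_xor(key, n, c).decode() for n, c in self.messages.get(user, [])]


class ProviderHeldKeyClient:
    """Cloud-chat style: the client generates a key but escrows it with the provider."""

    def __init__(self, server, user):
        self.server, self.user, self.key = server, user, os.urandom(32)
        server.escrow_key(user, self.key)

    def send(self, text):
        nonce = os.urandom(16)
        self.server.store(self.user, nonce, keystream_xor(self.key, nonce, text.encode()))


class UserHeldKeyClient(ProviderHeldKeyClient):
    """End-to-end style: key derived from a passphrase that never leaves the device, never escrowed."""

    SALT = b"constructed-demo-salt"  # fixed for the demo; real systems use a random per-user salt

    def __init__(self, server, user, passphrase):
        self.server, self.user = server, user
        self.key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.SALT, 100_000)


def recover_on_new_device(server, user, code):
    """Mud puddle test: fresh device, no passphrase, only the SMS code.
    None = bad code; [] = logged in but history unreadable; otherwise the recovered plaintexts."""
    result = server.login_with_code(user, code)
    if result is None:
        return None
    ciphertexts, key = result
    return [] if key is None else [keystream_xor(key, n, c).decode() for n, c in ciphertexts]


def run_scenario(design):
    server = Server()
    if design == "provider-held":
        client = ProviderHeldKeyClient(server, "alice")
    else:
        client = UserHeldKeyClient(server, "alice", "correct horse battery staple")
    for text in ("meet at 9", "bring the documents"):  # constructed messages
        client.send(text)
    recovered = recover_on_new_device(server, "alice", server.send_code("alice"))
    return {"mud_puddle_recovers_history": bool(recovered),
            "provider_can_read": bool(server.provider_reads("alice")),
            "recovered": recovered}
```

Calling `run_scenario("provider-held")` recovers the full history from the SMS code alone and `provider_reads` returns the same plaintexts, which is the "effectively plaintext" outcome: the encryption is real, but nobody has to break it. `run_scenario("user-held")` logs in just as smoothly yet returns an empty history and the provider reads nothing, because the only key never reached the server. Spreading the shares across regions changes nothing in the first design, since the code path that serves the login reassembles them regardless of where they sit.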


Browsers should be interacting with the OS to require something (like your system password, Touch ID, etc.) to have unlocked the vault before being allowed to auto complete.


Yup, in the best case you have a truly secure container of keys somewhere. That takes things away from being effectively plaintext.


Yeah, I don't doubt that it can be improved. I hope it does because Telegram is not a fringe messenger anymore. There can be improvements made to the infrastructure, so that they don't keep facing these issues again and again.


> Yeah, I don't doubt that it can be improved.

There was no discussion of whether it can be improved. I was just telling you that it meets the established understanding of the term "effectively plaintext," which you were seeming to disagree with.

Have a good rest of your day.


> which you were seeming to disagree with.

Yeah, I would still disagree, because everything is effectively plaintext in the end. The only difference is how you derive the key. There are levels of encryption, that is true, but I think calling actual encryption 'effectively plaintext' is wrong.

> Have a good rest of your day.

Thank you! You too :D


> The only difference is how you derive the key.

Telegram CEO has access to all keys and therefore all chats. Matrix foundation has no such access. These two examples should explain the difference between "effectively plaintext" and e2ee. The main difference is not how someone derives the key. It's who can do it.


Signal does not have access to the keys for the text. The government can not decrypt your signal chats no matter how much the company might want them to.


No, end-to-end encrypted systems are not effectively plaintext. That's a distinction anyone familiar with cryptography is well aware of, but Telegram has been gaslighting their user/fanbase and many journalists about it for years.


> multiple legal jurisdictions would have to be subpoenaed for Telegram to read your non-secret chats.

Or they could just arrest the founder and make him give them the data + keys...


It could be worth a try to extract the keys of one server with a liquid nitrogen can and a cold boot attack. Or something more advanced that isn’t documented on Wikipedia.


That is so 2009.

RAM can be XOR'd with little latency with hardware acceleration with a key in a slightly separated secure enclave that will degrade if upset too rapidly, similar to a virtual da Vinci cryptex.

radio/bluetooth/em/sensitive/proximity warning switches to unmount virtualized volumes all in a quasi-state-sanctioned-"contact center" in middle Ukraine.

They are trying their best to prevent the inevitable; the ungovernable, untaxable, uncensorable, un-surveillable commerce and communication platform that will eventually arise from the amalgamation of human's pesky technology and its crossroads with the human condition.

The hate for all things labeled "crypto" (convenient poisoning the well/doublespeak) was a (partially) government psyop astro-fabri-exaggerated to sway public opinion against anything "crypto" so that an ungovernable, decentralized, general trust-less computation protocol/escrow/rep using zkp+ and homomorphic encryption was not able to be realized before the alfabit bois got a chance to mole into the development pipeline and backdoor the inevitable Merchanti Ultimatum; anything less would be a massive national security threat globally.


This Signal you trust? https://kitklarenberg.substack.com/p/signal-facing-collapse-...

Anyway, while it's possible to activate a Telegram account without a physical phone (using some temporary number services) or using a (relatively) anonymous SIM card, 99% of users use it via Android or iOS, and that means there is no need to grab data from Telegram: the USA gov. as well as Apple or Alphabet could simply milk it from their OSes, virtual keyboards and so on.

It's really cloying how many focus on the service instead of weighing the ecosystem...


It's Kit Klarenberg of Grayzone. If he claims X, you should believe the opposite with much better than even odds. It could have been a hint to you when the news source of your choice attributes everything in the world to the CIA.



