Relying on “encrypted” messenger Telegram for privacy or out-of-band communications? Congratulations: Tu t’es fait pwned [you’ve been pwned].*
The arrest of Telegram’s Russian founder Pavel Durov at Le Bourget airport in France this weekend has caused a mighty stink among users, ruffled Russian feathers, and drawn criticism from Edward Snowden.
Durov, who runs the messenger application from Dubai and holds both United Arab Emirates and, controversially, French passports, is among the world’s richest people and has grown Telegram to over a billion users – with moderation functionally non-existent across its many large groups.
He has now been personally charged with complicity in drug running, child pornography and the dystopian-sounding "providing cryptology services aiming to ensure confidentiality without certified declaration."
Telegram users can join groups of up to 200,000 and the application has become hugely popular not just as a distribution channel for news, for example by the Ukrainian president, but also for an array of black market activities.
The arrest came as French press reported that Paris’ OFMIN, an office responsible for tackling violence against minors, had “launched an investigation into the dissemination of child pornography on Telegram.”
Wire agency AFP said the investigation was joined by several other agencies investigating cyberharassment and also organised crime.
French prosecutors late Monday said an investigation had begun on July 8 and Durov's "custody period was extended until the 25th August 2024 by an investigative magistrate and can last up to 96 hours (that being the 28th August 2024) given the applicable procedure for organized crime offences."
Telegram responds after founder arrested
“Telegram abides by EU laws, including the Digital Services Act — its moderation is within industry standards and constantly improving.
“Telegram's CEO Pavel Durov has nothing to hide and travels frequently in Europe. It is absurd to claim that a platform or its owner are responsible for abuse of that platform. Almost a billion users globally use Telegram as a means of communication and as a source of vital information. We’re awaiting a prompt resolution of this situation. Telegram is with you all.”
That was the company’s response late Sunday as the row escalated.
(The Russian embassy in Paris said it had been stonewalled when seeking consular access to Durov – who left the country in 2014 after clashes with Putin’s government over access to and then the sale of his previous firm.)
Is Telegram encrypted?
Durov’s arrest has shone a fresh spotlight on Telegram’s security – not least among those concerned that the French government is muscling its way into Telegram’s servers on a sweeping treasure hunt as we write.
Despite Telegram being widely described as an “encrypted messaging app”, it is, for most users, nothing of the sort: end-to-end encryption (E2EE) must be manually enabled as a “secret chat” (a process that is far from a single click), and “secret” group chats are limited to a total of… two users. Ordinary chats and all large groups are encrypted only between the client and Telegram’s servers, which can read them.
The company insists it provides robust security. Its privacy policy says that “all data is stored heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions.”
It adds that for E2EE chats “there is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages. We do not store your secret chats on our servers. We also do not keep any logs for messages in secret chats, so after a short period of time we no longer know who or when you messaged via secret chats.”
But one Telegram vulnerability, published only in Russian in 2021, was described by security expert Filippo Valsorda as “the most backdoor-looking bug I've ever seen” – and Telegram support’s "detailed guide to end-to-end encryption” is a single line that has long said, simply: “Alas, this magnificent work is not finished yet. Come back later. Yes.”
Those actually using its E2EE do so through a glass, darkly.
Respected cryptographer Matthew Green wrote on August 25 that “According to what I think is the latest encryption spec, Telegram’s Secret Chats feature is based on a custom protocol called MTProto 2.0.
Green, a cryptographer and professor at Johns Hopkins University, posted on his blog: “This system uses 2048-bit* finite-field Diffie-Hellman key agreement, with group parameters (I think) chosen by the server.* (Since the Diffie-Hellman protocol is only executed interactively, this is why Secret Chats cannot be set up when one user is offline.*) MITM protection is handled by the end-users, who must compare key fingerprints.
Green wrote: “There are some weird random nonces provided by the server, which I don’t fully understand the purpose of* — and that in the past used to actively make the key exchange totally insecure against a malicious server (but this has long since been fixed.*) The resulting keys are then used to power the most amazing, non-standard authenticated encryption mode ever invented, something called “Infinite Garble Extension” (IGE) based on AES and with SHA2 handling authentication.*
“NB: Every place I put a “*” in the paragraph above is a point where expert cryptographers would, in the context of something like a professional security audit, raise their hands and ask a lot of questions.” – Matthew Green
“Suffice it to say that Telegram’s encryption is unusual.”
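The key agreement Green describes (server-supplied finite-field Diffie-Hellman group, interactive exchange, users comparing key fingerprints) as an added, self-contained example; this is not Telegram's or Green's code, and the group constants (p = 2027, g = 4) are a constructed toy, with the 2048-bit minimum that a real client would enforce left as the default. It shows the checks a careful client makes before trusting parameters it did not choose: p is a safe prime, g and the peer's public value lie in the prime-order subgroup, and the resulting fingerprint matches on both ends.

```python
# Added example (not Telegram's code): two-party finite-field Diffie-Hellman with
# the client-side checks on server-supplied group parameters and the key
# fingerprint both users compare out-of-band to detect a man-in-the-middle.
# p = 2027 below is a constructed toy safe prime; real groups are 2048-bit.
import hashlib
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_group(p, g, min_bits=2048):
    """Accept only a safe prime p of adequate size and a g of prime order q=(p-1)/2."""
    if p.bit_length() < min_bits or not is_probable_prime(p):
        return False
    q = (p - 1) // 2
    return is_probable_prime(q) and 1 < g < p - 1 and pow(g, q, p) == 1
def validate_public(p, y):
    """Reject a peer's public value lying outside the prime-order subgroup."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1
def fingerprint(shared):
    """Short SHA-256 digest of the shared key for out-of-band comparison."""
    return hashlib.sha256(shared.to_bytes(256, "big")).hexdigest()[:16]

def secret_chat_demo(p, g, min_bits=8):
    """One DH agreement; returns both parties' fingerprints, which must match."""
    if not validate_group(p, g, min_bits):
        raise ValueError("server-supplied group rejected")
    q = (p - 1) // 2
    a, b = secrets.randbelow(q - 2) + 2, secrets.randbelow(q - 2) + 2
    A, B = pow(g, a, p), pow(g, b, p)
    if not (validate_public(p, A) and validate_public(p, B)):
        raise ValueError("peer public value rejected")
    return fingerprint(pow(B, a, p)), fingerprint(pow(A, b, p))
```

With the toy group, `secret_chat_demo(2027, 4)` returns two identical fingerprints, while a prime that is not a safe prime (2029) or a generator of the wrong order (g = 2 for this p) is rejected before any exchange takes place.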
Build it yourself?
If nothing else, the incident is a reminder of how hard it is to choose, and sometimes to meaningfully assess, the robustness of an encrypted messenger. Durov himself in May had hit out at the security of Signal and WhatsApp, telling his 11 million subscribers on Telegram that “the US government spent $3 million to build Signal's encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference,” he claimed, without proof.
The arrest may drive fresh interest in many quarters in decentralised and federated applications without a single locus of control.
Those looking to build their own alternatives could do worse than to explore Messaging Layer Security (MLS). That’s the world’s first standardised and fully specified E2EE protocol which anyone can choose to adopt, irrespective of implementation language or cipher suite.
It was published last year as an official standard by the Internet Engineering Task Force (IETF) as RFC 9420 and is the fruit of efforts to build an open standard for group E2EE applications that in theory avoids users being locked into proprietary, expensive encryption protocol silos.
Durov, meanwhile, remains in custody.
*Or so it would seem reasonable to suspect.