Original author: Matthew Green
Original translation: Block unicorn
About the author: Matthew Green is a cryptographer and professor at Johns Hopkins University. I design and analyze cryptographic systems used in wireless networks, payment systems, and digital content protection platforms. In my research, I study various ways to use cryptography to protect user privacy.
This post was inspired by the recent worrying news that Telegram CEO Pavel Durov was arrested by French authorities for failing to adequately police content. While I don’t know the specifics, the use of criminal charges to coerce social media companies is a rather worrying escalation, and there seems to be more to the story than meets the eye.
But I don’t want to talk about this arrest today.
I want to talk about one specific detail in the reporting: almost every news report about the arrest referred to Telegram as a “crypto app.” Here are a few examples:
This statement drives me crazy because from a very limited technical perspective it is not wrong. However, on every level that matters it fundamentally misrepresents what Telegram is and how it actually works. This misrepresentation is bad for journalists and for Telegram users, especially those who could be seriously harmed by it.
Now let’s talk about the details.
Is Telegram encrypted?
Many systems use encryption in some way. However, when we talk about encryption in the context of modern private messaging services, the term usually has a very specific meaning: it refers to the use of default end-to-end encryption to protect the contents of a user’s messages. When used in an industry-standard manner, this feature ensures that each message is encrypted using encryption keys that are known only to the two parties communicating, and not to the service operator.
From your perspective as a user, an “encrypted messaging app” means that every time you start a conversation, your messages can only be read by the person you’re chatting with. If the operator of the messaging service tries to view the contents of your messages, all they’ll see is useless encrypted data. The same assurances apply to anyone who might hack into the provider’s servers, and to law enforcement agencies who serve the provider with a subpoena, for better or worse.
Telegram clearly does not meet this stricter definition for a simple reason: it does not enable end-to-end encryption by default. If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called Encrypted Chat for each private conversation. This feature is explicitly not enabled for most conversations and is only available for one-on-one conversations, never for group chats of more than two people.
As a strange add-on feature, Telegram’s end-to-end encryption is actually very troublesome for non-expert users to activate.
First, the button to activate Telegram’s encryption feature isn’t visible in the main chat window or on the home screen. To find it in the iOS app, I had to tap at least four times: once to access the user’s profile page, once for a hidden menu to pop up with the option, and finally to confirm that I wanted to use encryption. And even then, I couldn’t actually start an encrypted conversation because the encrypted chat feature only works if the person you’re talking to happens to be online.
Starting an “encrypted chat” with my friend Michael in the latest Telegram iOS app. This option is not directly visible from the normal chat interface. Activating it requires four taps:
(1) Go to Michael’s profile page (left),
(2) Click the ... button to display the hidden option set (middle image).
(3) Select Start Secret Chat.
(4) Click OK in the “Are you sure you want to continue?” confirmation dialog box. After that, I still couldn’t send any messages to Michael because Telegram’s secret chat function can only be enabled when the other party is also online.
Overall, this is a very different experience from starting a new encrypted chat in modern industry-standard encrypted messaging apps, where you simply open a new chat window.
While this may seem like nitpicking, the difference between default end-to-end encryption and this experience can be quite significant. In practice, this means that the vast majority of one-on-one Telegram conversations, and every group chat, are potentially visible to Telegram’s servers, which can see and log the contents of all messages sent between users. This may or may not be a problem for every Telegram user, but it’s clearly not something that should be promoted as particularly secure encryption.
(If you’re interested in the details, as well as some further criticism of Telegram’s actual encryption protocol, I go into that further below.)
Does encryption by default really matter?
Maybe it’s important, maybe it’s not! This question can be viewed from two different perspectives.
One angle is that Telegram’s lack of default encryption is totally fine for many people. The reality is that many users simply don’t use Telegram as an encrypted private messaging tool. For many people, Telegram is more like a social media network than a private messaging app.
Specifically, Telegram has two popular features that make it a good fit for this use case. One is the ability to create and subscribe to channels, each of which is like a broadcast network where one person (or a handful of people) can push content to millions of readers. When you’re broadcasting messages to thousands of strangers, keeping your chat private isn’t that important.
Telegram also supports large public group chats with thousands of users. These groups can be open to the public or set to invite-only. While I personally have never thought about sharing a group chat with thousands of people, I have heard that many people like this feature. In such large public groups, the unencrypted nature of Telegram group chats is not really that important - after all, who cares about encryption when talking in a public square?
But Telegram is not limited to these features, and many users who join for these features also do other things.
Imagine you are in a public square in a large group chat. In this environment, there may be no expectation of strong privacy, so end-to-end encryption is not important to you. But suppose you and five friends leave the square to have a private conversation. Is this conversation worthy of strong privacy protection? It doesn’t matter, because Telegram does not provide this protection: at least by default, it can’t keep the content of that conversation from being shared with Telegram’s servers.
Similarly, let’s say you use Telegram’s social media features, primarily to consume content rather than to generate it. But one day your friend, who also uses Telegram for similar reasons, discovers you’re on the platform and decides to send you a private message. Are you now concerned about privacy? Do you manually turn on the “encrypted chat” feature — even though it requires four explicit clicks through a hidden menu and will prevent you from communicating immediately if one of you is offline?
I strongly suspect that many people may have joined Telegram for its social media features, but will eventually use it for private chats as well. I think Telegram knows this and tends to promote itself as a secure messaging app and talk about the encryption features of the platform precisely because they know it will make people feel more comfortable. But in reality, I also suspect that very few of these users are actually using Telegram’s encryption features. Many users may not even know that they need to manually turn on encryption and may think they are already using it.
This brings me to my next point.
Telegram knows that its encryption is difficult to turn on, but continues to promote its product as a secure messaging app.
Since 2016 (and probably earlier), Telegram’s encryption features have been heavily criticized for many of the reasons I mentioned in this post. In fact, many of these criticisms were made by experts, including myself, in conversations with Pavel Durov on Twitter many years ago.
Despite the sometimes acrimonious interactions with Durov, at that point I still mostly believed that Telegram had good intentions. I assumed that Telegram was busy growing its network, and that over time they would improve the quality and usability of the platform’s end-to-end encryption: for example, by making it the default, supporting group chats, and making it possible to start encrypted chats with offline users. I assumed that while Telegram might be a follower rather than a leader, it would eventually reach a level of functionality on encrypted protocols comparable to Signal and WhatsApp. Of course, another possibility is that Telegram would abandon encryption entirely and focus on being a social media platform.
I am more confused by what actually happened.
Telegram’s owners have not improved the usability of its end-to-end encryption, and its encrypted user experience has barely changed since 2016. Despite some upgrades to the underlying encryption algorithms used by the platform, the secret chat user experience in 2024 is virtually indistinguishable from that of eight years ago. Despite this, Telegram’s user base has grown 7-9 times over the same period.
Meanwhile, Telegram CEO Pavel Durov continues to actively promote Telegram as a secure messaging app. Recently, he sharply criticized Signal and WhatsApp on his personal Telegram channel, suggesting that these systems have backdoors set up by the US government and that only Telegram’s independent encryption protocol is truly trustworthy.
If this were a legitimate technical argument between two platforms that both support end-to-end encryption by default, this might be understandable. However, Telegram really has no place in this discussion. It’s no longer funny to see the Telegram organization encouraging users to move away from messaging apps that are encrypted by default, while refusing to implement basic features that would widely encrypt user messages. In fact, it’s starting to look a bit malicious.
What other encryption details are there?
This is a cryptography blog, so I’d be remiss if I didn’t spend some time explaining boring cryptographic protocols. I’d also miss a great opportunity to marvel at the inner details of Telegram’s encryption, which almost always leave me speechless every time I look at it.
To make it less painful, I’ll go into the details in a paragraph, but feel free to skip if you’re not interested.
According to what I believe to be the latest cryptographic specification, Telegram’s secret chat feature is based on a custom protocol called MTProto 2.0. This system uses a 2048-bit finite field Diffie-Hellman key exchange, with group parameters (I think) chosen by the server. (Because Diffie-Hellman key exchange requires both users to be online, encrypted chats cannot be set up if one user is offline.) MITM protection is handled by the end user, who has to compare key fingerprints. The server provides some weird nonces (random values) that I don’t fully understand the purpose of* - in the past these random numbers have made key exchange completely insecure against malicious servers (but this problem has long been fixed*). The generated keys are then used in the most amazing, non-standard authenticated encryption mode - a mode called Infinite Garble Extension (IGE), which is based on AES and uses SHA-2 to handle authentication.**
Note: In the paragraph above, every place I marked with a * is a point where an expert cryptographer would raise their hand and ask a question in the context of something like a professional security audit. I’m not going to go into detail, but suffice it to say that Telegram encryption is highly unusual.
If you asked me to guess whether the protocol and implementation of Telegram Secret Chats is secure, I would say it’s probably secure. But to be honest, it doesn’t really matter if people don’t actually use it.
Block unicorn Note: In short, Telegram’s encryption system uses some complex technology to protect information, but in terms of user experience, it is relatively complicated to set up and use. Some technical details may seem less transparent, especially the use of random numbers and the way keys are protected.
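The fingerprint comparison described in the MTProto paragraph above, as an added example that is not part of the original post and is not Telegram's code. It assumes a generic finite-field Diffie-Hellman exchange over a toy 127-bit prime (the post describes a 2048-bit group) and a constructed fingerprint format, and shows that the two users' fingerprints match through an honest relay and differ when the relay substitutes its own public value.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): the Mersenne prime 2**127 - 1.
# The protocol discussed above uses a 2048-bit group; this size is not safe for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public value G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def shared_key(private, peer_public):
    """Derive the shared secret, rejecting degenerate public values."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate public value")
    return pow(peer_public, private, P)

def fingerprint(key):
    """Short digest of the shared key that users compare out of band (constructed format)."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:16]

def exchange(relay):
    """Run one exchange through `relay`, which models the server between both users.

    relay(a_pub, b_pub) returns (value delivered to Alice, value delivered to Bob).
    Both users must contribute a fresh value, which is why both have to be online.
    Returns the fingerprint each user would see on their own device.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    to_alice, to_bob = relay(a_pub, b_pub)
    return (fingerprint(shared_key(a_priv, to_alice)),
            fingerprint(shared_key(b_priv, to_bob)))

def honest_relay(a_pub, b_pub):
    # Each user receives the other's real public value.
    return b_pub, a_pub

def substituting_relay(a_pub, b_pub):
    # The relay swaps in its own value, so it shares a different key with each user.
    _, m_pub = keypair()
    return m_pub, m_pub

def fingerprints_match(relay):
    """True when both users would see the same fingerprint."""
    alice_fp, bob_fp = exchange(relay)
    return alice_fp == bob_fp
```

The mismatch is only caught if the two users actually compare fingerprints over a channel the relay does not control.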
Finally
While end-to-end encryption is one of the best tools we have developed to prevent data breaches, it’s not the whole story. One of the biggest privacy issues in messaging is the large amounts of metadata — basically data about who is using a service, who they’re talking to, and when they’re talking.
This data is not usually protected by end-to-end encryption. Even in broadcast-only apps, such as Telegram channels, there is a lot of useful metadata about who is listening to the broadcast. This information itself is valuable to people, as evidenced by the huge sums of money traditional broadcasters spend to collect this data. At present, all of this information may exist on Telegram’s servers and can be obtained by anyone who wants to collect it.
I’m not criticizing Telegram specifically, as the same issues exist with almost every other social media network and private messaging app. But I mention these issues so that you don’t come away thinking that just having encryption is enough.