Telegram Messenger – Not as secure as advertised?

cyberSecMuch has been said about encryption lately, and about Telegram specifically. Well, it isn’t all its cracked up to be. (The people complaining about terrorists using Telegram make me think of the quote from Hamlet, “The lady doth protest too much, methinks.” But then I am a cynic at heart.)

The number one rule for cryptography is never create your own crypto. Instant messaging application Telegram has disregarded this rule and decided to create an original message encryption protocol. In this work we have done a thorough cryptanalysis of the encryption protocol and its implementation. We look at the underlying cryptographic primitives and how they are combined to construct the protocol, and what vulnerabilities this has. (Yes that is a link to a masters thesis in cryptography. Click at your own risk. Math is involved, and it may cause your head to explode.) The title of the thesis is A practical cryptanalysis of the Telegram messaging protocol

To all my programming friends: if you feel the need to write your own messaging program, use one of the open source implementations for whatever you are doing. GnuPG is your friend for Public Key/Private Key. (If you don’t know what PGP – Pretty Good Privacy – or GnuPG are, well you might consider learning. You can bake GnuPG into Thunderbird email via an extension – after you install GnuPG.)

People say they have nothing to hide, but you have financial data, and you don’t want your identity stolen. (What are your “secret questions” for resetting your passwords?) If you work for a company you have data that needs to be kept confidential.


One thought on “Telegram Messenger – Not as secure as advertised?

  1. You have to think that if a European graduate student has been looking into breaking Telegram’s encryption, that someone in the NSA/CIA/EIEIO has been doing so as well.

Comments are closed.