Why You Should Stop Using Telegram Right Now

Earlier this week, The Intercept evaluated the best instant messaging clients from the privacy standpoint. The list included Facebook's WhatsApp, Google's Allo, and Signal -- three apps that employ end-to-end encryption. One popular name that was missing from the list was Telegram. A report on Gizmodo sheds further light on the matter, adding that Telegram is riddled with a wide range of security issues, and "doesn't live up to its proclamations as a safe and secure messaging application." Citing many security experts, the report states:One major problem Telegram has is that it doesn't encrypt chats by default, something the FBI has advocated for. "There are many Telegram users who think they are communicating in an encrypted way, when they're not because they don't realize that they have to turn on an additional setting," Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union, told Gizmodo. "Telegram has delivered everything that the government wants. Would I prefer that they used a method of encryption that followed industry best practices like WhatsApp and Signal? Certainly. But, if it's not turned on by default, it doesn't matter."The other issue that security experts have taken a note of is that Telegram employs its own encryption, which according to them, "is widely considered to be a fatal flaw when developing encrypted messaging apps." The report adds:"They use the MTproto protocol which is effectively homegrown and I've seen no proper proofs of its security," Alan Woodward, professor at the University of Surrey told Gizmodo. Woodward criticized Telegram for their lack of transparency regarding their home cooked encryption protocol. "At present we don't know enough to know if it's secure or insecure. That's the trouble with security by obscurity. It's usual for cryptographers to reveal the algorithms completely, but here we are in the dark. Unless you have considerable experience, you shouldn't write your own crypto. No one really understands why they did that."The list goes on and on.

Re:Security by obscurity is fine

[NotInHere]

Also, it does not at all apply here. Telegram not just publishes documentation how their protocol works, but it also releases the full source code: https://telegram.org/apps#sour...

So even if the mtproto documentation would have a flaw or be not precise enough to fully specify the behaviour (and that often happens!), you could still look into the source code to find out what actually happens.

Re: Why I *do* use Telegram

[johanw]

You could always use Silence (https://github.com/SilenceIM/Silence): it is a fork of Signal that uses only sms/mms, so no gapps required or used. They forked after Signal dropped the encrypted sms option.

Bullshit

[Brethil]

I'll just leave this here. https://telegram.org/faq#q-how...