This past weekend, when Whatsapp went down for a few hours because of server issues, many people decided to try out the alternatives. It doesn’t help that Whatsapp had also just been acquired by Facebook, raising privacy concerns among its 450-million users.
One of the apps people resorted to was a relative newcomer, Telegram. With a simple interface, and promises of speed and security, more than 5-million people downloaded the app while Whatsapp was suffering downtime. Since then, the app’s been the centre of attention among people who want a non-Facebook-related alternative to Whatsapp, as well as something more secure. After all, the big pitch Telegram gives, right on its website, is that it is private and secure.
Except it’s not as secure as it’s supposed to be.
Back in December, freelance developer and security expert Geoffrey Couprie posted a blog post in which he picked apart the app’s claimed security, suggesting that Telegram might not be that secure. In his post Couprie, who also contributes to the VLC project, points out the flaws in Telegram’s security implementation – including the fact that the encryption happens between the client and the server, not between the two clients. This means that man-in-the-middle attacks are possible if the servers are ever compromised, effectively leaving your data available to whoever has access to the servers.
Couprie’s analysis suggests that a more secure approach would be to let the two client devices handle the encryption themselves, which leaves the servers out of the loop entirely. That way, servers can still store and forward data – but it is all encrypted and completely inaccessible without the decryption keys, which only the clients hold.
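To make the difference between the two models concrete, here is an added illustration that is not Couprie’s code and does not model Telegram’s actual protocol: a constructed toy cipher (HMAC-SHA256 keystream, for demonstration only) and two relay servers. In the client-server model the server holds every session key and so sees each message in the clear; in the client-client model it only ever stores ciphertext.

```python
import hmac, hashlib, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher constructed for this illustration (not a real cipher):
    # XOR the data with HMAC-SHA256(key, nonce || counter) keystream blocks.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh random nonce per message
    return nonce + keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, message: bytes) -> bytes:
    return keystream_xor(key, message[:16], message[16:])

class TransportOnlyServer:
    # Client-server model: the server holds each client's session key, so it
    # must decrypt every message before re-encrypting it for the recipient.
    def __init__(self):
        self.session_keys = {}
        self.seen_plaintext = []  # readable by anyone with access to the server
    def register(self, name: str) -> bytes:
        self.session_keys[name] = secrets.token_bytes(32)
        return self.session_keys[name]
    def relay(self, sender: str, recipient: str, ciphertext: bytes) -> bytes:
        plaintext = decrypt(self.session_keys[sender], ciphertext)
        self.seen_plaintext.append(plaintext)
        return encrypt(self.session_keys[recipient], plaintext)

class EndToEndServer:
    # Client-client model: the server only stores and forwards ciphertext
    # under a key the two clients agreed on without the server's involvement.
    def __init__(self):
        self.stored = []
    def relay(self, ciphertext: bytes) -> bytes:
        self.stored.append(ciphertext)
        return ciphertext

def demo(msg: bytes = b"meet at nine") -> dict:
    srv = TransportOnlyServer()
    ka, kb = srv.register("alice"), srv.register("bob")
    via_server = decrypt(kb, srv.relay("alice", "bob", encrypt(ka, msg)))
    e2e, shared = EndToEndServer(), secrets.token_bytes(32)  # known only to the two clients
    via_e2e = decrypt(shared, e2e.relay(encrypt(shared, msg)))
    return {"bob_reads": via_server, "server_saw": srv.seen_plaintext,
            "bob_reads_e2e": via_e2e, "server_stored": e2e.stored}
```

Both models deliver the message to Bob, but only in the first does `server_saw` contain the plaintext; a compromised `EndToEndServer` yields nothing but `server_stored` ciphertext.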
He also points out that the Telegram team wrote new protocols rather than using existing standards, and that their approach ends up being less efficient. He further notes that the encryption relies on known values rather than randomisation.
Having been posted in December, his post already has a few updates in which he clarifies points that the Telegram developers have disputed. There are also many comments on the post, where the Telegram team explain, defend and clarify their methodology. Couprie accepts some of their reasons, but finds other flaws that are still present. In his summary he advises readers to avoid Telegram “at all costs”, which is a rather harsh judgement on the popular messaging application. More recently, after Whatsapp’s acquisition, Couprie published a post on what users should look for in a secure messenger.
Telegram still works and serves the purpose people want, but its claims of security and privacy might not be all they seem. There’s nothing stopping the developers from addressing Couprie’s valid concerns – so let’s hope they do. In the meantime, keep an eye out and be aware that it’s possibly not 100% snoop-proof. At the very least Telegram publishes details of the security it uses, so everything is up for discussion and improvement.