telegram – a revision

29/03/2015

In several previous posts I promoted the use of Telegram. After using it for quite a while now and reflecting on the app, I have to change my recommendation. While Telegram itself is a nice WhatsApp alternative that offers similar features, I now feel that it actually fails its purpose and is using somewhat misleading PR talk.

Telegram is great, and even a critical mass has adopted it, so you can really use it on a daily basis, but it has several design choices that led me to change my statement. Some of these points are purely subjective views and may not hold true for everyone. So please be aware that while some may be valid technical concerns, not all of the following can be generalized.

  • The most critical point is that Telegram does not offer privacy by default. Although on their website they make it appear that all communication is private, that is in fact not the case. Most non-technical people will just start chatting away with friends and believe that the messages are a secret to everyone but them. However, this is not true: Telegram does not end-to-end encrypt messages by default. Users have to deliberately set up a secret chat in order to enjoy full privacy.
  • The next problem is verification. Telegram uses some kind of visual representation of the secret chat key. This key picture looks similar to a QR code and I doubt many people even bother to check its validity. This way of ensuring a correct, untampered key exchange is very error-prone and, to non-technical users, very unintuitive. I think that in a world where surveillance is ubiquitous even non-tech-savvy users should be protected, even if that means that the magic should happen in the background and that developers have to think about how to hide these issues from the users – key distribution is an easy task, right?
  • The first crypto contest they held was fishy. Telegram always proclaimed that they are 200% secure because nobody can crack their encryption and that they even have set up a contest that proves it. Everyone involved in computers knows that total security is a myth and that everything can be broken given enough time and resources. The problem with the contest and the claim, though, is that it was set up in a suboptimal way. The contest excluded many attack vectors and was therefore not very meaningful. To Telegram's credit, they did set up a new contest that does include a wider array of attacks.
  • This leads me to my last (and subjective) point. A company that sells a product based on lies – and yes, telling the half truth is a lie (to me) – is not very trustworthy. They claim 100 percent security, they claim to have end-to-end encryption when in fact this is only true if it is deliberately activated. This, the way they handled criticism in the past, and the way the contest was set up do not give me a lot of confidence when I use their services. Trustworthy software should not proclaim half-true facts – that's almost like selling snake oil.

The above statements and a few other minor concerns of my own led me to this post. I cannot fully support Telegram anymore and I advise against the use of it. I still think it is a nice piece of software and that it is a step in the right direction, but for all the people seeking true digital privacy I recommend they look at different apps. The most solid alternative, I think, is Signal (iOS)/TextSecure (Android). It is a solid piece of software written by Moxie Marlinspike and others. Signal in combination with RedPhone even adds the possibility to make encrypted phone calls all around the world. Furthermore, Moxie Marlinspike is a guy who has proven that he knows what he’s doing. The best is that it is, like Telegram, also free and open source and handles the end-to-end encryption a lot more elegantly. So go and get that little gem and spread the word about it so its user base will reach the critical mass to be a usable alternative to WhatsApp and Telegram.

