Original author: Matthew Green

Original translation: Block unicorn

About the author: Matthew Green is a cryptographer and professor at Johns Hopkins University. I design and analyze cryptographic systems used in wireless networks, payment systems, and digital content protection platforms. In my research, I study various ways that cryptography can be used to protect user privacy.

This post was inspired by the recent worrying news that Telegram CEO Pavel Durov was arrested by French authorities for failing to adequately police content. While I don’t know the specifics, the use of criminal charges to coerce social media companies is a rather worrying escalation (or perhaps there is more to the story than meets the eye).

But I don't want to talk about this arrest today.

I want to talk about one specific detail in the reporting, specifically: nearly every news report about the arrests referred to Telegram as a “crypto app.” Here are a few examples:

This statement drives me crazy because from a very limited technical perspective it is not wrong. However, on every level that matters it fundamentally misrepresents what people think about Telegram and how it actually works. This misrepresentation is bad for journalists and for Telegram users, especially those who could be seriously harmed by it.

Now let's talk about the details.

Is Telegram encrypted?

Many systems use encryption in some way. However, when we talk about encryption in the context of modern private messaging services, the term usually has a very specific meaning: it refers to the use of default end-to-end encryption to protect the contents of a user's messages. When used in an industry-standard manner, this feature ensures that each message is encrypted using encryption keys that are known only to the two parties communicating, and not to the service operator.

From your perspective as a user, an “encrypted messaging app” means that every time you start a conversation, your messages can only be read by the person you’re chatting with. If the operator of the messaging service tries to view the contents of your messages, all they’ll see is useless encrypted data. The same assurances apply to anyone who might hack into the provider’s servers, and to law enforcement agencies who serve the provider with a subpoena, for better or worse.

Telegram clearly does not meet this stricter definition for a simple reason: it does not enable end-to-end encryption by default. If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called "Encrypted Chat" for each private conversation. This feature is explicitly not enabled for most conversations and is only available for one-on-one conversations, never for group chats of more than two people.

Because it is a strange "add-on feature", activating Telegram's end-to-end encryption is actually quite troublesome for non-expert users.

First, the button that activates Telegram's encryption feature isn't visible in the main chat window or on the home screen. To find it in the iOS app, I had to tap at least four times—once to go to the user's profile page, once for a hidden menu to pop up with the option, and finally to confirm that I wanted to use encryption. And even then, I couldn't actually start an encrypted conversation because the "encrypted chat" feature only works if the person you're talking to happens to be online.

Starting an “encrypted chat” with my friend Michael in the latest Telegram iOS app. This option is not directly visible from the normal chat interface. Activating it requires four taps:

(1) Go to Michael’s profile page (left),

(2) Click the "..." button to display the hidden option set (middle image).

(3) Select "Start Secret Chat".

(4) Click OK in the "Are you sure you want to continue?" confirmation dialog box. After that, I still couldn't send any messages to Michael because Telegram's secret chat feature can only be enabled when the other party is also online.

Overall, this is a very different experience from starting a new encrypted chat in modern industry-standard encrypted messaging apps, where you simply open a new chat window.

While this may seem like nitpicking, the difference between default end-to-end encryption and this experience can be significant. In practice, it means that the vast majority of one-to-one Telegram conversations — as well as every group chat — can potentially be seen and recorded by Telegram’s servers, which have access to the full content of every message sent between users. This may or may not be an issue for every Telegram user, but it obviously shouldn't be promoted as particularly secure encryption.

(If you’re interested in the details, as well as some further criticism of Telegram’s actual encryption protocol, I go into that further below.)

Does encryption by default really matter?

Maybe it's important, maybe it's not! This question can be viewed from two different perspectives.

One angle is that Telegram's lack of default encryption is totally fine for many people. The reality is that many users simply don't use Telegram as an encrypted private messaging tool. For many people, Telegram is more like a social media network than a private messaging app.

Specifically, Telegram has two popular features that make it a good fit for this use case. One is the ability to create and subscribe to "channels," each of which is like a broadcast network where one person (or a handful of people) can push content to millions of readers. When you're broadcasting messages to thousands of strangers, keeping your chat private isn't that important.

Telegram also supports large public group chats with thousands of users. These groups can be open to the public or set to invite-only. While I personally have never thought about sharing a group chat with thousands of people, I have heard that many people like this feature. In such large public groups, the unencrypted nature of Telegram group chats is not really that important - after all, who cares about encryption when talking in a public square?

But Telegram is not limited to these features, and many users who join for them also do other things.

Imagine you're in a "public square" in a large group chat. In this environment, there may be no expectation of strong privacy, so end-to-end encryption is not important to you. But suppose you and five friends leave the square to have a private conversation. Does this conversation deserve strong privacy protection? It doesn't matter what you think, because Telegram doesn't provide that protection, at least not by default: the contents of that conversation are visible to Telegram's servers.

Similarly, let’s say you use Telegram’s social media features, primarily to consume content rather than to generate it. But one day your friend, who also uses Telegram for similar reasons, discovers you’re on the platform and decides to send you a private message. Are you now concerned about privacy? Do you manually turn on the “encrypted chat” feature — even though it requires four explicit clicks through a hidden menu and will prevent you from communicating immediately if one of you is offline?

I strongly suspect that many people may have joined Telegram for its social media features, but will end up using it for private chats as well. I think Telegram knows this and tends to market itself as a "secure messaging app" and talk about the platform's encryption features precisely because they know it will make people feel more comfortable. But in reality, I also suspect that very few of these users are actually using Telegram's encryption features. Many users may not even know that they need to manually turn on encryption and may think they are already using it.

This brings me to my next point.

Telegram knows that its encryption is difficult to turn on, but continues to promote its product as a secure messaging app.

Since 2016 (and probably earlier), Telegram’s encryption features have been heavily criticized for many of the reasons I mentioned in this post. In fact, many of these criticisms were made by experts, including myself, in conversations with Pavel Durov on Twitter many years ago.

Despite the sometimes acrimonious interactions with Durov, at that point I still mostly believed that Telegram had good intentions. I assumed that Telegram was busy expanding its network, and that over time they would improve the quality and usability of the platform’s end-to-end encryption: for example, by making it the default, supporting group chats, and making it possible to start encrypted chats with offline users. I assumed that while Telegram might be a follower rather than a leader, it would eventually reach a level of functionality on encryption protocols comparable to Signal and WhatsApp. Of course, another possibility is that Telegram would abandon encryption entirely and focus on being a social media platform.

What actually happened is more puzzling.

Telegram’s owners have not improved the usability of its end-to-end encryption, and its encrypted user experience has barely changed since 2016. Despite some upgrades to the underlying encryption algorithms used by the platform, the user experience of secret chats in 2024 is virtually indistinguishable from that of eight years ago. Despite this, Telegram’s user base has grown 7-9 times over the same period.

Meanwhile, Telegram CEO Pavel Durov continues to actively promote Telegram as a "secure messaging app." Recently, he sharply criticized Signal and WhatsApp on his personal Telegram channel, suggesting that these systems have backdoors set up by the US government and that only Telegram's independent encryption protocol is truly trustworthy.

If this were a legitimate technical argument between two platforms that both support end-to-end encryption by default, this might be understandable. However, Telegram really has no place in this discussion. It’s no longer funny to see the Telegram organization encouraging users to move away from messaging apps that are encrypted by default, while refusing to implement basic features that would widely encrypt user messages. In fact, it’s starting to look a bit malicious.

What other encryption details are there?

This is a cryptography blog, so I’d be remiss if I didn’t spend some time explaining boring cryptographic protocols. I’d also miss a great opportunity to marvel at the inner details of Telegram’s encryption, which almost always leave me speechless every time I look at them.

To make it less painful, I’ll go into the details in a paragraph, but feel free to skip if you’re not interested.

Telegram's secret chat feature is based on a custom protocol called MTProto 2.0, following what I believe to be the latest cryptographic specifications. This system uses a 2048-bit finite-field Diffie-Hellman key exchange, with group parameters (I think) chosen by the server. (Because the Diffie-Hellman key exchange requires both users to be online, an encrypted chat cannot be set up if one user is offline.) MITM protection is handled by the end users, who have to compare key fingerprints. The server provides some strange random nonces whose purpose I don't fully understand* - in the past these nonces made the key exchange completely insecure against a malicious server (but this problem has long since been fixed*). The resulting keys are then used in the most amazing, non-standard authenticated encryption mode - a mode called "Infinite Garble Extension" (IGE), which is based on AES and uses SHA-2 to handle authentication.**

Note: In the paragraph above, every place I marked with a "*" is a point where an expert cryptographer would raise their hand and ask a question in the context of something like a professional security audit. I'm not going to go into detail, but suffice it to say that Telegram encryption is highly unusual.
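The paragraph above says that MITM protection in a secret chat rests on the two users comparing key fingerprints. The following is an added illustration of why that comparison is the only thing standing between the users and a relay that swaps public values; it is not Telegram's code, and MTProto's real key derivation, fingerprint format and server nonces are not reproduced. The group (the Mersenne prime 2^127 - 1 with generator 2) and the SHA-256 fingerprint are assumptions made for readability; a real exchange uses a 2048-bit group.

```python
import hashlib
import secrets

# Toy group, constructed for this demo: the 127-bit Mersenne prime 2^127 - 1
# with generator 2. Telegram's exchange uses a server-supplied 2048-bit
# finite-field group; these small parameters only keep the arithmetic readable
# and must not be used for anything real.
P = 2**127 - 1
G = 2


def keypair():
    """Pick a random private exponent and return (private, g^private mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Finite-field Diffie-Hellman: (g^b)^a mod p == (g^a)^b mod p."""
    return pow(peer_pub, priv, P)


def fingerprint(secret):
    """Short, human-comparable digest of the agreed key (assumed format: 16 hex
    chars of SHA-256). Each side shows this to its user for out-of-band comparison."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()[:16]


def run_exchange(malicious_relay):
    """Alice and Bob exchange public values through a server. With an honest relay
    the values arrive unchanged; a malicious relay substitutes its own value in
    both directions. Returns what each side would display and what the relay learns."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if malicious_relay:
        # Each user unknowingly agrees a key with the relay instead of with each other.
        m_priv, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    a_key = shared_secret(a_priv, a_sees)
    b_key = shared_secret(b_priv, b_sees)
    result = {"a_fp": fingerprint(a_key), "b_fp": fingerprint(b_key)}
    if malicious_relay:
        # The relay holds both sessions: g^(a*m) via a_pub and g^(b*m) via b_pub,
        # so it can decrypt traffic in both directions.
        result["relay_knows_a_key"] = shared_secret(m_priv, a_pub) == a_key
        result["relay_knows_b_key"] = shared_secret(m_priv, b_pub) == b_key
    # Nothing in the protocol itself flags the substitution; only the two users
    # comparing fingerprints over another channel reveals it.
    result["fingerprints_match"] = result["a_fp"] == result["b_fp"]
    return result


if __name__ == "__main__":
    print("honest relay:   ", run_exchange(False))
    print("malicious relay:", run_exchange(True))
```

With an honest relay both users see the same fingerprint; with a substituting relay the two fingerprints differ and the relay can compute both session keys, which is exactly the case the fingerprint comparison exists to catch, and exactly the step most users never perform.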

If you asked me to guess whether the protocol and implementation of Telegram Secret Chats is secure, I would say it’s probably secure. But honestly it doesn’t really matter, because security is irrelevant if people don’t actually use the feature.
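IGE mode, named in the protocol paragraph above, gets its name from a property worth seeing rather than reading about: a single corrupted ciphertext block garbles every plaintext block that follows it. The code below is an added demonstration, not Telegram's implementation. It runs the IGE chaining rule (c_i = E(p_i XOR c_{i-1}) XOR p_{i-1}) over a small Feistel permutation constructed for the demo in place of AES, shows the garble propagation, and shows why a separate SHA-2 based tag is needed: the encrypt-then-MAC wrapper here uses HMAC-SHA256 and is a standard construction, not MTProto's own key schedule or msg_key derivation.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the same block size as AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    # Round function for the toy Feistel cipher: keyed SHA-256, truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Stand-in for AES, constructed for this demo: a 4-round Feistel permutation
    on one 16-byte block. The IGE code treats it as a black box."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def ige_encrypt(key, iv, plaintext):
    """IGE: c_i = E(p_i XOR c_{i-1}) XOR p_{i-1}; the IV supplies (c_0, p_0)."""
    assert len(iv) == 2 * BLOCK and len(plaintext) % BLOCK == 0
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i:i + BLOCK]
        c = _xor(block_encrypt(key, _xor(p, c_prev)), p_prev)
        out.append(c)
        c_prev, p_prev = c, p
    return b"".join(out)


def ige_decrypt(key, iv, ciphertext):
    """Inverse: p_i = D(c_i XOR p_{i-1}) XOR c_{i-1}."""
    assert len(iv) == 2 * BLOCK and len(ciphertext) % BLOCK == 0
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        p = _xor(block_decrypt(key, _xor(c, p_prev)), c_prev)
        out.append(p)
        c_prev, p_prev = c, p
    return b"".join(out)


def garbled_blocks_after_bitflip(key, iv, plaintext, flip_block):
    """Flip one bit in ciphertext block `flip_block`, decrypt, and list the plaintext
    blocks that no longer match. In IGE the damage propagates to the end of the
    message, which is the 'infinite garble' the mode is named for."""
    ct = bytearray(ige_encrypt(key, iv, plaintext))
    ct[flip_block * BLOCK] ^= 0x01
    pt = ige_decrypt(key, iv, bytes(ct))
    n = len(plaintext) // BLOCK
    return [i for i in range(n)
            if pt[i * BLOCK:(i + 1) * BLOCK] != plaintext[i * BLOCK:(i + 1) * BLOCK]]


def _mac_key(key):
    return hashlib.sha256(b"demo-mac|" + key).digest()


def seal(key, iv, plaintext):
    """Garbling is not detection: IGE alone accepts any tampered input. A SHA-2
    based tag has to do the authentication (here: encrypt-then-MAC, HMAC-SHA256)."""
    ct = ige_encrypt(key, iv, plaintext)
    return ct + hmac.new(_mac_key(key), iv + ct, hashlib.sha256).digest()


def open_sealed(key, iv, sealed):
    """Return the plaintext, or None if the tag does not verify."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(_mac_key(key), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ige_decrypt(key, iv, ct)


def tamper_detected(key, iv, plaintext):
    """Flip one ciphertext bit in a sealed message and check that it is rejected."""
    sealed = bytearray(seal(key, iv, plaintext))
    sealed[0] ^= 0x01
    return open_sealed(key, iv, bytes(sealed)) is None


# Constructed sample inputs; a real key and IV would be random per session.
KEY = hashlib.sha256(b"demo key, not a real one").digest()
IV = hashlib.sha256(b"demo iv").digest()  # 32 bytes = the two IV blocks IGE needs
PLAINTEXT = b"Constructed sample plaintext for the IGE demo.".ljust(6 * BLOCK, b"\0")

if __name__ == "__main__":
    print("garbled blocks after flipping a bit in block 2:",
          garbled_blocks_after_bitflip(KEY, IV, PLAINTEXT, 2))
    print("tampered sealed message rejected:", tamper_detected(KEY, IV, PLAINTEXT))
```

Flipping a bit in ciphertext block 2 of a six-block message leaves blocks 0 and 1 intact and garbles blocks 2 through 5; compare CBC, where the same flip damages exactly two blocks. Either way the decryptor has no idea anything happened unless a tag is checked, which is the role SHA-2 plays in the construction the post describes.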

Block unicorn Note: In short, Telegram's encryption system uses some complex technology to protect information, but in terms of user experience, it is relatively complicated to set up and use. Some technical details may seem less transparent, especially the use of random numbers and the way keys are protected.

Finally

While end-to-end encryption is one of the best tools we have developed to prevent data breaches, it’s not the whole story. One of the biggest privacy issues in messaging is the large amounts of metadata — basically data about who is using a service, who they’re talking to, and when they’re talking.

This data is not usually protected by end-to-end encryption. Even in broadcast-only apps, such as Telegram channels, there is a lot of useful metadata about who is listening to the broadcast. This information itself is valuable to people, as evidenced by the huge sums of money traditional broadcasters spend to collect this data. At present, all of this information may exist on Telegram's servers and can be obtained by anyone who wants to collect it.
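To make the metadata point concrete, here is an added example (not from the original post) that works over a constructed relay log of the kind a server keeps even when every message body is end-to-end encrypted. The ciphertext column is never read; the contact graph, conversation timing and channel audience all come out of the surrounding fields. The log format, user names and channel name are invented for the demo.

```python
import collections
from datetime import datetime, timezone

# Constructed sample of a relay server's log: timestamps, identities and an
# opaque ciphertext column. Nothing below touches the ciphertext.
SAMPLE_LOG = """\
2024-08-25T09:01:12Z msg from=alice to=bob ct=<opaque>
2024-08-25T09:02:40Z msg from=bob to=alice ct=<opaque>
2024-08-25T09:15:03Z msg from=alice to=carol ct=<opaque>
2024-08-25T10:00:00Z sub user=dave channel=news42
2024-08-25T10:00:05Z sub user=bob channel=news42
2024-08-25T10:05:00Z post channel=news42 ct=<opaque>
2024-08-25T21:30:00Z msg from=alice to=bob ct=<opaque>
2024-08-25T21:31:10Z msg from=bob to=alice ct=<opaque>
"""


def parse_log(text):
    """One dict per line: {'ts': datetime, 'kind': 'msg'|'sub'|'post', key=value fields}."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
               "kind": kind}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def contact_graph(records):
    """Who talks to whom: an undirected adjacency map built from 'msg' records."""
    graph = collections.defaultdict(set)
    for r in records:
        if r["kind"] == "msg":
            graph[r["from"]].add(r["to"])
            graph[r["to"]].add(r["from"])
    return dict(graph)


def conversation_stats(records):
    """Per unordered pair: how many messages and over what time span."""
    stats = {}
    for r in records:
        if r["kind"] != "msg":
            continue
        pair = tuple(sorted((r["from"], r["to"])))
        s = stats.setdefault(pair, {"count": 0, "first": r["ts"], "last": r["ts"]})
        s["count"] += 1
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
    return stats


def channel_audience(records):
    """Broadcast channels expose their listener list even though posts are opaque."""
    audience = collections.defaultdict(set)
    for r in records:
        if r["kind"] == "sub":
            audience[r["channel"]].add(r["user"])
    return dict(audience)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("contacts:", contact_graph(recs))
    print("conversations:", conversation_stats(recs))
    print("channel audience:", channel_audience(recs))
```

Everything printed here is available to the operator, to anyone who compromises the operator, and to anyone who can compel the operator, regardless of how the message bodies are encrypted.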

I’m not criticizing Telegram specifically, as almost every other social media network and private messaging app has the same issues. But it is worth mentioning, because I don’t want you to come away thinking that just having encryption is enough.