Subverting Telegram's end-to-end encryption (2023)
44 comments
·October 14, 2025gruez
tptacek
The threat model of the attack is targets relying on binary/source transparency of open source clients to protect against (state-sponsored) client backdoors; in that sense, it most closely resembles the Juniper/NetScreen Dual-EC attack, which functioned basically the same way: a backdoor that was essentially not auditable, as the underlying vulnerability was realized cryptographically.
I'm just clarifying. I agree the practical implications of the attack are not really meaningful to a general audience.
supermatou
Excellent article about Telegram's encryption from Matt Green (cryptographer, for those who haven't heard of him):
https://blog.cryptographyengineering.com/2024/08/25/telegram...
defraudbah
and another one from king of encryption in golang
The Most Backdoor-Looking Bug I’ve Ever Seen
defraudbah
in short, you don't need access to the device, only to the same network
if you are on the same network and manage either intercept key to bruteforce it or guess encryption key with emoji it's possible to decrypt the whole chat. It works because telegram random generator uses time and some device information which is predictable
the study managed to decrypt 500 messages out of 500 on emulator devices. Brutewforcing takes like a few $100 worth of computing power
Honestly, durovs are exceptional people and enterpreneurs, however their encryption and what they say isn't always what it presented as
null
taminka
can anyone explain why telegram doesn't use an audited e2e implementation? is it really because they wanted more convenient and faster cross-device sync? have they been threatened and/or backdoored by the fsb? they basically stole vk from him, but left him alone w/ telegram?
it's suspicious, but at the same time, iirc, nobody's been able to find a vulnerability in their encryption protocol :shrug
chupasaurus
1,2) NIH syndrome 3) We don't know 4) Expropriation isn't "basically stolen", Telegram was a tiny side project at the time
dijit
The first version of MTProto was found to have weaknesses.
The reason they rolled their own was because it came out before the Double-Ratchet/Axolotl protocol and OtR (which double-ratchet is essentially based on) was extremely inconvenient to use properly and had its own weaknesses.
taminka
> The reason they rolled their own was because it came out before the Double-Ratchet/Axolotl protocol and OtR (which double-ratchet is essentially based on) was extremely inconvenient to use properly and had its own weaknesses.
this actually makes a lot of sense lowkey, thanks :)
tptacek
People have found vulnerabilities in MTProto.
tptacek
Reminder that Telegram has "end to end" encryption only for direct messages; the rest is client-server, which they seem to believe is just as good as end-to-end.
ynoxinul
*for direct messages in secret chats, which you have to enable explicitly and which reduces user expericence in comparison to normal chats.
j45
It's weird that you can delete a message for you and for the other person too.
I doubt client-server is the only way to accomplish this.
dijit
client-server is good enough, if you trust the server.
If you don't trust the server, then you shouldn't trust them to supply you a client either. Since a client is basically "whatever code they decided".
Very few people are building from FOSS, and those that do will include binary blobs too. It's theatre.
tptacek
There are basically zero practicing cryptography engineers who would agree with the logic you've used here, but I acknowledge this is also someting Durov believes.
GranPC
(2023)
null
ethin
Is this really something new? If memory serves, Telegram has had it's own crypto since the beginning, and I don't remember anything about it ever being audited by... Well, anybody?
Granted, I don't know how MTProto actually works all that well, but IMO Telegram should've just used Noise or something. Would've saved them a lot of trouble. Although that doesn't really resolve the underlying problem that people think Telegram is secure when it's not (i.e., you have to explicitly enable E2EE and it's off by default), at least last time I checked. I haven't used telegram in years so my knowledge might be out of date though.
hiimkeks
Well, the article is from 2023, but what you remember is most likely MTProto version 1, which was even more ridiculously broken, iirc
jansper39
> Granted, I don't know how MTProto actually works all that well
I suppose it's what the actual goals of the app are, potentially it works out very well for someone.
ProofHouse
telegram is NOT safe. Far from it.
dijit
It was audited, found to have some serious flaws[0], then those were rectified.
Most people dislike Telegram because:
A) It takes away from Signals market share
B) They don't enable E2EE by default
C) They're owned by Pavel Durov, the Russian Zuckerberg.
I am aware that it's an unpopular opinion, but the FUD spread against Telegram and the hagiographies of Signal make me think something weird is going on.
Telegram has third party clients, so you can just roll your own client that runs another encryption on top if you want, like Pidgin used to do with OTR.
s17n
People in the US prefer Signal over Telegram because Signal was created by people who took security seriously, and Telegram wasn't.
People outside the US prefer telegram because they assume that Signal is probably compromised, or at least highly vulnerable to compromise, by US intelligence - they trust Pavel Durov's history of expropriation and arrest more than they trust some nerds who claim that our product is secure.
tptacek
I like how you sandwiched "the encryption story is bad" between two irrelevant social claims.
hiimkeks
D) They don't enable E2EE for groups at all
E) (I believe) don't enable E2EE with more than one device
dijit
D) True aside from group calls afaik
E) Neither does Whatsapp/Signal; they rely on a backdoor interface to your phone to send messages.
fsflover
F) They don't allow E2EE on GNU/Linux, including phones and desktop.
weberer
D) They moved to the enshittification phase and started displaying ads
BoredPositron
I mean Durov is going down the deep end in the last few weeks. Messaging all Telegram user with an Emergency feature with a doomer manifest.
ur-whale
> with a doomer manifest
Can you point at anything in his message that's not factually correct?
asacrowflies
Seems pretty cognizant of the modd of entire HN front page past few weeks honestly
For people who only read the headline, it's not as bad as the title might suggest. This attack requires backdooring the client, by which point it's already effectively game over in most threat models. The main advantage of this attack is that a compromised client can be sending "encrypted" messages that can actually be trivially decrypted by authorities, but that isn't immediately obvious to someone inspecting network traffic. Needless to say, this is a pretty pointless attack because nobody is manually inspecting every piece of data that their telegram is sending, and the client probably makes so many requests that it's trivial to smuggle data through some other side channel.