Many people who focus on information security, including myself, have
long considered
Telegram suspicious and untrustworthy.
Now, based on findings
published by the investigative journalism outlet ISt
The article unfortunately isn’t much better when read in it’s entirety. A unique identifier is sent along with an encrypted payload. The entire set is then encrypted again in transit. But the author claims the identifier is sent “cleartext”.
This coupled with repeated “russian bad” comments peppered throughout. Article is bad.
The entire set is then encrypted again in transit.
Citation? The author of the article provides theirs, and a cursory glance at the chart that telegram themselves provides reveals that the authentication key is not encrypted at all.
Here’s the part of the article you may have missed that clarifies why that’s actually a huge issue:
This enables anyone who has sufficient network visibility and a bit of dedication to identify traffic originating from a given user device.
IStories found evidence that all network communication to and from Telegram’s infrastructure go through a company linked to the Russian FSB. This would provide the kind of network visibility that combined with auth_key_id would allow it to identify traffic coming from specific users, globally.
Why exactly did Telegram create a proprietary messaging protocol that uses this “surprising and unnecessary protocol design choice, present neither in Signal nor WhatsApp”?
Maybe it was just a huge coincidence, compounded by other huge coincidences. You tell me. You have the opportunity to blow this article wide open.
The article unfortunately isn’t much better when read in it’s entirety. A unique identifier is sent along with an encrypted payload. The entire set is then encrypted again in transit. But the author claims the identifier is sent “cleartext”.
This coupled with repeated “russian bad” comments peppered throughout. Article is bad.
Citation? The author of the article provides theirs, and a cursory glance at the chart that telegram themselves provides reveals that the authentication key is not encrypted at all.
Here’s the part of the article you may have missed that clarifies why that’s actually a huge issue:
Why exactly did Telegram create a proprietary messaging protocol that uses this “surprising and unnecessary protocol design choice, present neither in Signal nor WhatsApp”?
Maybe it was just a huge coincidence, compounded by other huge coincidences. You tell me. You have the opportunity to blow this article wide open.