Telegram spokesperson Remi Vaughn reached out to us to refute Wired and WhatsApp head Will Cathcart’s claims about the security of the popular chat app. According to Vaughn, the Wired article contains many errors and the editorial team ignored Telegram’s comments and replies, which in turn misled Cathcart.
Telegram compiled a list of 9 errors in the Wired article, which you can find at telegra.ph (a minimalistic Telegram publishing tool). The post concludes with “This list is being expanded.”
This post addresses various claims in the Wired article, including one about location tracking: according to Telegram, this is only possible if the user explicitly makes their location publicly visible, which only 0.01% of users have done.

A visualization of the MTProto 2.0 protocol
Regarding the privacy of secret chats, Vaughn points out that Cathcart is wrong to claim that Telegram’s end-to-end encryption (E2EE) protocol isn’t independently verified. A team from the University of Udine in Italy tested the MTProto 2.0 protocol used by Telegram to secure its chats: you can find their article here (PDF).
Note that this is a verification of the protocol rather than of a specific implementation. But the Telegram app is open source and has supported reproducible builds since version 5.13. “Reproducible builds” means that you can compile publicly available source code and verify that the resulting machine code is identical to that hosted on the Apple App Store, Google Play Store, and Telegram website. Telegram’s servers are not open source, although the Udine team also tested the MTProto 2.0 protocol against malicious servers.
They point out an issue that could violate the security of secret chats: when starting a secret chat, it is imperative that users verify the authentication key fingerprints through a secure external channel. Otherwise, man-in-the-middle attacks (i.e. a third party intercepting and possibly altering messages) are possible. The researchers point out that such user error is also possible when using the Signal app.



Creating a secret chat and verifying the encryption key
So if you use either app, make sure you verify the fingerprint correctly: a secret chat isn’t truly secret until you do, and you can’t use the same chat or another insecure chat to verify that your fingerprints match.
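
To show why the comparison has to happen over a separate channel, here is an added example (not code from Telegram, the Udine paper or the original article) that runs a generic unauthenticated Diffie-Hellman exchange with and without a party substituting keys in transit. The group parameters, the SHA-256 fingerprint derivation and all function names are assumptions chosen for illustration and are not MTProto 2.0's actual key derivation.

```python
import hashlib
import secrets

# 768-bit MODP group from RFC 2409 (Oakley Group 1), generator 2.
# Chosen only to keep the example short; too small for production use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair():
    """Return (private exponent, public value G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def fingerprint(peer_public, own_private):
    """Derive the shared key, then a short fingerprint of it."""
    shared = pow(peer_public, own_private, P)
    # Assumed derivation: first 16 hex digits of SHA-256 over the key.
    return hashlib.sha256(shared.to_bytes(96, "big")).hexdigest()[:16]


def exchange(intercepted):
    """Run one key exchange; return the fingerprints (Alice's, Bob's)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # A party in the path replaces both public values with its own, so
        # each user shares a key with that party instead of with each other.
        _, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return fingerprint(a_sees, a_priv), fingerprint(b_sees, b_priv)


def fingerprints_match(intercepted):
    """Compare both fingerprints as users would over a trusted channel."""
    alice_fp, bob_fp = exchange(intercepted)
    return alice_fp == bob_fp


if __name__ == "__main__":
    print("direct exchange, fingerprints match:", fingerprints_match(False))
    print("intercepted exchange, fingerprints match:", fingerprints_match(True))
```

The mismatch in the intercepted case is only visible if the two fingerprints are compared somewhere the intercepting party cannot rewrite them, which is why the chat itself cannot be used for the check.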
