Why Telegram’s out-of-the-box features don’t provide maximum security


Unlike many messaging apps, Telegram doesn’t offer end-to-end encryption by default.

In recent days, after Telegram founder Pavel Durov's arrest, there have been many reports in the media calling Telegram an encrypted messaging app.

While this is technically true, one important detail is often not mentioned – Telegram doesn’t provide end-to-end encryption by default.

This may not be clear to a significant portion of its 950 million users, believes Matthew Green, a cryptographer and professor at Johns Hopkins University.

Most apps that offer encryption services, even Meta’s WhatsApp, enable encryption in their default settings.

This guarantees that encryption keys are known only to the communicating parties, meaning that no one, not even your service provider or a hacker who breaks into its servers, can read the content of your messages.

Meanwhile, if users want to use end-to-end encryption on Telegram, they have to turn on the feature manually by enabling the Secret Chats function.

Green's blog post points out that this may not be easy for those with no technical knowledge.

For example, the button to activate Telegram's encryption feature isn’t visible in the main conversation pane or on the home screen, and it takes four clicks to enable it.

Even then, users can’t start an encrypted conversation immediately, as Secret Chats only work if the conversation partner is online at the time.

“My strong suspicion is that many people who join Telegram for its social media features also end up using it to communicate privately. And I think Telegram knows this and tends to advertise itself as a ‘secure messenger’ and talk about the platform’s encryption features precisely because they know it makes people feel more comfortable,” he says.

“But in practice, I also suspect that very few of those users are actually using Telegram’s encryption. Many of those users may not even realize they have to turn encryption on manually and think they’re already using it.”

In addition, Telegram’s Secret Chats don’t work with group chats, meaning that group conversations could still be read if someone compromises the servers.

There are many alternatives, including Signal, for those who want to use apps that offer end-to-end encryption by default.

Durov was arrested in Paris on Saturday. If he is convicted, the precedent could have far-reaching international implications.

Following Durov's arrest, Denmark's Minister of Justice, Peter Hummelgaard, said he would “very much like” to block encrypted messaging services amidst skyrocketing gang-related crime.