DEV Community

loading...

Discussion on: Telegram isn't really encrypted, but you can easily encrypt chats with this service

Collapse
williamzmorgan profile image
Will Morgan Author • Edited

This is a discrete service that handles encryption and decryption only. It can be used with any chat service like Telegram.

There is an encrypted 'secret chat' feature on Telegram, but since Telegram handles the encryption keys (even if it doesn't officially run through their server), it could theoretically be decrypted via your device by Telegram as well.

This service gives full control of encryption and keys to the user rather than trusting any companies in the middle. Telegram's proprietary protocol MTProto isn't open to developer scrutiny, whereas this service is fully open-source, and can be used locally or even in a decentralized manner.

Collapse
defman profile image
Sergey Kislyakov πŸ‡·πŸ‡Ί πŸ‡ΊπŸ‡Έ

This is a discrete service that handles encryption and decryption only. It can be used with any chat service like Telegram.

So, GPG?

it could theoretically be decrypted via your device by Telegram as well.

Could you elaborate on that statement? Do you mean Telegram can send some service message to me which will tell the app to decrypt my secret chats and send them back to Telegram? I'd doubt that. Their apps are open-source so if that would be the case, I'm sure there would be news about that. I haven't heard of anything like this, though.

Telegram's proprietary protocol MTProto

Server-side chat MTProto specification.
E2E MTProto specification.

Not sure how secure it is, though it does satisfy the conditions for IND-CCA, so I guess it's good?

Thread Thread
williamzmorgan profile image
Will Morgan Author • Edited

So, GPG?

Right now, this service just generates a couple of private/public keys, but could definitely use GPG.

Could you elaborate on that statement?

Telegram won't allow you to do that with your own encryption, but this could be done with a Telegram bot which could encrypt/decrypt your messages and connect your chat on Telegram with this service.

In this case, you control your own encryption, so you're your own middle man, not Telegram. This would be the user-friendly solution, but the better way would be to do this outside of Telegram, with manual encryption/decryption of the messages.

 +----------------+    2      +-------------------+    1     +----------+
 |                <-----------+                   <----------+          |
 |   Encryption   |    3      |    Telegram bot   |          |   User   |
 |                +----------->                   |          |          |
 +----------------+           +-------------------+          +----------+
                                         |
                                         |                   +----------+
                                         |         4         |          |
                                         +------------------>+  User 2  |
                                                             |          |
                                                             +----------+


+-----------+        1        +----------------+      2      +--------------+
|           +----------------->                +------------>+              |
|  User 2   |        4        |  Telegram bot  |      3      |  Decryption  |
|           +<----------------+                +<------------+              |
+-----------+                 +----------------+             +--------------+

Not sure how secure it is, though it does satisfy the conditions for IND-CCA, so I guess it's good?

Telegram security does seem quite open and safe, but it's a proprietary protocol, and many would prefer open-source protocols and encryptions because they have full control over it. Here's an example of that sentiment: abacusnews.com/digital-life/why-te...

Thread Thread
defman profile image
Sergey Kislyakov πŸ‡·πŸ‡Ί πŸ‡ΊπŸ‡Έ • Edited

That didn't answer my question about secret chats being decrypted somehow just because Telegram does the initial key exchange, which you stated there (if I misunderstood your sentence, please forgive me for that. English is not my native language):

since Telegram handles the encryption keys (even if it doesn't officially run through their server), it could theoretically be decrypted via your device by Telegram

Yes, you have to let Telegram do the exchange for you, but that's just trading user experience over security, I'm sure most people would accept this "trade" and those who don't - I doubt they use Telegram at all (they probably use GPG + E-mail or something like that).
Diffie–Hellman key exchange have been used for years, as long as Telegram clients use that algorithm, I'm fine with that.

As for the diagram provided, I guess it shows integration of your service with Telegram? I'd not trust any bot (except created by myself) to do the decryption of my messages. It must be done on the client side. Otherwise you're not controlling it at all. You can send/receive encrypted messages over Telegram, but that's not user friendly at all. At that point, I'd simply use GPG over e-mail with a plugin for Thunderbird that would encrypt/decrypt messages automatically.

The article you linked do not provide any valuable arguments either. I can take screenshot of any decrypted data and there's no protocol that wouldn't let me do that. As for MTProto, how is that proprietary? No one stops you from implementing it as a library so anyone could use it. The specification is open.