DEV Community


Discussion on: Telegram isn't really encrypted, but you can easily encrypt chats with this service

williamzmorgan profile image
Will Morgan Author • Edited

So, GPG?

Right now, this service just generates a couple of private/public keys, but could definitely use GPG.

Could you elaborate on that statement?

Telegram won't allow you to do that with your own encryption, but this could be done with a Telegram bot which could encrypt/decrypt your messages and connect your chat on Telegram with this service.

In this case, you control your own encryption, so you're your own middle man, not Telegram. This would be the user-friendly solution, but the better way would be to do this outside of Telegram, with manual encryption/decryption of the messages.

 +----------------+    2      +-------------------+    1     +----------+
 |                <-----------+                   <----------+          |
 |   Encryption   |    3      |    Telegram bot   |          |   User   |
 |                +----------->                   |          |          |
 +----------------+           +-------------------+          +----------+
                                         |                   +----------+
                                         |         4         |          |
                                         +------------------>+  User 2  |
                                                             |          |

+-----------+        1        +----------------+      2      +--------------+
|           +----------------->                +------------>+              |
|  User 2   |        4        |  Telegram bot  |      3      |  Decryption  |
|           +<----------------+                +<------------+              |
+-----------+                 +----------------+             +--------------+

Not sure how secure it is, though it does satisfy the conditions for IND-CCA, so I guess it's good?

Telegram security does seem quite open and safe, but it's a proprietary protocol, and many would prefer open-source protocols and encryptions because they have full control over it. Here's an example of that sentiment:

Thread Thread
defman profile image
Sergey Kislyakov πŸ‡·πŸ‡Ί πŸ‡ΊπŸ‡Έ • Edited

That didn't answer my question about secret chats being decrypted somehow just because Telegram does the initial key exchange, which you stated there (if I misunderstood your sentence, please forgive me for that. English is not my native language):

since Telegram handles the encryption keys (even if it doesn't officially run through their server), it could theoretically be decrypted via your device by Telegram

Yes, you have to let Telegram do the exchange for you, but that's just trading user experience over security, I'm sure most people would accept this "trade" and those who don't - I doubt they use Telegram at all (they probably use GPG + E-mail or something like that).
Diffie–Hellman key exchange have been used for years, as long as Telegram clients use that algorithm, I'm fine with that.

As for the diagram provided, I guess it shows integration of your service with Telegram? I'd not trust any bot (except created by myself) to do the decryption of my messages. It must be done on the client side. Otherwise you're not controlling it at all. You can send/receive encrypted messages over Telegram, but that's not user friendly at all. At that point, I'd simply use GPG over e-mail with a plugin for Thunderbird that would encrypt/decrypt messages automatically.

The article you linked do not provide any valuable arguments either. I can take screenshot of any decrypted data and there's no protocol that wouldn't let me do that. As for MTProto, how is that proprietary? No one stops you from implementing it as a library so anyone could use it. The specification is open.