242

There is a new WhatsApp-killer application called Telegram. They said that it's open source and that it has a more secure encryption.

But they store all the messages in their servers and WhatsApp doesn't store any messages in any server, only a local copy in the phones.

Is Telegram more secure than WhatsApp?

jrtapsell
  • 3,169
  • 15
  • 30
ilazgo
  • 2,743
  • 4
  • 12
  • 10
  • 9
    In short, I'd say nothing is secure that works as easy as Telegram, WhatsApp, Skype, BlackBerry, etc. All of those (except WhatsApp) have promised end to end encryption, and so far only Telegram is not known to hand over their encryption keys to governments, simply because they are not big enough yet. Somehow Microsoft and Blackberry made it possible to break their own security and provide India and the United Arab Emirates with some plaintext. I wouldn't put it past *any* app to do this. For real security, use trusted tools like PGP/GPG or [OTR](https://otr.cypherpunks.ca/). – Luc Apr 05 '14 at 19:07
  • 5
    They did a roll-your-own on their encryption... So, no. Hilarity from the future, enjoy! Said someone who examined it, "The crypto is like being stabbed in the eye with a fork." – Fiasco Labs Nov 23 '15 at 19:03
  • 1
    Judging from the fact that the Russian gov won the trial related to the encryption and ordered them to subdue their keys, no. – Michael Chourdakis Mar 20 '18 at 17:14
  • 2
    As mentioned in the edit [here](https://crypto.stackexchange.com/a/37242) all of this thread should be renamed to just apply to the first version of MTProto. After 2017 it ceased to be relevant. – mirh Jan 11 '21 at 13:03

6 Answers6

259

TL;DR: No, Telegram is not secure.

I'd like to ignore the comparison to WhatsApp because WhatsApp does not advertise itself as a "secure" messaging option. I'd like to instead focus on whether Telegram is secure.

Telegram's security is built around their home spun MTProto protocol. We all know that the first rule of Cryptography is Don't Roll Your Own Crypto. Especially if you aren't trained cryptographers. Which the Telegram people most certainly aren't.

The team behind Telegram, led by Nikolai Durov, consists of six ACM champions, half of them Ph.Ds in math. It took them about two years to roll out the current version of MTProto. Names and degrees may indeed not mean as much in some fields as they do in others, but this protocol is the result of thougtful and prolonged work of professionals.

Source: https://news.ycombinator.com/item?id=6916860

Math Ph.Ds are not cryptographers. The protocol they invented is flawed. Here is a nice blog post explaining why. In addition to that, Telegram has issued a rather ridiculous challenge offering a reward to anyone who can break the protocol. Except that the terms they set makes even the most ridiculously weak protocol difficult to break. Moxie Marlinspike has a nice blog post explaining why the challenge is ridiculous.

So, no. Telegram is by no means secure. For commonly accepted definitions of secure, not the one Telegram made up.

If you want a real secure means of communication on your phone, look to more reputable projects such as Signal or WhatsApp (which, since this answer was first written, now uses the Signal Protocol for end-to-end message encryption).

UPDATE

  • 09 January 2015: A new 2^64 attack On Telegram has been announced.
  • 12 December 2015: A new paper demonstrating that MTProto is not IND-CCA secure.
  • 22 December 2017: Replaced outdated recommendation for CryptoCat with a more up-to-date recommendation for Signal and WhatsApp.
Ale
  • 103
  • 2
  • Also Threema: https://www.threema.ch – TwentyMiles Apr 04 '14 at 18:22
  • 1
    Yes, Threema is 'trust no one': they don't have the keys so they cannot decrypt your messages. It costs $2 IIRC. Threema also does authentication on several levels, the strongest being that if you exchange QR code between phone displays, you know from that moment on that you are communication with that phone ('person' would be incorrect, someone could have stolen your contacts' phone). –  Apr 05 '14 at 16:04
  • 35
    Reiterates lots of the criticism, but so far I have yet to hear a non-theoretical vulnerability. Can anyone read encrypted messages as they go over the wire, change contents without the other party noticing (even if the attacker doesn't know what the decrypted output will be), or spoof the sender? If not, I don't see a problem with this self-designed protocol. All protocols have been designed by one team or another at some point. – Luc Apr 05 '14 at 16:27
  • 82
    @Luc I really wish I can downvote comments. Really? Non-standard crypto doesn't make you nervous? Do you want to encourage people to use crypto protocols without strong theoretical foundations? What happens when adoption reaches critical mass and a serious vulnerability is found? Yes, protocols need to be designed by people. But the people designing them should be trained cryptographers and the protocol needs to be peer reviewed by other trained cryptographers. –  Apr 05 '14 at 16:39
  • 10
    @TerryChia I understand your point, and I too distrust any crypto in new apps, but I don't think this is the major concern when using Telegram right now. The protocol has been looked at by a few smart people and so far I've yet to hear actual issues, so that in my opinion that moves it from "distrusted" to "probably one of the lesser issues". Things like not having plausible deniability, leaking metadata, devices being pwned, people not comparing the encryption key out of band, etc. seem like much bigger issues when deciding whether one should say product X can be ultimately trusted. – Luc Apr 05 '14 at 19:23
  • 5
    @Luc the point that Terry mentioned, which I wholeheartedly agree, is that if (when) an actual issue is found, it may be too late if it has already got critical mass, and because messages are stored on the server. – Daniel Serodio May 08 '14 at 20:04
  • 10
    You've proven that Telegram uses a non standard protocol, that, we already know. But who knows, it might turn out to be secure, no one has objectively examined MTProto yet. The only claim is "This is not standard, therefore this is not secure". – Hello World May 15 '14 at 18:16
  • 25
    Using Cryptocat as an security exemplar is actually quite dangerous. It has a very controversial history, and lots of well known security professionals think it's actually dangerous. So, please remove that from your answer. You should also mention that Moxie worked for OpenWhisper. And that OpenWhisper don't have a usable iOS client. – anu May 21 '14 at 14:36
  • 30
    An update would be nice. Telegram responded to the linked blogs and it looks like a lot of accusations were based on an out-dated documentation or misunderstanding of it. They also adjusted rules for their hacking contest. Therefore this answer seems deprecated to me. – Christian Strempfer Aug 18 '14 at 11:54
  • 4
    The "Unhandled expression" article contains serious errors and is not a reliable source. Please consider not referencing it. An example of an error (out of many): "Encryption can happen end to end between clients, but there is no authentication, so the server can perform a MITM attack." http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-maths/ – Hello World Dec 08 '14 at 19:10
  • 3
    @JanDoggen Threema is "trust our closed code to be doing what it's claiming to be doing". – Hello World Dec 08 '14 at 19:12
  • 26
    Just found out that EFF has given 7/7 of it's secure messaging checklist to Telegram secret chat https://www.eff.org/secure-messaging-scorecard – Bibhas Mar 13 '15 at 11:34
  • 2
    @ChristianStrempfer Where is Telegram's reply? I can't find it on the blog. I'm really interested in seeing what they have to say. – Seth Aug 25 '15 at 00:59
  • 3
    @Seth: There are several answers on https://news.ycombinator.com/item?id=6916860. They also updated their [TechFaq](https://core.telegram.org/techfaq). Telegram is not as secure as some alternatives, but it is not insecure. Even in the blog post on alexrad.me it is estimated that full attack costs will be in tens of millions US dollars. That's enough for most users. If you're life is at risk, use another messenger. – Christian Strempfer Aug 25 '15 at 05:54
  • 9
    @Bibhas I have no idea where that figure is from but it’s pure fantasy. For instance, it credits Telegram with having an open, auditable source code. But only parts of the code are (still!) open, and (like in most/all other programs) there’s no verifiable build process. The EFF scoreboard a farce, really. “Points for trying (or pretending)” are nice and all but not an indicator of security. – Konrad Rudolph Nov 12 '15 at 22:31
  • 6
    So, more than a year later, the very insecure protocol and application is still not broken. :) – Apache Jan 14 '16 at 13:39
  • 6
    Why does this answer still list Cryptocat as a 'real secure alternative'? Given its [history](https://tobtu.com/decryptocat.php), that seems quite a dangerous recommendation. – Sven Slootweg Feb 15 '16 at 15:37
  • 2
    According to a [recently leaked documents](http://download.omroep.nl/nos/docs/110117_rusland-trump.pdf) ("COMPANY INTELLIGENCE REPORT 2016/080" page 6) post on [an NOS.nl article](http://nos.nl/artikel/2152420-russen-hebben-compromitterende-informatie-over-trump.html), Telegram is insecure: "His/her understanding was that the FSB now successfully had cracked this communications software". There are no details available yet about the validity of these claims. – Byte Welder Jan 18 '17 at 13:26
  • 3
    @Ken Van Hoeylandt [Read Telegram's response here.](https://motherboard.vice.com/en_us/article/this-is-how-russian-spies-could-crack-telegram) Allegedly, the weakness is not Telegram's encryption but the SMS auth. Which is easier: breaking a wall or opening a door with no lock? The Russian government was able to hijack SMS from Russian service provider MTS and takeover any account. The same attack was done in Iran and Germany. Everyone should stop using SMS. SMS is not secure. Anyone, even a teenager, can hijack SMS. – XP1 Mar 25 '17 at 23:56
  • @Bibbas The [EFF scorecard link has been moved](https://www.eff.org/pages/secure-messaging-scorecard) and it is worth noting it gave 7/7 to *Telegram (secret chats)*, not to *Telegram* standard chats. Furthermore, if we want to listen to EFF (and I'm not saying we shouldn't), then note they are not recommending any other messenger but Signal in their [security-self-defense how tos](https://ssd.eff.org/module-categories/tool-guides). – acorello Mar 07 '20 at 18:12
  • Unlike Signal, WhatsApp code is not open to independent review. This makes it less secure according to the EFF. Obviously that makes it possible for the FBI and NSA to work with Facebook to install back doors in WhatsApp, as it does with most other US app and hardware makers. – hobs Jun 09 '20 at 15:19
  • Also Signal is an open source volunteer project and pretty buggy and poor quality overall compared to the others. Their crypto may be theoretically invulnerable, but I don't know if I trust the app in practice. – endolith Jul 31 '20 at 06:47
  • @Apache How do you know? https://archive.vn/SIl9M – chefarov Nov 04 '20 at 11:41
  • 2
    WhatsApp privacy considered highly suspect. https://arstechnica.com/tech-policy/2021/01/whatsapp-users-must-share-their-data-with-facebook-or-stop-using-the-app/ – savolai ᯓ Jan 07 '21 at 09:34
  • 1
    I find "Math Ph.Ds are not cryptographers." to be very biased. On minimal to be cryptographer, you need to be beyond excellent on math. Everything is based on math. – Niklas Jan 16 '21 at 12:58
17

As the Telegram FAQ mentions, there is a 'secret chat' option that does not store chats on their servers.

As for the underlying question of, "does storing chats lower their security?" then that is something to consider. Chats being stored on the server does mean that copies can be made on the server for decryption later. This increases the exposure of the messages. Encrypting the messages means that there is a high cost to decrypt the messages, but there is still some exposure.

Taking this added exposure into account, the real question becomes (as it always does), "what are you protecting from?" If you are worried about secure communications in transit, then Telegram 'appears' to be more secure. If you're worried about secure communications at rest, then WhatsApp 'appears' to have a better model, except that none of it is encrypted.

The answer, then, is 'it depends on your focus', and encryption is better than non-encryption, and there is the Telegram's 'secure chat' option.

November 2015:

New research shows deep problems with the crypto: https://medium.com/@thegrugq/operational-telegram-cbbaadb9013a#.gb7od1j6i

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 2
    WhatsApp claims to be encrypted end-to-end using axolotl and it has been verified by WhisperSystems. It's closed source, so you have to trust WhatsApp/WhisperSystems. – JaviMerino Apr 27 '16 at 07:35
  • 4
    Too many people don't know what they are talking about. In the Medium article, it doesn't talk about "deep problems" with crypto. It just embeds a tweet from Matthew Green with a link to the protocol documentation. The rest of the article has nothing to do with crypto. I suggest you remove the link. – XP1 Apr 20 '18 at 12:54
  • 2
    A Medium article should be considered as authoritative as Buzzfeed. Typically, an opinion expressed on Medium.com yields the opposite of correct information. It cannot conclude a security assessment of Telegram. You can see that the very first sentence of that article exudes garbage. – groovenectar Jun 03 '19 at 15:34
16

EFF's Secure Messaging Scorecard currently rates "Telegram (secret chats)" with a 100% security rating. However, the software of the servers Telegram uses is not open; cf. the FAQ "Why not open source everything?"

WhatsApp was docked on the "Is the code open to independent review?" metric. Telegram is now completely open; source code here. Being open, you can verify for yourself that there is no back-doors which could possibly be in a closed app. WhatsApp is closed-source now that it's gone proprietary (Facebook bought it).

A good alternative is Tox or Signal, which is open and peer-to-peer / end-to-end encrypted only and received a high EFF rating.

Geremia
  • 1,636
  • 3
  • 19
  • 33
7

EFF compares all messenger apps and publishes the results in Secure Messaging Scorecard link.

note:EFF compares Telegram in secret chats mode with WhatsApp

EFF criteria are:

  1. encrypted messages in transit? both,telegram uses MTProto protocol and Whatsapp uses an undisclosed protocol
  2. encrypted so the provider can't read it?this criterion requires that all user communications are end-to-end encrypted. This means the keys necessary to decrypt messages must be generated and stored at the endpoints (i.e. by users, not by servers) telegram has this criterion but Whatsapp has not it
  3. can you verify contacts' identities? this criterion requires that a built-in method exists for users to verify the identity of correspondents they are speaking with and the integrity of the channel, even if the service provider or other third parties are compromised telegram has this criterion but Whatsapp has not it
  4. are past communications secure if your key are stolen? this criterion requires that the app provide forward secrecy telegram has this criterion but Whatsapp has not it
  5. is the code open to independent review? telegram has this criterion but Whatsapp has not it
  6. is security design properly documented? this criterion requires clear and detailed explanations of the cryptography used by the application telegram has this criterion but Whatsapp has not it
  7. has there been any recent code audit? this criterion requires an independent security review has been performed within the 12 months prior to evaluation both have it

finally,the result is that Telegram is more secure than Whatsapp

tanius
  • 105
  • 3
  • 1
    This does not add any information to the existing answers. And honestly it does not make much sense to compare to WhatsApp because it does not really have a focus on security. Just by comparing you also have not proven or disproven the security of Telegram. – John Mar 01 '16 at 20:00
  • 1
    @John plz see above link that EFF criteria are based on security and privacy and EFF cryptographers compare all messengers in these viewpoints –  Mar 01 '16 at 21:31
  • Yes I am aware. This was already posted by Bibhas in a comment Mar 15. See the comments under Terry Chia's answer. The comparison isn't really meaningful. – John Mar 01 '16 at 21:46
5

Besides the protocol issues, the app itself is not very secure. In February 2015, Zimperium published a detailed analysis of Telegram's local vulnerability, allowing the attacker to get full access to plain text messages.

Basically, even if the protocol was secure, the application itself isn't, becoming the weak link in secure communication.

According to Zimperium, the Telegram team has never responded to their vulnerability notification. It tells me something about their attitude to security in general, and goes in line, for example, with how they implement "secure chats": no desktop support, graphical-only fingerprint of the key, no possibility to simply enter the key.

texnic
  • 193
  • 1
  • 7
  • 9
    Messages are not encrypted in memory? If you want to display them on the screen you have to decrypt them, thus storing the string as plain text in memory. How does it make Telegram app not secure? – Buddy Nov 13 '15 at 20:44
  • 3
    Zimperium is a joke. Their "findings" are always useless. They literally do anything to get into the spotlight for a few seconds. Guess who hyped up Stagefright? Who poured so much money into useless vulnerabilities like this one? Yes, Zimperium. Oh and how many people got hacked using Stagefright? Like... 0.0000000...01%? Maybe? Researchers who followed the steps? || **I understand, mobiles are their business. But all they do is fearmongering, nothing else.** – Apache Jan 14 '16 at 13:51
1

According to the Jan. 2021 FBI Infographic re Lawful Access to Secure Messaging Apps Data (PDF), Telegram (along with Signal) are the most secure:

Jan. 2021 FBI Infographic re Lawful Access to Secure Messaging Apps Data

Geremia
  • 1,636
  • 3
  • 19
  • 33