1

In a Telegram public channel, all messages are public, sent by the channel creators and contain a timestamp. Suppose I am an ISP. Can I analyse the traffic of all my clients and decide if they are sending a Telegram message? (assume they don't use Tor or VPN)

If so, I can look at the timestamp of all messages ever published by a public channel, and decide which of my clients sent Telegram messages at roughly the same time. Combined with other information, I may be able to deanonymize the channel creators. Does my attack work for a well-funded adversary?

More background

I am mostly interested in the case of living under an authoritarian government, where legal barriers don't apply and ISPs are required to cooperate with the police department and intelligence agency.

How would you deanonymize channel creators if you were an authoritarian government?

user241830
  • 13
  • 3
  • Maybe even VPN/Tor can be deanonymized like that based on timing (you just have to potentially treat even more data, including also the non-Telegram data). Websites should really have coarser timestamps/allow delayed posting. – Ciro Santilli OurBigBook.com Feb 10 '21 at 14:00

1 Answer

0

Probably not

The attack is sound in theory: you check everyone who sent Telegram messages at that time and correlate based on timestamp and/or size.

The hurdles you have are:

  • Many people would be sending Telegram messages around that time (it is a popular service; the correlation would be much better if there were few users connected and apart)
  • Messages are tiny. Uploading a video would produce a bigger signal, but sending a few words would probably be noise amongst the padding blocks. Pretty much everyone will be sending the same amount of traffic
  • Moreover, it could probably be confused with traffic received from telegram (sending a small message vs asking the server if there are pending messages to download¹ or a "message received/seen" reply)
  • Telegram attempts to hide its entrypoints as part of its efforts to avoid being blocked. You might not be sure if certain requests are going to Telegram or not.
  • You have a partial view of the network. Maybe you are a big ISP, and have 5 users that were sending Telegram messages within ±3 seconds of the reported time. But you won't know if it was sent by someone else. Maybe someone using a VPN or living on the other side of the world.

It would work best if you already had one (or maybe a handful) suspects, and then restricted that based on that network data. If you have external evidence that this channel is owned by Alice or Bob, and you are able to snoop on the connections of both of them, I think you could determine which of them is the channel owner quite easily with a few datapoints.

On the other hand, as a generic fishing system, it would be much more complicated. You would need to take into account the legislation you are working with, though. In many countries, it would be illegal to deanonymize the user (lacking a warrant or their consent). While others wouldn't mind jailing and beating the 50 people that were connected to Telegram around that time to discover which of them were at fault (in addition to grabbing and analyzing their phones).

¹ Note: Some Telegram clients can use the system native messaging (like Google Cloud Messaging) to be woken when there are messages to retrieve, but other builds use polling.

Ángel
  • 17,578
  • 3
  • 25
  • 60
  • Thanks for the response! I'm mostly interested in the case of living under an authoritarian gov, where legal barriers don't apply & ISPs are required to coop. The tech barriers you described (popularity of Telegram, tiny size of most msgs, confusion w/ other requests) seem very real to me. For identifying entry points, isn't it possible to just run Telegram and observe which IPs it connects to? https://security.stackexchange.com/questions/111961/filtering-telegram-traffic I edited the question to include more background. How would you deanonymize channel creators if you were an authoritarian gov? – user241830 Aug 27 '20 at 22:51
  • "For identifying entry points, isn't it possible to just run Telegram and observe which IPs it connects to?" It isn't _that_ simple. Telegram has played cat-and-mouse with Russia for months over that. I recommend opening a new question for that – Ángel Aug 28 '20 at 21:46
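To make the answer's "how many users are indistinguishable" point concrete, here is a small simulation (added example, not code from the question or answer) that intersects, post by post, the set of users with an outbound flow near each channel timestamp. All post times and per-user flow times are constructed; the `window` parameter models how precisely the channel's timestamps can be matched, so widening it also shows the effect of the coarser or delayed timestamps suggested in the comment on the question.

```python
from typing import Dict, List, Set

# Constructed channel post times (epoch seconds), as read from the public channel.
POSTS = [1_000_000, 1_000_600, 1_001_900, 1_003_300]

# Constructed per-user times of outbound flows towards Telegram, as an ISP
# might see them. "owner" uploads just before every post; the others are
# ordinary users who happen to be chatting around the same time.
FLOWS: Dict[str, List[int]] = {
    "owner": [999_998, 1_000_599, 1_001_897, 1_003_299],
    "alice": [999_999, 1_000_590, 1_001_950, 1_004_000],
    "bob":   [1_000_001, 1_000_603, 1_001_901, 1_003_290],
    "carol": [1_000_300, 1_000_602, 1_001_000, 1_003_301],
    "dave":  [999_997, 1_002_500, 1_003_302],
}


def active_users(post: int, flows: Dict[str, List[int]], window: int) -> Set[str]:
    """Users with at least one outbound flow within +/-window seconds of `post`."""
    return {u for u, ts in flows.items() if any(abs(t - post) <= window for t in ts)}


def candidate_sets(posts: List[int], flows: Dict[str, List[int]], window: int) -> List[Set[str]]:
    """Candidate set after each successive post.

    The channel owner must have been active at every post, so the per-post
    active sets are intersected. The size of each set is the number of users
    the ISP cannot tell apart at that point; more posts shrink it, a wider
    window (coarser or delayed timestamps) keeps it larger.
    """
    remaining: Set[str] = set(flows)
    history: List[Set[str]] = []
    for p in posts:
        remaining = remaining & active_users(p, flows, window)
        history.append(set(remaining))
    return history


if __name__ == "__main__":
    for w in (3, 60):
        sets = candidate_sets(POSTS, FLOWS, w)
        print(f"window +/-{w}s: sizes {[len(s) for s in sets]}, final {sorted(sets[-1])}")
```

With the constructed data, a 3-second window isolates "owner" after four posts, while a 60-second window still leaves two users indistinguishable.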