Since its launch in 2013, Telegram has grown in popularity in the secure messaging category (its developers claim the app has over 200 million users), but not without controversy. In addition to technical questions about how safe it truly is for users counting on it to keep their messaging activity private, the app has been in the news for political reasons throughout the first half of 2018. The governments of Iran and Russia have banned Telegram for preventing them from accessing communications conducted on the app by their citizens and others inside their countries.
What is Telegram?
Telegram was designed to be a secure messenger that third parties wouldn’t be able to intercept.
Telegram, the app and non-profit company supporting it, was founded by brothers Nikolai and Pavel Durov. In 2006, Pavel Durov created a Facebook clone for Russia, VKontakte (also referred to as “VK”). After years of clashing with the Russian government over censorship issues on his social networking site, he and his brother fled Russia in 2013 for Buffalo, New York, where they started Telegram. VK is now purportedly owned by allies of Russian President Vladimir Putin.
The Durovs’ clashes over free speech with their home country’s government, and their living in exile in the U.S., helped to give their messenger an aura of authenticity. Telegram soon gained a following, perceived as a safe tool for activists and journalists for their sensitive communications.
How Telegram works
Telegram uses your smartphone’s phone number as your messenger ID. You can share documents and media files with other Telegram users. Messages and media can be set to “self-destruct” (delete) after they’ve been viewed by the recipient. An “unsend” function lets you delete a message within 48 hours after you’ve sent it.
The Telegram app is available for Android, iOS (iPad, iPhone), Linux, macOS and Windows. It also has a website version that you can use through most browsers.
Is Telegram secure?
Concerns about the security of Telegram were raised not long after its release.
By default, the app doesn’t encrypt communications end to end (e.g., between your phone and the phone of the person you are chatting with). You have to manually enable this feature, called Secret Chat. Otherwise, your chats will be saved on Telegram’s servers, which are in various locations throughout the world. The communication between the client (i.e., your phone or other device) and Telegram’s servers is encrypted, and your chat data stored on these servers is encrypted, supposedly.
The Telegram developers emphasize this is so that you can recover your chats should you lose your phone or other device. But why is letting your chat data be stored on their servers not offered as an opt-in, and encrypted end-to-end chatting not set as the default? Keeping your chat data stored on these servers has to be an expense for their non-profit company.
Experts in the encryption field have also questioned why Telegram uses a homegrown encryption protocol, called MTProto, when there are other freely available encryption protocols that have proven to be effective … and that have been vetted by independent experts.
(The Telegram website offers for download the purported source code for the desktop and mobile app versions of Telegram. The Telegram developers say this code allows researchers to evaluate the messenger’s encryption protocol.)
Why (and how) Russia blocked Telegram
The Russian government security agency, the Federal Security Service, ordered Telegram’s developers to turn over the encryption keys for Telegram’s MTProto protocol to them by April 4, 2018. Pavel Durov refused to comply. According to him, there were about 15 million users of Telegram in Russia.
The Russian Supreme Court then ordered Telegram banned in the country. Roskomnadzor (Russia’s equivalent of the U.S. FCC) ordered Russian ISPs to block the app. As of May 8, 2018, this has resulted in these ISPs blocking more than 10 million IP addresses. The blocklist grew this large to keep a workaround, domain fronting, from working for Telegram.
Generally speaking, domain fronting enables an app to connect to a blocked domain by appearing to connect to another domain that hasn’t been blocked. It is an unintended feature that has been exploited as a security flaw.
Amazon and Google disabled domain fronting from their services in April 2018 after the Russian ban on Telegram. It was reported they did so partly due to a request by the Russian government.
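An added illustration, not part of the original article: with domain fronting, the name visible on the wire is typically the TLS SNI, while the real destination is carried in the encrypted HTTP Host header, so a network that inspects TLS can compare the two. The record fields, addresses and domain names below are constructed assumptions.

```python
# Added example: compare the TLS SNI with the HTTP Host header in records
# from a TLS-inspecting proxy. Field names and sample data are constructed.

SAMPLE_RECORDS = [
    {"client": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"},
    {"client": "10.0.0.7", "sni": "cdn.example.net", "host": "blocked.example.org"},
    {"client": "10.0.0.9", "sni": "Static.Example.com.", "host": "static.example.com:443"},
    {"client": "10.0.0.9", "sni": "", "host": "api.example.com"},
]


def normalize(name):
    """Lowercase a hostname and drop any port or trailing dot."""
    name = name.strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        name = name[1:].split("]")[0]
    elif name.count(":") == 1:          # host:port
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")


def classify(record, allowed_pairs=frozenset()):
    """Return 'match', 'mismatch', 'allowed-mismatch' or 'incomplete'."""
    sni = normalize(record.get("sni", ""))
    host = normalize(record.get("host", ""))
    if not sni or not host:
        return "incomplete"             # nothing to compare (e.g. no SNI sent)
    if sni == host:
        return "match"
    # HTTP/2 connection reuse can legitimately send a Host that differs from
    # the SNI, so known-benign (sni, host) pairs are excluded from alerts.
    if (sni, host) in allowed_pairs:
        return "allowed-mismatch"
    return "mismatch"


def find_mismatches(records, allowed_pairs=frozenset()):
    """Records whose outer (SNI) and inner (Host) names disagree."""
    return [r for r in records if classify(r, allowed_pairs) == "mismatch"]


if __name__ == "__main__":
    for rec in find_mismatches(SAMPLE_RECORDS):
        print(rec["client"], rec["sni"], "->", rec["host"])
```

A mismatch is a lead for review, not proof of fronting, which is why the allow-list parameter exists.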
Telegram vs. WhatsApp: Secure messaging alternatives
In contrast to Telegram, all of these have encrypted end-to-end communications turned on by default. So your chat data is stored, and encrypted, only on your phone or other device that you’re chatting from, and not on a server. They use the Signal Protocol (developed by the Signal messenger developers), which has been approved by encryption experts and is available for the public to evaluate and freely use.