Many people who focus on information security, including myself, have
long considered
Telegram suspicious and untrustworthy.
Now, based on findings
published by the investigative journalism outlet ISt
How would you use it if abandoning it is not an option, safety-wise, on android? Like, opening it in browser instead, killing app from the background, or using some app\tool? Not using it for anything sensitive is obvious.
What are other potential worms is in there you may think of? Recently, Yandex and Meta analytics tools got caught in sending browsing data to phone’s localhost - where their locally installed apps caught it and sent back home. If the FSB conection is that deep, there is no end to what they’d want to mine from users.
It’s not the first time I see your discovery shared and I want to thank you. It won’t completely disencourage people around me from using it but it’d pile up with other many reasons to do so. Someday there would be just enough of them, like it happened with VK, Facebook etc, I believe.
I do information security work, and I used to work closely with investigative journalists hailing from Russia, Kazachstan, Ukraine, and other places in that general area. Telegram is massively popular there. Because of this Telegram has been on my radar for a very long time as a serious security threat – not just because its protocol and management are suspect, there are plenty of other IMs like that, but also because of how many people I worked with had used it.
I’ve written about Telegram before, on amore general level (linked in the blog post), so when IStories reached out to me for comment on this it was a good inspiration to dive deeper.
How would you use it if abandoning it is not an option, safety-wise, on android? Like, opening it in browser instead, killing app from the background, or using some app\tool? Not using it for anything sensitive is obvious.
I would not use it. I refuse to accept that abandoning it is not an option. There are plenty of options. It’s always a decision one can make.
Please remember that even if hypothetically you could use it in a way that protects you from the spying – something I am very, very doubtful of! – the mere fact you are using it sucks other people into using it. You personally become one more reason for someone to start using or keep using Telegram. You personally become one more “user” of Telegram, justifying another media organization or NGO to set up or maintain a presence there – which in turn pulls in even more users into the dragnet.
In other words, your decision to use Telegram anyway, even though you know what the issues are, becomes one of the many things that make other people feel that “abandoning is not an option”. I refuse to be a part of that. The only thing I can recommend is to stop using it.
What are other potential worms is in there you may think of? Recently, Yandex and Meta analytics tools got caught in sending browsing data to phone’s localhost - where their locally installed apps caught it and sent back home. If the FSB conection is that deep, there is no end to what they’d want to mine from users.
I think this hits the nail on the head: If the FSB conection is that deep, there is no end to what they’d want to mine from users.
I don’t want to speculate. The possibilities are vast. But I will say what I said in the blogpost: Telegram is indistinguishable from an FSB honeypot.
I don’t trust Telegram the company, I don’t trust Telegram the software, I don’t trust MTProto. I certainly do not trust Pavel Durov. I don’t think we need to speculate on what more could possibly be hiding there, what is already known about Telegram should really be enough to stop using it.
Awesome analysis. Thank you!
I’m not the author. You can thank @rysiek@szmer.info for this amazing write-up
Heh, thanks. AMA I guess.
Not a question, but you’ve written some fantastic articles, thanks — I’ve added your website to my RSS feed!
Thank you, that’s really great to hear!
AMA is AMA
It’s not the first time I see your discovery shared and I want to thank you. It won’t completely disencourage people around me from using it but it’d pile up with other many reasons to do so. Someday there would be just enough of them, like it happened with VK, Facebook etc, I believe.
What have I done.
I do information security work, and I used to work closely with investigative journalists hailing from Russia, Kazachstan, Ukraine, and other places in that general area. Telegram is massively popular there. Because of this Telegram has been on my radar for a very long time as a serious security threat – not just because its protocol and management are suspect, there are plenty of other IMs like that, but also because of how many people I worked with had used it.
I’ve written about Telegram before, on amore general level (linked in the blog post), so when IStories reached out to me for comment on this it was a good inspiration to dive deeper.
I would not use it. I refuse to accept that abandoning it is not an option. There are plenty of options. It’s always a decision one can make.
Please remember that even if hypothetically you could use it in a way that protects you from the spying – something I am very, very doubtful of! – the mere fact you are using it sucks other people into using it. You personally become one more reason for someone to start using or keep using Telegram. You personally become one more “user” of Telegram, justifying another media organization or NGO to set up or maintain a presence there – which in turn pulls in even more users into the dragnet.
In other words, your decision to use Telegram anyway, even though you know what the issues are, becomes one of the many things that make other people feel that “abandoning is not an option”. I refuse to be a part of that. The only thing I can recommend is to stop using it.
I think this hits the nail on the head: If the FSB conection is that deep, there is no end to what they’d want to mine from users.
I don’t want to speculate. The possibilities are vast. But I will say what I said in the blogpost: Telegram is indistinguishable from an FSB honeypot.
I don’t trust Telegram the company, I don’t trust Telegram the software, I don’t trust MTProto. I certainly do not trust Pavel Durov. I don’t think we need to speculate on what more could possibly be hiding there, what is already known about Telegram should really be enough to stop using it.