Cryptographic vulnerabilities and security arguments for Telegram

Researchers from the Applied Cryptography Group at ETH Zürich are part of a team that recently published a research paper investigating the security of Telegram, a popular “messaging app with a focus on security and speed” that claims to offer “heavily encrypted” messaging (citing, visited on 02.08.2021).

Unlike other messaging apps such as Signal or WhatsApp, Telegram does not use “end-to-end” encryption between users by default, but rather trusts its servers to handle messages in plaintext. The encryption guarantees provided to users in this default scenario therefore hold only between the user’s client and the Telegram servers. Here, instead of relying on publicly scrutinized standard protocols such as TLS, Telegram’s developers deploy their in-house protocol, MTProto 2.0.

In their recent publication to appear at IEEE S&P 2022, Albrecht, Mareková, Paterson and Stepanovs investigate the security provided by MTProto in the same security model used when evaluating TLS. The authors find a variety of vulnerabilities, but also manage to provide a proof of security of a slight variant of MTProto (once the vulnerabilities are patched), albeit under some unusual assumptions about the building blocks of the protocol.

A press release from ETH Zürich on the content of this work can be found here, while an approachable yet detailed description of their work and the extent of its implications, and the paper itself, can be found here.