Telegram is a messaging app that looks and feels a lot like WhatsApp, however, there are some very distinct differences. Telegram is available for every platform: iOS, Android, Windows Phone, PC, Mac, Linux, and a web version as well. It is cloud based so you can access your messages from multiple devices but also secure (server-client encryption is used in Cloud Chats for private and group chats, Secret Chats use an additional layer of client-client encryption). It is also faster, is open source, allows you to send any type of file without file size restrictions, allows up to 200 member group chats, allows you to create a username for search purposes, has a wonderful GIF search within the app, and is entirely free (no ads, no subscription fees).
Plus you get the cool Great Minds sticker set – what’s not to love? (Image may be clicked on to view a larger size). Click on the following links to get access to the version(s) you are interested in: Android, iOS, Windows Phone, PC, Mac, Linux, Mac OS X, and the web version.
Gadgeteer Comment Policy - Please read before commenting
honestly, without some true form of encryption KEY MANAGEMENT, client to client is only really going to be in transit encryption at best..and thats just a wrapper
I agree. Also, what’s the point in only encrypting certain conversations? And don’t get me started on Telegram’s cryptography. If you care about security, you want to use a messenger with proper encryption, like Threema or Signal.
Unfortunately, I do not know much (or rather anything) about encryption. But Telegram does have a link describing it (they put a lot of faith into it because they offered a $300,000 reward in the past for anyone who could break it). Here is the link describing the encryption:
https://core.telegram.org/mtproto
They also have an FAQ link for those who are technically inclined:
https://core.telegram.org/techfaq
Telegram uses some self-created cryptography; this is generally considered a bad idea (cf. Telegram’s Wikipedia article). Creating reliable cryptography is not exactly a trivial task, there’s no need to reinvent the wheel, and there are time-tested libraries that can be used. Threema, for example, deploys NaCl, an industry standard (open source).
And, again, why only encrypt _certain_ conversations?
I am unable to discuss much about encryption because of my unfamiliarity with it, but digging around in Telegram’s FAQ section they say that they encrypt ALL messages and files:
“WHILE ALL TELEGRAM MESSAGES ARE ALWAYS SECURELY ENCRYPTED, messages in Secret Chats use client-client encryption, while cloud chats use client-server/server-client encryption and are STORED SECURELY ENCRYPTED in the Telegram Cloud. This enables your cloud messages to be both secure and immediately accessible from any of your devices, you can also easily find them using server search — which is very useful at times.
The idea behind Telegram is to bring something more secure to the masses, who understand nothing about security and want none of it. Being merely secure is not enough to achieve this — you also need to be fast, powerful and user friendly. This allows Telegram to be widely adopted in broad circles, not just by activists and dissidents, so that the simple fact of using Telegram does not mark users as targets for heightened surveillance in certain countries.”
And I found this:
“Cloud Chats:
Telegram is a cloud service. We store messages, photos, videos and documents from your cloud chats on our servers, so that you can access your data from any of your devices anytime and use our instant server search to quickly access your messages from waaay back. ALL DATA IS STORED HEAVILY ENCRYPTED AND THE ENCRYPTION KEYS IN EACH CASE ARE STORED IN SEVERAL OTHER DCs IN DIFFERENT JURISDICTIONS. This way local engineers or physical intruders cannot get access to user data.
Secret Chats:
Secret chats use end-to-end encryption. This means that all data is encrypted with a key that only you and the recipient know. There is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages. We do not store your secret chats on our servers. We also do not keep any logs for messages in secret chats, so after a short period of time we no longer know who or when you messaged via secret chats. For the same reasons secret chats are not available in the cloud — you can only access those messages from the device they were sent to or from.”
And this:
“Our encryption is based on 256-bit symmetric AES encryption, RSA 2048 encryption and Diffie–Hellman secure key exchange. You can find more info in the Advanced FAQ.”
Please visit the FAQ links and advanced FAQ links to read much more information about Telegram’s security and encryption:
https://telegram.org/faq
https://core.telegram.org/techfaq#q-why-did-you-go-for-a-custom-protocol
Almost any messenger will encrypt messages in transit. The question is whether end-to-end encryption is deployed. Only this kind of encryption (Telegram calls it “client-client encryption” in the passage you quote) guarantees that only the indented recipient can read your messages. Unless you start a Secret Chat, Telegram can access any message in your conversation. If you use a secure messenger like Threema or Signal, on the other hand, anything you send (text messages, media files, whatever) will be end-to-end encrypted, making it impossible for the service provider to read or pass on your messages.
Look, nobody is really breaking TRANSPORT encryption anymore now with TLS2.0 and SSL X.0..prior versions, yes.. but it’s not really only about TRANSPORT encryption, it’s about local encryption and destination encryption and at their data center as it either passes through or resides there (get your files on the web!)..IF I CONTROL THE KEYS and SHARE MY PUBLIC KEY with a USER, then nobody else can see it, no way no how. But if it’s only truly encypted in transport, and if they maintain a “shared key” to decrypt, store, parse, then it’s certainly not really good encryption. Everyone always says “our encryption is strong our data centers are SECURE”, but that can mean that the door is locked and they trust their admins. The minute the stuff is at rest NOT ENCRYPTED or if the shared key is available to an admin, all bets are off IMHO.
With messengers i’m not firstly concerned with if my little babbles are encrypted (although i am). But i want to know what are they doing with the 150 conctacts they’re pulling from my phone?!?
A secure messenger includes definitely the policy of NOT downloading my address book to the server! Matching my buddies can be done without that (with hashes).
When a service which requires developers, administration, servers and communication is ENTIRELY FREE, I ask: How are they making money?