Telegram responds to WhatsApp allegations

Telegram spokesperson Remi Vaughn reached out to us to refute claims by Wired and WhatsApp head Will Cathcart about the security of the popular chat app. According to Vaughn, the Wired article contains many errors and the editorial team ignored comments and responses from Telegram, which in turn mislead Cathcart.

Telegram has compiled a list of 9 errors in the Wired article, which you can find over on telegra.ph (a minimalistic publishing tool by Telegram). The post ends with “This list is being expanded”.

This post addresses various claims in the Wired article, including the one about location tracking – this is only possible if the user explicitly makes their location publicly visible, which only 0.01% of users have done, writes Telegram.

A visualization of the MTProto 2.0 protocol

As for the privacy of secret chats, Vaughn points out that Cathcart is wrong about Telegram’s End To End Encryption (E2EE) protocol not being independently verified. A team from Italy’s University of Udine has verified the MTProto 2.0 protocol used by Telegram for securing its chats – you can find their paper here (PDF).

Note that this is a verification of the protocol rather than a specific implementation. But Telegram’s app is open source and has used reproducible builds since version 5.13. “Reproducible builds” means that you can compile the publicly available source code and verify that the resulting machine code is identical to the one hosted on the Apple App Store, Google Play Store and Telegram’s own website. Telegram servers are not open source, though the Udine team also verified the MTProto 2.0 protocol in the presence of malicious servers.

They do point out one problem that could break the security of secret chats – when starting a secret chat, it is vital for the user to check the fingerprint of the authentication keys through a safe external channel. Otherwise, man-in-the-middle attacks are possible (i.e. a third party eavesdropping on and possibly even altering messages). The researchers point out that such user error is possible when using the Signal app as well.

Creating a secret chat and verifying the encryption key

So if you’re using either app, make sure to properly check the fingerprint – a secret chat isn’t truly secret until you do and you can’t use the same or other unsecure chat to check that the fingerprint matches.