Also: Telegram’s encryption is fake. Consider moving your people to SimpleX.
4 Likes
about telegram
2 Likes
Yes. Exactly what @newqube just posted.
1 Like
Should I ask about why not Signal?
or why you say Telegram has fake encryption?
1 Like
Telegram’s MTProto: Assessing Deanonymization Potential for a Network Attacker
Dr. Nadim Kobeissi
Symbolic Softwar
This report presents a technical assessment of Telegrams MTProto protocol,
focusing on the privacy implications of its transport layer design. We examine
the persistent device identifier (auth_key_id) that appears in every MTProto
message header and investigate whether this identifier is exposed to passive
network observers through Telegram’s transport protocol choices.
Our analysis reveals that both Telegram for Android and Telegram Desktop
transmit MTProto over unencrypted TCP connections, exposing the auth_-
key_id to passive observation despite the availability of encrypted transport
alternatives. This 64-bit identifier remains constant across application restarts,
network changes, and extended time periods, enabling device tracking by any
network intermediary positioned between client and server.
We evaluate claims from public reporting about these vulnerabilities, finding
the core technical assertions regarding auth_key_id exposure and tracking ca-
pability to be accurate and reproducible. The exposure affects all Telegram
users including those using end-to-end encrypted Secret Chats, as the vulner-
ability occurs at the transport layer beneath the application-layer encryption.
The implications extend beyond theoretical concerns. The exposure ofpersis-
tent device identifiers through unencrypted transports enables tracking that
persists across network changes, undermines anonymity tools, and creates
surveillance opportunities for a broad range of adversaries including ISPs,
netivork administrators, and state-level actors. This is particularly significant
given Telegrams adoption by journalists, activists, and other high-risk users.
We conclude that this vulnerability results from Telegram’s architectural de-
cision not to mandate transport-layer encryption, despite this being standard
practice among competing platforms. The technical solution—implementing
mandatory TLS for all MTProto connections—would eliminate the tracking
capability while requiring minimal implementation changes. Until such mea-
sures are implemented, Telegram bears responsibility for the privacy implica-
tions of exposing persistent device identifiers to netivork observers.
1 Like
1 Like
I moved off-topic messages about Telegram encryption to their own topic and I’m closing it because it has no relation to Qubes OS.
1 Like