Is it possible to ensure absolute communication anonymity nowadays? This issue became even more topical after Snowden’s disclosures. It is security concept which Pavel Durov kept in mind when creating anonymous Telegram with his brother Nikolai. According to the statement made by the developers, the given messenger is able to provide security both from ordinary hackers and the actions of government intelligence agencies. But is it real state of things? Let’s figure it out below.
Basic information security parameters
The application is based on the innovative development – it is the MTProto protocol which involves the usage of several encryption protocols. The following algorithms are used for data security:
DH-2048, RSA-2048 (for authorization and authentication);
AES (for the forwarded messages);
SHA-1, MD5 (cryptographic hash algorithms).
During transmitting the messages, the encryption is performed by means of the AES algorithm with a key known to the client and the server. At the same time, the protection from message interception by the server is ensured only in a special anonymous Telegram mode called Secret Chats where the participants have a common key known only to them. In contrast to a standard mode, End-to-End encryption excludes the possibility of message decryption and conversation history is stored only on the users’ devices.
Organization of flaw-seeking contests
Since this anonymous messenger entered the market (August 2013), its developers and Pavel Durov in particular have started organizing the contests among cryptography experts in order to reveal security flaws.
The first of its kind project was taking place in late 2013. The task of the contestants consisted in decrypting Pavel Durov and his brother’s conversation in a secret chat by using encrypted data exchange between the server and the application. In just a few days after starting the contests, one of the participants managed to find a system flaw. The point is that a user received the parameters for a key from the server without verification. Such bug reduced cryptographic integrity and allowed executing a hidden MITM attack. Although that person failed to decrypt the conversation between Pavel and Nikolai, he was paid one half of a fee, 100 thousand dollars in particular.
Regardless of the developersʼ sociability and striving to reveal security flaws by combined efforts, lots of experts are skeptical about such contests. The absence of the winners is not yet a guarantee of absolute security, as the conditions are set by a developer but the analysis is frequently carried out by random people. Besides, 200 thousand dollars is a small sum of money for cryptography experts, so it is unlikely that the best representatives take part in such contests.
Does anonymous Telegram allow ensuring complete communication security?
The basic argument of the opponents of the given application consists in binding a user to his phone number. The question at issue is whether this messenger can be considered anonymous if the server contains telephony data which can tell practically everything about a person, including the following information:
exact geographic coordinates;
personal data, etc.
Authentication is carried out by means of a text message where a one-time login verification code is indicated. The absence of a password is even more alarming. In other words, it is enough for the user to enter a code from the message in order to log in. The service is characterized by lots of complicated encryption algorithms but it has no elementary password. Thus, it is possible to sign in to the client’s account by means of text message interception (which is not a matter of extreme difficulty for intelligence agencies).
Surely, information storage on the protected US server platforms provides the users with some guarantee. However, the sheer fact that personal information of a client may become available to a third party contradicts the idea of absolute anonymity. Furthermore, the recent events in the USA (when an email account owned by Hillary Clinton, a presidential hopeful, was hacked due to hacking attack) are indicative of vulnerability of modern computer security systems.
Without a doubt, Telegram has complex encryption algorithms which allow achieving a high level of data security when communicating in secret chat mode. At the same time, the phone number binding does not allow talking about absolute security and confirming that information will not be accessible to third parties as a result of hacking attack.
In summary: is it worth using the given application? It is a perfect variant for those users who want to get a quick and convenient service for the purpose of private communication. However, when it comes to people with paranoid frame of mind who want to be certain of absolute conversation and personal data security, Telegram cannot guarantee this. It is another matter that the existence of any other messenger providing such guarantees remains doubtful today.