> Telegram stores all your contacts, groups, media, and every message you've ever sent or received *in plaintext* on their servers. [emphasis mine]
This implies they don’t use encryption “at rest” - unless I’ve missed something in their FAQ[0] (entirely possible, I’m far from an expert on cryptography), they seem to imply they do.
If it is indeed the case that they don’t encrypt data at rest, I can definitely see how that would be a problem.
If data is encrypted at rest though, I don’t see how any of that is fundamentally different from the other messengers I listed in the parent - the server still holds the keys, and thus must be a trusted party - but it’s nothing new.
Even if they store the data encrypted on their servers and hold the keys - it is not different from plaintext.
There's another thing. Some years ago the Russian FSB demanded encryption keys from Telegram, threatening to ban it in Russia, and publicly they refused to do that. But then somehow the FSB quietly dropped the case. The question is - why?
Ultimately what Moxie is doing here is disingenuous and an abuse of language to prop up his argument. He could have just stated the facts, but instead he's using propaganda to create fear in his audience. You can use correct language (messages are encrypted at rest) and still make the argument that Telegram does not use E2EE unless Secret Chats are turned on, but he doesn't do that.
Really poor behavior from a leader in this space.
The Russian FSB dropped the case because there was no way to block Telegram without collateral damage and most of the Russian population uses it, including politicians. There's no need to get "shadowy council" here, especially in light of Durov's quite public support for the Euromaidan protests that got him in such trouble with VK.
If this is the first place your head goes, I don't know what to tell you except perhaps that this paranoia exhibited from the security community is often not rational, and frequently resorts to takes-no-prisoners stakes.
Here's an article [1] that goes over the attempts at blocking Telegram after the FSB demanded the encryption keys and was denied, and the collateral damage that resulted from Roskomnadzor attempting to enforce that ban.
I ran this by my Russian friend and he confirms TJournal is reputable. However, he also cautioned against believing a known propagandist, deputy Matveychev, who made these claims. And toward the bottom of the article you sent:
"A source close to the creators of the messenger, however, doubted the deputy’s statement: when asked what Telegram thinks about Matveychev’s statement, he replied: 'Clowns.' This was reported in the online publication 'Durov's Code'."
It's difficult to believe that Durov, who was driven from Russia and from his first company for refusing to hand over information on Euromaidan protesters, would so jeopardize the trust he's built over the last decade by allowing hardware backdoors.
All this about him refusing to co-operate is just Durov's words. So you choose to trust him for some reason. But that's not how security works. The zero-trust security model exists for a reason. Moxie is right, Telegram is not secure.
From how I understood it, they weren't able to properly block it. Or at least that is the official story. I'm skeptical about this whole ordeal, though.
Edit: An article about it says[0]:
> Russia on Thursday lifted a ban on the Telegram messaging app that had failed to stop the widely-used programme operating despite being in force for more than two years.
> Some Russian media cast the move as a capitulation, but communications watchdog Roskomnadzor said it had acted because the app’s Russian founder, Pavel Durov, was prepared to cooperate in combating terrorism and extremism on the platform.
> Even if they store the data encrypted on their servers and hold the keys - it is not different from plaintext.
That's the important point. Encryption at rest is little more than a marketing gimmick if the same entity also has the key.
Edit: also, Telegram is hoarding this data and nothing prevents them from using it for financial gain in the future. Or selling it/themselves to someone who does.
Better to be safe and not give this data to intermediaries. Signal does the right thing here.
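The point this comment makes (a key the operator holds makes "encrypted at rest" equivalent to plaintext the moment the operator is compelled or compromised) as an added worked example; it is not from this thread and does not describe Telegram's or Signal's actual code. It models two hypothetical storage designs in Python, with a toy SHA-256 keystream standing in for whatever real cipher a service would use; `ServerSideAtRest`, `EndToEndRelay`, the client helpers and the sample message are all constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || nonce || offset) blocks XORed into data.

    Unauthenticated and illustrative only; the question this example asks is
    who holds `key`, not which cipher is used. XOR is symmetric, so the same
    call both encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


@dataclass
class StoredMessage:
    nonce: bytes
    ciphertext: bytes


@dataclass
class ServerSideAtRest:
    """Design 1 (hypothetical): the server encrypts at rest with a key it owns.

    This is what an 'encrypted at rest' claim usually means: the disk is
    protected, but the same operator holds the key.
    """
    storage_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    store: list = field(default_factory=list)

    def receive(self, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(16)
        self.store.append(StoredMessage(nonce, keystream_xor(self.storage_key, nonce, plaintext)))

    def compelled_disclosure(self) -> list:
        # A legal demand, an insider, or a server compromise all end up here:
        # the key is available, so the whole store decrypts on request.
        return [keystream_xor(self.storage_key, m.nonce, m.ciphertext) for m in self.store]


@dataclass
class EndToEndRelay:
    """Design 2 (hypothetical): clients encrypt with a key the relay never sees."""
    store: list = field(default_factory=list)

    def receive(self, blob: StoredMessage) -> None:
        self.store.append(blob)

    def compelled_disclosure(self) -> list:
        # No key on the server side: the most it can hand over is ciphertext.
        return [m.ciphertext for m in self.store]


def client_encrypt(shared_key: bytes, plaintext: bytes) -> StoredMessage:
    nonce = secrets.token_bytes(16)
    return StoredMessage(nonce, keystream_xor(shared_key, nonce, plaintext))


def client_decrypt(shared_key: bytes, msg: StoredMessage) -> bytes:
    return keystream_xor(shared_key, msg.nonce, msg.ciphertext)


def demo() -> dict:
    """Run both designs through the same compelled-disclosure scenario."""
    msg = b"meet at 10, bring the documents"  # constructed sample message

    at_rest = ServerSideAtRest()
    at_rest.receive(msg)
    disclosed_at_rest = at_rest.compelled_disclosure()

    # Key shared by the two clients (e.g. from a key agreement) and never sent to the relay.
    shared_key = secrets.token_bytes(32)
    relay = EndToEndRelay()
    relay.receive(client_encrypt(shared_key, msg))
    disclosed_e2ee = relay.compelled_disclosure()

    return {
        "at_rest_reveals_plaintext": msg in disclosed_at_rest,
        "e2ee_reveals_plaintext": msg in disclosed_e2ee,
        "recipient_can_read": client_decrypt(shared_key, relay.store[0]) == msg,
    }


if __name__ == "__main__":
    print(demo())
```

The two designs store bytes that look identical on disk; the only difference is where the key lives, which is exactly why "encrypted at rest" on its own says nothing about what the operator can be made to hand over.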
[0] https://core.telegram.org/techfaq#q-how-does-server-client-e...