> They are stored in plaintext on telegram servers
FYI, this is a totally misleading and false claim.
Telegram uses the MTProto 2.0 Cloud algorithm for non-secret chats[1][2].
In fact, it uses a split-key encryption system and the servers are all stored in multiple jurisdictions. So even Telegram employees can't decrypt the chats, because you'd need to compromise all the servers at the same time.
Telegram's algorithm has been independently audited multiple times. Compared to other apps like WhatsApp with claims of E2EE and no body of verification and validation.[3]
> So even Telegram employees can't decrypt the chats
I very much doubt that. If Durov wanted to, they could decrypt all of those messages.
That fancy encryption system is worthless when someone can hijack the session of any of the users in a chosen group. This is a risk in many crypto messengers, but those usually come with optional key verification whereas Telegram doesn't have that outside of encrypted one-on-one chats.
This is likely why they grabbed Durov, he has the keys to the kingdom. Telegram is a remarkably small company and not an 800lb gorilla and it would be very easy for him to provide whatever they need if he folds.
Because of the nature of the encryption, it allows more convenience compared to WhatsApp and Signal. For example, on Telegram you can (and we do) have a million people in a group without exposing their phone numbers. This has proven itself to be extremely useful to protestors. Signal failed massively, you couldn't add too many people and you always had the risk of exposing the phone numbers.
Along with that, you can use Telegram on as many devices as you want. The chats instantly appear after login. WhatsApp and Signal both are lacking here.
So there are always tradeoffs when it comes to encryption and convenience.
Telegram's focus has been on the convenience side and providing assurance using a clean record of protecting user-data from governments, which is why Telegram was created in the first place.
Can the encryption be improved? Of course yes! I'd love to! But I think much of the criticism by the WhatsApp loving crowd is not only disingenuous, but also harmful.
I agree, that is very convenient.
Also for the secret police officer..
I use Telegram as social media, but I really would not use it to organize a protest somewhere. Then the whole safety depends on whether Durov made a deal with the secret police, or them infiltrating the servers to know everything about anyone involved. What they liked at what time, what pictures they shared, etc.
That’s my concern as well, maybe none of the devs have the capability, but if -anyone- does it’s Durov, so why not just grab him under false pretenses and throw the book at him, trying to scare him into compliance with anything they want or face the rest of his life in the worst French prison they can find for him.
Unless I’m missing something, your MTProto link only covers transport level encryption not storage.
It doesn’t include E2E encryption in the scheme only client to server.
Whether the server stores it as plaintext or not, is moot to the point of having telegram itself be able to see the chats because they hold the encryption keys of the server and therefore can be made to comply with legal requests.
The person you replied to may be incorrect on the aspect of plain text but imho they’re right that it’s not really relevant in this context.
Encrypted storage would be relevant for the case where a server is compromised by a hacker.
I can't open the telegram.com links, blocked at work :/
But the Arxiv paper says:
"We stress that peer clients never communicate directly: messages always go through a server, where they are stored to permit later retrieval by the recipient. Cloud chat messages are kept in clear text, while secret chat messages are encrypted with the peers’ session key, which should be unknown to the server."
So it doesn't appear to be encrypted-at-rest, but without reading the telegram documentation I can't verify that.
This rebuttal makes no sense to me. What you cite is about transport encryption. App -> Server. The end of the process is that the receiver (Telegram servers) receives a decrypted (plaintext) message, just as kelsey98765431 is saying.
> Compared to other apps like WhatsApp with claims of E2EE and no body of verification and validation.
We do have at least some empirical evidence that WhatsApp is properly encrypted. WhatsApp's cryptography has made judges in my country foam at the mouth with rage so hard they ordered retaliatory nationwide blocks of the service at least twice.
People are right to distrust Meta but I for one am glad that everyone I know is using WhatsApp. I also have Signal and Matrix but a grand total of zero people message me through those.
> We do have at least some empirical evidence that WhatsApp is properly encrypted
So do we. Telegram's MTProto 2.0 has been audited multiple times by independent researchers, compared to WhatsApp's closed-source claims of E2EE.
I'd rather trust a company with a proven track record of no security incidents and fight for user privacy than a corporation which lies through its teeth time and again.
What is stopping Telegram from signing in as you and reading all of your past messages by changing how the authentication logic is handled for specific targeted users? Not saying they have done this, but they obviously could.
We can agree on the statement "Telegram does not cooperate with law enforcement authorities".
This is however something completely different from and largely orthogonal to "Telegram does not have access to their users' message contents".
The fact that they are consistently claiming the former and the latter makes them seem extremely untrustworthy to me.
Gaining my trust requires truthfulness and transparency about the capabilities and limits of a service provider's technology (but of course is in no way sufficient).
> FYI, this is a totally misleading and false claim.
No, you seem to have in fact fallen for Telegram's continuous intentional misinformation.
The only thing that matters for whether we can call something "encrypted" or "plaintext" (or more precisely, "end-to-end encrypted" vs. "storage encrypted at rest" or "encrypted in transit" etc.) is whether they, the service providers, can access it themselves.
Would you argue they can't? And if so, how come I can log in to my Telegram account using only SMS verification and access my old messages?
[1]: https://core.telegram.org/mtproto#general-description
[2]: https://core.telegram.org/mtproto/AJiEAwIYFoAsBGJBjZwYoQIwFM...
[3]: https://arxiv.org/pdf/2012.03141