Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Evan Sultanik Profile picture
Evan Sultanik
@ESultanik
Ph.D. computer security researcher @TrailOfBits. Editor of and frequent contributor to #pocorgtfo. My CV is a PDF that’s also an NES ROM https://t.co/lDrC4Hz6AI

May 16, 2019, 15 tweets

Telegram is _never_ the solution. Friends don't let friends use Telegram. This'll be a thread!

Telegram does not provide end-to-end encryption of group chats, and it is disabled by default for two person chats. Anyone with admin access to a Telegram server can read all of your messages.

Telegram uses a proprietary messaging protocol that was not created by cryptographers. Parts of the protocol rely on SHA-1, which can nowadays be defeated relatively easily and cheaply: eprint.iacr.org/2019/459.pdf

Telegram's reliance on SMS for 2FA has made it vulnerable to SS7 attacks. news.softpedia.com/news/ss7-attac…

There have also been an embarrassing series of man-in-the-middle attacks, e.g., incibe.es/extfrontinteco…

Even with all of its optional security features enabled, Telegram leaks user availability information. This can be used to guess who is talking to whom. courses.csail.mit.edu/6.857/2017/pro…

Telegram's bot API is insecure and has been used to propagate malware: forbes.com/sites/kateofla…

The Telegram client is shipped as an obfuscated binary. Does anyone really compile it from source? No, they download it from an app store. Was that binary compiled from the open source codebase? No; the open source codebase lags behind in features.

Telegram's server code is closed source.

Until recently, an attacker on the network could surreptitiously reorder telegram messages. If someone asks, “Are you busy? Do you want to do crime with me?” an attacker could change your reply from “Yes” / “No” to “No” / “Yes”.

From that same paper: An attacker-in-the-middle — particularly, but not necessarily, if they have privileged access to the Telegram servers — can compromise the confidentiality and integrity of communication between users.

Here’s a less technical thread on the issues with Telegram:

Until very recently, Telegram allowed anyone to retrieve meter-accurate location data for arbitrary users. Telegram knew about this issue for at least a year but chose not to do anything about it. It wasn’t until recent public outcry over Ukrainian users that they addressed it.

Yet another way that Telegram leaks information about who talks to whom:

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling