Evan Sultanik
May 16, 2019 (15 tweets)
Telegram is _never_ the solution. Friends don't let friends use Telegram. This'll be a thread!
Telegram does not provide end-to-end encryption of group chats, and it is disabled by default for two-person chats. Anyone with admin access to a Telegram server can read all of your messages.
Telegram uses a proprietary messaging protocol that was not created by cryptographers. Parts of the protocol rely on SHA-1, which can nowadays be defeated relatively easily and cheaply: eprint.iacr.org/2019/459.pdf
Telegram's reliance on SMS for 2FA has made it vulnerable to SS7 attacks. news.softpedia.com/news/ss7-attac…
There has also been an embarrassing series of man-in-the-middle attacks, e.g., incibe.es/extfrontinteco…
Even with all of its optional security features enabled, Telegram leaks user availability information. This can be used to guess who is talking to whom. courses.csail.mit.edu/6.857/2017/pro…
Telegram's bot API is insecure and has been used to propagate malware: forbes.com/sites/kateofla…
The Telegram client is shipped as an obfuscated binary. Does anyone really compile it from source? No, they download it from an app store. Was that binary compiled from the open source codebase? No; the open source codebase lags behind in features.
Telegram's server code is closed source.
Until recently, an attacker on the network could surreptitiously reorder Telegram messages. If someone asks, “Are you busy? Do you want to do crime with me?” an attacker could change your reply from “Yes” / “No” to “No” / “Yes”.
From that same paper: An attacker-in-the-middle — particularly, but not necessarily, if they have privileged access to the Telegram servers — can compromise the confidentiality and integrity of communication between users.
Here’s a less technical thread on the issues with Telegram:
Until very recently, Telegram allowed anyone to retrieve meter-accurate location data for arbitrary users. Telegram knew about this issue for at least a year but chose not to do anything about it. It wasn’t until recent public outcry over Ukrainian users that they addressed it.
Yet another way that Telegram leaks information about who talks to whom:
