
This is effectively plaintext, in that one entity has all of those secrets for everyone. That's one entity to subpoena.

If that entity doesn't comply, governments will get upset and charge your executives with crimes if they get the chance.

Different jurisdictions make it harder to kick down the doors and get the keys, but it doesn't change the fundamental problem.

"Nuh-uh, I put all those records in a box in Switzerland, you can't have them" does not work well for US citizens, unless the government fails to even notice the box.



This is such an ignorant comment I am really disappointed at reading this here.

Besides the protocol used by Telegram being publicly available so you can easily confirm in 5 minutes that what you're saying is completely wrong, but you're also saying that law enforcement can totally see all those plain text messages hosted by Telegram, yet they choose to be really upset about it anyway despite it being, according to you, the best possible honeypot ever created with all criminal activity readily available for their perusal. Why, I ask you, would law enforcement want to stop such an app??? They would be completely silent about it and enjoy catching all criminals in it who are "ignorantly" thinking their messages are safe, wouldn't they??

Given the amount of baseless comments like yours on this topic, I can only imagine there's a concerted effort here to misinform everyone to make Telegram look bad so actual criminals move away from it to some more law enforcement-friendly platform. I have conflicting feelings about that, as perhaps the intention is noble, but I can never agree with misleading people by spreading misinformation and plain lies.


Law enforcement totally could see all those plaintext messages, if Telegram would honor their requests. But they don't, hence their CEO is being detained.

That's a position he knowingly and willingly maneuvered himself into. Compare that with e.g. the way Signal answers subpoenas: https://signal.org/bigbrother/

> Besides the protocol used by Telegram being publicly available so you can easily confirm in 5 minutes that what you're saying is completely wrong

There's absolutely no need to analyze the protocol, since you can just perform a high-level mud puddle test [1], and Telegram fails it. I've tried this myself.

[1] https://blog.cryptographyengineering.com/2012/04/05/icloud-w...
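
The mud puddle test mentioned in the comment above, modelled as an added example (not part of the thread, and not any messenger's real code): if a fresh device holding no user secret can recover the history from provider-side state alone, the provider can read it too. `Provider`, `send_cloud`, `send_e2e` and `mud_puddle` are hypothetical names, and the SHA-256 keystream plus HMAC is a toy stand-in for a real AEAD cipher.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, msg):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Provider:
    """Constructed model of a server: stores blobs, and keys only if given them."""
    def __init__(self):
        self.blobs, self.keys = {}, {}

def send_cloud(p, account, msg):
    # Server-managed key: encrypted at rest, but the key lives with the provider.
    key = p.keys.setdefault(account, os.urandom(32))
    p.blobs.setdefault(account, []).append(seal(key, msg))

def send_e2e(p, account, msg, device_key):
    # The key stays on the endpoints; the provider stores ciphertext only.
    p.blobs.setdefault(account, []).append(seal(device_key, msg))

def mud_puddle(p, account):
    """Old device destroyed, no user-held secret: recover history using
    provider-side state only. Returns the messages, or None if impossible."""
    key = p.keys.get(account)
    if key is None:
        return None
    return [unseal(key, b) for b in p.blobs[account]]
```
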


Yes, the data is encrypted in transit. But Telegram can decrypt the data.

We can see that's true, because when I add a new device I can get into all my group chats.

Only if I explicitly "Start secret chat" does something else happen.

Telegram is sitting on a lot of group chats where a lot of horrible things are happening that governments want to see... and gets upset when Telegram doesn't use this access to share that information in response to lawful orders.

> I can only imagine there's a concerted effort here to misinform everyone

Assume good faith-- it's in the guidelines. I have been here just as long as you. I am not part of some shadowy conspiracy to make people think that Telegram security is bad.

I feel like people just don't understand the term of art "effectively plaintext".

Alternatively, if you thought I was talking about secret chats in general-- note that we are in a subthread talking explicitly about channels and non-secret chats:

"For those unaware, all channel on telegram are NOT ENCRYPTED. They are stored in plaintext on telegram servers. All chats that are not 'secret chat' mode (single device to single device) are NOT ENCRYPTED (stored in plaintext on server)."


> This is effectively plaintext

Everything's effectively plaintext then.

Plaintext: refers to data that is transmitted or stored unencrypted. None of which Telegram does.


Data that is transmitted or stored along with the keys is effectively plaintext, which Telegram does. The data is effectively plaintext on my device, at Telegram, and on the group members' devices, even if it is not plaintext in-between.

Data I send to a website over TLS is effectively plaintext on my computer and on the other side; in transit, it is not.

It all comes down to your threat model. Encryption does not protect information from entities who hold the keys to decrypt that information.


> stored along with the keys

It's not. They use a split-key encryption system so it's not exactly the same as storing the keys where the data is.

> It all comes down to your threat model. Encryption does not protect information from entities who hold the keys to decrypt that information.

I agree, which is why I'll say that the bottom line is:

Are auditable E2EE algorithms stronger in security than cloud encryption? Yes. Is MTProto 2.0 Cloud Encryption plaintext? No.


> It's not. They use a split-key encryption system so it's not exactly the same as storing the keys where the data is.

Yes, again, it all comes down to your threat model. No one can kick down the door and get to the keys.

But Telegram can get to all the keys, and thus can be legally expected to. The data is effectively plaintext to Telegram.

> Is MTProto 2.0 Cloud Encryption plaintext? No.

Just to note: "effectively plaintext" has been in use for a couple of decades as a term of art. We don't say it's plaintext, because it's not. It means there are effectively no security properties lent by the encryption.

For example, my web browser encrypts a few passwords for me and stores them on disk, but doesn't need a cryptographic secret from me to decrypt them; they're effectively plaintext, because no one has to break any encryption to read them.

Indeed, here's a thread on HN from 2013, where Durov is participating, where people are using "effectively plaintext" in exactly this way to describe exactly what we're talking about: https://news.ycombinator.com/item?id=6937097


Browsers should be interacting with the OS to require something (like your system password, Touch ID, etc.) to have unlocked the vault before being allowed to auto complete.


Yup, in the best case you have a truly secure container of keys somewhere. That takes things away from being effectively plaintext.


Yeah, I don't doubt that it can be improved. I hope it does because Telegram is not a fringe messenger anymore. There can be improvements made to the infrastructure, so that they don't keep facing these issues again and again.


> Yeah, I don't doubt that it can be improved.

There was no discussion of whether it can be improved. I was just telling you that it meets the established understanding of the term "effectively plaintext," which you were seeming to disagree with.

Have a good rest of your day.


> which you were seeming to disagree with.

Yeah, I would still disagree because everything is effectively plaintext in the end. The only difference is how you derive the key. There are levels of encryption, that is true but I think calling an actual encryption as 'effectively plaintext' is wrong.

> Have a good rest of your day.

Thank you! You too :D


> The only difference is how you derive the key.

Telegram CEO has access to all keys and therefore all chats. Matrix foundation has no such access. These two examples should explain the difference between "effectively plaintext" and e2ee. The main difference is not how someone derives the key. It's who can do it.


Signal does not have access to the keys for the text. The government cannot decrypt your Signal chats no matter how much the company might want them to.


No, end-to-end encrypted systems are not effectively plaintext. That's a distinction anyone familiar with cryptography is well aware of, but Telegram has been gaslighting their user/fanbase and many journalists about it for years.



