Ask HN: What is known about recent Telegram security claims?

4 points

10 years ago

Does anyone have more information concerning the claim that Telegram stores "EVERY MESSAGE" in plaintext? [1] Specifically is this true in any way for their end-to-end "Secret Chat"? I've been unable to find any proof to claims Moxie and Ptacek have been making on twitter. Considering Moxie makes a competitive messaging app, making these claims without clearer proof seems a bit reckless. So I would like to know if there is some proof out there that we have missed.

So far the responses Moxie and Ptacek have given to multiple requests are:

* API shows a string message object stored on server [2]. No clear indication that this is itself not a string representation of an end-to-end encrypted object.

* iOS devices receive push notifications indicating Telegram servers must be able to decrypt in order to send plaintext to Apple [3]. Not clear if this is true also for end-to-end encrypted secret chats.

1. "By default Telegram stores the PLAINTEXT of EVERY MESSAGE every user has ever sent or received on THEIR SERVER." https://twitter.com/tqbf/status/678065993587945472

2. "It's just how Telegram works and is self-documented to work: https://core.telegram.org/method/messages.getMessages Only their marketing copy suggests otherwise." https://twitter.com/moxie/status/678219238394298372

3. "@stefannnooo If you're on an iPhone, they also send a plaintext copy of every msg you receive to Apple's servers. So not even in transit." https://twitter.com/moxie/status/678277776391077888