Telegram: Viable WhatsApp Alternative from Russia, But Still Questionably Secure
BY Jessica McKenzie | Wednesday, February 26 2014
After Facebook bought the messaging application WhatsApp on February 19 for a whopping $19 billion dollars, the messaging app Telegram, a product of the “Russian Zuckerberg” Pavel Durov, surged in popularity.
After the Facebook deal was announced, Telegram downloads increased to more than 800,000 a day on all platforms globally. On the day WhatsApp suffered their “longest and biggest outage in years,” Telegram gained 1.8 million new users.
The founder of the popular Russian social media platform, Vkontakte.ru, says that he designed Telegram to be secure, which seems to be the primary appeal for WhatsApp deserters.
“The No. 1 reason for me to support and help launch Telegram was to build a means of communication that can’t be accessed by the Russian security agencies, so I can talk about it for hours,” Durov told Tech Crunch. He claims the app encryption is of the highest standard available.
To drive this point home, Telegram is advertising a competition: $200,000 in—what else—Bitcoin to the hacker who can break Telegram's encrypted protocol by March 1.
“No one won so far, but a guy from Russia found a serious issue in December and received $100,000 from me,” Durov told Tech Crunch.
Facebook, incidentally, also rewards those who bring bugs and other security glitches to the company's attention. The minimum reward is $500 and there is no maximum reward because “each bug is awarded a bounty based on its severity and creativity.”
However, there is an extensive list of exclusions (bugs on all third party applications, for example) and at least one hacker was rebuffed by the Facebook security team when he reported a legitimate bug. When the hacker reported the bug on Zuckerberg's Facebook page (taking advantage of the vulnerability he wished to expose) his account was subsequently blocked and he was ultimately denied a reward because he had violated Facebook's terms of service.
Pavel Durov and his brother Nikolai began building Telegram in 2012. It features “secret chats,” which are encrypted end-to-end, cannot be forwarded and, like SnapChat, can be made to self-destruct at a particular time. Regular chats are stored in Telegram's cloud; secret chats are not.
While Telegram may be the answer for anyone wanting to avoid big, bad Facebook, many say their security measures are still not good enough.
Geoffroy Couprie, a developer, wrote on his blog:
Basically, their threat model is a simple “trust the server”. What goes around the network may be safely encrypted, although we don’t know anything about their server to server communication, nor about their data storage system. But whatever goes through the server is available in clear. By today’s standards, that’s boring, unsafe and careless. For equivalent systems, see Lavabit or iMessage. They will not protect your messages against law enforcement eavesdropping or server compromise.
Telegram even got a shout-out on the website CryptoFails.com in December:
Telegram is an encrypted instant messaging app for iOS and Android devices. Obviously, I wouldn’t mention it on this blog if its crypto was perfect. In fact, it’s far from perfect. It’s almost horrifying.
They suggest scrapping the whole thing, which is not likely considering recent rampant success.
So I suppose the takeaway is, as with most things, download if you like but proceed with caution. For more on what Geoffroy Couprie thinks a crypto app should include, see here.
Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.