Subverting Telegram's End-to-End Encryption (2023)
Key topics
The story discusses a cryptographic attack on Telegram's end-to-end encryption, with the community questioning Telegram's encryption implementation and its security claims. The discussion highlights concerns about Telegram's custom cryptography and lack of auditing.
Snapshot of the Hacker News discussion (88 comments loaded)
Story posted: Oct 14, 2025 at 11:23 AM EDT
First comment: Oct 14, 2025 at 11:39 AM EDT (17m after posting)
Peak activity: 38 comments in the first 0-2h
Latest activity: Oct 15, 2025 at 1:15 PM EDT
Granted, I don't know how MTProto actually works all that well, but IMO Telegram should've just used Noise or something. Would've saved them a lot of trouble. Although that doesn't really resolve the underlying problem that people think Telegram is secure when it's not (i.e., you have to explicitly enable E2EE and it's off by default), at least last time I checked. I haven't used telegram in years so my knowledge might be out of date though.
Most people dislike Telegram because:
A) It takes away from Signal's market share
B) They don't enable E2EE by default
C) They're owned by Pavel Durov, the Russian Zuckerberg.
I am aware that it's an unpopular opinion, but the FUD spread against Telegram and the hagiographies of Signal make me think something weird is going on.
Telegram has third party clients, so you can just roll your own client that runs another encryption on top if you want, like Pidgin used to do with OTR.
[0]: https://mtpsym.github.io
E) (I believe) don't enable E2EE with more than one device
E) Neither does Whatsapp/Signal; they rely on a backdoor interface to your phone to send messages.
But I'm having trouble discerning what you mean.
Either you're saying group chats are encrypted E2EE - which, I never claimed.
Or, you're mentioning that you can have multiple phones/devices on the same account, which doesn't work the last time I checked.
That's wrong as 'tptacek noted. If you meant something else, that wasn't clear.
my response was:
> E) Neither does Signal/Whatsapp.
The thread of the "E" topic is relevant here, i'm not claiming that Signal/Whatsapp support (or do not support) encryption for group chats.
Sorry that it wasn't clear, I thought referring to them directly by letter would make it easier to differentiate.
However, after doing a smidge more research it seems like somehow Signal is sharing its key with the desktop app and only syncing history of messages directly: https://news.ycombinator.com/item?id=15596980
I'm not 100% sure how it works as the server is fake-open-source and not actual open-source.
Wonder how that works then? Weird.
https://t.me/durov/452
Can you point at anything in his message that's not factually correct?
Otherwise, the "doomer manifest" is OK, but the comically inflated ego of Durov is annoying, him thinking that such banal and commonplace sentiments are worth pushing as an alert message to all users, wrapping everything into announcing his birthday (that he doesn't want to celebrate, oh no).
He also got involved in Romanian and Moldovan elections, by sending a message to target users on the day of the elections (when campaigning is illegal) with claims he presented no evidence for; basically the bastard works for Ruzzia, he might be forced to, but the facts do not lie.
With the amount of known use of Telegram by unsavory actors, combined with Durov's own leveraging of his platform for activism, I've been using Whatsapp more and more lately, and don't feel bad about that.
I respect Signal, but it's missing too many product features and it doesn't have the reach Whatsapp does, so it's not compelling as a switching option at this point, even for family use.
People outside the US prefer telegram because they assume that Signal is probably compromised, or at least highly vulnerable to compromise, by US intelligence - they trust Pavel Durov's history of expropriation and arrest more than they trust some nerds who claim that our product is secure.
So it shouldn't be a surprise that Signal users speak against Telegram. It's simply not private for most people. It's like recommending using Facebook Messenger (pre-E2EE)... privacy minded people won't do that. Signal itself is criticised by other more privacy minded users because it requires a phone number.
Signal doesn't have the best call quality (voice/video) especially on slow connections, sending media can be a pain in the rear, their desktop client is way too simple, they move slowly, etc. Telegram beats them in almost everything, but not privacy...
Between having to trust Durov forever with our texts and system that uses e2ee by default and may or may not (no proof) have some flaw, I think most people that want privacy will use the option that uses e2ee for everything.
I suppose it's what the actual goals of the app are, potentially it works out very well for someone.
https://i.imgur.com/Pft8r3B.png
This ticket suggests that there's no such option: https://github.com/telegramdesktop/tdesktop/issues/871
See also: https://github.com/telegramdesktop/tdesktop/issues/6491
I am using telegram-desktop from aur, I clicked the three dots (…) at the top next to the magnifying glass, then info (i) to get to the profile, then there is a “more” (…) button where there was a “Secret” option.
Thanks, this looks interesting. However, it seems unofficial. There's no such option in the official client from telegram.org.
> Those are the same link
Thanks, I fixed that.
If you don't trust the server, then you shouldn't trust them to supply you a client either. Since a client is basically "whatever code they decided".
Very few people are building from FOSS, and those that do will include binary blobs too. It's theatre.
E2EE provides strong theoretical guarantees, but not so if the client is under the network provider's control. Governments have already pressured companies to alter clients (Australia's "Assistance and Access Act" allows compelling backdoors in software).
If you don't trust the operator, it's irrational to trust the client they supply, they can do anything before E2EE even kicks in.
I'm not saying E2EE is useless technology, it's just useless in cases where the provider and the network are the same thing. You are gaining very little over TLS in those cases. You can configure "self-deleting" messages if you're worried about other clients logging in.
Regardless, most reasonable security researchers I know are actually more concerned with supply chain attacks than ensuring E2EE everywhere, which is precisely what I'm arguing.
Point is, E2EE only “protects” against server-side compromise if you assume the client is golden, which loops back to trusting the provider not to mess with it. If they’re bad actors, they can (and govts do compel them to) inject client-side leaks (again, see Australia’s TOLA Act forcing software mods), or historical cases like Lavabit’s key handover pressure.
In trusted-provider scenarios (which is most users’ reality), client/server + TLS + encrypted storage suffices against external threats, with less complexity than E2EE’s multi-device key mgmt headaches.
If distrust is total, bail! Because neither model’s your friend. Supply chain worries aren’t a distraction; they’re the real vector, as SolarWinds and Jia Tanning of xz remind us. E2EE’s great tech, but you are pretending that it is a cure-all, which ignores practical realities.
There isn't an amount of hand-waving that's going to get you to a place where client-server-only encryption is sufficient for secure messaging.
I am also more concerned about supply chain attacks than I am about attacks on E2EE, generally. But that stops being true in the specific case of secure messaging.
If the provider is compromised (maliciously or via hack/subpoena), they can alter the client to capture data before E2EE engages, rendering it moot.
E2EE protects past messages from server-side access, sure, but it doesn’t prevent future compromises via client backdoors, which are a real vector under laws like Australia’s TOLA or US CLOUD Act, again: providers have been compelled to modify software (e.g., Lavabit’s resistance led to shutdown, but others comply quietly).
You’re right that client-server alone fails catastrophically on server compromise, but E2EE isn’t a panacea if the same actor controls the client supply chain.
Trust is binary: If you don’t trust the provider, don’t use their client. reproducible builds help a tiny fraction, but for most, it’s unverifiable.
In partial-trust scenarios (e.g., worrying about hacks but not full malice), client-server with distributed keys and TLS can suffice without E2EE’s complexities.
I’m hand-waving a bit here; but I’m talking about people's actual realities, not some hypothetical.
How does E2EE hold up if a subpoena forces a silent client update? You won’t know, and history shows that’s the path of least resistance for adversaries.
Slack isn't E2EE secure. The Slack client supply chain is not how I worry about my Slack message history being intercepted.
A better comp might be old-school Skype pre-Microsoft: client-server backbone (after ditching full P2P), tight client/network control, no E2EE, yet no major leaks despite heavy scrutiny.
It worked for millions in a “good enough” threat model without pretending to be bulletproof. Secure messaging apps that default to client-server (like Telegram’s non-secret chats) are similar. They pay lip service to groups but prioritise 1:1, and the security theatre of optional E2EE doesn’t change the core trust calculus.
If you don’t trust the provider, don’t trust their code. Simple as.
Aren't there other telegram clients?
* Plus Messenger (Google Play)
* Nicegram (App Store/Google Play)
* Nekogram (via TG channel or GitHub)
* Neko X (f-droid)
* Forkgram (f-droid)
* Mercurrygram (f-droid)
* AyuGram (both Desktop & Mobile)
* 64Gram (Desktop/GitHub)
* Kotatogram (Desktop/GitHub)
everything listed here: https://telegram.org/apps
and a bunch more that I don’t remember off the top of my head
I doubt client-server is the only way to accomplish this.
I'm just clarifying. I agree the practical implications of the attack are not really meaningful to a general audience.
https://blog.cryptographyengineering.com/2024/08/25/telegram...
The Most Backdoor-Looking Bug I’ve Ever Seen
https://words.filippo.io/telegram-ecdh/
Is Telegram really an encrypted messaging app? - https://news.ycombinator.com/item?id=41350530 - Aug 2024 (583 comments)
What confuses me more is how passionate people are about Telegram. Weirdly I see those posts degrade into Signal vs Telegram and it really feels like apples and oranges but very one sided. I get that Telegram is more feature rich, and that's a good argument, but feels weird that many argue it is also more secure. Some of those arguments even appear in the thread r721 linked.
Since it has a public API, I can easily make a custom frontend if I ever want to. Most social media does not offer this or tries to lock you into their shitty ecosystem.
I basically just treat it as unencrypted, but the pretend encryption features at least puts the company in a position where blatantly selling data would be a liability. In this respect, I place it on the same level as WhatsApp. Because even if WhatsApp has solid encryption, all it takes is one forced update from Meta to undo all that. They are like the inverse of each other.
My uncle is the only one I know who refused to use Telegram, insisting Signal was better and because he didn't want to use something with vague connections to Russia. Yet even he did not actually use Signal, and simply insisted if we should all switch to something it's either that or he sticks to SMS. So well, when I couldn't sell Signal to anyone else, Telegram it is, sorry uncle, but Verizon is pretty transparent about how they sell all my data.
Vague only if you don't follow the news. Telegram added "third-party verification" [1] around January 2025, which conveniently and accidentally coincided with the time when Russian authorities made it mandatory to register social network channels having more than 10K subscribers (I was secretly hoping Telegram would instead hide the subscriber count). Such channels are required to add a government bot with high privileges for verification. Note that the announcement for 3P verification doesn't mention Russia at all and contains some unrealistic examples instead, like a fictional game "Great Theft Starship" channel verified by "Bug-free Agency". Who on Earth would need that.
But to be fair, the western companies are the same, once government hinted they need more control, the companies rushed to introduce face-based "age verification" which allows identification. I would rather use some other body part for this.
[1] https://telegram.org/verify#third-party-verification
Note that you need to get an API key for that, and there are additional conditions for getting it (for example, you cannot remove ads in your version, you cannot remove Instagram-like "stories", and so on).
But I'm curious, what makes Telegram an easier sell to your friends and family? I've gotten most people to switch over to Signal and the hardest problem is just getting them to use another app. I would be surprised if the API is the killer feature lol. And very few people seem to be concerned with the phone number thing with Signal. So I'm just curious, what are the features that normal people are missing?
Know about him for at least 3 decades as I read almost all of his published works.
it's suspicious, but at the same time, iirc, nobody's been able to find a vulnerability in their encryption protocol :shrug
The reason they rolled their own was because it came out before the Double-Ratchet/Axolotl protocol, and OTR (which double-ratchet is essentially based on) was extremely inconvenient to use properly and had its own weaknesses.
this actually makes a lot of sense lowkey, thanks :)
if you are on the same network and manage to either intercept the key to brute-force it or guess the encryption key with the emoji, it's possible to decrypt the whole chat. It works because Telegram's random generator uses time and some device information, which is predictable
the study managed to decrypt 500 messages out of 500 on emulator devices. Brute-forcing takes like a few $100 worth of computing power
Honestly, the Durovs are exceptional people and entrepreneurs, however their encryption and what they say isn't always what it's presented as
There is no actual cryptographic weakness presented here...
but the protocol itself does not look reliable, since encoding 85% of messages is quite easy once you change your message padding a bit according to the paper unlike what's used in signal
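The exchange above turns on the claim that a key derived from time plus predictable device information can be recovered by brute force. Whether that characterization of MTProto is accurate is not something this thread establishes; the block below is an added toy model, not Telegram's code or anything from the paper, that demonstrates the general failure mode: when a key is derived from a timestamp and a handful of device identifiers, an attacker who knows roughly when the session started and a known plaintext prefix recovers the key by enumeration, while a key drawn from 256 bits of real randomness is untouched by the same search. The derivation, the `MSG:` framing header, the device strings, the one-hour window and the SHA-256 counter-mode stream cipher are all assumptions made for the illustration.

```python
import hashlib
from itertools import product

# Assumed known plaintext prefix (hypothetical framing, not a real wire format).
HEADER = b"MSG:"


def derive_key(timestamp_s: int, device_info: bytes) -> bytes:
    """Toy, deliberately weak derivation: seed = timestamp || device info.

    The seed space is (plausible seconds) x (plausible device strings), which is
    tiny compared to the 2**256 the output size suggests.
    """
    seed = timestamp_s.to_bytes(8, "big") + device_info
    return hashlib.sha256(seed).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream XOR.

    Encryption and decryption are the same operation. Unauthenticated and
    illustrative only; do not reuse for real data.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def brute_force(ciphertext: bytes, t_center: int, window_s: int, device_candidates):
    """Attacker's view: knows the ciphertext, an approximate session time, a
    short list of device-info strings, and that plaintext begins with HEADER.

    Returns (key, attempts) on success or (None, attempts) after exhausting
    the window.
    """
    attempts = 0
    for delta, dev in product(range(-window_s, window_s + 1), device_candidates):
        attempts += 1
        key = derive_key(t_center + delta, dev)
        if xor_stream(key, ciphertext).startswith(HEADER):
            return key, attempts
    return None, attempts


def demo() -> dict:
    """Run the attack against a time-seeded key and against a high-entropy key."""
    # Constructed inputs for the illustration.
    device_candidates = [b"emulator-x86_64", b"emulator-arm64", b"pixel-7"]
    t_center = 1_700_000_000            # attacker's estimate of session start
    plaintext = HEADER + b"meet at 9"
    window_s = 3600                     # +/- one hour around the estimate

    # Victim 1: key derived from the real start time (17 s off the estimate).
    weak_key = derive_key(t_center + 17, b"emulator-arm64")
    ct_weak = xor_stream(weak_key, plaintext)
    found_weak, attempts_weak = brute_force(ct_weak, t_center, window_s, device_candidates)

    # Victim 2: 32 bytes that are not a function of time or device at all
    # (a fixed constant here so the run is deterministic; use os.urandom(32) in practice).
    strong_key = hashlib.sha256(b"stand-in for 256 bits of real randomness").digest()
    ct_strong = xor_stream(strong_key, plaintext)
    found_strong, _ = brute_force(ct_strong, t_center, window_s, device_candidates)

    return {
        "weak_recovered": found_weak == weak_key,
        "weak_plaintext": xor_stream(found_weak, ct_weak) if found_weak else None,
        "weak_attempts": attempts_weak,
        "search_space": (2 * window_s + 1) * len(device_candidates),
        "strong_recovered": found_strong is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The search space here is about 21,600 SHA-256 evaluations, which is why the comment's "a few $100 of compute" framing is plausible for any scheme whose seed really is this narrow; the cost scales with the product of the timestamp window and the number of guessable device strings, not with the nominal key length.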
Telegram has functional standalone desktop clients.
So does Signal? You need a phone number to initially register an account on either service last I checked. The Signal desktop app used to be awful, but now it's fine. I use both and have for many years; it used to be the case that Telegram had a much nicer user experience, but nowadays I feel like it's near parity between the two.
I listened to bits of it and I was disappointed by the lack of push back from Lex who was super excited because he got to hang out with Durov for a couple of weeks in Dubai - the tl;dr I got from what I heard is that Telegram is amazing and Durov is a visionary freedom fighter. Given Lex's recent history I'm not surprised though.
Here's the transcript of the section about encryption: https://lexfridman.com/pavel-durov-transcript#chapter15_encr... I'll let you judge for yourself.
I'll comment on another section though because I'm somewhat knowledgeable having followed the subject closely in the media and by knowing the country: https://lexfridman.com/pavel-durov-transcript#chapter7_roman...
He claims: 'So, by the time the head of intelligence services met me to ask about Romania to help them silencing conservative voices in Romania, I was already wary of what can be going on next.'
I call bullshit on this. The 'conservative voices' are muppets doing Russia's bidding who broke all sorts of election laws. There was nothing serious happening on Telegram in Romania that would warrant any foreign intervention, it just doesn't make sense.