Are Telegram chats actually encrypted?

Authorities in France have arrested Pavel Durov, the founder of Telegram and Russia’s largest social network, VK. Last week, he was in Azerbaijan at the same time as Vladimir Putin. Around the world, hundreds of millions of Telegram users are suddenly questioning a fundamental promise of Pavel Durov: “All chats are secure.”

As of May 2020, Telegram claimed that Durov was the sole financier of its messenger. The application boasts between 700 and 950 million monthly active users. Since 2017, he has repeatedly assured his fans, “Everything is secure.”

However, many cybersecurity experts have questioned this characterization.

Although Telegram’s end-to-end encrypted “Secret Chats” are widely regarded as a truly secure messenger between two devices, there are vulnerabilities in Telegram’s group and standard chats – dwarfing the popularity of Secret Chats by orders of magnitude.

In Telegram, end-to-end encryption is optional. Creating a Secret Chat requires several extra steps and does not allow cloud backups. Most users opt for default settings, which initiate and maintain group and standard chats using non-end-to-end, Telegram-operated services. Telegram calls this “client-server encryption.”

Telegram chats by Jane Street and Jump Crypto staff probed in Terra case

Generally speaking, the overwhelming popularity of non-end-to-end encrypted chats on Telegram is the primary concern for most users. Most Telegram users have chat histories that rely on Telegram’s services. This means users are relying on Telegram to be honest, secure, and trustworthy. However, there are no guarantees.

Concerns of unencrypted Telegram chat history

The second concern about Telegram’s encryption is its ​​proprietary encryption protocol, MTProto. For its part, Telegram claims that it needs a non-open source protocol for “reliability on weak mobile connections as well as speed when dealing with large files.” Skeptics doubt this claim.

A third concern about Telegram is that it refuses to disclose the location of its servers. Rather than permitting independent audits of its data centers, Telegram leaves users to rely on the company’s assurances. Without the ability to independently verify its actual security practices, there is no way to know if its servers are physically secured from tampering.

Vladimir #Putin declined a meeting with the founder of Telegram Pavel Durov in Azerbaijan.

A few days before Putin's visit to Baku, officials from the Presidential Administration suggested arranging a meeting with #Durov, but Putin refused. The reason for the refusal remains… pic.twitter.com/oNVxxlwT2U

— Russian Market (@runews) August 20, 2024

Transparency is crucial in building trust, especially in cybersecurity. Open-source encryption protocols allow developers to verify claims. Telegram’s choice to not enable end-to-end encrypted settings by default, maintain a proprietary protocol MTProto, and prohibit audits of its servers are three of its biggest criticisms.

Read more: Telegram trading bots force crypto traders to sacrifice self-custody for UX

Many users are unaware that most Telegrams chats are not end-to-end encrypted, relying instead on client-server encryption, which requires trust in Telegram. 

With its founder and CEO now detained in France with limited information available about his charges or reasons for being in Azerbaijan around the same time as Vladimir Putin, Telegram users are left to wonder whether their information is at the center of a geopolitical scandal.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.