In this episode, Marc and Darren discuss the recent arrest of Telegram founder Pavel Durov, the broader implications of platform security, and more. Join in the conversation at The DEVOPS Conference in Copenhagen and Stockholm and experience a fantastic group of speakers.
[Darren] (0:05 - 0:13)
It's not even about technology. If something can be abused, it will be abused, but that doesn't mean we shouldn't have it.
[Marc] (0:20 - 0:29)
Welcome to the DevOps Sauna, the podcast where we dive deep into the world where software security and platform engineering converge with the principles of DevOps.
[Darren] (0:29 - 0:33)
Enjoy some steam and let's forge some new ideas together.
[Marc] (0:42 - 0:47)
We're back in the sauna. Hello, Darren. Is it good afternoon?
[Darren] (0:47 - 0:52)
I think it's a good afternoon, but it's early days yet, so we'll have to figure that out as we go.
[Marc] (0:52 - 1:05)
All right. Well, I hope it becomes a good afternoon later if it's not so certain today, but something that is certain is the founder of Telegram has recently been arrested in France. What's going on, Darren?
[Darren] (1:06 - 2:05)
Yeah. So it seems the French have decided to arrest the founder of Telegram in relation to some cyber crime allegations, and the allegations are basically a failure to kind of moderate the platform properly because Telegram is, I don't know, let's just go into Telegram for a moment to explain it to those who don't know what it is. Briefly, we can say Telegram is an instant messaging platform, but over time it's kind of evolved to have more things like groups and more social activities that actually make it a little bit closer to something like Facebook than it is a direct messaging platform these days.
And the French authorities have asserted that, and not incorrectly, that the platform is being used for crime. Essentially, there are groups where various illicit activities are occurring, and the arrest seems to be because the founder, this Pavel Durov, and the company have not done enough to moderate this.
[Marc] (2:05 - 2:26)
That's quite an interesting global phenomena, how moderating or not moderating social media chats. In this case, I consider Telegram practically a social media channel, right? So how much moderation, in what ways?
But it's funny, I thought that Telegram was encrypted.
[Darren] (2:27 - 3:02)
Well there's the rub of it, I guess. So you're absolutely right about moderation and Telegram being more of a social media platform, and the EU uses the Digital Services Act as, among other things, to call for moderation. They're actually, since April I think, using it against Meta.
So against Facebook and Instagram, because of this failure to moderate, and now it seems that Telegram is caught up in something similar. Not from the EU's perspective, but it could easily go in that direction. But yeah, you're asking is Telegram encrypted?
[Marc] (3:03 - 3:11)
I mean I thought it was, that was one of the features here, and that's one of the things that allows people to be so bold over there, right? And that's actually the interesting thing.
[Darren] (3:11 - 3:23)
The Telegram is marketed as an encrypted platform, and when looking into it, my realization is, if you ask is Telegram encrypted, the answer is yes, but also no.
[Marc] (3:24 - 3:32)
How can, is this like, is this a physics experiment that we're getting in? Is this Schrodinger's encryption now?
[Darren] (3:33 - 5:26)
Yeah, yeah, basically, no. So what we actually have is, Telegram has the option to apply end-to-end encryption to messages sent directly between two people. This is an option that- One-on-one.
Yeah, one-on-one. This is an option that has to be configured, it has to be toggled by going into a separate settings menu and starting that secret chat while two people are online. The standard messages are encrypted, but they are not end-to-end encrypted.
And this is the thing, end-to-end encryption basically means that if you have a conversation of two people, only two people are able to read the contents of that conversation. And that is how encryption should be done for a messaging protocol. You should be able to have a private conversation with the person you're exchanging information and ideas with.
Now Telegram, instead, encrypts it in such a way that the conversations are encrypted, but they are not end-to-end encrypted. And this brings us to this kind of interesting idea that maybe Telegram has shot themselves in the foot. Because if the chat is encrypted in such a way that Telegram, as a company, are able to decrypt it, it means they should be able to moderate it.
Does the law account for this, or do you know? I mean, the EU law does, because this is exactly what's happening with the Digital Services Act. So the requirement for moderation is there, and the irony is that if Telegram had actually been a fully encrypted medium, like it advertises itself, like a fully encrypted end-to-end encryption for groups, for all conversations, they would have had the defense of, well, we can't possibly track these things because we can't decrypt any of the traffic.
[Marc] (5:26 - 5:29)
Yes, but they don't seem to have that defense now.
[Darren] (5:29 - 5:34)
Yeah. So it puts them in kind of a problematic position, in my opinion.
[Marc] (5:34 - 5:40)
Right. There's this old adage, like, don't roll your own cryptography. Is that in play here?
[Darren] (5:41 - 7:40)
Yeah. So it's very true. It's like, think about reinventing the wheel.
The wheel just works. We probably don't need to reinvent the wheel at any point. There are certain things that just work.
And I feel like the don't roll your own crypto adage is sometimes problematic, because cryptography does need innovation. And if no one's rolling their own crypto, it means no one's innovating its stalls. It becomes stagnant and no development happens.
And the kind of people who have the power, the funding, the drive to roll their own crypto should absolutely do it. The question becomes, is Telegram such a company? Is Telegram such an entity that they should be rolling their own crypto?
Because Telegram actually have this interesting cryptographic protocol called MT Proto, and they're currently on version 2.0. They're depreciating version 1 at the moment. And let's say there are some interesting things. I found this cryptography engineering blog, which put out a post a couple of days ago regarding the actual encryption.
And there are a lot of question marks. I'm not an expert in encryption, but there are a lot of question marks that is raised in this one paragraph where it's saying things like, group parameters are chosen by the server, which might be questionable. Encryption can't be started while users are offline, which is questionable.
It used to be that there was some random sequences provided by the server that no one understood the purpose of, and in the past actually actively made Telegram insecure against a malicious server attack. It has been fixed. But it's kind of showing that in trying to make their own cryptography, Telegram have in the past fallen into the trap of creating something non-standard and running into problems that they really shouldn't.
[Marc] (7:40 - 7:53)
Is there any idea here, have they gotten any fruit from this? It's like, I understand not invented here, and I see that an awful lot in my career, but was it a case of not invented here, or do you believe that they were after something?
[Darren] (7:53 - 7:54)
After something, how do you mean?
[Marc] (7:54 - 7:55)
By rolling their own crypto.
[Darren] (7:56 - 9:00)
Yeah, I actually don't know. I mean, that would be pure speculation. And it's hard to say.
It's entirely possible that, because the Telegram user base does just keep growing, the, you know, for the idea that there is cybercrime on the platform, and there definitely is, just like there's cybercrime on every social media network, Telegram kind of secured a place in when we talk about Ukraine and communication throughout Ukraine in the time of the invasion. It's also actually been used inside Russia as a way of communicating without propaganda, of communicating things that are actually going on outside Russia, because it's one of the safest platforms for them to do so. So I feel like the encryption may have been created in good faith, and when it comes to whether it's secure, it might be, but the problem is it's not standardized, and it's not that well understood.
So there are just a lot of question marks where I think a lot of security professionals would not like them.
[Marc] (9:01 - 9:20)
Well, you've got me on the ropes here a little bit, because if it's not end-to-end encrypted, then there is the possibility for someone to intercept a message, and if there is the opportunity for someone to intercept a message, there's an opportunity for a malicious actor to intercept a message one way or another, right?
[Darren] (9:20 - 9:48)
Potentially. The fact that it's not end-to-end encrypted just means that it is accessible at some point along the line, which is not from either the sender or the intended recipient, and it's likely that this is just that it could possibly be visible from a telegram server. Now of course, if there was a breach in a telegram server, that might open up these private messages to being read by whoever breached that system.
[Marc] (9:48 - 9:53)
Or a backdoor, or an administrator console, or a log.
[Darren] (9:54 - 10:20)
Yep, and that's the thing, like the backdoor, one of the charges against the founder is failing to provide information to a legal investigation. So it seems that the lack of backdoor, the lack of that kind of channel, is one of the sticking points here, where it's understood that telegram should be able to review these private conversations and they're refusing to comply with that order.
[Marc] (10:20 - 10:30)
Or it could be that in fact, as you suggested, that they do not actually have the capability to do so, which would mean it could be secure. It'll be really interesting to see how this goes.
[Darren] (10:30 - 10:45)
And that's entirely possible, but the question is then, if they don't have that possibility, why are they not using end-to-end encryption? Why are they only allowing that on direct chats between two people instead as a part of their group offering? Why is it not active as standard?
[Marc] (10:46 - 11:01)
Is there something about, I'll use the word economy here, where it's easier to do end-to-end encryption between two points than it is between some wildly changing groups of different types of actors in group chats?
[Darren] (11:02 - 11:25)
I don't think so, not really. It's all a case of public key infrastructure. Just making sure that when you start a chat, you generate a key that identifies you and you share that with the people in the chat.
There's no economy in not implementing that for groups. And if there was, it wouldn't change the fact that it could be on for direct connections by default.
[Marc] (11:26 - 11:28)
By default, as advertised.
[Darren] (11:28 - 12:04)
Yeah. Okay. And this actually, it kind of leads back into something we've been discussing before the summer where we had this kind of misleading messaging.
At the time we were talking about open source and people using the term open to insinuate open source, but not actually be open source. And this seems to be a case of the same. I think we were talking about it with Amanda Brock, where it was open source or open, but not open source.
And it was confusing. And now we have the same where it's encrypted, but not end-to-end encrypted. And people should maybe be taking a closer look at whether they want to use Telegram.
[Marc] (12:05 - 12:17)
I was thinking this as well. So should we compare to some of the other big chats? Let's start with WhatsApp, which has been through quite a, quite a journey since its original startup.
So how about WhatsApp?
[Darren] (12:17 - 13:21)
Yeah. Honestly, nothing would make me happier than to throw WhatsApp out the window at this point and just say, it's the worst platform that's ever been created, but we have to acknowledge one thing and that's that WhatsApp currently uses end-to-end encryption as a default for all communication. Now that, in my opinion, like it's, am I saying that it's kind of more secure than Telegram?
And it's kind of a coin toss because both have their advantages. WhatsApp does have the encryption, but it is closed source. So no one's really able to take a look behind the curtain of WhatsApp.
Telegram is open source. So anyone can go and clone the repo and make their own version of Telegram right now. They can do that.
And that means it's allowed for a lot more scrutiny, a lot more investigation, which has turned up problems. And so it's kind of, one is more open, but is using custom security and not end-to-end and one is using end-to-end security, but is not open. So I guess it matters where your interests lie.
[Marc] (13:21 - 13:44)
So I've heard a lot of anecdotes and I've seen some kind of suspicious things with WhatsApp about like immediately getting an ad for the, you know, the cast iron 18th century French hand railing that I was just chatting about someone with. And then all of a sudden I go to my computer and I get an ad. Is WhatsApp, although it is using end-to-end encryption, is it still leaking things somehow?
[Darren] (13:44 - 14:59)
Well, there comes the question of metadata. Now metadata, when it comes to these kinds of communication platforms is often overlooked. Frankly, metadata is something we could do an episode on just by itself because it's so overlooked and so interesting.
But if we go briefly into it now, metadata is data that is definitely accessible by whoever runs the platform. And this metadata won't contain your conversations, but it will contain who you talk to and it will contain when you talk to. So you'll hear the horror story.
Yeah, I was advertised a cast iron pan by saying to person X, I want to cast iron pan. But what is most likely happening is that metadata of the identity of person X and you is being pulled together. You had a conversation.
It's then checking your search histories. It's likely seeing that you've searched for a cast iron pan. Maybe that this conversation prompted person X to search for a cast iron pan.
All of a sudden you are being advertised to. And this kind of metadata is very easily accessible because it's basically how meta make money. It's how telegram make money.
This is the advertising data they're selling to their advertising providers.
[Marc] (14:59 - 15:06)
Okay, so how about signal? How about signal? How about signal as a messaging platform?
How is signal security?
[Darren] (15:06 - 17:11)
Uh, signal is the best. So signal is a bit subjective for, I think it's quite objective because signal do three things really well, in my opinion. First off, they are fully open source.
You can go to their GitHub and download the source code for any and all of their clients right now. And that means they can be looked at with a level of scrutiny that telegram can as well, but whatsapp cannot. Then they also have the true end to end encryption like whatsapp have.
So you can be sure that your communication is only being read by the people who are intended to read it. But it also does this third thing, which none of the others do. And it's kind of rare.
And in my opinion, it's kind of cool. And it again, kind of hails back to Amanda Brock's discussions here. The signal group who put out signal are a nonprofit.
They operate entirely on like Wikipedia. They operate from benefactors and donations. So they are not in the business of selling metadata.
They are not in the business of trying to make money from you. They are trying to provide a service. And these are where the kind of great parts of the internet spring up from, in my opinion, just like Wikipedia.
Wikipedia, the Wikimedia Foundation is trying to provide the service. They are not interested in sales. They are not interested in that.
They struggle to make their fundraising goals, but they operate as nonprofits specifically to ensure that these extremely useful tools are available to everyone who needs them. And Signal have actually gone on record saying that they would pull out of countries before adding any kind of back doors for governmental use. So there are some people on the internet who are taking the responsibilities of people's privacy very seriously.
So are the bad guys going to move to Signal then? I'm assuming the bad guys are already in Signal.
[Marc] (17:11 - 17:19)
So what do you do then if you're fully encrypted and you have bad actors organizing things on your platform?
[Darren] (17:20 - 18:39)
Well, that's the question. There's not a lot you can do. And this was actually, I think the US Supreme Court brought this up some time ago when they tried to have cryptography classed as weaponry, just so that they could kind of restrict it so they could control it and could control the use of it.
And this is kind of the problem. When you have something like cryptography and encryption, it is going to be used by bad actors. It is going to be abused by people who want to keep their actions private.
And if they are smart about it, cryptography will allow them to. And there's not a lot we can do about that. The metadata is useful, as we discussed, because Signal, I'm sure, also gathers metadata.
And that means if they have a leak of like identifying one user who is doing illicit activities, they can use the metadata to find out who they've been talking to, but not why. And that kind of metadata investigation is useful. But in general, if these things can, it's not even about technology.
If something can be abused, it will be abused. But that doesn't mean we shouldn't have it. If we look at things like Social Security, Social Security will be abused by a percentage of the population.
But that doesn't negate the good it does to a much larger percentage of people.
[Marc] (18:40 - 18:48)
Well put, Darren. So let's go back around. So what's going on with Telegram today?
[Darren] (18:48 - 18:58)
Basically, the founder has been arrested for cybercrime charges, and it may or may not be encrypted, depending on how in-depth you want to look at it.
[Marc] (18:58 - 19:06)
And then the Digital Services Act, it's been used against Meta. That's being used against Telegram today.
[Darren] (19:06 - 19:14)
I'm not sure if that's being used against Telegram. It's been used against Meta. So there is a precedent for it to be used against Telegram.
[Marc] (19:14 - 19:18)
All right. And then does Telegram do its own cryptography?
[Darren] (19:19 - 19:21)
It does, and it probably shouldn't.
[Marc] (19:21 - 19:25)
And is WhatsApp more secure than Telegram today?
[Darren] (19:25 - 19:28)
It pains me to say, but I have to say probably.
[Marc] (19:28 - 19:34)
And what do you think is the most secure chat protocol that we have available generally for use?
[Darren] (19:34 - 19:37)
Signal. Signal should be used everywhere by everyone.
[Marc] (19:37 - 19:57)
And I'll repeat the three reasons that Darren is recommending Signal for secure communication. It's truly open source. It's owned by a nonprofit that is not trying to sell the metadata, and it is fully encrypted into it.
There you have it. Thank you, Darren. I learned a lot today.
[Darren] (19:57 - 20:00)
Thanks, Marc. It's always fun to talk about these things with you.
[Marc] (20:00 - 20:19)
It sure is. Hey, we'll see you next time in the DevOps sauna. Goodbye, Darren.
Bye. We'll now tell you a little bit about who we are. Hi, I'm Marc Dillon, lead consultant and EFICODE in the advisory and coaching team.
And I specialize in enterprise transformations.
[Darren] (20:19 - 20:26)
Hey, I'm Darren Richardson, security architect at EFICODE, and I work to ensure the security of our managed services offerings.
[Marc] (20:27 - 20:33)
If you like what you hear, please like, rate, and subscribe on your favorite podcast platform. It means the world to us.