top | item 41376712

(no title)

jiiam | 1 year ago

Just to be clear, are you saying that his claim

> Telegram uses the MTProto 2.0 Cloud algorithm for non-secret chats[1][2].

> In fact, it uses a split-key encryption system and the servers are all stored in multiple jurisdictions. So even Telegram employees can't decrypt the chats, because you'd need to compromise all the servers at the same time.

is false? If so can you cite a source? (The claim is just a summary of the FAQ https://www.telegram.org/faq#q-do-you-process-data-requests)

discuss

mr_mitm|1 year ago

Yes. An employee can impersonate a user by registering a device in their name and intercepting the confirmation code and then read all non secret chats and private groups of that user.

At least one employee must have the ability to intercept the code.

(Unless the user has 2fa enabled, but that is not the default configuration.)

There are probably easier ways if we knew more about how the administrate their infrastructure.

jiiam|1 year ago

Maybe? When you login from a new device you're asked to provide an OTP so maybe there is at least that layer of protection and, hopefully, requires some circumvention at the application code level.

However I think the real question is: even if that's possible, can law enforcement compel Durov or an employee to do so?