ESET warns Telegram is unsafe for sensitive communication, citing lack of default end-to-end encryption
Cybersecurity firm ESET has released a new study concluding that Telegram is not a secure messaging platform, largely because end-to-end encryption is not enabled by default.
According to the report, only Telegram’s secret chats offer true end-to-end encryption, while all other communication—private chats, group messages, and public channels—remains accessible to Telegram’s servers.
ESET explains that standard Telegram conversations use client-server encryption, meaning messages are encrypted on a user’s device but then decrypted on Telegram’s servers before being stored in the cloud. The system is based on Telegram’s proprietary MTProto 2.0 protocol, which uses AES-256 encryption and SHA-256 hashing, but places the decryption keys in Telegram’s possession.
“Telegram servers can access the contents of your cloud chats if necessary,” the report states. “Since Telegram holds the decryption keys for your cloud chats, they can access or share your messages with law enforcement.”
ESET emphasizes that this architecture, combined with real-world cases, makes Telegram particularly risky for users living under authoritarian governments. The researchers highlight incidents in which Russian activists and opposition figures had their Telegram activity examined during interrogations and used as evidence in criminal proceedings.
“Telegram should never be considered safe for high-risk users,” the study warns. “Whether through device compromise, legal pressure, or exploitation of Telegram’s architecture, the bottom line is the same: if your freedom or physical safety depends on privacy, Telegram—even in secret chat mode—is a risky choice.”
ESET recommends using Telegram only for public-channel monitoring or low-risk everyday communication, and urges activists, journalists, and whistleblowers to avoid relying on the platform for sensitive messages.
Explore more:
Comments:
comments powered by Disqus
