Most people in my social circle use Telegram, mainly because they think it’s the most secure messaging platform out there. I’m sure the network effect has something to do with its popularity too, and if that’s the case then this article might not be for you. However, if you are using Telegram because it’s secure, you should keep reading.

When I mention to my friends or family that Telegram might not be as secure as they think I’m frequently countered with:

“But I’ve heard that it’s so advanced that ISIS uses it.” — Paraphrasing my sister.

First, let’s address the ISIS thing. It might be true that ISIS uses a particular technology — in this case, Telegram — but that isn’t necessarily a good testament to its security. Not because ISIS is evil, but because there is nothing about ISIS that makes them experts in cryptography.
Sometimes we assume that people in compromising situations or critical positions are good trendsetters for information security. But let me give you an example; Hillary R. Clinton ran the most expensive campaign in human history while being backed and supported by the most influential and cutting-edge technology companies in the world. Some of these companies are pioneers in security. Meanwhile, her campaign, as well as DNC, still managed to fail at protecting themselves… and in various amusing ways. As such, perhaps we shouldn’t be looking to ISIS for examples of security best practices.

I’m not going to get into the details of who runs Telegram and why you should or should not trust them. This is primarily because it has been well documented, and secondly, it implies a level of personal trust, which shouldn’t matter as much as some people may want you to think. After all, a general principle in information security is “Trust no one”.

To be clear, I’m by no means an expert in cyphers or cryptography. But, I know enough to spot rhetoric and fallacies.

Cryptography and encryption at their core aren’t about faith, jurisdictions or laws. It all comes down to math. Very complicated, borderline-magic-math, but still math. And just like when you were in school, you have to show your work or you don’t get any marks. Pavel Durov (founder of Telegram) can say “Telegram is secure” and the press can blindly quote him until they are both blue in the face, but until he shows his work all we have is his word.

The biggest red-flag with Telegram isn’t that they don’t show their work; that we have no idea what encryption algorithm they use; whether or not it’s secure; or whether it has any backdoors. The red flag is the fact that they decided to invent their own in-house encryption algorithm. Anyone in the industry knows (I hope) and will tell you that developing your own encryption isn’t just a bad idea — it’s an irresponsible and dangerous one.

So what should you be using? This might come as a surprise, but the answer is either Signal, WhatsApp or even Facebook Messenger. Why? Because of all the reasons you shouldn’t be using Telegram as far as security is concerned. They are all based on an open source protocol called “Signal Protocol” by Open Whisper Systems. The protocol is built on top of industry-standard crypto algorithms which have been battle tested for years or even decades, and peer reviewed by some of the smartest people in the world.

Use anything by Open Whisper Systems. — Edward Snowden.

Telegram’s security is a dubious suggestion. Signal Protocol’s security is as good as we can get in 2017.