Russia is Banning Telegram

Russia has banned the secure messaging app Telegram. It's making an absolute mess of the ban -- blocking 16 million IP addresses, many belonging to the Amazon and Google clouds -- and it's not even clear that it's working. But, more importantly, I'm not convinced Telegram is secure in the first place.

Such a weird story. If you want secure messaging, use Signal. If you're concerned that having Signal on your phone will itself arouse suspicion, use WhatsApp.

Posted on April 23, 2018 at 2:15 PM • 31 Comments

Comments

Bumper Crop • April 23, 2018 2:23 PM

Reverse psychology. The best way to make some people want something is to tell them they shouldn't have it.

Vlad • April 23, 2018 3:07 PM

This article is several days out of date. There are now 18 million banned IP addresses according to the real-time updates on https://usher2.club, including, as of me writing this, 118 IP addresses of google.com (the Google Search itself), and about ~40 addresses of each of docs.google.com, play.google.com, drive.google.com, etc. Some IP addresses of YouTube are banned, too. Subnet bans of Hetzner, DigitalOcean, Microsoft, and many smaller companies are also old news.

The Cat Man Returns • April 23, 2018 3:25 PM

They came for Megaupload and we said nothing.
They came for Silk Road and we said nothing.
They came for AlphaBay and we said nothing.
They came for Backpage and we said nothing.

Now Russia goes after Telegram and the story is "weird"? I can't possibly see how. It is one more instance of Russia playing catch up with the West.

Fred P • April 23, 2018 3:27 PM

Stanislav Shakirov (technical director of roskomsvoboda.org) appears to think that it may be a test case:

"According to Shakirov, Russian authorities could be using the blocking of Telegram as a test before they go on to other much bigger internet companies.

"Our government wants the Chinese model in which all Western services are replaced by local, sovereign ones. They've started with Telegram, which is popular but not so powerful service," he said."

source:
https://www.aljazeera.com/news/2018/04/internet-civil-war-erupted-russia-180423124936679.html

(required) • April 23, 2018 3:46 PM

"They came for Megaupload and we said nothing." - Illegal file sharing / copyright concerns

"They came for Silk Road and we said nothing." - Illicit drug / crime market w/ mgmt blessing

"They came for AlphaBay and we said nothing." - Another illicit darknet market, ditto

"They came for Backpage and we said nothing." - Illicit sex act marketing w/ mgmt blessing


Sure, those are kind of controversial I guess in different ways, some more than others obviously.
Of those Megaupload is probably the more controversial enforcement action, IMO.

But you really can't see any difference between these four and Signal, a secure messaging app?

Or the rationale in going after them?

The Cat Man Returns • April 23, 2018 5:15 PM

@(required)

What AlphaBay, Megaupload, Silk Road, and Backpage are guilty of is the crime of lèse-majesté against the gangsters that rule the USA. Signal's time will come. It may not be today, it may not be next year, but it too will be found sooner or later to be "harboring terrorists" or some other appeal to the Four Horsemen of the Info Apocalypse. Lavabit is the precedent. The question isn't IF, it is WHEN.

"But you really can't see any difference between these four and Signal, a secure messaging app?"

Nope, I cannot. In that way I am exactly like Putin's Russia who can see no difference between Telegram and any ordinary e-mail or chat program that the State secret services should have unfettered access to. Neither of us will be blinded by technological irrelevancies like encryption. The difference between Putin (or the FBI for that matter) and myself is that I am willing to tolerate a zone of lawlessness in which a minority can hide in order to enhance freedom and creativity of the majority and he is not. Our difference is a difference in social philosophy, not a difference in understanding power and control. I don't dispute that power of Russia to shut down Telegram no more than I dispute the power of the FBI to shut down Backpage. I simply think it is bad public policy to do so.

Thoth • April 23, 2018 5:49 PM

@all

Signal as secure?

I would differ from that view.

Hmmm... I thought the expectations for secure communications would be higher but it seems storing cryptographic keys in an insecure smartphone is considered any more secure than the protocol itself.

Regardless of the security of the cryptographic protocol and as our host, @Bruce Schneier has repeatedly mentioned, people don't break crypto protocols and ciphers anymore as they are difficult. People attack the endpoints as they are a softer target and people are more gullible to be tricked into installing malware on their own accord without all too much effort.

ALL civilian communications are technically insecure unless you want to go through the trouble of setting up your own TFC setup by @maqp and take the trouble to get all endpoints secured via TFCs then you are a step closer to secure comms.

And even if you use TFC, you are no more secure unless you can obfuscate your communication via some SSL/TLS tunneling to make it look more ordinary and if possible use it in a broadcast manner so that tracing is much harder otherwise forget about "secure comms". Harsh but it's the truth on how hard it is to maintain a secure and hard to trace comms for civilians especially for those people who are targeted by state actors and well funded corporations and individuals.

TOR will not be of much use due to its architectural flaws that @Clive Robinson has pointed out and for the TOR fanbois, please search the site on why we think TOR is flawed and good luck using it :) .

Same problem, just repeating the same answers that @Clive Robinson, myself and many others have iterated again and again for a long time.

Impossibly Stupid • April 23, 2018 6:34 PM

> It's making an absolute mess of the ban -- blocking 16 million IP addresses, many belonging to the Amazon and Google clouds

From a security perspective, I'm not sure that's the wrong choice. Cloud services mix "good" and "bad" traffic. When I'm on the receiving end of abuse, Amazon and Google (and other cloud providers) don't seem to give a damn about the fact that they allow all their other customers to act as a human shield for that abuse. This is just chickens coming home to roost. Not that Russia is in the right here, just that undifferentiated traffic from large hosting providers is going to be increasingly unwelcome in all corners of the Internet. Hell, I myself block complete IP ranges of RU providers for the same reason.

(required) • April 23, 2018 8:26 PM

" Hell, I myself block complete IP ranges of RU providers for the same reason. "

Exactly, there should be nothing wrong with that. If you have zero business with Russia, Malaysia, Austria, why a need to have direct IP contact enabled by default for everyone in the world?
Most won't miss it in their lives nor the thousands of extra random trusted certs in their browsers.
If needed, let them click accept! That was the point of certificates, wasn't it?

(required) • April 23, 2018 11:51 PM

"I don't dispute that power of Russia to shut down Telegram no more than I dispute the power of the FBI to shut down Backpage."

Well I'd say two things - there was an ongoing crime specifically facilitated by backpage as its evolved raison d'etre in final form, advertising actual sex work. Similarly the Silk Road was an illicit marketplace exclusively and not a Disney chat room being abused by a subset of individuals, it was deliberate facility.

So that's kind of a far cry from a communications platform that actually is being abused by only a very small group of individuals, in as much as the company has refused to give information on all other individuals to help target that few. When the FBI secures a warrant that's key to them getting access. When Russia has the as-demanded private keys, it no longer requires even any legal pageantry for them to get access, and that access is not limited to a legal warrant subject's data, it's everything, everywhere.

They're really very different considerations both legally in terms of process and in scope.
Also, the FBI tends not to target reporters for being thrown off buildings. It's subtle.


65535 • April 24, 2018 12:17 AM

Place your bets.

Was Russia’s banning of Telegram an endorsement for the crypt'd chat app?

Yes

No

lattenwald • April 24, 2018 12:23 AM

I am Russian, as probably are some commenters here, but didntreadlol.

So, Telegram ban here in Russia works in a strange way: nothing works but Telegram. My heart rate app doesn't work (syncs history with some cloud probably), WhatsApp is crippled (doesn't back up or restore history to/from Google Drive), video calls in Viber not working. Site where one could pay road fines didn't work for some time, tickets to Kremlin museum weren't sold for almost a day, cash registers in Diksi — one of the largest grocery store networks in Russia — didn't work for almost a day, Decathlon site doesn't work, giphy, ticktick, — my day routine is broken if not for VPN. I did never think I would need VPN. I mean, sometimes I do need to be more anonymous than other times, but now I actually need it. I didn't turn VPN off on my phone since Friday, I think.

The only thing that works that I use daily, without VPN or proxies, is Telegram. And I don't feel it's some marketing trick, though it could be. I like to think it's David beating Goliaph. If that's the case, either Goliaph will feel so embarrassed it would stop, or it will destroy everything we, more or less free Russian people, used to, and turn Russia into China. If not for infamous incompetence and corruption, I would bet for it, but they would mess up, so there's still hope my hole to the free internet will work as long as I need it.

Winter • April 24, 2018 4:24 AM

"If not for infamous incompetence and corruption, I would bet for it, but they would mess up, so there's still hope my hole to the free internet will work as long as I need it."

This could be the best prediction. Russia might want to build a Great Fire Wall of Russia. But it is unclear whether they are actually capable of doing so.

Ratio • April 24, 2018 7:00 AM

@lattenwald, Голиа́ф is Goliath in English. (Greek Γολιάθ → Голиа́ѳ → Голиа́ф?)

Impossibly Stupid • April 24, 2018 8:37 AM

@lattenwald

> So, Telegram ban here in Russia works in a strange way: nothing works but Telegram.

Honestly, from a security standpoint, that supports Putin's protectionist agenda. If services of Russian organizations are failing because non-Russian IP ranges are blacklisted, it says a lot about the flow of their/your information around the Internet. If blocking Google or Amazon puts you out of business, then we know who really owns your business.

> The only thing that works that I use daily, without VPN or proxies, is Telegram.

For now. Unless the blacklisting stops, more IPs will keep getting swallowed up until Telegram no longer works, too. That actually puts Russia in a very good place, because they'd no longer be routing so much internal information through foreign networks.

So, again, I don't think specifically going after Telegram this way is the right approach, but from a security perspective, it makes a hell of a lot of sense to not be shuffling data around the globe unnecessarily. The Internet is a nice thing to have, but that doesn't mean treating it like a "cloud" was ever a wise thing to do.

TheInformedOne • April 24, 2018 11:08 AM

The real story here is whether privacy should be treated like a "human rights" issue. Currently, crypto is freely available and makes it expensive for governments to violate your privacy (using your tax dollars) so they try to fight it the only way they can, legislatively. In the future, when AES and Elliptic Curve are solved in seconds by quantum computing, we had better have a new breed of quantum-resistant crypto ready to go or the world will be a very different place. The scary thing I see is that currently this new crypto is not being developed by freedom-loving internet pioneers (like in the past) but by greedy corporations who are (or will be) in bed with the "Big Data(mining)" industry. Honestly, GDPR aside, I don't think privacy has a long-term chance as long as the sheeple are in the majority.

a_user • April 24, 2018 7:07 PM

> If you're concerned that having Signal on your phone will itself arouse suspicion, use WhatsApp

Sorry, but I prefer Telegram. If the evil guys want to spy on me, there's nothing I can do other than not using a smartphone at all.

WhatsApp's UX is a pain in the ass compared to Telegram (at least the Android version), and has terrible bugs and hilarious error messages (i.e. I deny access to camera, and the app says "please reboot your phone"). It makes me feel like there are no good developers behind.

And when it comes to privacy, I can't really understand that WhatsApp shows your phone number to all the people in a group, or that you cannot communicate with other ID than your phone number (with Telegram, you can use a nickname).
Today I discovered that WhatsApp's joining groups links ARE NOT single-use. Does it make any sense at all?

Regards.

mtve • April 25, 2018 9:32 AM

@Impossibly Stupid

> If blocking Google or Amazon puts you out of business, then we know who really owns your business.

You're not serious, are you? What do you imply, KGB/FSB should own those businesses?

> That actually puts Russia in a very good place, because they'd no longer be routing so much internal information through foreign networks.

No, thanks. Sorry, I can't find any polite words for you, please take this bullsh*t away. This is not how Internet should work, and states should not dictate to ISPs which network is foreign and which is class loyal.

Who? • April 25, 2018 12:25 PM

I cannot understand the events at all.

Telegram is a Russian corporation, why not just take control over the Telegram servers? I just do not understand all this theater about blocking IP ranges at all [except if the goal is not blocking Telegram itself but taking control over the entire Internet in the country, of course].

LtWorf • April 26, 2018 8:28 AM

Telegram has an open source client for desktop and mobile, that people are free to verify.

And they are very clear that the encryption off by default is because it would cause synchronisation to other devices to not work.

Signal blocks 3rd party clients, so while they are "open source", they really aren't. And same goes for WhatsApp. So it boils down to "trust Facebook and Signal".

Impossibly Stupid • April 26, 2018 10:40 AM

@mtve

> What do you imply, KGB/FSB should own those businesses?

I'm not implying anything, just stating that an external dependency is a risk for the security of any organization. It's not about who "should" own your business, but about who does own it. Yes, a government (or agency thereof) can act to shut down a business, even indirectly as in this case. A competent architect would have specifically designed their "cloud" solution to prevent services from going offline due to these Telegram blocks.

> This is not how Internet should work, and states should not dictate to ISPs which network is foreign and which is class loyal.

Again with the "should"? Face reality as it presents itself, not some wild utopian fantasy. The fact is that all governments have laws regarding which foreign states you can and can't do business with, and laws regarding how the data belonging to their citizens can and can't be used. Like I said, I'm not a fan of what Russia is doing in that regard here, but you've done nothing to support the practice of a Russian company doing business with Russian citizens deciding it must move that data half way around the globe to a non-Russian company's servers. Stop with the "dictate" and "loyal" straw men; the real issue is just poorly staffed IT departments.

A Dre • April 27, 2018 8:25 AM

> Telegram is a Russian corporation, why not just take control over the Telegram servers? I just do not understand all this theater about blocking IP ranges at all

Telegram is not a Russian corporation, it is run by Telegram Messenger LLP, registered in the United Kingdom.

Its founder Pavel Durov has left Russia and bought citizenship in St Kitts after being forced out of his company VKontakte (the Facebook of the Russian-speaking world) for refusing to give in to Russia's demands on them.

So it's a company registered in Britain, having staff in different parts of the world, led by a man who's in bad standing with Putin and who has left Russia specifically to avoid their influence. I trust them way more than I trust a company like Facebook or Google, who both have a history of complying with the unethical demands of intelligence agencies and who have a lot more to lose by resisting.

Hmm... • April 27, 2018 8:34 PM

So Russia is banning Telegram?

Telegram. Think of the word itself, not the company, that is, a message sent by telegraph. We're on the trail of something here, because that would be http://www.cid.army.mil/ at Russell Knox Building, 27130 Telegraph Road, Quantico, Virginia 22134-2253. Some of Chelsea Manning's problems, among others, such as Russia's offering "asylum" to Eric Snowden, and the ongoing problems with the procurement and outfitting of Air Force One.

The Russians have been doing that a lot. They use a subtle play on words, which would seem at first glance to require extraordinary time and effort to arrange in such a startling coincidence.

Intrepid ICecake • May 1, 2018 9:21 AM

> I trust them way more than I trust a company like Facebook or Google

Don't.

There are a lot of strange and suspicious things as well.

You may start with this: https://medium.com/@anton.rozenberg/pavel-durov-sued-senior-tech-lead-for-1-7-b24961dec503

Continue here: http://www.webcitation.org/6Bs5Y8Y5I

What smells bad:

In 2005, Pavel completed his training at the Faculty of Military Studies of St. Petersburg State University with a specialization in Propaganda and Psychological Warfare. While training with the Faculty of Military Studies, he served as Platoon Commander of the Philology Department. Upon completion, he was awarded the title of Lieutenant of the Reserve Force.

There are some other things, but they are in Russian.
