Telegram – HTTP over HTTPS


When we think about instant messaging, we think about WhatsApp and Telegram. Today I want to write about Telegram, an application that gained popularity after the PRISM project became known and after WhatsApp was unavailable on the 24th of February 2014, and in particular I want to write about a behavior that I don't really understand very well. It is said that Telegram is highly secure and that this is the reason why ISIS uses Telegram, because they can send secret messages without any tracking, but we are going to see that not everything is encrypted.
Telegram uses MTProto, or Mobile Transport Protocol, which was released in 2013 by Digital Fortress and is different from the XMPP protocol. MTProto uses the SHA-1 algorithm to encrypt secret messages and XOR-128 for digital signatures. In addition, the Diffie-Hellman protocol is used to obtain session keys. However, what is weird to me is how the Telegram mobile apps send POST requests in plaintext over the HTTPS port to Telegram servers, where we can also see which API is used by the user. Is this useful for an attacker? Maybe yes.
In fact, I realised this while looking at and analysing an alarm in the Ariolo Probe, which detected a network anomaly because there was HTTP traffic over the HTTPS port. On deeper analysis, we can see that the destination IP belongs to the Telegram company, and that POST requests are sent in plaintext to Telegram servers through the HTTPS (tcp/443) port. What is this?

Ariolo Probe Alarms

Alarm HTTP over HTTPS
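
The alarm condition described above (an HTTP request where a TLS record is expected on tcp/443) can be checked with a small payload classifier. This is an added example, not the Ariolo Probe's logic or code from the original post; the function names and the sample payloads (a documentation-range host and a placeholder path) are constructed for illustration.

```python
import re

# First line of an HTTP/1.x request: METHOD SP target SP HTTP/1.0|1.1 CRLF
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT) (\S+) HTTP/1\.[01]\r\n"
)
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data


def looks_like_tls(payload: bytes) -> bool:
    """True if payload starts with a plausible 5-byte TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (ctype in TLS_CONTENT_TYPES and major == 0x03
            and minor <= 0x04 and 0 < length <= 16384 + 2048)


def classify_443_payload(payload: bytes) -> dict:
    """Classify the first client payload of a flow to tcp/443."""
    match = HTTP_REQUEST.match(payload)
    if match:
        # Only the header block is inspected; the body may be binary.
        head = payload.split(b"\r\n\r\n", 1)[0]
        host = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", head)
        return {
            "verdict": "plaintext-http",
            "method": match.group(1).decode(),
            "target": match.group(2).decode("latin-1"),
            "host": host.group(1).decode("latin-1").strip() if host else None,
        }
    if looks_like_tls(payload):
        return {"verdict": "tls"}
    return {"verdict": "unknown"}


# Constructed sample payloads (not taken from the capture discussed here).
SAMPLE_HTTP = (b"POST /example HTTP/1.1\r\nHost: 192.0.2.10:443\r\n"
               b"Content-Length: 4\r\n\r\n\x00\x01\x02\x03")
SAMPLE_TLS = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
SAMPLE_OTHER = b"\xef\x12\x34\x56\x78\x9a"

if __name__ == "__main__":
    for name, data in [("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS),
                       ("other", SAMPLE_OTHER)]:
        print(name, classify_443_payload(data))
```

The `plaintext-http` verdict also returns the method, request target and Host header, which are the fields an analyst can read directly off the wire in this situation.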

Next, I downloaded the Wireshark pcap to analyse this behavior thoroughly, and we can even see the API identifier that the user is using. Is this information useful?

Analysis with Wireshark

According to Telegram, this kind of connection is made to send messages:

POST from Telegram
 
I don't know if this is the normal behavior, but I don't think so. Meanwhile, we can use other instant messaging applications to protect our communications, like Signal Private Messenger or Cryptocat.
Regards, my friends, and remember: drop a line with the first thing you're thinking.
