Do the Secret Chats of Telegram really support Perfect Forward Secrecy?

In the Telegram API it is stated that Telegram supports Perfect Forward Secrecy in their “secret chats”. It is also stated that

official Telegram clients will initiate re-keying once a key has been used to decrypt and encrypt more than 100 messages, or has been in use for more than one week, provided the key has been used to encrypt at least one message.

So my question is, in this case, if a session key gets compromised, is it possible for an attacker to read 100 messages (or possibly more)? If yes, can we still say that perfect forward secrecy is satisfied here?




Is Signal still more secure when compared to WhatsApp and Telegram?

I have recently been reading several articles about Signal and (supposedly) how secure it is next to other well-known apps like WhatsApp and Telegram, both of which are claimed to be less private due to both using external servers. I saw here that Signal apparently uses the same protocols as WhatsApp, which does not fill me with confidence due to its use in WhatsApp, and only blurs the picture more for me.

Is Signal still more secure compared to WhatsApp?

EDIT: It has been highlighted to me that there is a very similar question about WhatsApp and Signal from 2016, but it has not been updated since 2016, so unless the information in that answer is still accurate (which I’m not sure is the case) I’m going to keep my question open.

How is Telegram encryption proprietary, yet their client is open-source?

It is often noted (for example in this question and answer) that one of the major flaws of the Telegram messenger is that it uses ‘proprietary’ encryption instead of a peer-reviewed and open-source one. At the same time, the source code of the app is open-source.

How is it possible that the encryption algorithm is ‘proprietary’ (i.e. closed-source and cannot be reviewed) and yet the open-source client is somehow able to decrypt received messages? To explain what I mean (assuming an end-to-end encrypted secret chat): a message sent from device A to device B, in order to be end-to-end encrypted, must not leave device A before it is encrypted and must not be decrypted until it reaches device B (at least that is my current understanding). If so, the encryption/decryption algorithm must be contained in the client itself, so how could such an encryption algorithm be considered ‘proprietary’? What am I missing here?

Can Google and Apple read the body of Telegram notifications?

When using e2e encryption (secret chats), the answer is obviously no (I hope), but I am talking about NOT e2e-encrypted messages, the ones stored in the cloud.

I am of course aware that the messages are travelling on SSL encrypted connections, but is the body of the messages encrypted in any way when they reach Google/Firebase Cloud Messaging, APN and other 3rd party push notification services?

In other words, if I send a message to Bob over a NON-secret chat, can Google, Apple, etc. read the body of the message I sent to him when it passes through their push notifications servers or is it encrypted?