Telegram Traffic Can Now Be Disguised as HTTPS Protocol

Thanks to recent updates, Telegram traffic can now be disguised as HTTPS (TLS + HTTP/2.0). To enable this, an “ee” secret prefix was added to the client code. In addition to base16 (hex), the secret in the proxy server address can now also be encoded in base64.

Currently, Telegram uses its own protocol called MTProto, which was introduced about a year ago along with an official proxy. MTProto does not have service headers that would allow it to be easily identified. However, it is still possible to detect the use of the protocol—and thus the messenger itself—by analyzing packet lengths. When a connection is established between the client and the proxy server, packets of a certain length are exchanged, and during operation, packets of the same length are transmitted. This allowed providers to identify Telegram traffic by the length of packets sent via MTProto.

To address this issue and better disguise the protocol, the messenger’s developers added a random byte to each packet. However, this step affected compatibility, so the developers introduced a “dd” prefix in the secret.

Since using MTProto continued to reveal Telegram traffic (which is why it is successfully blocked in Iran and China using replay attacks), the developers decided to implement the ability to disguise it as other protocols. Specifically, an additional encapsulation layer was added on top of TCP, so now the data is “wrapped” in TLS records. TLS handshake emulation was also implemented.
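The prefixes and encodings described above can be told apart mechanically, which helps when auditing which transport mode a given proxy link will use. The following Python is an added example, not Telegram's client code; it assumes a 16-byte key, that an “ee” secret may carry a hostname after the key, and that base64 secrets may use the URL-safe alphabet without padding.

```python
import base64
import binascii
import string

# Prefix bytes named in the article. The 16-byte key length and the
# hostname suffix after an "ee" key are assumptions of this example.
KEY_LEN = 16
MODES = {0xDD: "padded (dd)", 0xEE: "fake-TLS (ee)"}


def decode_secret(text: str) -> bytes:
    """Decode a proxy secret given as base16 (hex) or base64."""
    text = text.strip()
    # Heuristic: an even-length, all-hex string is treated as base16 first.
    if len(text) % 2 == 0 and all(c in string.hexdigits for c in text):
        return bytes.fromhex(text)
    # Accept standard and URL-safe alphabets, with or without padding.
    padded = text.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is neither hex nor base64") from exc


def classify_secret(text: str) -> dict:
    """Return the transport mode implied by the secret's first byte."""
    raw = decode_secret(text)
    if len(raw) == KEY_LEN:
        return {"mode": "plain", "key": raw.hex(), "host": None}
    if len(raw) < KEY_LEN + 1 or raw[0] not in MODES:
        raise ValueError("unrecognised secret layout")
    key, rest = raw[1:1 + KEY_LEN], raw[1 + KEY_LEN:]
    if raw[0] == 0xDD and rest:
        raise ValueError("dd secret has trailing bytes")
    host = rest.decode("ascii") if raw[0] == 0xEE and rest else None
    return {"mode": MODES[raw[0]], "key": key.hex(), "host": host}


if __name__ == "__main__":
    # Constructed sample secrets (not real proxies).
    key = bytes(range(16))
    ee = base64.urlsafe_b64encode(b"\xee" + key + b"example.com")
    for s in (key.hex(), "dd" + key.hex(), ee.decode().rstrip("=")):
        print(s, "->", classify_secret(s))
```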
