Telegram leaks username in TLS header

twitter.com

45 points by ifqwz 3 years ago · 5 comments

BeefWellington 3 years ago

~~It's a false alarm from the thread.~~ See below.

The link they're opening is a Telegram vanity link that looks like:

    https://username.t.me

This then forwards to:

    https://t.me/username

This isn't Telegram, this is how TLS works.

Edit: Though, it's worth pointing out if this is how the official Telegram app works, and it loads this from your account and other users, it will leak not just your account but the other users you're browsing too. Not quite a false alarm if that's what the default app does, but other users are failing to reproduce in thread (I also don't see it).

  • Lockal 3 years ago

    So indeed, instead of using ESNI, Telegram is trying to hide yet another spy channel by using an insecure addition to the TLS protocol.

  • WilTimSon 3 years ago

    > if this is how the official Telegram app works

    Doesn’t look like it. Both Telegram Android and desktop are resolving the username links (in any format) using in-app logic for me.

rany_ 3 years ago

Telegram's response: https://twitter.com/telegram/status/1580564448011784194

stjohnswarts 3 years ago

Is this for Russian FSB monitoring? The post is very very low information. Who doesn't post how they got to seeing the leak in Wireshark? Even Twitter has enough characters for that.
