Looks like #Telegram leaks usernames in #TLS SNI:
https://nitter.it/fo0_/status/1580146963579740160
?♀️
TLS SNI is sent in *clear text*, because it is a mechanism that informs the server hosting multiple websites on a single IP address which TLS certificate to present to the client.
Putting username in SNI makes it *trivial* for anyone listening on the wire to track who and when is communicating with Telegram servers. Add some timing analysis and one can reason about who is talking to whom.
Metadata kills.