
Crowdsourcing a More Secure Future - techquery
http://telegram.org/blog/crowdsourcing-a-more-secure-future
======
oskarth
_The developer who found the potential weakness has earned a reward of
$100,000. We have contacted him to find out how he would like to collect his
prize._

This is great news. Contrast this with other security contests where finding
out-of-scope security flaws weren't rewarded.

People in this thread: _Good for Telegram_ , _seems arbitrary_ ,
_disingenuous_ , _just for publicity_.

Short of them being in a conspiracy with the researchers, I can't imagine how
this is not good news for everyone. Cool it with the hate, people.

~~~
sillysaurus2
_Cool it with the hate, people._

There's no hate for Telegram here. There's concern for people's safety.
[https://news.ycombinator.com/item?id=6949842](https://news.ycombinator.com/item?id=6949842)

~~~
oskarth
I don't think you actually read the article.

 _This article_ is good news, precisely because they show how willing they are
to improve their service.

EDIT: Of course it's good PR. So what? That's how Google, Apple and most other
big companies operate. They don't have to be altruistic to work and create
value for people.

~~~
reginaldjcooper
> precisely because they show how willing they are to improve their service.

Multiple people that know what they are doing have remarked that the system
Telegram has created is a bad idea and it would be much better to use any
established protocol. They have also pointed out multiple places where
Telegram is committing obvious cryptographic blunders in their protocol.

Telegram decided to pay out $100k under contest rules that are weaker than
known plaintext attacks. If they wanted to actually improve their security
they would switch to a more secure protocol that doesn't require a server to
actively participate in the conversation. I guess if they want to hemorrhage
money via the hubris that is their crypto contest they should just keep on as
they are.

~~~
sudhirj
> They have also pointed out multiple places where Telegram is committing
> obvious cryptographic blunders in their protocol.

They have pointed out multiple places where Telegram MAY BE committing
blunders, namely their internal server - server communication MIGHT be
susceptible to MITM attacks. It's not the same thing.

~~~
pfraze
It is, though. If the protocol relies on servers to be good actors, then
servers are a weak point. People aren't willing to let that by because,
besides just good security standards, servers are being targeted by
government spying.

------
mikegioia
Good for Telegram. I haven't downloaded and installed their App yet, but I
applaud their effort at putting out a secure chat app that everyone can use.

I've been using TextSecure for a while (as everyone on HN ruthlessly suggests)
but guess how many encrypted texts I've sent? 0. That's because they have no
iOS app and very few Android users.

There are two problems when it comes to creating a good, secure messaging app:
strong, proven security and popularity! Hopefully Telegram either solves both
or forces TextSecure to solve the latter.

~~~
sillysaurus2
_I applaud their effort at putting out a secure chat app that everyone can
use._

They aren't making a reasonable effort to put out a secure chat app. If they
were, then they would use some of that $200k to hire a company like Matasano
to fly out and audit their architecture for flaws. Matasano probably would've
caught this bug, because it was a pretty basic mistake.

~~~
paveldurov
Not sure hiring a US security firm is a safer approach than crowdsourcing
using the power of the global community.

After all, Matasano's tptacek obviously did spend some of his time inspecting
and criticizing Telegram this week. However, he overlooked the 100K
vulnerability that was later discovered by a Russian guy who considers himself
a newbie in cryptography.

The other reason that makes me somewhat reluctant to spend money on hiring
Matasano is the recent RSA-gate (and the strange role of tptacek in it).

~~~
bhitov
I understand that you care about Telegram and want to defend it when it is
attacked, but comments like this are inappropriate and will damage Telegram's
reputation.

It is unfair to imply incompetence on tptacek's part given only that he spent
some finite amount of time looking at your protocol and did not find the nonce
vulnerability. It is also unfair to say that he didn't find any
vulnerabilities despite the potential for a 100k reward as the potential for
such a reward (outside of your specific contest) had not been stated clearly.

If you do in fact have evidence that tptacek was involved in RSA's deal with
the NSA, you should state your accusations explicitly and provide that
evidence. If you do not, I think the accusation is inappropriate and certainly
counterproductive.

That said, I very much appreciate the resources you are donating to open
source crypto software. It is undeniable that the potential for a 100k reward
will send a lot of eyes to your source code. I would encourage you to also
consider hiring a security firm (US based or otherwise) and to consider how
your comments will affect public perception of Telegram.

------
abus
This is actually really generous considering it didn't meet the terms of the
contest.

They have a long way to go before anyone here trusts them but perhaps we could
be more positive and constructive?

~~~
sillysaurus2
_perhaps we could be more positive and constructive?_

You find DanBC's comment interesting. It explains why there's been a general
tone of negativity towards Telegram's security product.
[https://news.ycombinator.com/item?id=6949842](https://news.ycombinator.com/item?id=6949842)

------
nly
Given the complexity of this bug in cryptography terms, this was an
astonishingly easy earner.

Insanely complex software bugs go for less.

------
jes
I question whether Telegram is actually delighted with how this unfolded. I
also think it's disingenuous to call the discovered issue a potential
vulnerability. Either it is a vulnerability or it is not.

------
infinity0
money is cheap, show me the code.

even if people are being unfair with these criticisms, what telegram _should_
focus on is to make their designs more secure, and ignore all this
publicity. if they truly believe in the "importance of keeping the [system]
open", then they should understand that all this publicity (good or bad) is
insignificant - especially as they say they have rich guys backing them, so
they're not relying on public opinion influencing investors.

it's very easy to make statements like "Together we can make Telegram
unbreakable"; harder to turn this into a reality. the current round of
attention is a red herring, both for Telegram and for us commenters. let's
give them a year and see what it's like after that.

------
m_mueller
This latest news has convinced me that Telegram currently has the highest
potential to be the right IM tool at my current workplace. I have one question
that doesn't seem to be covered anywhere (FAQ, Google): What about Offline
messages? I'd like to be able to send encrypted messages even when people are
offline - on smartphones it could make use of push notifications, on the
Desktop it would just wait until the client goes online again. Skype doesn't
work reliably for this scenario, as in both clients (for the sender even the
same client on the same device) need to be online for the message to be sent.
The last implementation that worked reliably seemed to be MSN, which is dead
now. How does Telegram behave?

~~~
makomk
Why? They just announced that one of the main advertised features of their IM
software - the secret chat functionality - was so badly broken that it was
worse than not having it at all. It provided absolutely no protection against
them eavesdropping on their users, yet those users were chatting under the
illusion that they were secure against such eavesdropping. Worse, it seems
like the Telegram developers consider this to be a theoretical problem rather
than an actual compromise because you can trust them not to spy on you.

~~~
m_mueller
That's interesting, I didn't interpret the news this way. I haven't seen
secret chat functionality mentioned anywhere yet - I was assuming that secret
chat shouldn't be affected by these nonce messages since the secret key
shouldn't touch their servers according to their documentation. Do you have
any source on this?

~~~
makomk
The linked blogpost actually says that the attack is against secure chat and
explains what it does, it just underplays how serious it is.

Basically, when setting up a secret chat the two parties use something called
a Diffie-Hellman key exchange to agree on a secret encryption key without
eavesdroppers being able to tell what the key is. However, the parties can't
tell whether they've securely agreed on a key with the right person - the
Telegram server could do a man-in-the-middle attack by doing the other side of
the DH key exchange with each party itself so that it knows all the keys, and
then decrypt, log, and re-encrypt all the messages between them. The fairly
standard solution Telegram uses is to allow both parties to manually check
that they agreed on the same keys - with normal Diffie-Hellman, this is enough
to ensure no-one has MITMed the connection. Unfortunately, their protocol is
modified from normal DH in a way that makes this check useless. The server can
launch a MITM attack that causes both parties to agree on the same key, so
they think they've securely agreed on a key that no-one else has when the
server's got a copy too and is decrypting all their messages.

~~~
m_mueller
Seems like I had potatoes on my eyes. Your explanation made the whole thing
quite a bit clearer to me than the original post, thanks for that. I think
it's good that this weakness is now in the open - this will create some
pressure on Telegram to solve it since, as I understand, it compromises one of
the main features of their service. Their way of handling the fix will decide
whether they should be taken seriously I think.

------
josephlord
This is still in the FAQ:

 _Q: How secure is Telegram?

Very secure. We are based on the MTProto protocol (see description and
advanced FAQ), built by our own specialists, employing time-tested algorithms,
to make security compatible with high speed delivery and reliability. At this
moment, the biggest security threat to your Telegram messages is your mother
reading over your shoulder. We took care of the rest._

While Telegram may be on the way to a secure future it is not there yet and
the FAQ needs to be less certain before I can applaud them.

Edit: Actually I think the FAQ has been toned down a bit but I think some
acknowledgement of how new the protocol is and the risks associated with that
should be mentioned.

------
s1kx
While it is very generous, I doubt they would give a sum like that if it
wasn't for the publicity. I'm sure news like this can help their image quite a
lot in their target audience (security-aware computer people).

~~~
h0cked
I actually have a theory that this is all a scam... the person who found the
bug is actually the authors (or a friend) of the Telegram protocol. They
published the security issue and reward themselves so that 1) they don't have
to pay anyone else; 2) they get good publicity by doing this; 3) shut others
up up front as this is really a very easy bug to figure out (a few others
hinted the possibility as the key exchange is unauthenticated DH, which is
bound to flaws like this)

------
sifarat
Bravo Son! You have earned respect for this deed. Appreciated.

On a side note, I am still not sure if I will ever use this app. This is
primarily because I act on the internet in the same fashion as I do in real
life. I won't do anything online, what I can't do in real life. Hence I don't
and perhaps would never need an app like this.

As for sending someone 'secret' message, I always whisper that in the ears.
It's an old fashioned trick but has proven to be most secured.

~~~
im3w1l
If someone takes a photo in the street, and you are in the photo, then you
will probably not mind. But if someone follows you around everyday and takes
thousands of photos, then that is slightly creepy.

For me it is the same with my chat messages. If someone reads one or two, I
don't mind: they aren't very sensitive. But I don't like it if someone can
find everything I've ever written.

~~~
sifarat
It's not about being creepy, it's about having enough time on hands and why. I
would be interested to find someone, who values taking 1000s picture of mine
than his time spent making money for himself. In the case of celebrities for
instance, they have almost their entire life public, and i don't think it had
harmed them any way, unless, they committed something illegal and it was made
known.

People over the internet, are little too much over-sensitive. I am not
implying 'Privacy' has no value, but we have taken this issue bit too far over
the 'internet'.

A prime example of so-called 'anonymity' over the internet is 4chan, you
pretty much know what sort of site that is.

I am not implying it's an illegal website, but frankly, anonymity mostly leads
to creepy, drugs (silkroad), and everything else considered wrong and bad,
than something good which is pretty rare. Snowden is an exception, but again,
he committed a crime for a good cause. Most people however commit a crime for
every possible wrong reasons.

------
growse
Seems a little.... arbitrary....?

Don't people who run bug bounties publish their reward structure beforehand?

~~~
jonknee
Yes, they did. This was not the goal of the bounty, but was still a serious
issue. They couldn't give away the prize for the contest and instead decided
on a still quite generous $100,000.

[http://telegram.org/crypto_contest](http://telegram.org/crypto_contest)

~~~
sillysaurus2
_This was not the goal of the bounty, but was still a serious issue._

To be clear, this bug was enough to compromise the security of every Telegram
secret chat session. I can't think of a more serious issue.

~~~
makomk
Yeah. In essence, it made their nominally end-to-end encrypted secret chat
feature no more secure than simply giving the Telegram server operators a
plaintext copy of every message you sent and trusting them not to log, read or
tamper with it.

Worse, it's the kind of flaw you'd expect someone subtly sabotaging the
protocol to create. It's a small, superficially plausible modification that
turns an apparently secure scheme into something completely broken. Yet if
they'd made that modification in the obvious way - by combining the nonce and
Diffie-Hellman result with a secure hash function - it wouldn't have caused
the problem; for the vulnerability to exist the nonce has to be handled in a
very particular way.
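
The difference makomk describes in the two comments above (the MITM that survives the manual key check, and the hash-based combination that would not), as an added example that is not part of the original thread or Telegram's code. It assumes the modification was an XOR of a server-supplied nonce into the Diffie-Hellman result (the thread does not name the operation); the group parameters and function names are constructed for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed; far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def combine_xor(shared, nonce):
    # Assumed flawed construction: nonce XORed straight into the DH result.
    return shared ^ nonce

def combine_hash(shared, nonce):
    # makomk's "obvious way": bind both values with a secure hash.
    data = shared.to_bytes(16, "big") + nonce.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def fingerprint(key):
    # What the two users compare out of band.
    return hashlib.sha256(key.to_bytes(32, "big")).hexdigest()[:16]

def interposed_session(combine):
    """Model a server that answers each party's DH exchange itself and
    picks both nonces. Returns (alice_fp, bob_fp, server_has_alice_key)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    s_priv, s_pub = keypair()
    # Each user unknowingly completes DH with the server's public value.
    alice_shared = pow(s_pub, a_priv, P)
    bob_shared = pow(s_pub, b_priv, P)
    # The server derives the same two values from its side.
    srv_alice = pow(a_pub, s_priv, P)
    srv_bob = pow(b_pub, s_priv, P)
    # With XOR, the nonce can cancel the difference between the two results.
    nonce_a = secrets.randbits(127)
    nonce_b = nonce_a ^ srv_alice ^ srv_bob
    alice_key = combine(alice_shared, nonce_a)
    bob_key = combine(bob_shared, nonce_b)
    return (fingerprint(alice_key), fingerprint(bob_key),
            combine(srv_alice, nonce_a) == alice_key)

def fingerprint_check_detects(combine):
    """True if comparing fingerprints exposes the interposed server."""
    alice_fp, bob_fp, _ = interposed_session(combine)
    return alice_fp != bob_fp

if __name__ == "__main__":
    print("xor combiner, check detects MITM: ", fingerprint_check_detects(combine_xor))
    print("hash combiner, check detects MITM:", fingerprint_check_detects(combine_hash))
```

With the hash combiner the server still holds a key with each side, but the two fingerprints differ, so the manual comparison does its job.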

------
pearjuice
What I don't understand is: where do they get the money from if their
intention is to be "free forever"? Are they funded by a non-profit incubator?
Why is it that a "new" app spends relatively much money on white-hat hacking
bonuses? What do they get out of this other than a deemed secure application?

~~~
h0cked
The same reason as why Google provides Gmail for free, 1) to get a huge user
base (fame = money, in today's internet world); 2) get a hold of user data

------
jsumrall
I thought a lot of people pointed out ways to attack the security protocol if
they had physical server access.

~~~
lelf
With this bug _people who run server_ have access to your entire chat.

(Of course they won't formulate it that way in the post)

------
rb2k_
Slightly off-topic, but here it goes:

I always get a bit annoyed when apps use the phone number as the primary
identifier.

As somebody that just moved to another country, I now end up with a situation
where I can either decide to lose my German whatsapp friends or not being
discovered by my American whatsapp friends.

I would love to see the ability to get some sort of ID number and then being
able to register more than 1 phone number with it.

~~~
vitoreiji
I read somewhere that moxie is planning that feature for TextSecure.

------
csomar
_Q: How are you going to make money out of this?

We believe in fast and secure messaging that is also 100% free. Therefore
Telegram is not a commercial project. It is not intended to sell ads, bring
revenue or accept outside investment.

If Telegram runs out of money, we'll invite our users to donate or add
non-essential paid options._

Yeah, but where does their money come from?

~~~
chrislloyd
Pavel Durov[1]. Net worth $260MM[2].

[1] [http://telegram.org/faq#q-who-are-the-people-behind-telegram](http://telegram.org/faq#q-who-are-the-people-behind-telegram)
[2] [http://en.wikipedia.org/wiki/Pavel_Durov](http://en.wikipedia.org/wiki/Pavel_Durov)

------
deepuj
If Telegram is a non-commercial project, who is funding this bounty?

~~~
jzwinck
For the original "$200K" bounty, it was stated that it would be paid out in
bitcoin. So it's quite possible that the person or organization funding the
bounty simply has some old bitcoin laying around, and it cost them next to
nothing to get it initially, and it might even be difficult for them to
exchange for their preferred fiat currency today. So don't think of it as
"Somebody just spent $100K," think of it as "A bitcoin speculator just traded
some coins that were not worth much two years ago for something that is pretty
darn valuable today."

~~~
alphakappa
Telegram is backed by Pavel Durov who offered the $200k in non-bitcoin
currency too in a previous thread here.

------
kolev
There are a lot of haters of Telegram on HN and I think one of the reasons is
that they are a Russian company or the fact that a Russian developer found the
flaw first. :) But wasn't Pavel Durov the one who offered Edward Snowden a job
back then? There are many "secure messaging" apps out there, but they all suck
in terms of UX. Telegram looks nice and will only get better. Also, they have
an API since day one. Show some respect!

------
lttlrck
Maybe they should give him a job too.

------
blahbl4hblahtoo
Wow...Telegram. The only thing you will ever get from engaging the "public" on
forums like HN is heartache. You will never get them to like you...they just
aren't that into you.

Contact people that are actually in the crypto community and go the normal
route. Once their betters tell them to love you there is actually nothing that
you could do to make them stop.

~~~
rimantas
So who are we supposed to listen to more than cperciva, tptacek, moxie?

~~~
nhangen
How about you become smart enough to form your own opinions?

