
Telegram protocol defeated. Authors are going to modify crypto-algorithm - xytop
http://translate.google.com/translate?hl=en&sl=ru&u=http://habrahabr.ru/post/206900/
======
pjscott
There's a lesson here. I genuinely don't mean to sound smug, but -- remember
how confident the Telegram guys were? Remember how sure they were that their
protocol would be able to resist the eavesdropping efforts of the NSA and
whatever other nefarious interlopers may come along? Remember how they said
they'd been working on it for years, and presumably expected for it to last
many more years?

Remember how that was, like, five days ago?

~~~
onedev
Never forget.

RIP Telegram (2013-2013).

This whole thing has been interesting to follow because it seems this same
thing happens every time someone makes macho crypto claims. From seeing how
confident the Telegram team was to reading all the detractors who were so
ready to criticize. It's an interesting dynamic in the crypto community.

~~~
yatsyk
Hate tone discussion makes me sad.

Telegram is a very young project and it has bugs for sure. Some guy found a
potential issue in the protocol and the developers committed to fixing it soon.
There is no information that any messages were revealed due to this bug, but
Telegram should go away and the developers should do something else.

Whatsapp is less secure than Telegram but I have not seen "Whatsapp RIP"
messages. It is not so hard to save videos in Snapchat, but no one proposes to
close the application. About a year ago a YAML vulnerability was found, but no
one proposed that dhh stop development and focus on a race driver career.

I think that we need more competition for TextSecure.

The terms of the bug bounty are very hard to satisfy even with a bad protocol,
but Durov seems to have decided to play it safe with such an amount of money.
The guy that found the problem in MTProto doesn't win the money according to the
conditions of the bug bounty, because the message is not decrypted.

Disclaimer: I don’t have any affiliation with telegram besides living in the
same city as telegram developers.

~~~
sillysaurus2
You must not have followed Telegram much. From the beginning they've done
nothing but pretend their protocol is absolutely secure ("military-grade
encryption", "world's most secure protocol", etc) and rejected any attempt
from the crypto community to help them fix problems before they endanger
people.

So, let's put it this way: Was it ok of them to lie through their teeth to
users? If so, then that's a sad state of marketing. If not, then what are you
proposing here?

~~~
yatsyk
I'm not a security expert, but I believe that:

\- military-grade encryption – true

\- world's most secure protocol – I'd consider this statement false; I
don't know what they mean by "most secure" and what protocols were considered.
Maybe the messengers available in the app store; better to ask them.

Why do you think that they “rejected any attempt from the crypto community to
help them”, especially after bug bounty proposition?

Why do you think that they lie more than TextSecure advocates? Each of these
messengers is safe against passive listening, but insecure to a similar degree
if the user downloads them from the app store and runs them on hardware and
software that could be easily patched. Current implementation of telegram api is prone to
MiM attack but I would not consider TextSecure completely safe app and that
every other app should be thrown out.

~~~
sillysaurus2
_Why do you think that they “rejected any attempt from the crypto community to
help them”, especially after bug bounty proposition?_

I've written about this pretty extensively:
[https://www.hnsearch.com/search#request/all&q=by%3Asillysaur...](https://www.hnsearch.com/search#request/all&q=by%3Asillysaurus2+textsecure)

It's an interesting contrast in cultures that you phrase it like "Why do you
think Telegram lies more than TextSecure advocates?" .... As far as I'm aware,
TextSecure advocates haven't lied at all. TextSecure's interest is in
security, whereas Telegram's interest seems to be in money and power.

 _Current implementation of telegram api is prone to MiM attack but I would
not consider TextSecure completely safe app_

I just don't know what to say to this. Telegram has been proven insecure,
TextSecure hasn't. Telegram isn't designed by cryptographers, TextSecure is.
There is absolutely every reason to assume Telegram is broken.

 _Each of these messengers is safe to passive listening._

This is mistaken because Telegram has been proven vulnerable to MITM attacks.
Even after they patch this latest security problem, it would be very unwise to
trust them.

~~~
yatsyk
I've not found any attempts to help them apart from this bug report.

>TextSecure's interest is in security, whereas Telegram's interest seems to be
in money and power

I can't read minds or even their messenger logs, so I can't comment on what
their interest is, but I'd be interested to know why you think so.

> TextSecure completely safe app

Just wrong. How could you call something "completely safe" or bug free?

> Each of these messengers is safe to passive listening

> This is mistaken because Telegram has been proven vulnerable to MITM attacks

How is Telegram prone to passive listening?

~~~
sillysaurus2
Telegram seems to be interested in money and power because they've turned down
offers from Moxie (the creator of TextSecure and a well-known cryptographer)
to join forces. There's no reason to do that unless they were interested in
money or power more than security.

I didn't say TextSecure is completely safe. I said Telegram has been
demonstrated to be broken.

Telegram is prone to passive listening because their design doesn't prevent
it. There's nothing stopping someone from MITM'ing every Telegram secret chat
when it's first initiated. It's in the design.

Their contest means nothing, because due to the way the contest is designed,
it's impossible to MITM or to use other side-channel attacks like timing attacks.
These are the real attack vectors, yet the format of the contest prevents
anyone from employing them.

~~~
yatsyk
> I didn't say TextSecure is completely safe.

Yes you did. "TextSecure completely safe app" was copied from your message
before you or someone else edited it. I've not typed it but copied exact
phrase from your message.

~~~
sillysaurus2
You copied it from your own message, not mine.
[http://i.imgur.com/pxMVDwA.png](http://i.imgur.com/pxMVDwA.png)

~~~
garethadams
The best part was when he copied it from your quoting of his message, but
removed the "not" that came before it

------
xytop
In short: Telegram in secret chats ([http://core.telegram.org/api/end-to-end](http://core.telegram.org/api/end-to-end))
was using a modified version of the Diffie-Hellman algorithm: key = (pow(g_b, a)
mod dh_prime) xor nonce (original: key = pow(g_b, a) mod dh_prime). That custom
'nonce' comes from the server, and in theory the server can send a specially
formed nonce which will lead to known client keys (a "bookmark"). It means that
the server, as a MITM, can read any chats it needs to on request. The authors of
Telegram agreed that it is a big hole and their algorithm needs modification.
The user who found the issue will get a prize (not $200,000, but good enough).

~~~
Jemaclus
Why not the 200K? Was it outside the parameters of the contest or something?

~~~
hdevalence
Yes. The contest is not about actually exposing flaws in their cryptosystem,
which is why the rules are rigged up in a way that would allow even a terribly
insecure protocol (like Telegram's, or Moxie's counter-challenge protocol) to
pass as "secure".

~~~
h0cked
Telegram's contest itself is meaningless regarding the security of its
protocol (as others explained in detail). Finding bugs such as this deserves
the 200k more than anything else.

~~~
ballard
Offering the contest was shady and stupid enough. Not paying just proves
they're chiselers that never intended to pay in the first place. This wins the
runner-up award for second most botched PR disaster ever. The consolation
prize is a lump of coal.

~~~
danabramov
They're paying $100 000.

[https://vk.com/wall-52630202_7858](https://vk.com/wall-52630202_7858)

~~~
ballard
It's too late to matter. But good for him that they're only half crooked.

------
OoTheNigerian
This is my first comment on the Telegram brouhaha.

Sometimes, I get embarrassed by what I experience here on HN. The gang up, the
unnecessary pride.

To those saying RIP, Telegram will succeed. Without using it (I use a
Blackberry), it looks to be top two of the chat apps when you combine
usability/security. I will download it once I get an Android phone in January.

I will not wish failure on anyone that is confident in his product. Of course
they could have shown more humility, but in the face of "take downs" on all
sides, especially the ones sponsored or initiated by the
WhisperSystems/TextSecure chaps, I do not see why they should have bowed down to
be crushed.

Considering the type of responses given by Pavel Durov, I am almost certain he
would have been much more humble if his attackers toned it down a notch.

To the person that found a flaw, kudos to you on doing something and not
spending all your time doing take downs of telegram on HN threads and blogs.

Pavel, I am hopeful that you will reward the chap even though the discovery
was not within the "guidelines". It is all about the spirit of the
competition.

As for the TextSecure/WhisperSystems guys, stop being like the politicians we
hate who campaign by slinging mud on opponents instead of selling their stuff.
Focus on selling the TextSecure app and not on looking to take out anyone who
has a different approach.

PS: I have no relationship with either party. I am a neutral observer that has
his own opinions.

~~~
DanBC
> To those saying RIP, Telegram will succeed. Without using it (I use a
> Blackberry), it looks to be top two of the chat apps when you combine
> usability/security. I will download it once I get an Android phone in
> January.

But it is not secure! That's the entire point.

Never mind "not secure against a well funded government agency", it's not
secure against other attackers.

There are lots of usable chat apps that do not give you the illusion of
security.

> and not looking to takeout anyone who has a different approach.

You seem to be mistaken about _why_ they do this. It's nothing to do with
pushing their app or their approach. They'd welcome good well-formed apps to
compete with them. But when they see an app that claims to be secure they have
an ethical duty to let people know if it is obviously not secure.

Most people are not bashing just for the sake of bashing. Some people need
good cryptography software to avoid imprisonment, or torture, or state-
killing. This isn't about stopping someone's teen-angsty poetry from being
discovered by a sibling, it's about protecting political dissidents from an
oppressive regime. In that context pointing out that a software is broken is
not mindless bashing, it is a crucial part of the cryptography process.

(I'll accept that a few people are missing the mark with their criticisms.)

Pointing out flawed crypto software is part of a long tradition going back
many years. It's part of the culture. Most cryptographers will start by
analysing other software and finding flaws before implementing their own
software.

~~~
OoTheNigerian
_Most people are not bashing just for the sake of bashing. Some people need
good cryptography software to avoid imprisonment, or torture, or state-
killing. This isn't about stopping someone's teen-angsty poetry from being
discovered by a sibling, it's about protecting political dissidents from an
oppressive regime. In that context pointing out that a software is broken is
not mindless bashing, it is a crucial part of the cryptography process._

I like your commentary; it is level-headed and explains the position of the
non-biased "other side".

I think the conflicted position of the lead bashers did not help their
position. It would have been much more useful for a neutral party to do a
comparative analysis and stated the pros and cons of each side.

As for me and most _normal users_, the security we need is not from NSA-type
snooping but from mid-level risks. There may be some sacrifices that may
have to be made. Just like the position Ubuntu plays where Linux distros are
concerned.

For people like Snowden, Greenwald and others with NSA level adversaries, I do
not expect them to rely on any third party application at all.

Now your argument may be that they have created stuff for sexting teens and
claimed to be good enough for Snowden. In that case, I would argue that it
could have been pointed out that in a different and perhaps more polite way.

I would worry about anyone who has created any crypto tool who is not over
confident in his product. I will also expect the person to be receptive to
constructive feedback NOT "leave your product and join us" or "This is shit
because no noted crypto person is on your team"

I remember when cperciva, who built Tarsnap, an online "backup for paranoid
users", launched; he was rather confident in his product and I did not see any
intense bashing of him. As expected, there have been bugs in his system and he
has fixed them as they have arisen.

We should help things grow right here on HN not hope for things to fail if
they do not support the view of the crowd.

~~~
6d0debc071
> As for me and most normal users, the security we need is not from NSA type
> of snooping but from mid level risks.

Most users, disregarding the government for the moment, don't need encryption
full stop. They don't send anything commercially sensitive that an attacker's
going to be interested enough in to try to intercept their messages.

The use of encryption _presupposes_ a motivated threat, and it's not clear to
me that the NSA is significantly more powerful than other adversaries in that
area. They've more computing power, more political power, they can buy zero
day exploits. They probably even have some very smart people, who can find
flaws faster than the attackers in civ-space. But speed isn't required, only
persistence; motivation, interest. Which is, after all, what we're supposing
in the first place if someone's going to go to the trouble of intercepting
your messages.

It's not clear to me that unless your goal is _'make something that the NSA
can't break into'_, you're going to make something that a well motivated
attacker can't break into either. And this stuff only has to be broken _once_,
then they'll just sell or share the attack. The conflict is asymmetrical.

Your argument seems to be posited on the idea that there will be no attacker;
no-one anywhere, ever; sufficiently motivated to breach the protocol. And I
find that highly questionable, given that a flaw has already been found - and
with far lower levels of incentive than will be present if the system is
widely deployed and used to protect valuable information.

~~~
tomp
> Most users, disregarding the government for the moment, don't need
> encryption full stop.

You've no idea what you're talking about. Please stop spreading such bullshit
around; other people might fall for it!

Firesheep is an app that allows you to hijack the account of _any_ user on the
same Wi-Fi network as you are, if the network is not encrypted, and the user
used a non-encrypted connection to the website. Facebook, Google, Twitter and
Flickr were all susceptible to such attacks before the advent of this tool;
afterwards, they fixed it by using https by default.

Do you want random strangers to have full access to your Facebook account? No?
Then you should realize that most people _do_ need encryption _full stop_.

Also, only very powerful attackers can hack https encryption (they need either
access to your laptop (hardware access, or a zero-day exploit), or access to
the website (e.g. court warrant, or coercing a certificate authority)).

~~~
6d0debc071
We were having a discussion about Telegram and similar uses of encryption, a
discussion where I specifically responded to a remark on the strength required
of Telegram-style encryption. I would hope that _most_ people are capable of
interpreting the context of a remark - especially embedded in paragraphs that
expand on it. Rather than _'fall[ing] for it!'_

-sigh-

Beyond that I'm not going to engage with you any further, on this or any other
point. You strike me as a bully, restrained where you are simply by the
absence of an excuse rather than the presence of decency. As such, I've no
interest in associating with you.

~~~
tomp
Yeah, I probably overreacted.

------
droopybuns
Excruciating evidence that supports Moxie's position.

Vuln rewards should exist for two purposes:

1) An act of good faith on the part of the developer that says "I am interested
in securing my product and I won't prosecute direct disclosure"

2) The Dev knows exploitable vuln discovery has value, but cannot compete with
black market pricing. Instead, the reward is a token of appreciation for a
shared code of ethics.

I wish bug bounties could compete with the budgets of nation states. They
can't.

Companies shouldn't pretend to compete. Shame on telegram for stupidly false
promises.

~~~
danabramov
I have no idea what you are trying to say here.

The guy is rewarded half the bounty:
[https://vk.com/wall-52630202_7858](https://vk.com/wall-52630202_7858)

~~~
droopybuns
Vuln reward programs that payout at this level are broken.

1) They don't achieve their objective of securing a product. Moxie eloquently
captured why here: [http://thoughtcrime.org/blog/telegram-crypto-
challenge/](http://thoughtcrime.org/blog/telegram-crypto-challenge/)

2) At this level of payout, they are inefficient and unsustainable. There were
less expensive ways to discover implementation flaws, and certainly more
direct ways to discover design flaws. Was the lesson they just learned really
worth $100 grand from some random dude on the Internet? Seems to me you could
find more problems per dollar by directly engaging with some of the top class
security consultancies out there.

So to summarize, Telegram's reward was an extremely inefficient stunt that did
not achieve its likely real objective. I imagine the team is licking its
wounds right now and regretting their approach. We'll be able to tell by
whether or not they continue their offer under the same rules and same budget.

I expect this to continue for another couple of rounds because random security
people on the Internet will be smelling blood right now.

------
solyanyk
The Telegram guys chose to view it as a proof of inherent superiority of
humble Russian programmers over NSA-backed American haters (I wish I was
kidding!). Here is what Pavel Durov had to say on the matter (translated from
his public post on vk.com
[http://vk.com/wall-52630202_7858](http://vk.com/wall-52630202_7858)):

> This story makes me once again admire Russian programmers. For a whole week
> esteemed American cryptographers on HackerNews were picking on the protocol
> fruitlessly - mostly demanding to replace our own solution with algorithms
> from NSA-backed Suite B [sic!]. And yet a Russian programmer, who calls
> himself "a novice", could immediately recognize the weak spot in the secret
> chats, in the context of an article on Habrahabr.ru.

Edit: To make it clear, that is not the whole post, just the first paragraph
relevant to my point

~~~
ge0rg
Not sure if the VK post was edited later on, but you are missing the other
important statements by Pavel:

* There was no data leak, the vulnerability is fixed, there is no danger.

* It was a good idea to open the source and protocol for review.

* The finder of the vulnerability deserved a reward of $100k, and comparable
rewards will be made for further attacks of similar grade.

~~~
solyanyk
I didn't mean to present his whole post. It was the first statement that I had
issue with. I amended my comment to make it clear.

------
paveldurov
I'm excited by the insight and modesty of this guy. I will see to it that he
gets a mighty prize.

It's great to see how open software can leverage the power of the community to
find weak spots and become stronger.

~~~
josephlord
It is good to see that you recognise modesty as a virtue.

May I suggest that you guys take a leaf out of his book and rewrite the
security claims in your FAQ to reflect the fact that the protocol is new and
at this point there are likely to be some bugs but that you are working hard
to make it secure.

~~~
danabramov
This, a thousand times.

Somebody finally expressed this thought politely.

------
rdtsc
Well nice knowing you Telegram. I don't see a good way for them to recover
from this. First the bogus contest that Moxie debunked. Now this. The best
option is to close shop, open a new company, new names and do something else.

~~~
sillysaurus2
The best part is that the debunker wrote this in Russian. The language barrier
has probably been responsible for them getting so many users. So now everyone
is very clear that Telegram is snakeoil.

~~~
danabramov
_> The language barrier has probably been responsible for them getting so many
users._

What do you mean?

------
hcarvalhoalves
Demoralized twice, first for finding a flaw, second for not giving the prize.

~~~
genwin
Why give the prize for not doing what was needed to win the prize, namely
reveal the message?

~~~
shawabawa3
As others have already said, the prize was essentially meaningless because the
terms were so narrow.

If the spirit of the prize was "if you break our crypto you win", this guy
should win it. If the spirit of the prize was "we don't want to give away
200k, but we want to pretend we're secure", he shouldn't.

~~~
genwin
I don't get it. If it's not secure why can't the message be revealed? What's
the value of breaking someone's crypto if you are still unable to see the data
unencrypted? Was the recipe for decryption given, with the actual decryption
being much harder (terms so narrow, as you say)?

~~~
alanh
genwin, I’ve invented a secure system. If you can tell me what this message
says, you win $200k:

    jo

You don’t know what the message says, because it’s so short. You will never
win the prize.

But my system was not so secure. My cipher system was this: Take a message and
type it on a US Qwerty keyboard, but shift every letter over one place. So
`hi` became `jo`. Not very strong. It would easily be cracked with a message
consisting of an actual sentence or two.

Now, with Telegram, it wasn't just the length of the message involved, but
additional information; still, the conditions are so narrow that it doesn't
apply to the real world. Just like I'd never simply send you a message that
said "hi", Telegram would be used in ways beyond one simple back-and-forth
exchange, so the contest artificially limits the information available to a
cracker. Make sense?

See also: The BEAST attack or the general class of side channel attacks.

~~~
gohrt
FWIW, "hi" was my first guess when I saw "jo". $200k, please. :-)

------
gohrt
Why is Telegram on HN so much? Are they part of the YC fraternity? Why do we
pay so much attention to crypto hucksters?

It hasn't been so long since the last snake oil peddlers had their roasting --
I forget the name, it was some cutesy web-browser "secure" chat thing.

It's cool to report debunkings, but if it weren't for HN, I (and most others?)
never would have even seen these products in the first place.

~~~
DanBC
HN is (rightly) interested in easy to use secure software.

So when something easy to use claims to be secure HN waits for some of the
well known cryptographers here to kick the tires.

In this case many people kicked the tires and pointed out some weird obvious
flaws. People hoped that Telegram would listen, and seek help and advice, and
continue to make a great product.

Telegram's actions made the situation worse, and created a pile-on.

Telegram made a few mistakes.

1) Smart people without crypto experience designed crypto software, but
without getting involvement from cryptographers.

2) They released this product as finished, secure, ready to use.

3) They dismissed concerns.

4) To try to quash those concerns they created a rigged challenge with a high
value prize. This is a well known red flag for cryptography software, and it's
surprising they weren't aware of it, but as soon as people saw that the pile
on accelerated.

------
jokoon
No one should trust a service that advertises itself as being safe from
governments' ears. Pure and simple.

First, there's a risk the NSA is actually the one initiating those services.

Secondly, in cryptography, it's very hard if not impossible to effectively
prove your messages are not read by someone else. Cryptography experts do not
tend to work for people's interests. And if some do, the NSA has too many
resources to just defeat those who try to not be listened to.

I understand the intention is noble, but if you release such a safe tool, the
NSA will view it as a terrorist threat, because that's the job they have been
given, and they will end up listening anyways.

I can't understand the paranoia about all this. If you're really afraid the
NSA might use information against you, it's because you made political
enemies, in this case, why use digital means of communication at all ?

I really tend to think it's being cool to use those cryptographic features,
rather than anything else, and that's worrying.

------
Trufa
As a side note, I didn't notice it was google translate until half way through
the article. It's getting really good.

Is Russian an "easy" language to translate to English?

~~~
mynameishere
I had to struggle to read it. I mean:

 _After logout, one of the key interlocutors for chat will regenerate, and to
check that I have the same key as the source, I can only look in his eyes
phone._

...did it translate "iPhone" to "eyes phone"? I'm not sure. If that _isn't_
what happened, then something far more horrible must have.

~~~
11001
The original:

 _После логаута одного из собеседников ключ для чата будет перегенерирован, а
проверить то, что я имею тот же ключ что и собеседник я могу только посмотрев
в его телефон глазами._

My (human) translation:

 _After one of the participants logs out, the key for the chat will be
re-generated, but in order to check that I have the same key as them, I would
need to see their phone with my own eyes._

This sentence has a particularly non-English word order, plus some missed
punctuation. I can see how it would be a hard case for machine translation.

------
11001
Here are some of their comments:

 __ibeatle__

 _Большое спасибо, автор поста полностью прав. Со своей стороны хотим
пояснить, что сделано это было из лучших побуждений: исправление плохого
рандома на клиентах. С настоящего момента в nonce всегда будет приходить ноль,
и в следующем слое мы обязательно удалим это поле из схемы и поясним в
документации. Автор топика безусловно заслужил награды, просьба обратиться
хабраюзера x7mz на email support@telegram.org для уточнения деталей._

Translation:

Thanks very much, the author is absolutely correct. Just wanted to explain
that the intentions were good: to correct bad "random" on the client side.

From this point on the nonce will always be set to 0, and next we will
definitely remove it from our diagram and explain it in the docs.

The author definitely deserves a prize, please enquire at the following email
for details.

 __W_K__

 _Товарищ прав — похоже, сервер в принципе может с помощью манипуляции с nonce
выполнить MiTM на DH между клиентами. Не знаю, кто именно внедрил этот nonce в
такой форме, хотя и знаю, какое предъявлялось обоснование — он был нужен для
того, чтобы защититься от слабого рандома на клиентах, которых в принципе
может писать кто угодно. Очевидно, нужно сделать этот nonce нулём и написать,
что клиенты впредь не должны принимать секретные чаты с ненулевым nonce.

Удивительно, что человек, называющий себя «чайником» в криптографии, нашёл
действительно серьёзный недостаток протокола, в отличие от многих якобы
«профессионалов», постоянно придирающихся не по существу.

Не знаю как насчёт 200k$ — расшифровать трафик это не поможет, а сервер не
знает ключа от секретного чата, поскольку на нём нет такой закладки. Но мне
очень не нравится, что в будущем такая закладка могла бы быть в принципе кем-
нибудь добавлена.

Тем не менее, считаю, за это ценное наблюдение Вам положен ценный приз. Пусть
и не такой большой. Если Вы или кто-либо ещё найдёт какие-либо ещё
потенциальные дыры в протоколе — сообщайте, будем награждать._

Translation:

He is correct; it looks like the server can manipulate the nonce and succeed at
a MITM on the DH between the clients. Not sure whose idea it was to introduce
that nonce in this form, but I do understand the motivation: to protect against
"weak random" on the clients, which can in theory be written by anyone.
Obviously, we need to make nonce=0 and refuse secret chats with a non-zero nonce.

It is quite amazing that the man who calls himself "a crypto noob" found a
real vulnerability, as opposed to all those so-called professionals whose
criticisms were largely unfounded.

Not sure about the $200k since this vulnerability won't really help to
decipher the traffic and the server doesn't know the key from the secret chat,
because it doesn't have any "bookmark". But I really don't like that in the
future such a bookmark could be added.

However, I think this is a valuable observation and you do deserve a prize,
even if not such a big one. If you, or anyone else, finds other potential
vulnerabilities, please let us know; we will be rewarding them.

~~~
d0mine
A small correction: use "irrelevant" instead of "unfounded" to translate "не
по существу".

"unfounded" is closer to "не обосновано".

It is an English-speaking forum; put the English text first.

~~~
11001
I agree, "irrelevant" would be a better choice.

------
dewiz
So this was supposed to be secure/robust/mature/trustworthy ? Not impressed,
still too many companies around pretending it's sooo easy to make something
better, how hard can it be ?

------
morj
There is another "tab" for MITM (at least in the Android client; there are no
clues about it in the documentation):

Even in the corrected version of Diffie-Hellman (with the nonce removed) the
server can slip clients a number which is zero modulo p as g_a or g_b (since
the documentation talks about a 2048-bit sequence, it can be either 0 or p
itself). Then both clients will see the same identicon ("visualization key"),
because it will be a presentation of SHA1 applied to zero.

However, judging by the further manipulation of the "shared secret" key (because
MTProto doesn't use the Diffie-Hellman method of multiplying by g^ab^-1 or any
multiplication by the shared key whatsoever), the multiplication by zero will
not happen with client messages and they will successfully flow through the
"bare" AES (and therefore users will think that everything is fine and will
proceed to transmitting sensitive data in this mode).

P. S.: Correct me if I missed something. This might be a corner case, but,
nevertheless, it formally does not differ much from the one with the server XOR
salt (at least, it needs fixes in the client and the doc too). Or am I making a
mistake somewhere? P. P. S.: The original version of this comment in Russian:
[http://habrahabr.ru/post/206900/#comment_7128970](http://habrahabr.ru/post/206900/#comment_7128970)
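
The key agreement as xytop summarizes it earlier in the thread (key = (g_b^a mod p) XOR nonce, with the nonce supplied by the server) and the zero-share variant morj raises in the comment just above, modelled as an added example. This is constructed illustration code, not Telegram's code and not the Habrahabr author's: it uses a toy 127-bit prime and generator 3 instead of the real 2048-bit group, a SHA-1 stand-in for the "visualization key", and it assumes the server can hand each client its nonce at the moment that client derives the key. The `strict` client applies the two checks the thread converges on: refuse a non-zero nonce, and refuse a peer share of 0, 1, p-1 or p.

```python
# Added illustration, not Telegram's code. Toy model of the secret-chat key agreement
# described in the thread: key = (g_b^a mod p) XOR nonce, nonce supplied by the server.
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime M127: a toy parameter, NOT a production 2048-bit safe prime
G = 3            # toy generator (assumption; the thread does not fix g)
KEY_BYTES = (P.bit_length() + 7) // 8


def fingerprint(key: int) -> str:
    """Stand-in for the 'visualization key' users compare out of band.
    Assumption: SHA-1 over the big-endian key bytes; only equality matters here."""
    return hashlib.sha1(key.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def derive_key(peer_share: int, priv: int, nonce: int, *, strict: bool = False) -> int:
    """Client-side derivation exactly as the thread states it: (peer_share^priv mod p) XOR nonce.
    strict=True adds the two checks the thread converges on: the server-supplied nonce must be
    zero, and the peer's share must lie strictly between 1 and p-1 (rejects 0, 1, p-1 and p)."""
    if strict:
        if nonce != 0:
            raise ValueError("server-supplied nonce must be zero")
        if not 1 < peer_share < P - 1:
            raise ValueError("trivial Diffie-Hellman share")
    return pow(peer_share, priv, P) ^ nonce


def new_client() -> tuple[int, int]:
    """Fresh (private exponent, public share) pair."""
    priv = secrets.randbelow(P - 3) + 2   # 2 .. p-2
    return priv, pow(G, priv, P)


def honest_exchange() -> tuple[int, int]:
    """No attacker: both sides derive g^(ab) and the fingerprints match."""
    a, g_a = new_client()
    b, g_b = new_client()
    return derive_key(g_b, a, 0, strict=True), derive_key(g_a, b, 0, strict=True)


def nonce_mitm(strict: bool = False) -> tuple[int, int, int]:
    """Server in the middle using the nonce. It swaps its own share g^s in for each peer's,
    so it knows each client's raw value g^(as) or g^(bs), and sends each client the nonce
    that XORs that raw value onto one key K of its choosing. Assumption (see lead-in): the
    nonce reaches the client before that client derives its key.
    Returns (K, alice_key, bob_key)."""
    a, g_a = new_client()
    b, g_b = new_client()
    s, g_s = new_client()                 # the server's own exponent and share
    K = secrets.randbelow(P)              # the key the server wants both clients to end on
    nonce_a = pow(g_a, s, P) ^ K          # Alice will compute (g^s)^a == (g^a)^s
    nonce_b = pow(g_b, s, P) ^ K
    alice_key = derive_key(g_s, a, nonce_a, strict=strict)
    bob_key = derive_key(g_s, b, nonce_b, strict=strict)
    return K, alice_key, bob_key


def zero_share_mitm(strict: bool = False) -> tuple[int, int]:
    """The variant morj describes: nonce already fixed at 0, but the server hands both
    clients 0 (or p, which is 0 mod p) as the peer's share. 0^priv mod p == 0 for any
    priv, so both derive key 0 and see the same fingerprint, and the server knows the key."""
    a, _ = new_client()
    b, _ = new_client()
    return derive_key(0, a, 0, strict=strict), derive_key(P, b, 0, strict=strict)


def rejected_by_strict_client(attack) -> bool:
    """True when a client applying the strict checks refuses the forged exchange."""
    try:
        attack(strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, fingerprints match:", fingerprint(ka) == fingerprint(kb))
    K, ka, kb = nonce_mitm()
    print("nonce MITM: fingerprints match", fingerprint(ka) == fingerprint(kb),
          "and server knows the key:", K == ka == kb)
    ka, kb = zero_share_mitm()
    print("zero-share MITM: keys", ka, kb, "fingerprints match", fingerprint(ka) == fingerprint(kb))
    for attack in (nonce_mitm, zero_share_mitm):
        print(attack.__name__, "rejected by strict client:", rejected_by_strict_client(attack))
```

Run directly, it shows an honest exchange agreeing, both forged exchanges producing matching fingerprints on a key the server chose or already knows, and the strict client refusing both. The share check matters independently of the nonce fix: 0 or p gives pow(share, a, p) == 0 for every a, and 1 or p-1 give plus or minus 1, so the "shared secret" stops depending on the client's secret exponent at all, which is exactly why the identicons match on both phones.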

------
sciguy77
Am I the only one who read this in my head with a Russian accent?

~~~
rikacomet
nope.. lol!

------
justinzollars
That didn't take long.

------
User1398
This is great news for Telegram. With such a weakness, the NSA will soon be
encouraging wide spread use of their protocol.

------
eliteraspberrie
Great work! I hope this person gets a big piece of the prize, if not all of
it. Perhaps they should have waited for the challenge to be expanded. (That's
what I'm doing. I just hope nobody spills the beans first.)

------
tigerweeds
cool stuff. Give the guy his prize

~~~
a3n
He didn't break the message. They weren't offering a prize for what he did.

------
ge0rg
On [http://vk.com/wall-52630202_7858](http://vk.com/wall-52630202_7858) Pavel
Durov writes that the finder of this vulnerability will receive a reward of
$100k, and that comparable awards will be given for other findings. It looks
like they are slowly making progress from a rigged show to a proper crypto
evaluation situation.

------
knodi
200k gone just like that, better now than later.

~~~
charlesdm
He's not getting it apparently, even though he discovered a major flaw. Sounds
like a great PR stunt gone bad for Telegram. What a joke.

~~~
danabramov
He's getting $100 000.

[https://vk.com/wall-52630202_7858](https://vk.com/wall-52630202_7858)

------
lawnchair_larry
The bad thing about this is that it further advances the delusion that this
contest is a reasonable idea. Nothing was "improved" by finding this. It's
just going to reinforce their bad behavior.

------
ateevchopra
The first thing they teach in hacking class is "Nothing is 100% secure. Even
brain.exe is vulnerable." Well proved again. Nice work!

------
nly
Why does Telegram provide the generator (g and p) and then suggest validation
and caching? These can be hardcoded parameters.

~~~
xytop
In cryptography nothing is hardcoded (or at least hardcoded values should have
enough entropy) :) If the client doesn't use caching, then every message the
user sends would have to obtain a new pair of p/g (which is expensive), and it
would make Telegram not only an insecure but also a "slow" messenger :P

~~~
nly
The only things that aren't hardcoded in your typical secure cryptosystem are
your key and a few nonces. In ECC the analogous components to p and g are
defined extremely carefully and certainly wouldn't be changed willy-nilly. I'm
aware classic DH parameters are more liberal, but changing them for every
session seems unnecessary.

------
xternl
Interesting. I'm wondering about Threema, I think Moxie is already on them.

------
Aloha
Would this hole allow him to decrypt chat text?

~~~
xytop
No, but it allows the server to decrypt it. The government, in case of need,
can "ask" them to forward your chat and they will do it, but it was stated in
their PR that the server is unable to decrypt your messages.

~~~
rikacomet
Exactly, the prize was at their (Telegram's) own discretion in the first
place. And it was still for breaking their end-to-end encryption process.

To put it simply, you don't have to break a wall, just find a loose brick;
once that is gone, the wall will have even more loose bricks, and eventually
it will fall.

------
sillysaurus2
TextSecure's protocol, on the other hand, hasn't ever been compromised. Don't
use Telegram. Use TextSecure.
[https://whispersystems.org/](https://whispersystems.org/)

~~~
moxie
That's absolutely true, but I think the reason this seems so devastating for
Telegram is not necessarily because there was a vulnerability, but because
they were so dismissive of the feedback they got and so willing to immediately
make such strong claims.

The way I hope TextSecure can be different from Telegram is not by having an
absolutely perfect security record forever (although that'd be great), but by
publicly talking about the protocol choices we've made, employing
constructions with proofs where possible, and actively soliciting feedback.
Thanks for being involved!

~~~
11001
To be fair, no one here mentioned anything related to the found vulnerability.
Instead people seemed to have focused on their choice of SHA1 and IGE.

~~~
MichaelGG
To be fair, no one actually discovered the bridge was made of rotting wood.
They seemed focused on the fact that math PhDs design it with no civil
engineering background and stated plastic had no known defects.

~~~
tomp
No. They saw that the bridge was made of such a material that it would
collapse if the material turned out to be anything but steel-reinforced
concrete. Which it was pretty likely to be, because it was designed by people
who have been, up until now, building igloos.

------
notastartup
I hope this person will get the full $200,000. I definitely don't think we can
ever trust Telegram's strength again. They won't be paying him the full
$200,000 even though he has rendered Telegram weak. Major, major backfire for
Telegram stakeholders.

~~~
lososerg
They gave him $100 000. And yet the flaw he pointed out doesn't help you read
encrypted messages and has already been fixed.

~~~
makomk
The flaw he pointed out renders one of the main advertised features of
Telegram - end-to-end encrypted chats that they can't eavesdrop on - broken to
the point of total worthlessness. Telegram had the ability to undetectably
MITM and spy on the supposedly secure communications, as did anyone who
managed to compromise them.

They'd have achieved exactly the same level of security by having no
end-to-end encryption whatsoever and just promising that they wouldn't log or
look at people's messages - this flaw is seriously that bad.

------
rikacomet
Lol, I don't know what's so bad in Telegram being a bit "braggy" about their
stuff. I mean, it took them a lot of hard work, in the first place since they
did a lot of things on their own, instead of using pre-set standards. Everyone
can lose a grip on self control, more than a few times. So what!

Besides, it's only to inspire someone to crack their program; it is necessary
to come across as a bit arrogant, so someone would lose a screw and crack it.
Never mind the buttery language post-cracking, since that usually comes from
appreciation for each other.

Putting up a challenge publicly is a great PR tool, I feel it's not reasonable
to only bash 1 company about it. Unless there is something I don't know about
what they said/did earlier on HN.

