
Russia threatens to block Telegram - tomfloyer
http://www.reuters.com/article/us-russia-telegram-regulator-idUSKBN19E0H4
======
raverbashing
For the amount of haters Telegram had when they launched for their purported
security failures, it's funny that people are looking to block it instead of
silently exploring its flaws

~~~
dsacco
> _purported security failures_

> _people are looking to block it instead of silently explore its flaws_

This is not a good heuristic for determining if security failures are
"purported."

In point of fact, Telegram is widely lampooned by every self-respecting
professional cryptographer who has written about it. There's nothing
"purported" about Telegram's security failures - they are empirically
demonstrable, and have been exposed through multiple cryptanalytic
reviews.[1][2]

Frankly, I don't think I've ever seen anyone defend Telegram here on HN who
actually has professional crypto experience (whether academia or industry), or
any other similar proxy for credibility in the field. The popular contention
is that (poor, harmless) Telegram is plagued by a persistent astroturfing
campaign perpetrated by the likes of Moxie Marlinspike and Thomas Ptacek in
order to elevate Signal's status. That's:

1) not true, in my opinion (though to be fair at least one of those people is
obviously biased); and

2) irrelevant, because we have the benefit of empirical rigor to instruct our
opinions of secure messaging systems. We don't need to rely on infosec
ideologues on HN or Twitter.

Telegram is very much like climate change. There is a widespread consensus
among the informed (read: academic and professional cryptographers) that
Telegram's security failures exist, and that these failures are empirically
demonstrable. At the same time, there is a controversy led almost entirely by
the uninformed (read: non-cryptographers) that denies Telegram's security
failures and undermines attempts at demonstrating them through accusations of
shilling or misdirection.

To put it very succinctly: there are _no_ valid arguments that Telegram has an
optimal security model from the perspective of cryptanalysis and cryptographic
design best practices.

____________________________________________________________

1. [https://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html](https://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html)

2. [https://cs.au.dk/~jakjak/master-thesis.pdf](https://cs.au.dk/~jakjak/master-thesis.pdf)

~~~
out_of_protocol
Ok, valid argument: Telegram servers DO receive and store a plaintext version of
every conversation (except private chats), while, as a reference,
WhatsApp doesn't do this, applying end-to-end encryption by default. So,
basically, hack Telegram servers -> you have all the convos. Bribe some
employees, locate and grab their servers -> see above. Also, how would you
know they're not connected with some 3-letter agency already?

~~~
reitanqild
FWIW - I have no way of verifying this - Telegram says they try to work around
this by (IIRC):

- Using some kind of crypto with multiple keys

- These keys are located in multiple independent datacenters in independent
jurisdictions

According to what I read this was supposed to prevent leaking of user data just
by bribing/coercing/etc. or suing any Telegram employee or datacenter provider.

As I've mentioned before I don't use Telegram for security, I use it because

1. Facebook failed its WhatsApp acquisition so badly

2. It is way more user friendly

Also keep in mind that when I left WhatsApp for Telegram WhatsApp still didn't
have e2e.

------
qznc
"if the app is banned in Russia then the government officials will entrust
their communications to other countries' messengers"

Nice counter :)

~~~
zanny
They could just use Matrix / Riot, since they are both fully open source and
auditable on client and server.

Hell, I'd _like_ the Russian gov't to start using Riot. Would definitely give
them that security audit they need for trustability on their olm. Maybe you
shouldn't trust a Russian state audit, but it just takes large users to
motivate third parties to start auditing it.

~~~
ivan_gammel
You don't get it. They do not need secure messengers. They want mass
surveillance. For secure communications within the government networks there
exist other means.

------
r721
>Fri Jun 23, 2017 | 5:00pm EDT

Here is a newer article (there were a couple of developments over the weekend):

[https://en.crimerussia.com/gromkie-dela/durov-criticizes-roskomnadzor-for-incompetence/](https://en.crimerussia.com/gromkie-dela/durov-criticizes-roskomnadzor-for-incompetence/)

~~~
vsviridov
Ironically this website does not open from Russia (had to use a VPN to access
it). Same agency's shills in Russian Duma (parliament) are planning another
law banning VPN and Anonymizer services. Censorship is coming down hard, it
seems...

~~~
qb45
Also: [https://www.rt.com/politics/389683-russian-public-supports-measures-to/](https://www.rt.com/politics/389683-russian-public-supports-measures-to/)

_Over 40 percent of Russians support the verification of internet users on
social networks or other internet platforms, as proposed in a bill drafted by
a well-known pro-Orthodox lawmaker._

I wonder if it's real or just propaganda? FWIW,

_In May, Russian President Vladimir Putin signed the strategy for the
development of the Russian information community between 2017 and 2030. This
document states that in order to successfully develop the internet and the
communications infrastructure as a whole, the country needs working mechanisms
that would introduce a system of trust between users, and eliminate anonymity
and the lack of responsibility that it causes._

~~~
vsviridov
Of course Russia Today is going to toe the Party line... Most people here call
this "Crazy Printer", as in a machine that produces copious amounts of insane
legislation.

Usually people co-sponsoring this kind of legislation have ties to various
corporations or government entities. Most of those things are fast-tracked
without any kind of input from the populace.

------
betaby
Unfortunately it looks like P2P messengers are not available/nonexistent
nowadays, especially on mobile. All we have are phone-tied centralized apps.

~~~
voice_of_reason
Is something wrong with Tox? It is a P2P messenger that works on smartphones.

~~~
veeti
Homebrew crypto written by 4chan. No offline messages. Drains a gigabyte of
data and battery overnight thanks to P2P.

~~~
shakna
> Homebrew crypto written by 4chan.

Where did you get that from? Tox uses libsodium. [0]

[0] [https://github.com/irungentoo/toxcore/blob/master/docs/updates/Crypto.md](https://github.com/irungentoo/toxcore/blob/master/docs/updates/Crypto.md)

~~~
veeti
There is more to building a secure end-to-end messaging protocol than dropping
in libsodium and calling it a day. See issues like
[https://github.com/TokTok/c-toxcore/issues/426](https://github.com/TokTok/c-toxcore/issues/426).

~~~
shakna
There is a lot more. But Tox is hardly "homebrew crypto" from "4chan" hackers.

Though, even the issue you've linked shows the thought that the Tox team have
been putting into their protocol. (A stolen private key is game over, as in
most situations. KCI is hard, let's rework.)
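The KCI (key-compromise impersonation) point raised in the comment above, as an added illustration that is not Tox's code and is not taken from the linked issue: a toy Diffie-Hellman handshake over a small Mersenne-prime group (assumed parameters, far too small to be secure) showing why a session key derived only from the two long-term keys lets whoever holds Alice's stolen static key pose as any peer to Alice, while a 3DH-style derivation that also mixes in Alice's fresh ephemeral key does not. The party names and the functions `keygen`, `kdf`, `static_only_key`, `triple_dh_key` and `kci_demo` are my own, not any project's API.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: 2**127 - 1 is a Mersenne prime; this
# group is far too small for real use and is chosen only so the demo runs instantly).
P = 2**127 - 1
G = 3


def keygen():
    """Return a (private, public) DH key pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(*shared_points):
    """Derive a session key by hashing the DH outputs in a fixed order."""
    h = hashlib.sha256()
    for point in shared_points:
        h.update(point.to_bytes(16, "big"))  # every value is < 2**127, so 16 bytes suffice
    return h.digest()


def static_only_key(my_static_priv, peer_static_pub):
    """Handshake 1: session key from the two long-term keys alone, i.e. H(g^(a*b))."""
    return kdf(pow(peer_static_pub, my_static_priv, P))


def triple_dh_key(role, my_static_priv, my_eph_priv, peer_static_pub, peer_eph_pub):
    """Handshake 2: 3DH-style key mixing static and ephemeral contributions.
    Both sides obtain the same three DH values; `role` fixes their order in the KDF."""
    static_eph = pow(peer_eph_pub, my_static_priv, P)  # g^(s_me * e_peer)
    eph_static = pow(peer_static_pub, my_eph_priv, P)  # g^(e_me * s_peer)
    eph_eph = pow(peer_eph_pub, my_eph_priv, P)        # g^(e_me * e_peer)
    if role == "initiator":
        return kdf(static_eph, eph_static, eph_eph)
    return kdf(eph_static, static_eph, eph_eph)


def kci_demo():
    """Mallory holds Alice's stolen static key and tries to impersonate Bob to Alice.
    Returns whether the impersonation reproduces Alice's session key under each handshake."""
    alice_static, alice_static_pub = keygen()
    bob_static, bob_static_pub = keygen()
    stolen_alice_static = alice_static  # the compromise that KCI assumes

    # Handshake 1: Alice's key depends only on her static key and Bob's public static key,
    # so the stolen static key alone is enough to play "Bob" towards Alice.
    alice_key_1 = static_only_key(alice_static, bob_static_pub)
    mallory_key_1 = static_only_key(stolen_alice_static, bob_static_pub)
    static_only_broken = mallory_key_1 == alice_key_1

    # Handshake 2: Alice also contributes a fresh ephemeral key; Mallory answers as "Bob"
    # with an ephemeral of her own, but Alice still uses Bob's genuine static public key.
    alice_eph, alice_eph_pub = keygen()
    mallory_eph, mallory_eph_pub = keygen()
    alice_key_2 = triple_dh_key("initiator", alice_static, alice_eph,
                                bob_static_pub, mallory_eph_pub)
    # Mallory can form g^(sA*eM) and g^(eA*eM), but the g^(eA*sB) term needs Bob's static
    # private key or Alice's ephemeral private key, neither of which she has. Her best
    # effort below plugs the stolen static key into the missing slot, which cannot match.
    known_1 = pow(mallory_eph_pub, stolen_alice_static, P)  # g^(sA*eM)
    missing = pow(alice_eph_pub, stolen_alice_static, P)    # g^(eA*sA): the wrong term
    known_3 = pow(alice_eph_pub, mallory_eph, P)            # g^(eA*eM)
    mallory_key_2 = kdf(known_1, missing, known_3)
    triple_dh_broken = mallory_key_2 == alice_key_2

    return {
        "static_only_impersonation_succeeds": static_only_broken,
        "triple_dh_impersonation_succeeds": triple_dh_broken,
    }


if __name__ == "__main__":
    print(kci_demo())
```

The design point is the one the linked issue circles around: a stolen static key is unavoidably game over for the victim's own identity, but whether it also lets the thief impersonate *other* people to the victim is a property of the key agreement, and it is fixed by making every party's key depend on a secret the thief does not hold (here, Bob's static key combined with Alice's per-session ephemeral).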

------
mtve
"When you have to shoot, shoot. Don't talk."

~~~
_jal
Exactly. This is framing, with a side of negotiation.

------
EGreg
Can I ask how can a service be blocked in a country?

Is it because it has centralized servers? What if it was open source and could
be hosted on any website?

Then they would have to detect signatures of the protocol and block that,
right? At what level, the national level? But the server would be local.

So what does it mean when they say they block Tor for instance?

How can you block something that is run on many domains and servers inside
your country?

~~~
activis
1. Telegram IS centralized.

2. They collect all IPs and domains and ban them on the provider level. There is
a law which forces internet providers to sync the list of banned resources and
prohibit access to them.

Basically they ban hundreds of thousands of resources already.

Adding a few thousand nodes may take some time, but:

1. It is possible to do for sure within months

2. When you ban 20-30% of a decentralized system it loses 20-30% of users,
which makes it not that attractive compared to allowed alternatives which are
controlled by the government (like vk.com)

~~~
EGreg
What about if the decentralized system uses a DHT and a content-addressable
protocol like IPFS? Banning 20% won't do much to it.

------
zzzcpan
So, I'm guessing Telegram is going to circumvent it in the next release. It's
too popular in Russia to simply leave it at that. Signal showed how to do it.

~~~
aaomidi
They'd need to move their servers to Google Cloud Platform. And then they'd
still be blockable if Russia decides to block Google entirely.

~~~
zzzcpan
Google has been officially whitelisted in Russia since the incident with the
accidental ban.

~~~
aaomidi
In that case it is definitely possible for them to circumvent the ban.

If that happens, Russia would have no way of blocking the app other than DNS
blocking which can be simply mitigated against as well.

------
rodionos
There is no such agency as "Russian Federal Service". You have the "Russian Federal
Service for Supervision in the Sphere of Telecom, Information Technologies and
Mass Communications", which is too verbose to refer to in the article.

I think a generic name such as "Russian Communications Watchdog" is a better
fit.

~~~
andai
Roskomnadzor

Ros - Russian

kom - communications

nadzor - supervision/surveillance

