>The lead Telegram dev is a 3x International Math Olympiad gold medalist
The lead dev
* doesn't have ANY qualifications as a cryptographer (he got his position through nothing other than nepotism) and thus
* thought AES-IGE was best practice
* used SHA-1 10 years after SHA256 was published
* didn't understand the importance of DH parameter pinning
* left in a 64-bit pre-computation MITM attack vector
* initially implemented a crappy QR-code-like fingerprint for secret chats without understanding the need for hexadecimal digits that could be compared over authenticated channels
* couldn't implement an IND-CCA secure protocol
* didn't prevent these FOUR new vulnerabilities
But most importantly:
* doesn't have the know-how on how to implement E2EE for groups
* doesn't have the know-how on how to implement E2EE for 1:1 on Win/Linux desktop clients
* doesn't understand E2EE needs to be enabled by default
They are literally just winging it. Their Russian Pride would take too large a hit from publishing a CVE with regard to the most recent issues, thus they downplayed the issues and wiggled out to maintain the prestigious image in front of the cult that is their users.