Hacker Newsnew | comments | show | ask | jobs | submit login
Telegram protocol defeated. Authors are going to modify crypto-algorithm (translate.google.com)
360 points by xytop 619 days ago | 207 comments



There's a lesson here. I genuinely don't mean to sound smug, but -- remember how confident the Telegram guys were? Remember how sure they were that their protocol would be able to resist the eavesdropping efforts of the NSA and whatever other nefarious interlopers may come along? Remember how they said they'd been working on it for years, and presumably expected for it to last many more years?

Remember how that was, like, five days ago?

-----


Never forget.

RIP Telegram (2013-2013).

This whole thing has been interesting to follow because it seems this same thing happens every time someone make macho Crypto-claims. From seeing how confident the Telegram team was to reading all the detractors who were so ready to criticize. It's an interesting dynamic in the Crypto community.

-----


Hate tone discussion makes me sad.

Telegram is very young project and it has bugs for sure. Some guy found potential issue in protocol and developers committed to fix it soon. There is no information that any messages were revealed due to this bug but Telegram should go away and developers should do something else.

Whatsapp is less secure then Telegram but I have not seed “Whatsapp RIP” messages. Not so hard to save videos in snapchat but no one propose to close the application. About a year ago YAML vulnerability was found but no one proposed dhh to stop development and focus on race driver career.

I think that we need more competition for TextSecure.

Terms of bug bounty are very hard to satisfy even with bad protocol but Durov seems decided to play safe with such amount of money. Guy that found problem in MTproto doesn’t win money according to conditions of the bug bounty because message is not decrypted.

Disclaimer: I don’t have any affiliation with telegram besides living in the same city as telegram developers.

-----


You must not have followed Telegram much. From the beginning they've done nothing but pretend their protocol is absolutely secure ("military-grade encryption", "world's most secure protocol", etc) and rejected any attempt from the crypto community to help them fix problems before they endanger people.

So, let's put it this way: Was it ok of them to lie through their teeth to users? If so, then that's a sad state of marketing. If not, then what are you proposing here?

-----


I’m not security expert, but I believe that:

- military-grade encryption – true

- world's most secure protocol – I’d consider this statement as false, I don’t know what they mean by most secure and what protocols were considered. May be messengers available at app store, better to ask them

Why do you think that they “rejected any attempt from the crypto community to help them”, especially after bug bounty proposition?

Why do you think that they lie more then TextSecure advocates? Each of these messengers is safe to passive listening. But unsecure to similar degree if user downloads them from app store and runs on hardware and software that could be easily patched. Current implementation of telegram api is prone to MiM attack but I would not consider TextSecure completely safe app and that every other app should be thrown out.

-----


Why do you think that they “rejected any attempt from the crypto community to help them”, especially after bug bounty proposition?

I've written about this pretty extensively: https://www.hnsearch.com/search#request/all&q=by%3Asillysaur...

It's an interesting contrast in cultures that you phrase it like "Why do you think Telegram lies more than TextSecure advocates?" .... As far as I'm aware, TextSecure advocates haven't lied at all. TextSecure's interest is in security, whereas Telegram's interest seems to be in money and power.

Current implementation of telegram api is prone to MiM attack but I would not consider TextSecure completely safe app

I just don't know what to say to this. Telegram has been proven insecure, TextSecure hasn't. Telegram isn't designed by cryptographers, TextSecure is. There is absolutely every reason to assume Telegram is broken.

Each of these messengers is safe to passive listening.

This is mistaken because Telegram has been proven vulnerable to MITM attacks. Even after they patch this latest security problem, it would be very unwise to trust them.

-----


> Current implementation of telegram api is prone to MiM attack but I would not consider TextSecure completely safe app

> I just don't know what to say to this. Telegram has been proven insecure, TextSecure hasn't. Telegram isn't designed by cryptographers, TextSecure is. There is absolutely every reason to assume Telegram is broken.

Textsecure is designed by cryptographers, and hasn't been broken yet, but that doesn't mean that it is secure. People need to risk assess when they're using any software.

> If you want to be secure from the NSA, use TextSecure [...]. It's really that simple.

That claim is far too confidant! If you want to be secure from NSA you need to do many things - have a look at the specifications for buildings that handle secret documents for example, as well as just using a piece of well designed but relatively untested software.

Most people do not have nearly enough operational discipline to withstand investigation by well funded government agencies. Merely using this software is not enough.

-----


> If you want to be secure from the NSA, use TextSecure [...]. It's really that simple.

That claim is far too confidant! If you want to be secure from NSA you need to do many things - have a look at the specifications for buildings that handle secret documents for example, as well as just using a piece of well designed but relatively untested software.

That's why I removed it 15 seconds after I wrote it. But perhaps it could be downgraded to "if you want to live in a world where it's very difficult for governments to vacuum up all your data by default, then use TextSecure, because it's the first step towards that." Telegram offers no such protection since it's vulnerable to MITM attacks (even after they fix this one).

-----


If you rely on a single secure (for certain values of the word 'secure') messaging system or protocol you're absolutely insane. You'd want to be splitting your communication across multiple communication sources, with none of them ever seeing enough data to compromise whatever it is you're worried about. Deep and computationally expensive is great; deep, computationally expensive and broad is better. If one form (e.g. Telegraph) falls they've not got the full message, and they've still got a lot more work to do to get the whole thing.

-----


I've not found any attempts to help them apart from this bug report.

>TextSecure's interest is in security, whereas Telegram's interest seems to be in money and power

I can't read minds or even their messenger logs so I can't comment what is their interest but I'd be interested to know why you think so

> TextSecure completely safe app

Just wrong. How could you call something "completely safe" or bug free?

>Each of these messengers is safe to passive listening >This is mistaken because Telegram has been proven vulnerable to MITM attacks

How Telegram is prone to passive listening?

-----


>> TextSecure completely safe app

> Just wrong. How could you call something "completely safe" or bug free?

Where did he say that "TextSecure [was a] completely safe app"?

Why are you misrepresenting his words?

He said TextSecure was not proven insecure (As was Telegram). That does not mean or imply that it is safe or secure.

-----


Telegram seems to be interested in money and power because they've turned down offers from Moxie (the creator of TextSecure and a well-known cryptographer) to join forces. There's no reason to do that unless they were interested in money or power more than security.

I didn't say TextSecure is completely safe. I said Telegram has been demonstrated to be broken.

Telegram is prone to passive listening because their design doesn't prevent it. There's nothing stopping someone from MITM'ing every Telegram secret chat when it's first initiated. It's in the design.

Their contest means nothing, because due to the way the contest is designed, it's impossible to MITM or other side channel attacks like timing attacks. These are the real attack vectors, yet the format of the contest prevents anyone from employing them.

-----


>Telegram seems to be interested in money and power because they've turned down offers from Moxie (the creator of TextSecure and a well-known cryptographer) to join forces.

Is there a cause-effect relationship I'm missing here?

-----


> I didn't say TextSecure is completely safe.

Yes you do. "TextSecure completely safe app" was copied from your message before you or someone else edited it. I've not typed it but copied exact phrase from your message.

-----


You copied it from your own message, not mine. http://i.imgur.com/pxMVDwA.png

-----


The best part was when he copied it from your quoting of his message, but removed the "not" that came before it

-----


You seem to be missing the larger point. Nobody is proposing that secure messaging apps should not exist. Everyone is better when more people try, iterate and fail (then recover and fix) to create secure messaging solutions.

What's unsafe and unproductive is when bozos jump in the pool, apparently ignorant or otherwise misrepresentative of the reality of how difficult it is to create a correct solution -- and confidently declare their implementations to be trustable.

If the messaging on Telegram had been, the world needs a secure messaging solution and we're committed to building it starting with this thing which we think is pretty good for XYZ, nobody would be objecting. Instead, these guys presented themselves as having solved a problem which is known to be difficult, and moreover using an unlikely method.

-----


Hey, you forgot to plug TextSecure.

-----


> Whatsapp is less secure then Telegram

Whatsapp never claimed to keep your chat secure. Telegram did. Many people offered gentle advice to Telegram, and they ignored it.

Maybe it's a cultural thing? Not just domains-of-expertise (mathematicians going into crypto) but international?

-----


Snapchat creators claim (at least imply) that messages could not be saved which is untrue.

Most advices to telegram developers at previous HN discussion were to stop doing crypto and do something else. I would not consider them as “gentle advices”. The only help from the community to their application is the bug report x7mz user from habrahabr site.

-----


Crypto is life and death. I have spent a lot of years learning it as a hobby... Its a dangerous field to play in. It's super complex, and all it takes is one tiny mistake anywhere in the program (be it at the protocol level or implementation) and then bam: game over. So, when you release something, you are nervous about it. Telegram wasn't, and as it turns out, they should have been. That is bad.

-----


Thank you yatsyk, I share your opinion. The app name is really great. I hope they fix it and come back with a stronger app.

I would suggest they hire security consultats to check the security in a first stage. Review by third parties is the best method to avoid things we overlooked. The prize shoud be for after all these consultancy options have been exhausted.

As a side node I see there is still a lot of room to improve automatic translation. It's difficult to understand in some places.

-----


Everyone who has been criticising Telegram would actually love for them to do what you've suggested. We want good, secure encrypted messaging. Telegram is not it, and people are worried, as their actions so far smack far too much of a project that ignores best practices...

In the crypto world, projects like Telegram have popped up over and over again. A new protocol, designed by non cryptographers, that turns out to be heavily insecure. I wish that wasn't the case, but that is why people have reacted the way that we have. This is literally life and death, so it pays to be cautious.

I hope Telegram learn from all this, and go and get audited and tested by reputable experts. Then, fix all the issues raised. Then release their apps to the public, when they are proven secure. Until that time I personally will not trust their application.

-----


>Terms of bug bounty are very hard to satisfy even with bad protocol but Durov seems decided to play safe with such amount of money. Guy that found problem in MTproto doesn’t win money according to conditions of the bug bounty because message is not decrypted.

The guy gets $100 000:

https://vk.com/wall-52630202_7858

You may want to check before you post.

-----


At first my statement is still valid even after Durov decided to pay for bug report. This bug report has no connection with extracting plain message I've written.

Apart from that I can't check Durov's posts that from the future. My post was written before Durov's announcement.

-----


Technically you're right. I thought that “decided” wasn't the right word to use before you give him a chance to decide. In other words, I read your post as conveying the idea that Pavel actively dismissed the bug report as unworthy of rewarding, when in fact the opposite was true. Perhaps I misread your post being a non-native English speaker. Apologies for that.

-----


Sorry if I have not been clear, I am non-native speaker too.

-----


It's impossible to tell whether any messages were revealed due to this bug - that's what makes it so nasty. Users would have had the same level of security if Telegram had no end to end encryption whatsoever and simply promised they wouldn't log or read the messages they had access to; it's seriously that broken. (Worse, there's a good chance this is an intentional backdoor since the way they combine the nonce and Diffie-Hellman result is incredibly fishy.)

-----


Whatsapp doesn't say that it's the most secure messaging app in the world. Telegram did. And they were wrong.

-----


you don't go tell you got the best thing in the world while its just another random thing that doesn't do what you say - its just for fame/ego/money - without getting hateful feedback.

And guess what, hate isn't always wrong.

-----


RIP Telegram (2013-2013) would make an interesting T-shirt. No one except a few cryptography buffs might understand it, but it would be a funny way to start conversations about information security.

-----


Would indeed be interesting to get to know some other cryptography-interetsted people on the bus, metro and other public places, so here you go: http://teespring.com/riptelegram

-----


Haha. I love it!

-----


HN readers might also understand it.

-----


By that logic, Linux, Chrome, Android are RIP at least a hundred times.

-----


While I'm not saying that Telegram "is RIP" (whatever it means in this thread), Linux, Chrome and Android don't have crypto as their main killer feature.

-----


    RIP Telegram (2013-2013).
omg made me lol super hard

-----


I see you've only been here for 33 days so I'll lend you a hand.

This is HN, and we don't make posts like that.

-----


Counterexamples:

1) Every Bitcoin thread

2) Every NSA/Snowden thread

Source (cough): I've been around for 6.3 years, am in the top 40 users in terms of net karma, and am actually very frustrated with the unfortunate turn the community has taken in the past 12-18 months. And am considering leaving, which makes me sad.

-----


I've only been here slightly under five years, but I've lost track of how many people have made "unfortunate turn"/"this place is going downhill all of a sudden"/"Oh no, the proles have discovered the site" complaints over those years.

That behavior certainly doesn't add anything to the site.

-----


It's not all of a sudden. It's been the past couple years

-----


I think it would be sad if you left.

-----


thank you. i'd be very sad if i left, too.

-----


I, too, would be sad. Why do you want to leave?

-----


For the two reasons I mentioned in my OP. Thanks, too. It's very nice to hear.

-----


I think it's going to become more necessary to moderate through downvotes. I've almost never downvoted anybody on HN ever, especially not in comparison to reddit where downvoting is extremely rampant, but I think, sadly, the times might be changing.

-----


Maybe they need to turn down the account-ghosting requirements a few notches?

-----


I'm not actually familiar with that one. Clue me in?

-----


Well chances are that the OP I responded to (I can't even see his name well enough to repeat it he's so faded now) will have his account ghosted if he keeps this up. One too many mega-downvote-comments by a new user and you end up being ghosted. Where you still think you're posting to HN, and you are, but nobody else can read it.

All I was saying is perhaps if pg et all decreased whatever threshold they have set for account ghosting, that we may see less of these pointless comments in the future.

-----


It is not automatic, as far as I know. It requires human intervention for someone to be hellbanned, or "ghosted". It isn't very systematic, and I've seen people hellbanned who probably didn't deserve it (and it usually does get fixed when that happens).

-----


Perhaps it would make sense to automatically hellban possibly problematic posters and then hand review those hellbans later. Worst case scenario is a good posters posts aren't seen for a short period of time.

-----


They're referring to "hellbanning"

-----


Not sure what either of those two topics has to do with this thread..

-----


Absolutely nothing, so downvote away. I'm just expressing my overall frustration with this board.

-----


There is an unstated willingness to have content-less congratulatory posts on threads of those two topics. Usually puffed up with a few "look how smart I am" sentences.

That said, I'm pretty sure my highest karma (~50) comment was a joke about Tau Day back in 2008. Soooooooo.

-----


My highest scored comment ever was a one line throwaway at 250 or so. So I hear you.

-----


Did you write the encryption algorithm? Did you have the balls to put 200 grand on the table for anyone who could break it? Did you rise to the challenge and claim the cash?

No, you just stood on the sideline and waited for somebody to fail so you could come down off your branch and peck at the corpse.

Indeed, there is a lesson here. Don't expect anybody to pat you on the back when you put it all on black and win. Because, sure as shit, they'll be there to kick it in your face when you lose.

-----


Are you suffering from testosterone poisoning or something?

-----


Why would you post such an inane one-liner like that? Jimmytucson made a very good point, which is that the very intelligent Telegram authors tried really hard to make a solid product, made a huge gamble that didn't quite pay off like they wanted, and that all we see now are the smug, told-you-so vultures swooping in to pat themselves on the back for being oh so much smarter than the stupid crypto guys.

-----


The problem is that if the authors had actually consulted crypto guys, none of this would have happened. Their lack of security shouldn't be excused.

-----


The author of the hack himself declares at the very bottom of the article: "An expert in cryptography [I] am not, please correct [me] if I'm wrong."

How embarassing for telegram if what he says is true.

This excerpt was taken from the google translate version of the article.

-----


Yeah you're right, the 'crypto guys' would've probably just said "Don't even try it because you'll kill people and even we wouldn't want to try and do it".

Crypto is hard to get right, that doesn't mean anyone shouldn't even bother trying.

-----


If you want to build new crypto, people would be absolutely happy for you to design and present a new cryptographic scheme - hopefully with some advantages over existing ones. People will analyze it, tell you where the weaknesses are, and if they're not critical flaws you can fix them and come out stronger - and if they are critical flaws, you know your scheme is broken before it's been used for anything important.

Likewise, building a hot new secure messaging app with existing well-analyzed, battle-tested cryptographic schemes is generally going to be welcomed.

If you try to do both at once, you're building your application on shaky, untested cryptographical foundations. Cryptographers would similarly probably warn you not to base your application on a new cipher someone else announced at a cryptography conference last week - give it a bit of time for others to analyze it and spot any flaws it might have before you entrust anything sensitive to it.

-----


You're welcome "try" crypto, like everybody else is. Just don't go market your product as "the most secure" encryption ever when you don't even bother to put it to the test beforehand and get it reviewed by actual experts.

I could go and try to play around with real time systems for flying planes, it still wouldn't make sense for me to sell you the "safest" plane in the world without going through the proper steps to get such system certified beforehand.

-----


The reason for these comments is because you're exactly right– they are gambling. Putting $200k on the line in the hopes of winning mindshare, reputation, etc. Of course if you lose, you'll lose all of that and your money. I'm really happy that more people are getting into crypto and not browbeating themselves out of creating new stuff because it's necessary for any field to grow. These negative responses are also necessary so that those people stop trying to raise their own victory flags prematurely, making it even harder for outsiders to be appreciated for their work.

Note: This is not so much in response to thom's comment, but rather the criticism of jimmytucson's comment (which actually has some substance).

-----


I'm not sure they were gambling. My feeling is ghat they were victim of the bias of self judgment regarding the security of the protocol they designed.

They overlooked some security weakness and didn't see it. They didn't do it on purpose like the NSA. In their eyes, the protocol was perfectly secure and most of it is of course.

The only way to avoid this self judgment bias is to use review by other people.

-----


> In their eyes, the protocol was perfectly secure and most of it is of course.

That there is exactly the problem. There is no reason to believe the protocol is secure, and when looking at crypto you start from the assumption that it's "maybe broken", not "perfectly secure". Assuming that some new crypto is secure is hubris.

-----


Actually, this security hole is almost exactly what you'd expect well-done deliberate sabotage of the protocol to look like - it's a small, easy to miss and just about plausibly deniable modification of a standard crypto primitive that totally destroys its security. (Though it's a bit weak in the area of plausible deniablity - why use xor rather than some more sensible key derivation function?)

-----


Actually, I'm pretty sure they weren't gambling at all.

Pavel previously set up contests with monetary rewards about half the same value for developing a mobile VK app for iOS, Android and WP.

It's not a gamble—it is really an expensive way to find holes. What I don't understand is why they don't hire a crypto consultant instead.

-----


The problem is, people who know better told them they were in over their heads and gave them some constructive criticism. Sure moxie can sound condescending, but he was right about telegram.

Telegram's response was basically, "LOL. We know better cuz' we got binders full of mathematicians and I'm not listening unless you win our rigged contest designed purposefully to instill a false sense of security in our customers."

Cryptographic software isn't developed the same way as ordinary software. A normal program is launched with tons of bugs and gets fixed over the course of years. Custom crypto solutions should not be delivered to customers in a similar state without explicitly telling them that it hasn't been proven secure.

-----


No one cares that you tried really hard before failing, doubly so with security products.

-----


This comment seems to harshly dismiss failures, but that's not the heart of the issue.

Failure is celebrated -- if you make an effort, and try, and you fail, and you learn, and you share what you learned, people care.

But when you (Telegram, not you, XorNot) have a bad idea, and people smarter than you patiently explain why its broken, and you try to buffalo and bluster and bullshit past them, and your product's entire purpose is to provide a security, then your product is worse than a buggy tool; it's worse than not using the product at all. It's the modern-day equivalent of patent-medicine snake oil, and it hurts people.

-----


> stupid crypto guys.

Because it is dangerous to everyone when non-crypto guys call themselves crypto guys.

-----


No, the exact problem is that Telegram guys did not try really hard, and did not listen to crypto experts. There are no "stupid crypto guys": there are smart Telegram guys who are not crypto guys and there are smart crypto guys who told why Telegram's solution if lame. Alas, smart guys from Telegram probably considered themselves too smart to listen. That's why they should fall: security is not the field where each lame effort should be cheered and encouraged just for the sake of it.

-----


I don't think the response to catastrophic hubris should be back-slapping, crotch-grabbing praise.

-----


jimmytucson's point is valid in the case of business risks.

What you have here is homeopathy.

-----


I didn't write the algorithm, and neither did they, that would have been another bad move on their part. They used public, known algorithms and did it wrong.

They also didn't put 200k on the table for anyone that could break it. They put 200k on the table for anyone that could break it in a very specific way that proves nothing.

They used a combo of known bad and unproven stuff in weird ways and then claimed it was the best thing ever, which is just crazy.

-----


Here are some of their comments:

ibeatle

Большое спасибо, автор поста полностью прав. Со своей стороны хотим пояснить, что сделано это было из лучших побуждений: исправление плохого рандома на клиентах. С настоящего момента в nonce всегда будет приходить ноль, и в следующем слое мы обязательно удалим это поле из схемы и поясним в документации. Автор топика безусловно заслужил награды, просьба обратиться хабраюзера x7mz на email support@telegram.org для уточнения деталей.

Translation:

Thanks very much, the author is absolutely correct. Just wanted to explain that the intentions were good: to correct bad "random" on the client side.

From this point on nonce will always be set to 0, and next we will definitely remove it from our diagram and explanations in the docs.

The author definitely deserves a prize, please enquire at the following email for details.

W_K

Товарищ прав — похоже, сервер в принципе может с помощью манипуляции с nonce выполнить MiTM на DH между клиентами. Не знаю, кто именно внедрил этот nonce в такой форме, хотя и знаю, какое предъявлялось обоснование — он был нужен для того, чтобы защититься от слабого рандома на клиентах, которых в принципе может писать кто угодно. Очевидно, нужно сделать этот nonce нулём и написать, что клиенты впредь не должны принимать секретные чаты с ненулевым nonce.

Удивительно, что человек, называющий себя «чайником» в криптографии, нашёл действительно серьёзный недостаток протокола, в отличие от многих якобы «профессионалов», постоянно придирающихся не по существу.

Не знаю как насчёт 200k$ — расшифровать трафик это не поможет, а сервер не знает ключа от секретного чата, поскольку на нём нет такой закладки. Но мне очень не нравится, что в будущем такая закладка могла бы быть в принципе кем-нибудь добавлена.

Тем не менее, считаю, за это ценное наблюдение Вам положен ценный приз. Пусть и не такой большой. Если Вы или кто-либо ещё найдёт какие-либо ещё потенциальные дыры в протоколе — сообщайте, будем награждать.

Translation:

He is correct, looks like the server can manipulate nonce and succeed at MiTM on DH between the clients. Not sure who's idea it was to introduce that nonce in this form, but I do understand the motivation, to protect against the "weak random" on the clients that can in theory be written by anyone. Obviously, we need to make nonce=0 and refuse secret chats with non-zero nonce.

It is quite amazing that the man who calls himself "a crypto noob" found a real vulnerability, as opposed to all those so-called professionals whose criticisms were largely unfounded.

Not sure about the $200k since this vulnerability won't really help to decipher the traffic and the server doesn't know the key from the secret chat, because it doesn't have any "bookmark". But I really don't like that in the future such a bookmark could be added.

However, I think this is a valuable observation and you do deserve a prize, even if not such a big one. If you, or anyone else, will find other potential vulnerabilities, please let us know, we will be rewarding.

-----


A small correction: use "irrelevant" instead of "unfounded" to translate "не по существу".

"unfounded" is closer to "не обосновано".

It is a English-speaking forum, put English text first.

-----


I agree, "irrelevant" would be a better choice.

-----


The criticism was mostly very well founded. Just because you don't understand it, that does not mean that it is unfounded. Just because a civil engineer only tells you that a newly built bridge will collapse in about 30 years due to corrosion and then a day later someone points out that you can make it fall down right now by parking trucks on it from end to end, that does not mean that the warning of the civil engineer was unfounded, it simply means that she pointed out a different weakness, and possibly one that you lack the knowledge to tell whether it is reasonable or not.

Or in short: We don't generally consider things safe until they collapse/explode/poison/... and people are actually dead. When an expert understands that something is not safe anymore for reasons that you don't understand, that still is a well-founded reason for considering it unsafe.

-----


and it's "backdoor", not "bookmark"

-----


Second comment (W_K) is by Nick Durov, the leading author of MTProto, Telegram's protocol.

-----


Ah this explains a lot. About the whole thing, not just the comment.

-----


  as opposed to all those so-called professionals whose 
  criticisms were largely unfounded.
Those criticisms still stand. Your perjorative 'so-called' is the only thing unfounded. And actually, the DH modification was one of the red flags mentioned.

-----


Does "nonce" here have a meaning I don't know? Its just that here in the UK, its common meaning isnt exactly positive.

-----


https://en.wikipedia.org/wiki/Cryptographic_nonce

-----


In short: telegram in secure chats (http://core.telegram.org/api/end-to-end) was using modified version of Diffie-Hellman algorithm: key = (pow(g_b, a) mod dh_prime) xor nonce (original: key = pow(g_b, a) mod dh_prime) That custom 'nonce' is derived from server and in theory server can send a specially formed nonce which will lead to known client keys ("bookmark"). It means that server as MITM can read all needed chats by request.. Authors of Telegram agreed that it is a big hole and their algorithm needs modification. User, who found the issue will get a prize (not 200,000$, but good enough).

-----


Why not the 200K? Was it outside the parameters of the contest or something?

-----


Yes. The contest is not about actually exposing flaws in their cryptosystem, which is why the rules are rigged up in a way that would allow even a terribly insecure protocol (like Telegram's, or Moxie's counter-challenge protocol) to pass as "secure".

-----


Telegram's contest itself is meaningless regarding the security of its protocol (as others explained in details). Finding bugs such as this deserves 200k more than anything else

-----


Offering the contest was shady and stupid enough. Not paying just proves they're chiselers that never intended to pay in the first place. This wins the runner-up award for second most botched PR disaster ever. The consolation prize is a lump of coal.

-----


The contest was stupid and shady, but they did explicitly state the rules. Its not really fair to accuse them of wrongdoing if they don't give this guy $200,000. If I were in charge of telegram, I'd pay the guy the whole amount, but that would just be out of the kindness of my heart. Morally, they aren't obligated to pay just because the rules of their contest are ridiculous.

-----


They're paying $100 000.

https://vk.com/wall-52630202_7858

-----


It's too late to matter. But good for him that they're only half crooked.

-----


Yes, outside. Although the underground of this contest was to prove security and inability to read messages by 3rd parties contest was about decrypting Durov's chat. Chat is not decrypted and as many say - it's nearly impossible (http://thoughtcrime.org/blog/telegram-crypto-challenge/). But "bookmark" is found and it means that all the PR was shit. Telegram already removed 'xor nonce' from their documentation and added a new layer to their api but who knows where they will put a next bookmark. Probably it will be hidden in a deeper place. But trust is already lost. It appears that either their secure protocol was containing the bookmark specially or that protocol is getting written by non-specialists which cant guarantee any security.

-----


old copy of their doc which has 'xor nonce' inside: http://webcache.googleusercontent.com/search?q=cache:FAntx8l...

-----


Their contest was based on a sample packet capture only.

-----


Their contest had very restrictive parameters if I recall correctly.

-----


TextSecure's protocol, on the other hand, hasn't ever been compromised. Don't use Telegram. Use TextSecure. https://whispersystems.org/

-----


That's absolutely true, but I think the reason this seems so devastating for Telegram is not necessarily because there was a vulnerability, but because they were so dismissive of the feedback they got and so willing to immediately make such strong claims.

The way I hope TextSecure can be different from Telegram is not by having an absolutely perfect security record forever (although that'd be great), but by publicly talking about the protocol choices we've made, employing constructions with proofs where possible, and actively soliciting feedback. Thanks for being involved!

-----


To be fair, no one here mentioned anything related to the found vulnerability. Instead people seemed to have focused on their choice of SHA1 and IGE.

-----


To be fair, no one actually discovered the bridge was made of rotting wood. They seemed focused on the fact that math PhDs design it with no civil engineering background and stated plastic had no known defects.

-----


No. They saw that the bridge was made of such a material, that it would collapse if the material turns out to be anything but steel-reinforced concrete. Which it was pretty likely to be, because it was designed by people who have been, up until now, building igloos.

-----


I think that is incorrect. This is a problem with the protocol which is the main thing people were raising as having a distinct smell and being novel for no good reason so while most of the comments were not about specific flaws they were not unrelated. IGE and SHA1 were the obvious red flags that people involved were not up to date with the latest crypto research.

[Edit: I can't find the comment so I withdraw this claim:

There was at least one comment possibly from moxie mentioning odd use of nonces that may have been in this area, if so it was right on target.]

To make a harsh analogy it's like using a colander for a boat and then complaining that a particular hole wasn't pointed out to them.

-----


Better still, fund TextSecure not Telegram.

-----


What about iOS? I wish there was one go-to secure messenger for iOS, and I thought telegram would be it.

-----


Excruciating evidence that supports Moxie's position.

Vuln rewards should exist for two purposes:

1)An act of good faith on the part of the developer that says "I am interested in securing my product and I won't prosecute direct disclosure"

2) The Dev knows exploitable vuln discovery has value, but cannot compete with black market pricing. Instead, the reward is a token of appreciation for a shared code of ethics.

I wish bug bounties could compete with the budgets of nation states. They can't.

Companies shouldn't pretend to compete. Shame on telegram for stupidly false promises.

-----


I have no idea what you are trying to say here.

The guy is rewarded half the bounty: https://vk.com/wall-52630202_7858

-----


Vuln reward programs that payout at this level are broken.

1) They don't achieve their objective of securing a product. Moxie eloquently captured why here: http://thoughtcrime.org/blog/telegram-crypto-challenge/

2) At this level of payout, they are inefficient and unsustainable. There were less expensive ways to discover implementation flaws, and certainly more direct ways to discover design flaws. Was the lesson they just learned really worth $100 grand from some random dude on the Internet? Seems to me you could find more problems per dollar by directly engaging with some of the top class security consultancies out there.

So to summarize, telegram's reward was an extremely inefficient stunt that did not achieve it's likely real objective. I imagine the team is licking it's wounds right now and regretting their approach. We'll be able to tell by whether or not they continue their offer under the same rules and same budget.

I expect this to continue for another couple of rounds because random security people on the Internet will be smelling blood right now.

-----


The Telegram guys chose to view it as a proof of inherent superiority of humble Russian programmers over NSA-backed American haters (I wish I was kidding!). Here is what Pavel Durov had to say on the matter (translated from his public post on vk.com http://vk.com/wall-52630202_7858):

> This story makes me once again admire Russian programmers. For a whole week esteemed American cryptographers on HackerNews were picking on the protocol fruitlessly - mostly demanding to replace our own solution with algorithms from NSA-backed Suite B [sic!]. An yet a Russian programmer, who calls himself "a novice", could immediately recognize the weak spot in the secret chats, in the context of an article on Habrahabr.ru.

Edit: To make it clear, that is not the whole post, just the first paragraph relevant to my point

-----


Not sure if the VK post was edited later on, but you are missing the other important statements by Pavel:

* There was no data leak, the vulnerability is fixed, there is no danger. * It was a good idea to open the source and protocol for review. * The founder of the vulnerability deserved a reward of $100k, and comparable rewards will be made for further attacks of similar grade.

-----


I didn't mean to present his whole post. It was the first statement that I had issue with. I amended my comment to make it clear.

-----


I'm excited by the insight and modesty of this guy. I will see to it that he gets a mighty prize.

It's great to see how open software can leverage the power of the community to find weak spots and become stronger.

-----


It is good to see that you recognise modesty as a virtue.

May I suggest that you guys take a leaf out of his book and rewrite the security claims in your FAQ to reflect the fact that the protocol is new and at this point there are likely to be some bugs but that you are working hard to make it secure.

-----


This, a thousand times.

Somebody finally expressed this thought politely.

-----


He has essentially defeated your protocol, so he deserves the full $200,000. After Lavabit, it is no longer a fair assumption that you (or government agencies forcing your hand) will not interfere with the protocol to compromise it.

-----


How much might a mighty prize be, if I may ask?

-----


$100 000 http://vk.com/wall-52630202_7858

Эта история заставляет в очередной раз восхититься российскими программистами. Целую неделю маститые американские криптографы на HackerNews безуспешно цеплялись к протоколу — в основном, с требованием заменить наше решение на алгоритмы, которые продвигает АНБ в своем Suite B. А российский программист, называющий себя "новичком", смог в рамках статьи на Хабре с ходу определить потенциально уязвимое место в секретных чатах.

На всякий случай, поясню для массовых пользователей: утечки данных не было, уязвимость закрыта, опасности нет.

Еще раз убедился в том, насколько правильным решением было полностью открывать протокол и исходный код. Это позволяет привлекать тысячи умных людей, которые могут помогать нам постоянно совершенствовать систему, находя потенциально уязвимые места.

Разработчик, нашедший слабое место в нашем алгоритме, заслужил награду в $100,000. Подобную награду заслужит любой, кто найдет возможности схожей атаки (напоминаю, за расшифровку потока трафика мной была объявлена награда в $200,000). Продолжаем искать — вместе мы сделаем протокол нерушимым.

This story makes us once again admire the Russian programmers . Whole week at the venerable American cryptographers HackerNews unsuccessfully clung to the protocol - mainly with our decision to replace the requirement for algorithms that promotes its NSA Suite B. A Russian programmer who calls himself a "newcomer " could under Article Habré stride identify potential vulnerabilities in secret chats .

In any case , I will explain the bulk of users : data leakage was not a vulnerability is closed, there is no danger .

Once again convinced of how the right decision was fully open protocol, and source code. This allows you to attract thousands of smart people who can help us to constantly improve the system by finding potential vulnerabilities .

The developer, who found a weak spot in our algorithm , deserve a reward of $ 100,000 . Deserve such an award anyone who finds the possibility of similar attacks (remember, for decrypting traffic flow me was declared a reward of $ 200,000) . Continue to seek - together we will make a protocol indestructible .

-----


Good God.. Россия - родина слонов.

As a programmer from that neck of the woods, allow me to use this opportunity to distance myself from these clowns.

-----


That's a literal jawdropper. I'm stunned.

-----


This is a very respectable move.

-----


Well nice knowing you Telegram. I don't see a good way for them to recover from this. First the bogus contest that Moxie debunked. Now this. The best option is to close shop, open a new company, new names and do something else.

-----


The best part is that the debunker wrote this in Russian. The language barrier has probably been responsible for them getting so many users. So now everyone is very clear that Telegram is snakeoil.

-----


>The language barrier has probably been responsible for them getting so many users.

What do you mean?

-----


Demoralized twice, first for finding a flaw, second for not giving the prize.

-----


He's getting $100 000, and note that the vulnerability he found was outside the first contest's scope.

HN seems to hate by default.

https://vk.com/wall-52630202_7858

-----


Why give the prize for not doing what was needed to win the prize, namely reveal the message?

-----


As others have already said, the prize was essentially meaningless because the terms were so narrow.

If the spirit of the prize was "if you break our crypto you win", this guy should win it. If the spirit of the prize was "we don't want to give away 200k, but we want to pretend we're secure", he shouldn't

-----


Holiday banter may go something like this: "Carnival booths, lawyers and politicians maybe the most honest... But there was once this company called Telegram that went the way of its namesake. Blah blah... for screwing over a Russian guy in a PR disaster of an unpaid $200k contest award. Maybe they should have offered a canned ham instead."

-----


I don't get it. If it's not secure why can't the message be revealed? What's the value of breaking someone's crypto if you are still unable to see the data unencrypted? Was the recipe for decryption given, with the actual decryption being much harder (terms so narrow, as you say)?

-----


genwin, I’ve invented a secure system. If you can tell me what this message says, you win $200k:

  jo
You don’t know what the message says, because it’s so short. You will never win the prize.

But my system was not so secure. My cipher system was this: Take a message and type it on a US Qwerty keyboard, but shift every letter over one place. So `hi` became `jo`. Not very strong. It would easily be cracked with a message consisting of an actual sentence or two.

Now, with Telegraph, it wasn’t just length of the message involved, but additional information; still, the conditions are so narrow that it doesn’t apply to the real world. Just like I’d never simply send you a message that said "hi", Telegraph would be used in ways beyond one simple back-and-forth exchange, so it artificially limits the information available to a cracker. Make sense?

See also: The BEAST attack or the general class of side channel attacks.

-----


FWIW, "hi" was my first guess when I saw "jo". $200k, please. :-)

-----


I think I get it now, thanks. So if Telegraph provided a much longer conversation to decrypt, the contest could be fair.

-----


Moxie's blog post does a better job explaining the problems than I can [1].

Basically, the framework of the contest precludes many avenues of attack to which a given cryptosystem could be vulnerable. The researcher who discovered the vulnerability in the OP used a man-in-the-middle attack, which cannot be used in the Telegram contest.

-----


[1] http://thoughtcrime.org/blog/telegram-crypto-challenge/

-----


Thanks, I totally forgot!

-----


you forgot to post the link

-----


If you search back a few days of HN posts there was an explanation posted.

-----


They did give a prize.

-----


Noone should trust a service that advertises itself as being safe from governments ears. Pure and simple.

First, there's a risk the NSA is actually the one initiating those services.

Secondly, in cryptography, it's very hard if not impossible to effectively prove your messages are not read by someone else. Cryptography experts do not tend to work for people's interests. And if some do, the NSA has too many resources to just defeat those who try to not be listened to.

I understand the intention is noble, but if you release such a safe tool, the NSA will view it as a terrorist threat, because that's the job they have been given, and they will end up listening anyways.

I can't understand the paranoia about all this. If you're really afraid the NSA might use information against you, it's because you made political enemies, in this case, why use digital means of communication at all ?

I really tend to think it's being cool to use those cryptographic features, rather than anything else, and that's worrying.

-----


As a side note, I didn't notice it was google translate until half way through the article. It's getting really good.

Is Russian an "easy" language to translate to English?

-----


My understanding is that it isn't but recent-ish statistical approaches have had lots of success. I know that almost overnight Arabic went from an unreadable mess to about as good as a basic non-native speaker.

I wish it'd find its way into usage for East Asian languages more, but I suppose finding dual-equivalent corpuses to build the models off of is hard.

https://en.wikipedia.org/wiki/Statistical_machine_translatio...

-----


Interesting, thanks!

-----


I had to struggle to read it. I mean:

After logout, one of the key interlocutors for chat will regenerate, and to check that I have the same key as the source, I can only look in his eyes phone.

...did it translate "iPhone" to "eyes phone"? I'm not sure. If that isn't what happened, then something far more horrible must have.

-----


The original:

После логаута одного из собеседников ключ для чата будет перегенерирован, а проверить то, что я имею тот же ключ что и собеседник я могу только посмотрев в его телефон глазами.

My (human) translation:

After one of the participants will log out, the key from the chat will be re-generated, but in order to check that I have the same key as them, I would need to see their phone with my own eyes.

This sentence has a particularly non-English word order, plus some missed punctuation. I can see how it would be a hard case for machine translation.

-----


The thing is, I though it was poorly written English, written by a non native speaker, rather than a computer.

I must also clarify that I was a little distracted.

-----


I noticed it instantly (the title). I also noticed many irregularities throughout the article. I don't know if you're a native speaker, but to me it was obviously computer translated.

-----


Does this seem good to you? Damn, I feel I should stop worrying about my English.

-----


English to Russian is a bit easier than Russian to English. Word order doesn't mean as much in Russian as in English, so the translation is lossy.

-----


This is my first comment on the Telegram bruhaha.

Sometimes, I get embarrassed by what I experience here on HN. The gang up, the unnecessary pride.

To those saying RIP, Telegram will succeed. Without using it (I use a Blackberry), it looks to be top two of the chat apps when you combine usability/security. I will download it once I get an Android phone in January.

I will not wish failure on anyone that is confident in his product. Of course they could have shown more humility but it he face of "take downs" on all sides especially the ones sponsored or initiated by the Whispersystem/Texsecure chaps, I do not see why they should have bowed down to be crushed.

Considering the type of responses given by Pavel Durov, I am almost certain he would have been much more humble if his attackers toned it down a notch.

To the person that found a flaw, kudos to you on doing something and not spending all your time doing take downs of telegram on HN threads and blogs.

Pavel, I am hopeful that you will reward the chap even though the discovery was not within the "guidelines". it is all about the spirit of the competition.

As for the TextSecure/WhisperSystems guys, stop being like the politicians we hate who campaign by slinging mud on opponents instead of selling their stuff. Focus on selling the TextSecure app and not looking to takeout anyone who has a different approach.

PS: I have no relationship with either party. I am a neutral observer that has his own opinions.

-----


> To those saying RIP, Telegram will succeed. Without using it (I use a Blackberry), it looks to be top two of the chat apps when you combine usability/security. I will download it once I get an Android phone in January.

But it is not secure! That's the entire point.

Never mind "not secure against a well funded government agency", it's not secure against other attackers.

There are lots of usable chat apps that do not give you the illusion of security.

> and not looking to takeout anyone who has a different approach.

You seem to be mistaken about why they do this. It's nothing to do with pushing their app or their approach. They'd welcome good well-formed apps to compete with them. But when they see an app that claims to be secure they have an ethical duty to let people know if it is obviously not secure.

Most people are not bashing just for the sake of bashing. Some people need good cryptography software to avoid imprisonment, or torture, or state-killing. This isn't about stopping someone's teen-angsty poetry from being discovered by a sibling, it's about protecting political dissidents from an oppressive regime. In that context pointing out that a software is broken is not mindless bashing, it is a crucial part of the cryptography process.

(I'll accept that a few people are missing the mark with their criticisms.)

Pointing out flawed crypto software is part of a long tradition going back many years. It's part of the culture. Most cryptographer will start by analysing other software and finding flaws before implementing their own software.

-----


Most people are not bashing just for the sake of bashing. Some people need good cryptography software to avoid imprisonment, or torture, or state-killing. This isn't about stopping someone's teen-angsty poetry from being discovered by a sibling, it's about protecting political dissidents from an oppressive regime. In that context pointing out that a software is broken is not mindless bashing, it is a crucial part of the cryptography process.

I like your commentary it is level headed and explains the position of the non biased "other side".

I think the conflicted position of the lead bashers did not help their position. It would have been much more useful for a neutral party to do a comparative analysis and stated the pros and cons of each side.

As for me and most normal users, the security we need is not from NSA type of snooping but from mid level risks. There may be some sacrifices that may have to be made. Just like the position Ubuntu plays where Linux distros are concerned

For people like Snowden, Greenwald and others with NSA level adversaries, I do not expect them to rely on any third party application at all.

Now your argument may be that they have created stuff for sexting teens and claimed to be good enough for Snowden. In that case, I would argue that it could have been pointed out that in a different and perhaps more polite way.

I would worry about anyone who has created any crypto tool who is not over confident in his product. I will also expect the person to be receptive to constructive feedback NOT "leave your product and join us" or "This is shit because no noted crypto person is on your team"

I remember when cperciva that built Tarsnap, an online "backup for paranoid users" launched, he was rather confident in his product and I did not see any intense bashing of him. As expected,there have been bugs in his system and he has fixed them as they have arisen.

We should help things grow right here on HN not hope for things to fail if they do not support the view of the crowd.

-----


I don't think your arguments make a lot of sense:

> It would have been much more useful for a neutral party to do a comparative analysis and stated the pros and cons of each side.

And what would this neutral party be?

> As for me and most normal users, the security we need is not from NSA type of snooping but from mid level risks. There may be some sacrifices that may have to be made. Just like the position Ubuntu plays where Linux distros are concerned

You make it sound as if having government-grade encryption was very hard or very costly but that's obviously not the case, there are many open encryption standard who wouldn't have had the kind of issues Telegram has. Do you want to start a new contest targeting a properly configured openSSH for instance? There is no need for tradeoff there.

> I remember when cperciva that built Tarsnap, an online "backup for paranoid users" launched, he was rather confident in his product and I did not see any intense bashing of him. As expected,there have been bugs in his system and he has fixed them as they have arisen.

Colin Percival has credentials and experience in the cryptoworld. When he makes "new" crypto like scrypt he publishes it and it's been thoroughly reviewed. It also has distinct advantages over previous technologies, it's not just new for the sake of being new.

Crypto is serious business, people can get hurt. Toying with crypto, proposing new ideas is of course to be encouraged, but be humble about it and listen to the feedback. Actually, this last part is true for everything.

-----


> Colin Percival has credentials and experience in the cryptoworld. When he makes "new" crypto like scrypt he publishes it and it's been thoroughly reviewed. It also has distinct advantages over previous technologies, it's not just new for the sake of being new.

He also, AFAICR, did not appear over confident, he was clear in delineating what his application does and does not protect against, and what his goals are (that is one reason why he deserves these crypto credentials).

He published his entire source code.

And when he launched a contest, it was in the form of a bug bounty, he accepted any kind of bugs (up to and including spelling errors in his code comments :) ).

-----


It would have been much more useful for a neutral party to do a comparative analysis and stated the pros and cons of each side.

Like, say, tptacek, who is not in the "instant messenger" business, who is in the security audit business, and whose comments here on the technical details of the Telegram protocol have been absolutely damning? See https://news.ycombinator.com/item?id=6941934 for example.

-----


I wholeheartedly disagree. For any user, the security we need is prevent eavesdropping & data mining by our governments. They use it to profile us, to find thoughtcrime and to secure their standing in a surveillance society. We should not let that happen.

-----


Do you live or work in a building that has windows on the ground floor?

Who made your doors? What specification were your doors built to? Who made your door locks? What specification were they built to? Who has authority to cut keys to those locks? How do you know?

If you truly are as worried by governments as you claim why are you not fortifying your home?

-----


Using good crypto is fortifying your home. People could easily learn information that could help them secretly enter my home if they could monitor my communications.

-----


Because they do not have omnipresent sensors. That is a completely silly comparison.

-----


Completely disagree. It was just a week or two before Snowden came out that New York Times was praising Skype for how "secure" it is, even against government snooping. The poor souls thought Skype was still P2P, when that stopped being true many years before. The NYT journalists were also probably using Skype to talk to their sources, thinking they are secure. That's why it's so important to have such reviews of these apps - especially if they're a more "mainstream app", and there's a potential for hundreds of millions of people to use it. If we can get hundreds of millions of people to use end-to-end encrypted communication, why not do it properly, and give them half-baked secure apps to use instead?

Also all "secure apps" that aren't fully open source should be considered insecure by default. No compromises. Whatsapp, Snapchat, Hangouts, Skype, they're all insecure and you can't rely on them for keeping your communications private.

-----


> As for me and most normal users, the security we need is not from NSA type of snooping but from mid level risks.

Most users, disregarding the government for the moment, don't need encryption full stop. They don't send anything commercially sensitive that an attacker's going to be interested enough in to try to intercept their messages.

The use of encryption presupposes a motivated threat, and it's not clear to me that the NSA is significantly more powerful than other adversaries in that area. They've more computing power, more political power, they can buy zero day exploits. They probably even have some very smart people, who can find flaws faster than the attackers in civ-space. But speed isn't required, only persistence; motivation, interest. Which is, after all, what we're supposing in the first place if someone's going to go to the trouble of intercepting your messages.

It's not clear to me that unless your goal is 'make something that the NSA can't break into', you're going to make something that a well motivated attacker can't break into either. And this stuff only has to be broken once, then they'll just sell or share the attack. The conflict is asymmetrical.

Your argument seems to be posited on the idea that there will be no attacker; no-one anywhere, ever; sufficiently motivated to breach the protocol. And I find that highly questionable, given that a flaw has already been found - and with far lower levels of incentive than will be present if the system is widely deployed and used to protect valuable information.

-----


> Most users, disregarding the government for the moment, don't need encryption full stop.

You've no idea what you're talking about. Please stop spreading such bullshit around; other people might fall for it!

Fireship is an app that allows you to hijack the account of any user on the same Wi-Fi network as you are, if the network is not encrypted, and the user used a non-encrypted connection to the website. Facebook, Google, Twitter and Flicker were all susceptible to such attacks before the advent of this tool; afterwards, they fixed it by using https by default.

Do you want random strangers to have full access to your Facebook account? No? Then you should realize that most people do need encryption full stop.

Also, only very powerful attackers can hack https encryption (they need either access to your laptop (hardware access, or a zero-day exploit), or access to the website (e.g. court warrant, or coercing a certificate authority)).

-----


We were having a discussion about Telegram and similar uses of encryption, a discussion where I specifically responded to a remark on the strength required of Telegram-style encryption. I would hope that most people are capable of interpreting the context of a remark - especially embedded in paragraphs that expand on it. Rather than, 'fall[ing] for it!'

-sigh-

Beyond that I'm not going to engage with you any further, on this or any other point. You strike me as a bully, restrained where you are simply by the absence of an excuse rather than the presence of decency. As such, I've no interest in associating with you.

-----


Yeah, I probably overreacted.

-----


The wishing of failure isn't great, my personal wish would be for the Telegram people to learn the errors of their ways rather than necessarily completely fail.

Overstated claims of privacy could get people killed if they trust them so it is a serious issue.

Telegram have an arrogance that is inappropriate in security/crypto protocol development. Most crypto protocols, even those developed by experts initially have problems (at the protocol design level even ignoring the implementation bugs) which is why even experts only come up with new ones when there isn't any existing one with the required properties and even then reuse as much existing battle tested technology as possible and submit it to worldwide evaluation tentatively and nervously.

The competition was set up in a way that clearly excluded most threats and was either another sign that Telegram didn't understand most of the threat space OR that they did and wanted to rig the competition to be unwinnable while claiming that it validated the security in some way.

So at least until yesterday Telegram were arrogant and either completely clueless about crypto protocols or PR bullshitters with some clue and a poor protocol. They need to get a clue AND drop the arrogance to get support from me.

Until these things happen Telegram are a danger that people should be warned about and not regard as secure.

I am also a neutral party with no relationship with either party.

-----


As for the TextSecure/WhisperSystems guys, stop being like the politicians we hate who campaign by slinging mud on opponents instead of selling their stuff.

It's funny that you mention politicians at the end of the post, because as I was reading your posts in this thread, I couldn't help but think you were feeding into the huge cable-newsification of this disagreement. It is what happens when a bunch of lookie-loo viewers want to be involved in the debate but can't keep up on the issues. I struggle to completely follow the tech here but my job occasionally brings me close enough to crypto that if nothing else I understand the huge disparity between the technical discussion and the superficial one at play here.

Attempts to fit this disagreement into the same oblique, non-existent, ideal behavior for a disagreement subverts the ability to productivity disagree and makes behavior worse overall. Your remedy is for them to not disagree. I take it differently. I want them to disagree, but I don't want anyone involved in the disagreement to dishonestly play to the masses. But that would involve conceding a point, and what would that do to the bottom line?

Focus on selling the TextSecure app and not looking to takeout anyone who has a different approach.

You mistakenly seem to think that TextSecure exists primarily for profit. It is obvious the aim is good crypto. They're playing a different ball game than Telegraph's freemium model, one where marketplace success doesn't determine if they implemented their crypto right. Promoting _that_ involves explaining why the Telegraph tech is deficient.

Back to the cable news analogy, in a post of yours further down the thread, you bring up what the right level of security is for this app. That's a good question, one moxie (I think) brought up days ago by pointing out they didn't have threat model and tptacek (I think) called them out for using nation-state actors as the adversary in selling the app. They played that card in technical criticism, you bringing it up here for goalpost shifting now that they're starting to look bad and you want to keep driving down the middle of the disagreement.

PS: I have no relationship with either party. I am a neutral observer that has his own opinions.

Oh, I know. You're playing into the US-politics detached observer rote well. You should know that the system adapted to account for that stance years ago. You're getting played as hard as everyone else.

-----


Telegram is making ridiculous claims that have the potential to hurt their customers. They are lying and/or incompetent. They absolutely deserve to be made fun of.

-----


>Pavel, I am hopeful that you will reward the chap even though the discovery was not within the "guidelines". it is all about the spirit of the competition.

He does reward the chap—with $100 000: https://vk.com/wall-52630202_7858

I figure it's fair.

-----


  he would have been much more humble if his attackers toned 
  it down a notch.
Conversely you can argue that the 'attackers' would have toned it down a notch if Telegram had been more humble and receptive of the comments. The initial comments were quite civil and they were just dismissed.

  looking to takeout anyone who has a different approach.
It's not just a 'different' approach. It's an approach that's likely to be dangerously flawed, as just demonstrated. It's unfortunate that the people involved have a 'rival' product and they could do with pointing to it a bit less, but it doesn't make any of the criticisms less valid. Painting them as 'politics' is just slander.

-----


Really?

The protocol is bad, this competition protects only the most basic attacks and still was broken in about 5 days.

It's not "unnecessary pride". You have to be really cautios with cryptography. Not use the first thing that has "Secure!" sticker on it.

-----


This trend of ignoring the content because of the tone is pervasive and troubling. I understand that tone matters in regards to reception, but in this place i assume we all, grammar nazis and privilege checkers alike, choose to asses the technical aspects of comments and largely disregard the "gift wrap". In this situation, the problem with Telegram is their words right big checks their work cannot cash. The TextSecure chaps are defending their turf viciously, but i have yet to see one of them make a personal assessment as the predicate for their assault. I have been following it very closely, comment wise, and all it has really been is long winded explanations (on the TextSecure side) of why the Telegram contest was a sham (it was) and why TextSecure is better (i have no way to judge). On the other side (Telegram), all i see are pleas to leave the Telegram guys alone, hate toward Moxie et al., and general pseudo-martyr comments about how mean Hacker News is.

Good. Let's be hard to please. This is not [spoiler]fucking[/spoiler] macaroni paintings we are making and using to please mommy. These are the apps we all use to continue our work and edify our lives. I want it to be a gauntlet; i think it is great that people's products are critiqued so meticulously, and i am happy that a competition with such glaring inconsistencies (to whomever wrote the alternate competition explanation...thank you)did not survive for long. As an American, i am so tired of security theater. If something is touted as secure and is not, i want to know about it.

And as for the ridicule, if you obfuscate and misrepresent, you invite a harsh response.

-----


They did give him a reward. Telegram has just posted the translation on twitter. Moved to separate discussion: https://news.ycombinator.com/item?id=6950129

-----


well, if someone causes you significant lose, will you turn down a norch? That's why we are bashing on them as they are making BS claims about how secure their protocol is.

-----


The app was far from being a "secure" app. And going by how far they've to promote it as a "secure" app, of course there should be an equal amount of response for why it's not secure (since it isn't!). This is not just about some "guys making an app and being taken down for it". This is serious stuff. They're claiming their security is one of the best in the world, when it couldn't be farther from the truth. Why would you want such an app to be popular and make people think it's actually secure, when it's not?

-----


So this was supposed to be secure/robust/mature/trustworthy ? Not impressed, still too many companies around pretending it's sooo easy to make something better, how hard can it be ?

-----


There is another "tab" for MITM (at least in android client and in the documentation there are no clues of it) :

Even in the corrected version of Diffie-Hellman (with nonce removed) the server can slip customers a number which is zero modulo p as g_a or g_b (since the documentation says about the 2048- bit sequence -- it can be either 0 or p itself). Then both clients will see the same identicon ("visualization key", 'cause it will be a presentation of SHA1 applied to zero).

However, judging by further manipulation with the "shared secret" key (because MTProto doesn't use Diffie-Hellman method of multiplying by g^ab^-1 or any multiplication by the shared key whatsoever) the multiplication by zero will not happen with client messages and they will successfully flow through the "bare" AES ( and therefore users will think that everything is fine and will proceed to transmitting sensitive data in this mode ).

P. S.: Correct me if I missed something . This might be a corner case, but, nevertheless, it formally differs from the one with server xor salt not much (at least , need fixes in the client and the doc too). Or am I making ​​a mistake somewhere? P. S.: Original version of this my comment in russian: http://habrahabr.ru/post/206900/#comment_7128970

-----


Am I the only one who read this in my head with a Russian accent?

-----


nope.. lol!

-----


That didn't take long.

-----


This is great news for Telegram. With such a weakness, the NSA will soon be encouraging wide spread use of their protocol.

-----


Great work! I hope this person gets a big piece of the prize, if not all of it. Perhaps they should have waited for the challenge to be expanded. (That's what I'm doing. I just hope nobody spills the beans first.)

-----


cool stuff. Give the guy his prize

-----


He didn't break the message. They weren't offering a prize for what he did.

-----


He gets $100 000:

https://vk.com/wall-52630202_7858

-----


I hope this person will get the full $200,000. I definitely don't think we can ever trust Telegram's strength again. They won't be paying him the full $200,000 even though he has rendered the Telegram to be weak. Major, major backfire for Telegram stakeholders.

-----


They gave him $100 000. And yet the flaw he pointed out doesn't help you read encrypted messages and has been already fixed/

-----


The flaw he pointed out renders one of the main advertised features of Telegram - end-to-end encrypted chats that they can't eavesdrop on - broken to the point of total worthlessness. Telegram had the ability to undetectably MITM and spy on the supposedly secure communications, as did anyone who managed to compromise them.

They'd have achieved exactly the same level of security by having no end-to-end encryption whatsoever and just promising that they wouldn't log or look at people's messages - this flaw is seriously that bad.

-----


On http://vk.com/wall-52630202_7858 Pavel Durov writes that the finder of this vulnerability will receive a reward of $100k, and that comparable awards will be given for other findings. It looks like they are slowly making progress from a rigged show to a proper crypto evaluation situation.

-----


200k gone just like that, better now then later.

-----


He's not getting it apparently, even though he discovered a major flaw. Sounds like a great PR stunt gone bad for Telegram. What a joke.

-----


He's getting $100 000.

https://vk.com/wall-52630202_7858

-----


The bad thing about this is that it further advances the delusion that this contest is a reasonable idea. Nothing was "improved" by finding this. It's just going to reinforce their bad behavior.

-----


Why is Telegram in the HNews so much? Are they part of the YC fraternity? Why do pay so much attention to crypto hucksters?

It hasn't been so long since the last snake oil peddlers had their roasting -- I forget the name, it was some cutesy web-browser "secure" chat thing.

It's cool to report debunkings, but if it weren't for HN, I (and most others?) never would have even seen these products in the first place.

-----


HN is (rightly) interested in easy to use secure software.

So when something easy to use claims to be secure HN waits for some of the well known cryptographers here to kick the tires.

In this case many people kicked the tires and pointed out some weird obvious flaws. People hoped that Telegram would listen, and seek help and advice, and continue to make a great product.

Telegram's actions made the situation worse, and created a pile-on.

Telegram made a few mistakes.

1) Smart people without crypto experience designed crypto software, but without getting involvement from cryptographers.

2) They released this product as finished, secure, ready to use.

3) They dismissed concerns.

4) To try to quash those concerns they created a rigged challenge with a high value prize. This is a well known red flag for cryptography software, and it's surprising they weren't aware of it, but as soon as people saw that the pile on accelerated.

-----


"It hasn't been so long since the last snake oil peddlers had their roasting -- I forget the name, it was some cutesy web-browser "secure" chat thing."

Cryptocat?

-----


I think the idea is that you get to see the product early so you can warn your activist friends (or your mom) when you happen to see them using it.

-----


Why does Telegram provide the generator (g and p) and then suggest validation and caching? These can be hardcoded parameters

-----


in cryptography nothing is hardcoded (or at least hardcoded values should have enough entropy) :) if client doesnt use caching - then every message user sends should obtain a new pair of p/g (which is expensive) - and it will make telegram not only insecure but also "slow" messenger :P

-----


The only things that aren't hardcoded in your typical secure cryptosystem is your key and a few nonces. In ECC the analogous components to p and g are defined extremely carefully and certainly wouldn't be changed willy nilly. I'm aware classic DH parameters are more liberal, but changing them for every session seems unnecessary.

-----


Interesting. I'm wondering about Threema, I think Moxie is already on them.

-----


Would this hole allow him to decrypt chat text?

-----


This hole allows server (or somebody who can control connection between client and server) to read "encrypted" messages between clients.

-----


no, but it allows server to decrypt it. Government in case of the need can "ask" them to forward your chat and they will do it, but it was stated in their PR that server is unable to decrypt your messages.

-----


exactly, the prize was at their own discretion(telegram) in the first place. And it was still for breaking their End-to-End encryption process.

To simply put it, you don't have to break a wall, just find a loose brick, once that is gone, the wall will have even more loose bricks, and eventually it will fall.

-----


The first thing they teach in hacking class is "Nothing is 100% secure. Even the brain.exe is vunerable.".. Well proved again. Nice work !

-----


Lol, I don't know whats so bad in Telegram being a bit "braggy" about their stuff. I mean, it took them a lot of hard work, in the first place since they did a lot of things on their own, instead of using pre-set standards. Everyone can loose a grip on self control, more than a few times. So what!

Besides, its only to inspire someone to crack their program, it is necessary to come across as a bit arrogant, so someone would loose a screw and crack it. never mind the buttery language post-cracking, since that usually comes from appreciation for each other.

Putting up a challenge publicly is a great PR tool, I feel its not reasonable to only bash 1 company about it. Unless, there is something I don't know, about what they said/did earlier on HN.

-----




Applications are open for YC Winter 2016

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: