Remember how that was, like, five days ago?
RIP Telegram (2013-2013).
This whole thing has been interesting to follow because it seems this same thing happens every time someone makes macho crypto claims. From seeing how confident the Telegram team was to reading all the detractors who were so ready to criticize. It's an interesting dynamic in the crypto community.
Telegram is a very young project and it has bugs for sure. Some guy found a potential issue in the protocol and the developers committed to fixing it soon. There is no information that any messages were revealed due to this bug, but Telegram should go away and the developers should do something else.
Whatsapp is less secure than Telegram, but I have not seen "Whatsapp RIP" messages. It is not so hard to save videos in Snapchat, but no one proposes closing the application. About a year ago a YAML vulnerability was found, but no one proposed that dhh stop development and focus on a race driver career.
I think that we need more competition for TextSecure.
The terms of the bug bounty are very hard to satisfy even with a bad protocol, but Durov seems to have decided to play it safe with such an amount of money. The guy that found the problem in MTProto doesn't win money according to the conditions of the bug bounty because the message is not decrypted.
Disclaimer: I don't have any affiliation with Telegram besides living in the same city as the Telegram developers.
So, let's put it this way: Was it ok of them to lie through their teeth to users? If so, then that's a sad state of marketing. If not, then what are you proposing here?
- military-grade encryption – true
- world's most secure protocol – I'd consider this statement false; I don't know what they mean by most secure or what protocols were considered. Maybe messengers available on the app store; better to ask them.
Why do you think that they “rejected any attempt from the crypto community to help them”, especially after bug bounty proposition?
Why do you think that they lie more than TextSecure advocates? Each of these messengers is safe against passive listening. But insecure to a similar degree if the user downloads them from the app store and runs them on hardware and software that could be easily patched. The current implementation of the Telegram API is prone to MITM attack, but I would not consider TextSecure a completely safe app, nor that every other app should be thrown out.
I've written about this pretty extensively: https://www.hnsearch.com/search#request/all&q=by%3Asillysaur...
It's an interesting contrast in cultures that you phrase it like "Why do you think Telegram lies more than TextSecure advocates?" .... As far as I'm aware, TextSecure advocates haven't lied at all. TextSecure's interest is in security, whereas Telegram's interest seems to be in money and power.
> The current implementation of the Telegram API is prone to MITM attack, but I would not consider TextSecure a completely safe app
I just don't know what to say to this. Telegram has been proven insecure, TextSecure hasn't. Telegram isn't designed by cryptographers, TextSecure is. There is absolutely every reason to assume Telegram is broken.
> Each of these messengers is safe against passive listening.
This is mistaken because Telegram has been proven vulnerable to MITM attacks. Even after they patch this latest security problem, it would be very unwise to trust them.
> I just don't know what to say to this. Telegram has been proven insecure, TextSecure hasn't. Telegram isn't designed by cryptographers, TextSecure is. There is absolutely every reason to assume Telegram is broken.
TextSecure is designed by cryptographers and hasn't been broken yet, but that doesn't mean that it is secure. People need to risk assess when they're using any software.
> If you want to be secure from the NSA, use TextSecure [...]. It's really that simple.
That claim is far too confident! If you want to be secure from the NSA you need to do many things - have a look at the specifications for buildings that handle secret documents, for example, as well as just using a piece of well designed but relatively untested software.
Most people do not have nearly enough operational discipline to withstand investigation by well funded government agencies. Merely using this software is not enough.
> That claim is far too confident! If you want to be secure from the NSA you need to do many things - have a look at the specifications for buildings that handle secret documents, for example, as well as just using a piece of well designed but relatively untested software.
That's why I removed it 15 seconds after I wrote it. But perhaps it could be downgraded to "if you want to live in a world where it's very difficult for governments to vacuum up all your data by default, then use TextSecure, because it's the first step towards that." Telegram offers no such protection since it's vulnerable to MITM attacks (even after they fix this one).
>TextSecure's interest is in security, whereas Telegram's interest seems to be in money and power
I can't read minds or even their messenger logs so I can't comment what is their interest but I'd be interested to know why you think so
> TextSecure a completely safe app
Just wrong. How could you call something "completely safe" or bug free?
> Each of these messengers is safe against passive listening
> This is mistaken because Telegram has been proven vulnerable to MITM attacks
How is Telegram prone to passive listening?
I didn't say TextSecure is completely safe. I said Telegram has been demonstrated to be broken.
Telegram is prone to passive listening because their design doesn't prevent it. There's nothing stopping someone from MITM'ing every Telegram secret chat when it's first initiated. It's in the design.
Their contest means nothing because, due to the way the contest is designed, it's impossible to MITM or mount other side-channel attacks like timing attacks. These are the real attack vectors, yet the format of the contest prevents anyone from employing them.
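An added illustration of the claim above (example code written for this page, not Telegram's protocol or code): why an unauthenticated Diffie-Hellman handshake can be man-in-the-middled at the moment a chat is first set up, and how comparing key fingerprints out of band exposes it. The group parameters, the `fingerprint` format and the names `honest_handshake`/`mitm_handshake`/`verified` are toy assumptions for illustration only.

```python
"""Toy DH handshake with and without a man in the middle.
Not Telegram's code; group and fingerprint format are illustrative assumptions."""
import hashlib
import secrets

# Toy DH group (assumption): a real system needs a large safe prime and a
# generator of a large prime-order subgroup, not a 127-bit Mersenne prime.
P = 2**127 - 1
G = 5
KEY_BYTES = 16  # enough to hold any value below P


def keypair():
    """Generate a private exponent x and the public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(priv, peer_pub):
    """peer_pub^priv mod p, the value both sides should agree on."""
    return pow(peer_pub, priv, P)


def fingerprint(secret):
    """Short digest of the agreed key that both parties could read aloud."""
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def honest_handshake():
    """Alice and Bob exchange public values directly; fingerprints match."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    return fingerprint(shared_secret(a, pub_b)), fingerprint(shared_secret(b, pub_a))


def mitm_handshake():
    """Mallory sits on the channel and substitutes her own public values.
    Nothing in the exchange itself lets Alice or Bob notice: each derives a
    valid key, but it is shared with Mallory, not with each other."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    m1, pub_m1 = keypair()   # Mallory's value delivered to Alice "as Bob"
    m2, pub_m2 = keypair()   # Mallory's value delivered to Bob "as Alice"
    alice_key = shared_secret(a, pub_m1)
    bob_key = shared_secret(b, pub_m2)
    # Mallory holds both keys, so she can decrypt and re-encrypt each direction.
    assert alice_key == shared_secret(m1, pub_a)
    assert bob_key == shared_secret(m2, pub_b)
    return fingerprint(alice_key), fingerprint(bob_key)


def verified(fp_alice, fp_bob):
    """The out-of-band check: compare fingerprints over a channel Mallory does
    not control (in person, a phone call). A mismatch means a man in the middle."""
    return fp_alice == fp_bob


if __name__ == "__main__":
    print("honest handshake verified:", verified(*honest_handshake()))  # True
    print("mitm handshake verified:  ", verified(*mitm_handshake()))    # False
```

The point of the contest criticism is visible in the code: a challenge that only hands out captured ciphertext never exercises the `mitm_handshake` path, which is the one an active network attacker actually takes.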
Is there a cause-effect relationship I'm missing here?
Yes, you do. "TextSecure completely safe app" was copied from your message before you or someone else edited it. I did not type it but copied the exact phrase from your message.
> Just wrong. How could you call something "completely safe" or bug free?
Where did he say that "TextSecure [was a] completely safe app"?
Why are you misrepresenting his words?
He said TextSecure was not proven insecure (As was Telegram). That does not mean or imply that it is safe or secure.
What's unsafe and unproductive is when bozos jump in the pool, apparently ignorant or otherwise misrepresentative of the reality of how difficult it is to create a correct solution -- and confidently declare their implementations to be trustable.
If the messaging on Telegram had been, the world needs a secure messaging solution and we're committed to building it starting with this thing which we think is pretty good for XYZ, nobody would be objecting. Instead, these guys presented themselves as having solved a problem which is known to be difficult, and moreover using an unlikely method.
Whatsapp never claimed to keep your chat secure. Telegram did. Many people offered gentle advice to Telegram, and they ignored it.
Maybe it's a cultural thing? Not just domains-of-expertise (mathematicians going into crypto) but international?
Most advice to the Telegram developers in the previous HN discussion was to stop doing crypto and do something else. I would not consider that "gentle advice". The only help from the community to their application is the bug report by user x7mz from the habrahabr site.
I would suggest they hire security consultants to check the security in a first stage. Review by third parties is the best method to avoid things we overlooked. The prize should be for after all these consultancy options have been exhausted.
As a side note, I see there is still a lot of room to improve automatic translation. It's difficult to understand in some places.
In the crypto world, projects like Telegram have popped up over and over again. A new protocol, designed by non cryptographers, that turns out to be heavily insecure. I wish that wasn't the case, but that is why people have reacted the way that we have. This is literally life and death, so it pays to be cautious.
I hope Telegram learn from all this, and go and get audited and tested by reputable experts. Then, fix all the issues raised. Then release their apps to the public, when they are proven secure. Until that time I personally will not trust their application.
The guy gets $100 000:
You may want to check before you post.
Apart from that, I can't check Durov's posts from the future. My post was written before Durov's announcement.
And guess what, hate isn't always wrong.
RIP Telegram (2013-2013).
This is HN, and we don't make posts like that.
1) Every Bitcoin thread
2) Every NSA/Snowden thread
Source (cough): I've been around for 6.3 years, am in the top 40 users in terms of net karma, and am actually very frustrated with the unfortunate turn the community has taken in the past 12-18 months. And am considering leaving, which makes me sad.
That behavior certainly doesn't add anything to the site.
That said, I'm pretty sure my highest karma (~50) comment was a joke about Tau Day back in 2008. Soooooooo.
All I was saying is perhaps if pg et al. decreased whatever threshold they have set for account ghosting, we may see fewer of these pointless comments in the future.
No, you just stood on the sideline and waited for somebody to fail so you could come down off your branch and peck at the corpse.
Indeed, there is a lesson here. Don't expect anybody to pat you on the back when you put it all on black and win. Because, sure as shit, they'll be there to kick it in your face when you lose.
How embarrassing for Telegram if what he says is true.
This excerpt was taken from the google translate version of the article.
Crypto is hard to get right; that doesn't mean no one should even bother trying.
Likewise, building a hot new secure messaging app with existing well-analyzed, battle-tested cryptographic schemes is generally going to be welcomed.
If you try to do both at once, you're building your application on shaky, untested cryptographic foundations. Cryptographers would similarly probably warn you not to base your application on a new cipher someone else announced at a cryptography conference last week - give it a bit of time for others to analyze it and spot any flaws it might have before you entrust anything sensitive to it.
I could go and try to play around with real time systems for flying planes, it still wouldn't make sense for me to sell you the "safest" plane in the world without going through the proper steps to get such system certified beforehand.
Note: This is not so much in response to thom's comment, but rather the criticism of jimmytucson's comment (which actually has some substance).
They overlooked some security weakness and didn't see it. They didn't do it on purpose like the NSA. In their eyes, the protocol was perfectly secure and most of it is of course.
The only way to avoid this self judgment bias is to use review by other people.
That there is exactly the problem. There is no reason to believe the protocol is secure, and when looking at crypto you start from the assumption that it's "maybe broken", not "perfectly secure". Assuming that some new crypto is secure is hubris.
Pavel previously set up contests with monetary rewards about half the same value for developing a mobile VK app for iOS, Android and WP.
It's not a gamble—it is really an expensive way to find holes. What I don't understand is why they don't hire a crypto consultant instead.
Telegram's response was basically, "LOL. We know better cuz' we got binders full of mathematicians and I'm not listening unless you win our rigged contest designed purposefully to instill a false sense of security in our customers."
Cryptographic software isn't developed the same way as ordinary software. A normal program is launched with tons of bugs and gets fixed over the course of years. Custom crypto solutions should not be delivered to customers in a similar state without explicitly telling them that it hasn't been proven secure.
Because it is dangerous to everyone when non-crypto guys call themselves crypto guys.
Failure is celebrated -- if you make an effort, and try, and you fail, and you learn, and you share what you learned, people care.
But when you (Telegram, not you, XorNot) have a bad idea, and people smarter than you patiently explain why it's broken, and you try to buffalo and bluster and bullshit past them, and your product's entire purpose is to provide security, then your product is worse than a buggy tool; it's worse than not using the product at all. It's the modern-day equivalent of patent-medicine snake oil, and it hurts people.
What you have here is homeopathy.
They also didn't put 200k on the table for anyone that could break it. They put 200k on the table for anyone that could break it in a very specific way that proves nothing.
They used a combo of known bad and unproven stuff in weird ways and then claimed it was the best thing ever, which is just crazy.
Sometimes, I get embarrassed by what I experience here on HN. The gang up, the unnecessary pride.
To those saying RIP, Telegram will succeed. Without using it (I use a Blackberry), it looks to be top two of the chat apps when you combine usability/security. I will download it once I get an Android phone in January.
I will not wish failure on anyone who is confident in his product. Of course they could have shown more humility, but in the face of "take downs" on all sides, especially the ones sponsored or initiated by the WhisperSystems/TextSecure chaps, I do not see why they should have bowed down to be crushed.
Considering the type of responses given by Pavel Durov, I am almost certain he would have been much more humble if his attackers toned it down a notch.
To the person that found a flaw, kudos to you on doing something and not spending all your time doing take downs of telegram on HN threads and blogs.
Pavel, I am hopeful that you will reward the chap even though the discovery was not within the "guidelines". it is all about the spirit of the competition.
As for the TextSecure/WhisperSystems guys, stop being like the politicians we hate who campaign by slinging mud at opponents instead of selling their stuff. Focus on selling the TextSecure app and not looking to take out anyone who has a different approach.
PS: I have no relationship with either party. I am a neutral observer that has his own opinions.
But it is not secure! That's the entire point.
Never mind "not secure against a well funded government agency", it's not secure against other attackers.
There are lots of usable chat apps that do not give you the illusion of security.
> and not looking to take out anyone who has a different approach.
You seem to be mistaken about why they do this. It's nothing to do with pushing their app or their approach. They'd welcome good well-formed apps to compete with them. But when they see an app that claims to be secure they have an ethical duty to let people know if it is obviously not secure.
Most people are not bashing just for the sake of bashing. Some people need good cryptography software to avoid imprisonment, or torture, or state killing. This isn't about stopping someone's teen-angsty poetry from being discovered by a sibling; it's about protecting political dissidents from an oppressive regime. In that context, pointing out that software is broken is not mindless bashing, it is a crucial part of the cryptography process.
(I'll accept that a few people are missing the mark with their criticisms.)
Pointing out flawed crypto software is part of a long tradition going back many years. It's part of the culture. Most cryptographers will start by analysing other software and finding flaws before implementing their own software.
I like your commentary it is level headed and explains the position of the non biased "other side".
I think the conflicted position of the lead bashers did not help their position. It would have been much more useful for a neutral party to do a comparative analysis and stated the pros and cons of each side.
As for me and most normal users, the security we need is not from NSA-type snooping but from mid-level risks. There may be some sacrifices that have to be made, just like the position Ubuntu plays where Linux distros are concerned.
For people like Snowden, Greenwald and others with NSA level adversaries, I do not expect them to rely on any third party application at all.
Now your argument may be that they have created stuff for sexting teens and claimed to be good enough for Snowden. In that case, I would argue that it could have been pointed out that in a different and perhaps more polite way.
I would worry about anyone who has created any crypto tool who is not over confident in his product. I will also expect the person to be receptive to constructive feedback NOT "leave your product and join us" or "This is shit because no noted crypto person is on your team"
I remember when cperciva, who built Tarsnap, an online "backup for paranoid users", launched, he was rather confident in his product and I did not see any intense bashing of him. As expected, there have been bugs in his system and he has fixed them as they have arisen.
We should help things grow right here on HN not hope for things to fail if they do not support the view of the crowd.
> It would have been much more useful for a neutral party to do a comparative analysis and stated the pros and cons of each side.
And what would this neutral party be?
> As for me and most normal users, the security we need is not from NSA-type snooping but from mid-level risks. There may be some sacrifices that have to be made, just like the position Ubuntu plays where Linux distros are concerned.
You make it sound as if having government-grade encryption were very hard or very costly, but that's obviously not the case; there are many open encryption standards that wouldn't have had the kind of issues Telegram has. Do you want to start a new contest targeting a properly configured OpenSSH, for instance? There is no need for a tradeoff there.
> I remember when cperciva, who built Tarsnap, an online "backup for paranoid users", launched, he was rather confident in his product and I did not see any intense bashing of him. As expected, there have been bugs in his system and he has fixed them as they have arisen.
Colin Percival has credentials and experience in the crypto world. When he makes "new" crypto like scrypt he publishes it, and it has been thoroughly reviewed. It also has distinct advantages over previous technologies; it's not just new for the sake of being new.
Crypto is serious business, people can get hurt. Toying with crypto, proposing new ideas is of course to be encouraged, but be humble about it and listen to the feedback. Actually, this last part is true for everything.
He also, AFAICR, did not appear over confident, he was clear in delineating what his application does and does not protect against, and what his goals are (that is one reason why he deserves these crypto credentials).
He published his entire source code.
And when he launched a contest, it was in the form of a bug bounty, he accepted any kind of bugs (up to and including spelling errors in his code comments :) ).
Also all "secure apps" that aren't fully open source should be considered insecure by default. No compromises. Whatsapp, Snapchat, Hangouts, Skype, they're all insecure and you can't rely on them for keeping your communications private.
Like, say, tptacek, who is not in the "instant messenger" business, who is in the security audit business, and whose comments here on the technical details of the Telegram protocol have been absolutely damning? See https://news.ycombinator.com/item?id=6941934 for example.
Who made your doors? What specification were your doors built to? Who made your door locks? What specification were they built to? Who has authority to cut keys to those locks? How do you know?
If you truly are as worried by governments as you claim why are you not fortifying your home?
Most users, disregarding the government for the moment, don't need encryption full stop. They don't send anything commercially sensitive that an attacker's going to be interested enough in to try to intercept their messages.
The use of encryption presupposes a motivated threat, and it's not clear to me that the NSA is significantly more powerful than other adversaries in that area. They've more computing power, more political power, they can buy zero day exploits. They probably even have some very smart people, who can find flaws faster than the attackers in civ-space. But speed isn't required, only persistence; motivation, interest. Which is, after all, what we're supposing in the first place if someone's going to go to the trouble of intercepting your messages.
It's not clear to me that unless your goal is 'make something that the NSA can't break into', you're going to make something that a well motivated attacker can't break into either. And this stuff only has to be broken once, then they'll just sell or share the attack. The conflict is asymmetrical.
Your argument seems to be posited on the idea that there will be no attacker; no-one anywhere, ever; sufficiently motivated to breach the protocol. And I find that highly questionable, given that a flaw has already been found - and with far lower levels of incentive than will be present if the system is widely deployed and used to protect valuable information.
You've no idea what you're talking about. Please stop spreading such bullshit around; other people might fall for it!
Firesheep is an app that allows you to hijack the account of any user on the same Wi-Fi network as you, if the network is not encrypted and the user used a non-encrypted connection to the website. Facebook, Google, Twitter and Flickr were all susceptible to such attacks before the advent of this tool; afterwards, they fixed it by using https by default.
Do you want random strangers to have full access to your Facebook account? No? Then you should realize that most people do need encryption full stop.
Also, only very powerful attackers can hack https encryption (they need either access to your laptop (hardware access, or a zero-day exploit), or access to the website (e.g. court warrant, or coercing a certificate authority)).
Beyond that I'm not going to engage with you any further, on this or any other point. You strike me as a bully, restrained where you are simply by the absence of an excuse rather than the presence of decency. As such, I've no interest in associating with you.
Overstated claims of privacy could get people killed if they trust them so it is a serious issue.
Telegram have an arrogance that is inappropriate in security/crypto protocol development. Most crypto protocols, even those developed by experts initially have problems (at the protocol design level even ignoring the implementation bugs) which is why even experts only come up with new ones when there isn't any existing one with the required properties and even then reuse as much existing battle tested technology as possible and submit it to worldwide evaluation tentatively and nervously.
The competition was set up in a way that clearly excluded most threats and was either another sign that Telegram didn't understand most of the threat space OR that they did and wanted to rig the competition to be unwinnable while claiming that it validated the security in some way.
So at least until yesterday Telegram were arrogant and either completely clueless about crypto protocols or PR bullshitters with some clue and a poor protocol. They need to get a clue AND drop the arrogance to get support from me.
Until these things happen Telegram are a danger that people should be warned about and not regard as secure.
I am also a neutral party with no relationship with either party.
> he would have been much more humble if his attackers toned it down a notch.
> looking to take out anyone who has a different approach.
Good. Let's be hard to please. This is not [spoiler]fucking[/spoiler] macaroni paintings we are making and using to please mommy. These are the apps we all use to continue our work and edify our lives. I want it to be a gauntlet; I think it is great that people's products are critiqued so meticulously, and I am happy that a competition with such glaring inconsistencies (to whoever wrote the alternate competition explanation... thank you) did not survive for long. As an American, I am so tired of security theater. If something is touted as secure and is not, I want to know about it.
And as for the ridicule, if you obfuscate and misrepresent, you invite a harsh response.
It's funny that you mention politicians at the end of the post, because as I was reading your posts in this thread, I couldn't help but think you were feeding into the huge cable-newsification of this disagreement. It is what happens when a bunch of lookie-loo viewers want to be involved in the debate but can't keep up on the issues. I struggle to completely follow the tech here but my job occasionally brings me close enough to crypto that if nothing else I understand the huge disparity between the technical discussion and the superficial one at play here.
Attempts to fit this disagreement into the same oblique, non-existent, ideal behavior for a disagreement subvert the ability to productively disagree and make behavior worse overall. Your remedy is for them to not disagree. I take it differently. I want them to disagree, but I don't want anyone involved in the disagreement to dishonestly play to the masses. But that would involve conceding a point, and what would that do to the bottom line?
> Focus on selling the TextSecure app and not looking to take out anyone who has a different approach.
You mistakenly seem to think that TextSecure exists primarily for profit. It is obvious the aim is good crypto. They're playing a different ball game than Telegram's freemium model, one where marketplace success doesn't determine if they implemented their crypto right. Promoting _that_ involves explaining why the Telegram tech is deficient.
Back to the cable news analogy: in a post of yours further down the thread, you bring up what the right level of security is for this app. That's a good question, one moxie (I think) brought up days ago by pointing out they didn't have a threat model, and tptacek (I think) called them out for using nation-state actors as the adversary in selling the app. They played that card in technical criticism; you bringing it up here is goalpost shifting now that they're starting to look bad and you want to keep driving down the middle of the disagreement.
> PS: I have no relationship with either party. I am a neutral observer that has his own opinions.
Oh, I know. You're playing into the US-politics detached observer rote well. You should know that the system adapted to account for that stance years ago. You're getting played as hard as everyone else.
He does reward the chap—with $100 000:
I figure it's fair.
The protocol is bad; this competition protects against only the most basic attacks and still was broken in about 5 days.
It's not "unnecessary pride". You have to be really cautious with cryptography. Don't use the first thing that has a "Secure!" sticker on it.
The way I hope TextSecure can be different from Telegram is not by having an absolutely perfect security record forever (although that'd be great), but by publicly talking about the protocol choices we've made, employing constructions with proofs where possible, and actively soliciting feedback. Thanks for being involved!
[Edit: I can't find the comment so I withdraw this claim:
There was at least one comment possibly from moxie mentioning odd use of nonces that may have been in this area, if so it was right on target.]
To make a harsh analogy it's like using a colander for a boat and then complaining that a particular hole wasn't pointed out to them.
Vuln rewards should exist for two purposes:
1) An act of good faith on the part of the developer that says "I am interested in securing my product and I won't prosecute direct disclosure"
2) The Dev knows exploitable vuln discovery has value, but cannot compete with black market pricing. Instead, the reward is a token of appreciation for a shared code of ethics.
I wish bug bounties could compete with the budgets of nation states. They can't.
Companies shouldn't pretend to compete. Shame on telegram for stupidly false promises.
The guy is rewarded half the bounty:
1) They don't achieve their objective of securing a product. Moxie eloquently captured why here: http://thoughtcrime.org/blog/telegram-crypto-challenge/
2) At this level of payout, they are inefficient and unsustainable. There were less expensive ways to discover implementation flaws, and certainly more direct ways to discover design flaws. Was the lesson they just learned really worth $100 grand from some random dude on the Internet? Seems to me you could find more problems per dollar by directly engaging with some of the top class security consultancies out there.
So to summarize, Telegram's reward was an extremely inefficient stunt that did not achieve its likely real objective. I imagine the team is licking its wounds right now and regretting their approach. We'll be able to tell by whether or not they continue their offer under the same rules and same budget.
I expect this to continue for another couple of rounds because random security people on the Internet will be smelling blood right now.
> This story makes me once again admire Russian programmers. For a whole week esteemed American cryptographers on HackerNews were picking on the protocol fruitlessly - mostly demanding to replace our own solution with algorithms from NSA-backed Suite B [sic!]. And yet a Russian programmer, who calls himself "a novice", could immediately recognize the weak spot in the secret chats, in the context of an article on Habrahabr.ru.
Edit: To make it clear, that is not the whole post, just the first paragraph relevant to my point
* There was no data leak, the vulnerability is fixed, there is no danger.
* It was a good idea to open the source and protocol for review.
* The finder of the vulnerability deserved a reward of $100k, and comparable rewards will be made for further attacks of similar grade.
It's great to see how open software can leverage the power of the community to find weak spots and become stronger.
May I suggest that you guys take a leaf out of his book and rewrite the security claims in your FAQ to reflect the fact that the protocol is new and at this point there are likely to be some bugs but that you are working hard to make it secure.
Somebody finally expressed this thought politely.
This story makes one once again admire Russian programmers. For a whole week, eminent American cryptographers on HackerNews picked at the protocol without success, mostly demanding that we replace our solution with the algorithms the NSA promotes in its Suite B. Yet a Russian programmer who calls himself a "novice" was able, within an article on Habrahabr, to identify a potentially vulnerable spot in secret chats right away.
Just in case, let me clarify for ordinary users: there was no data leak, the vulnerability is closed, there is no danger.
I am once again convinced of how right the decision was to fully open the protocol and the source code. It lets us attract thousands of smart people who can help us constantly improve the system by finding potentially vulnerable spots.
The developer who found the weak spot in our algorithm has earned a reward of $100,000. Anyone who finds the possibility of a similar attack will earn a similar reward (as a reminder, I announced a $200,000 reward for decrypting a traffic stream). We keep looking; together we will make the protocol unbreakable.
This story makes us once again admire the Russian programmers. Whole week at the venerable American cryptographers HackerNews unsuccessfully clung to the protocol - mainly with our decision to replace the requirement for algorithms that promotes its NSA Suite B. A Russian programmer who calls himself a "newcomer" could under Article Habré stride identify potential vulnerabilities in secret chats.
In any case, I will explain the bulk of users: data leakage was not a vulnerability is closed, there is no danger.
Once again convinced of how the right decision was fully open protocol, and source code. This allows you to attract thousands of smart people who can help us to constantly improve the system by finding potential vulnerabilities.
The developer, who found a weak spot in our algorithm, deserve a reward of $100,000. Deserve such an award anyone who finds the possibility of similar attacks (remember, for decrypting traffic flow me was declared a reward of $200,000). Continue to seek - together we will make a protocol indestructible.
As a programmer from that neck of the woods, allow me to use this opportunity to distance myself from these clowns.
What do you mean?
HN seems to hate by default.
If the spirit of the prize was "if you break our crypto you win", this guy should win it. If the spirit of the prize was "we don't want to give away 200k, but we want to pretend we're secure", he shouldn't.
But my system was not so secure. My cipher system was this: Take a message and type it on a US Qwerty keyboard, but shift every letter over one place. So `hi` became `jo`. Not very strong. It would easily be cracked with a message consisting of an actual sentence or two.
Now, with Telegram, it wasn't just the length of the message involved, but additional information; still, the conditions are so narrow that it doesn't apply to the real world. Just like I'd never simply send you a message that said "hi", Telegram would be used in ways beyond one simple back-and-forth exchange, so it artificially limits the information available to a cracker. Make sense?
See also: The BEAST attack or the general class of side channel attacks.
Basically, the framework of the contest precludes many avenues of attack to which a given cryptosystem could be vulnerable. The researcher who discovered the vulnerability in the OP used a man-in-the-middle attack, which cannot be used in the Telegram contest.
It hasn't been so long since the last snake oil peddlers had their roasting -- I forget the name, it was some cutesy web-browser "secure" chat thing.
It's cool to report debunkings, but if it weren't for HN, I (and most others?) never would have even seen these products in the first place.
So when something easy to use claims to be secure HN waits for some of the well known cryptographers here to kick the tires.
In this case many people kicked the tires and pointed out some weird obvious flaws. People hoped that Telegram would listen, and seek help and advice, and continue to make a great product.
Telegram's actions made the situation worse, and created a pile-on.
Telegram made a few mistakes.
1) Smart people without crypto experience designed crypto software without getting cryptographers involved.
2) They released this product as finished, secure, ready to use.
3) They dismissed concerns.
4) To try to quash those concerns they created a rigged challenge with a high-value prize. This is a well-known red flag for cryptography software, and it's surprising they weren't aware of it, but as soon as people saw that, the pile-on accelerated.
First, there's a risk the NSA is actually the one initiating those services.
Secondly, in cryptography, it's very hard if not impossible to effectively prove your messages are not read by someone else. Cryptography experts do not tend to work for people's interests. And if some do, the NSA has too many resources to just defeat those who try to not be listened to.
I understand the intention is noble, but if you release such a safe tool, the NSA will view it as a terrorist threat, because that's the job they have been given, and they will end up listening anyways.
I can't understand the paranoia about all this. If you're really afraid the NSA might use information against you, it's because you made political enemies, in which case, why use digital means of communication at all?
I really tend to think it's being cool to use those cryptographic features, rather than anything else, and that's worrying.
Is Russian an "easy" language to translate to English?
I wish it'd find its way into usage for East Asian languages more, but I suppose finding dual-equivalent corpuses to build the models off of is hard.
After logout, one of the key interlocutors for chat will regenerate, and to check that I have the same key as the source, I can only look in his eyes phone.
...did it translate "iPhone" to "eyes phone"? I'm not sure. If that isn't what happened, then something far more horrible must have.
After one of the participants logs out, the chat key will be regenerated, and the only way I can check that I have the same key as my counterpart is by looking at his phone with my own eyes.
My (human) translation:
After one of the participants will log out, the key from the chat will be re-generated, but in order to check that I have the same key as them, I would need to see their phone with my own eyes.
This sentence has a particularly non-English word order, plus some missed punctuation. I can see how it would be a hard case for machine translation.
I must also clarify that I was a little distracted.
Thank you very much, the author of the post is entirely right. For our part, we want to explain that this was done with the best intentions: to fix bad randomness on the clients.
From now on the nonce will always arrive as zero, and in the next layer we will definitely remove this field from the schema and explain it in the documentation.
The author of the topic has certainly earned a reward; please have Habr user x7mz contact email@example.com to clarify the details.
Thanks very much, the author is absolutely correct. Just wanted to explain that the intentions were good: to correct bad "random" on the client side.
From this point on nonce will always be set to 0, and next we will definitely remove it from our diagram and explanations in the docs.
The author definitely deserves a prize, please enquire at the following email for details.
The commenter is right: it looks like the server can, in principle, perform a MiTM on the DH between clients by manipulating the nonce. I don't know exactly who introduced the nonce in this form, although I do know the justification given: it was needed to protect against weak randomness on clients, which in principle anyone can write. Obviously this nonce should be made zero, and it should be written down that from now on clients must not accept secret chats with a non-zero nonce.
It is remarkable that a person who calls himself a "dummy" in cryptography found a genuinely serious flaw in the protocol, unlike many so-called "professionals" who keep nitpicking beside the point.
I'm not sure about the $200k: this won't help decrypt the traffic, and the server does not know the key of the secret chat, because it has no such backdoor. But I really don't like that in the future such a backdoor could, in principle, be added by someone.
Nevertheless, I think you are owed a valuable prize for this valuable observation. Even if not such a big one.
If you or anyone else finds any other potential holes in the protocol, report them and we will reward you.
He is correct, looks like the server can manipulate nonce and succeed at MiTM on DH between the clients. Not sure who's idea it was to introduce that nonce in this form, but I do understand the motivation, to protect against the "weak random" on the clients that can in theory be written by anyone. Obviously, we need to make nonce=0 and refuse secret chats with non-zero nonce.
It is quite amazing that the man who calls himself "a crypto noob" found a real vulnerability, as opposed to all those so-called professionals whose criticisms were largely unfounded.
Not sure about the $200k since this vulnerability won't really help to decipher the traffic and the server doesn't know the key from the secret chat, because it doesn't have any "bookmark". But I really don't like that in the future such a bookmark could be added.
However, I think this is a valuable observation and you do deserve a prize, even if not such a big one. If you, or anyone else, will find other potential vulnerabilities, please let us know, we will be rewarding.
"unfounded" is closer to "не обосновано".
It is an English-speaking forum, put English text first.
> as opposed to all those so-called professionals whose criticisms were largely unfounded.
Or in short: We don't generally consider things safe until they collapse/explode/poison/... and people are actually dead. When an expert understands that something is not safe anymore for reasons that you don't understand, that still is a well-founded reason for considering it unsafe.
Even in the corrected version of Diffie-Hellman (with the nonce removed) the server can slip clients a number which is zero modulo p as g_a or g_b (since the documentation only talks about a 2048-bit sequence -- it can be either 0 or p itself). Then both clients will see the same identicon ("visualization key", 'cause it will be a representation of SHA1 applied to zero).
However, judging by the further manipulation of the "shared secret" key (because MTProto doesn't use the Diffie-Hellman method of multiplying by g^ab^-1 or any multiplication by the shared key whatsoever), the multiplication by zero will not happen to client messages and they will successfully flow through the "bare" AES (and therefore users will think that everything is fine and will proceed to transmitting sensitive data in this mode).
P.S.: Correct me if I missed something. This might be a corner case, but, nevertheless, it formally does not differ much from the server XOR salt one (at least, it needs fixes in the client and the doc too). Or am I making a mistake somewhere?
P.S.: The original version of this comment of mine, in Russian: http://habrahabr.ru/post/206900/#comment_7128970
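The developer's comment (make the nonce zero and refuse secret chats with a non-zero nonce) and the comment just above (a relay handing both sides a value that is zero modulo p, so both derive the same fingerprint) describe the same failure: a client accepting key material it never checked. The following is an added example, not code from Telegram or from either commenter; it uses a constructed toy DH group (p = 23, g = 5, labelled as such in the code) in place of the real 2048-bit parameters and shows the client-side checks those two comments call for, next to the unvalidated path in which a substituted zero goes unnoticed.

```python
import hashlib

# Constructed toy Diffie-Hellman parameters so the example runs instantly.
# They are NOT Telegram's 2048-bit group; only the validation logic matters.
P = 23   # safe prime: (P - 1) / 2 = 11 is also prime
G = 5    # primitive root modulo P


def public_value(private: int) -> int:
    """g^x mod p: the value a client hands to the server for relaying."""
    return pow(G, private, P)


def raw_shared_key(peer_public: int, private: int) -> int:
    """peer^x mod p with no validation at all (the behaviour the comment warns about)."""
    return pow(peer_public, private, P)


def key_fingerprint(key: int) -> str:
    """Stand-in for the 'visualization key': SHA1 over the shared-key bytes."""
    return hashlib.sha1(key.to_bytes(32, "big")).hexdigest()


def validate_peer_public(value: int) -> None:
    """Reject degenerate public values a hostile relay could substitute."""
    if value % P == 0:
        # 0 or p itself: every peer then derives key 0 and the same fingerprint
        raise ValueError("peer public value is 0 mod p")
    if not 1 < value < P - 1:
        # 1 and p-1 generate subgroups of order 1 and 2; anything else is out of range
        raise ValueError("peer public value outside (1, p-1)")


def accept_secret_chat(nonce: int, peer_public: int, private: int) -> int:
    """Hardened client side: zero nonce only, validated peer value, then plain DH."""
    if nonce != 0:
        # the fix stated by the developer above: refuse chats carrying a non-zero nonce
        raise ValueError("server-supplied nonce must be zero; refusing chat")
    validate_peer_public(peer_public)
    return raw_shared_key(peer_public, private)


def rejects(nonce: int, peer_public: int, private: int) -> bool:
    """True when the hardened client refuses the offered key material."""
    try:
        accept_secret_chat(nonce, peer_public, private)
    except ValueError:
        return True
    return False


def honest_exchange(a: int, b: int) -> tuple:
    """Faithful relay, zero nonce: both clients derive the same key."""
    key_a = accept_secret_chat(0, public_value(b), a)
    key_b = accept_secret_chat(0, public_value(a), b)
    return key_a, key_b


def degenerate_relay_unvalidated(a: int, b: int) -> bool:
    """Relay replaces both public values with 0 and the clients do not validate:
    both keys are 0 and the fingerprints match, so nothing looks wrong to the users."""
    key_a = raw_shared_key(0, a)
    key_b = raw_shared_key(0, b)
    return key_a == key_b == 0 and key_fingerprint(key_a) == key_fingerprint(key_b)


if __name__ == "__main__":
    # private exponents 6 and 15 are constructed sample values
    print("honest exchange:", honest_exchange(6, 15))                       # (2, 2)
    print("unvalidated substitution goes unnoticed:", degenerate_relay_unvalidated(6, 15))
    print("hardened client rejects 0:", rejects(0, 0, 6))
    print("hardened client rejects p:", rejects(0, P, 6))
    print("hardened client rejects non-zero nonce:", rejects(7, public_value(15), 6))
```

The range check is deliberately on the received value itself rather than on the derived key: once a degenerate value has been accepted, the key and its fingerprint agree on both sides, which is exactly why the comparison of identicons described above gives the users no warning.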
To simply put it, you don't have to break a wall, just find a loose brick, once that is gone, the wall will have even more loose bricks, and eventually it will fall.
They'd have achieved exactly the same level of security by having no end-to-end encryption whatsoever and just promising that they wouldn't log or look at people's messages - this flaw is seriously that bad.
Besides, it's only to inspire someone to crack their program; it is necessary to come across as a bit arrogant, so someone would lose a screw and crack it. Never mind the buttery language post-cracking, since that usually comes from appreciation for each other.
Putting up a challenge publicly is a great PR tool; I feel it's not reasonable to only bash one company about it. Unless there is something I don't know about what they said/did earlier on HN.