Trevor Perrin and Moxie Marlinspike won the Levchin Prize at Real World Crypto for Signal's cryptography; the Levchin Prize referees are a who's who of academic cryptography, including Dan Boneh, Kenny Paterson, and Nigel Smart; other Levchin winners have included Hugo Krawczyk, Mihir Bellare, and Joan Daemen.
Any suggestion that Telegram's cryptography is somehow comparable owing to "half of them Ph.D's in math", or that Signal's extensively-reviewed cryptography is backdoored, is pretty clearly risible.
OTF, meanwhile, funded basically the whole of the privacy-preserving cryptography field, for years (they may still, for all I know); for many years, they were simply throwing money at privacy projects to hire 3rd party auditors, none of whom were at all affiliated with OTF (how I know this is that we participated). People who claim OTF is somehow a snakey USG backdooring enterprise are saying more about themselves than they are about any kind of sophisticated understanding of how crypto software is built.
Signal protocol might be airtight but nobody knows if any part of an app that is built on top of it doesn't leak keys somewhere in the pipeline. All crypto protocols work under certain assumptions and no protocol is 100% secure from all possible misuses when Mallory owns certain portions of infrastructure.
Wasn't he talking about WhatsApp that integrates Signal protocol? Asking if integrating protocol allows the "host" app to leak keys is completely valid.
Again, reading bytecode is not hard. Even reading decompiled binaries isn't very hard. If WhatsApp was leaking keys on the side it wouldn't be too difficult to find, especially given how incredibly high profile it is as a target.
Open source vs closed source is not meaningful here.
Alright, I got what you meant. Do you know if anyone performed bytecode-level analysis on WhatsApp clients already? Just curious, it's nothing I really need.
While there's only one vuln that has been discussed publicly at HN.
The only issue is they are in Russian as well.
At least one more was exposed[0] by the same person shortly after, I mean days after the initial one.
Over here[1] the same researcher wonders whether any other flaws exist.
And here's[2] how the self-proclaimed `part time-troll` Pavel Durov (the Telegram CEO) reacts to [1]. To me it's obvious he is being haughty towards the HN community with `venerable HN cryptographers`.
To add to his general slandering approach towards competition while handling his own product's flaws without any transparency or publicity, mind that his company is now under investigation by the SEC[3].
Its default settings are nothing to be desired from a messenger app.
And for the paltry $200k they are offering for breaking it I'd bet you could find a magnitude more with little effort on the grey markets.
But no, absolutely no proof the underlying crypto has been broken. It doesn't need to be when government requests for data stored on their servers do more than enough.
Meanwhile, WhatsApp is still not blocked in Russia and there is no good explanation for that besides:
So far, Roskomnadzor has "no urgent request" to include Viber and WhatsApp messengers in the register of organizers and distributors of information. According to Interfax, this was stated by the head of the Department, Alexander Zharov. He was asked when these companies will be included in the register.
"We had a stormy substantive dialogue with the telegram messenger," the official recalled. "We are consulting with all other companies on this topic until there is an urgent request to include them in the register."
Maybe gn. Zharov uses WhatsApp for chatting with his family and they didn't like the appearance of mail.ru's tamtam.chat.
If you know some basic things about the Russian government, this can easily be explained by the fact that policy makers are very inefficient, incompetent in technical matters, and more often than not decisions are very poorly researched. Just look at the fact that Telegram still works everywhere, or the way that even the supposedly most secret Russian organization (the secret military police GRU) handled the poisoning of Sergei and Yulia Skripal, and the subsequent outage of the agent that did it... It seems that the Russian government or police still have a hard time understanding even the basics of what the internet is and how information can be shared or found or leaked in our age. So banning Telegram vs not banning WhatsApp really does not say a lot.
On the other hand it could also be done on purpose in both cases you mention. Deliberately showing incompetence in your digital capabilities is a very efficient way of counter intelligence. The Skripal case was and is a very effective way for the Kremlin to spread fear. Vladimir Putin was the most important person of the year for 5 years at Fortune while controlling the GDP of Italy. Vladimir Putin is maximizing the resources he has in a very good way, irrespective of what one thinks about his actions and their consequences specifically. As long as most people think incompetence, every investment he makes will have a significantly better outcome.
Well that is certainly a valid theory. Although I have a hard time believing that you have lived any long time in Russia recently or followed closely on the developments, because most people that do would not entertain that theory for more than a minute because it's quite clear that the level of incompetency and corruption in the government is insane. Putin sure has a lot of power, but it does not come from technical prowess or IT/infosec departments, it comes from sheer corruption and what is basically a military dictatorship structure of the country, where he is the one that has and is appointing most "friends" in/to the right places.
AFAIK, Telegram's private conversations are encrypted with private keys stored on device _only_ (not on the server). At least it's what they claim. If true, government requests for data stored on servers are probably not enough.
The secret chats are indeed end to end encrypted, but they have some important exclusions and limitations:
* Group chats can only use the default encryption, not end to end encryption.
* The end to end encrypted chats are tied to a single device, and there's no sync across devices (in contrast, all chats on Wire are end to end encrypted and sync across devices within a limited time period).
The default use cases of almost all users have the chat messages stored in plain text on the Telegram servers. This is one of the reasons search (done on the server side) is quite fast on Telegram.
P.S.: Despite these limitations, I prefer Telegram for its superior UX and for not having metadata shared with Facebook. My wish is that someday Telegram makes E2E the default everywhere.
What encryption? Last I checked, there was no E2E group encryption (Telegram has a bizarre web page claiming that TLS to their servers addresses the privacy threat), and 1:1 E2E is disabled by default.
For a very long time there was no TLS to Telegram servers, only their own MTProto. I think they introduced TLS wrapping at some point as an anti-censorship measure, not sure if that’s even deployed in all markets.
E: Well, I took a look at the desktop client with wireshark. It appears to just do MTProto on port 443, not TLS. When I use iptables to drop traffic on port 443, it falls back to MTProto over HTTP(!).
Common security wasn't respected at Vkontakte either.
The social network was serving plain http login form and internal communication unencrypted until 2013[0].
I reminisce that when Durov was questioned about the absence of a secure connection to the servers, he said it's too much overhead and may impact QoS badly.
At some point they rolled out an `always use https` option and buried it deep in the user preferences. Meaning most of the non-tech-savvy audience kept using the service unaware they were not secure.
The obvious pattern here is they tend to use plain http as a default transport, undermining established security practices.
Looks like they don’t use TLS at all by default, just MTProto on port 443 or MTProto over HTTP. Comms to the telegram servers are always encrypted with MTProto, but tunneling MTProto over TLS would make any attacks on MTProto much harder (perhaps impossible) to execute.
I thought they used TLS wrapping in some markets for censorship resistance, but apparently that is not the case unless you set up your own proxy.
> What encryption? Last I checked, there was no E2E group encryption
You of all should know better than to conflate the general concept of encryption with the very nice special case that is end-to-end encryption!
> and 1:1 E2E is disabled by default.
It is not disabled in any way. It just isn't default.
There are really enough real reasons to criticize Telegram, absolutely no reason to 1. redefine words to have narrower definitions 2. Write outright misinformation.
I respect you a whole lot but your somewhat sloppy handling of facts detracts a whole lot from the overall image.
I don't know of any directly related to its encryption, but multiple protest organizers were identified and arrested by the Hong Kong Police Force through Telegram. I'm not 100% sure, but I believe they just added lists of suspected phone numbers onto their phones and looked in Telegram to see which ones matched Group admins.
What happened in Hong Kong was that the authorities created Telegram accounts and added thousands of phone numbers to their contact lists. From that, they got to know which numbers are using Telegram and then were able to do some more tracing. This flaw exists in WhatsApp and Signal too, where anyone who has your number in their contacts list (though you may not have their number in your contacts) will know the moment you join those platforms and will be able to see you on it.
When this design flaw came to be known, Telegram released a newer version where the user has more control on who can know that they're on Telegram. With that change, even if you had someone's number in your contacts list, you wouldn't know if/when they join/are available on Telegram unless they choose to make themselves visible.
That theory is quite possible. If the police join the group, they know the usernames of all of the people in the group, they can then start adding numbers to their contacts and if any of the usernames from the group show up they can then look up who owns the phone number in the government database.
It surprises me that they don't require both of you to have each others phone numbers in your contacts lists before giving away identifiable information.
Telegram released a new version with that exact same requirement to enable visibility. The settings in Telegram have also been expanded for this. On the other hand, this same vulnerability exists (and continues to exist) in WhatsApp and Signal.
There were also claims of Android keyboards being used to log messages on Signal (and maybe Telegram), by Naomi Wu and others. No proof for this though.