I don't think people give credit for just how deep this actually does cut. On one project I worked on, which stored obscenely sensitive information, the product manager gave a speech about password security and told us he had a better algorithm than bcrypt. You couldn't explain why this was a bad idea - he wasn't taking feedback. When it landed, I found they had botched the algorithm, so this "SQL injection detection code" basically changed every character to a ' mark. You just needed the right number in a password and it would always match. So I logged a bug and used it to push for them to just use bcrypt; I got a big story about how he knew exactly what he was doing and he would fix the bug. It was "fixed" for a few days. Apparently what happened was, the developer didn't know how to use git properly and copied an older file on top of the repo and brought the bug back, after it was known, disclosed, and everyone had been told it was fixed. The algorithm turned out to only handle a-z, and every other character was left in place. So I went through this again. Same speech about incredibly great design. They could have easily snuck a backdoor in because I never looked at 90% of the code, but this ongoing nonsense was 100% Hanlon's razor.
It is encrypted with a per user key known to WhatsApp.
That means for a third party to access the chats, they need Google to hand over the data, and Facebook to hand over the key.
The logical next step to add would be for Google to additionally encrypt the data with the user's logon password or something derived from it. Google won't do this anytime soon for business reasons.
> It is encrypted with a per user key known to WhatsApp.
This is no longer true! For a few years now. The backup is stored on Google Drive in plain text.
https://faq.whatsapp.com/android/chats/about-google-drive-ba...
1) The backup can only be made to Google Drive, you cannot create a manual backup to a location of your choosing
2) The backup is created in a secret folder that cannot be accessed by the user
3) The backup is deleted if you delete your account. (not much of a backup, eh?)
4) You can only create per-channel exports, but this won't export the entire chat, it will export up to ~12MB of recent media, and ignore the rest, silently. WhatsApp would only share the last 40 messages of a 4-year-old chat because the last few messages contained a few images.
This leads to inability to restore a backup if you forget your password and need to reset it.
That's going to lead to screams/tears from a lot of folks who don't realise those implications.
National intelligence agencies (plural) would already have both.
Are historic chats that important to have them backed up? To me, if there's anything of value, I'll save it via other means...
How many times do things look meaningless when they are said but have a lot of value at a later date?
For example, sometimes you wonder, "when was it that time when XXX event happened". Or "I remember that one day someone told me that he had the same problem as me, but who was it and what was his solution?"
Also, I am used to sharing thousands of links and snippets with my friends that we usually discuss. A lot of the time, after a very long time (sometimes years), for some reason we remember that something or a link about a topic was discussed a long time ago, and then it is convenient to search the history with keywords to find the links and what was said at that time!
I made a card for my girlfriend on our 5th anniversary by going back and finding our first messages to each other on WhatsApp, and putting a screenshot of them on the front of the card with some corny message. She balled up and was crying for quite some time. Anyway we are broken up now, but that's not the point!
These things really do have sentimental value, and it's not always obvious at the time.
Do I have a backup per contact? Per app? Are they stored in my Google Drive? In flat files on my local PC? What happens if my PC's hard drive crashes? How do I automatically keep the backups up to date? How do I keep them in sync? How do I access and query them remotely if I'm not at my PC?
Now multiply that across every different service you use, and that's a lot of mental effort that I don't want to go through if I don't have to. Most users don't want to either.
- Half-admission that the clickbait title might not apply (at the end of the article by mentioning Hanlon's Razor): Check.
- Actual good criticism on "don't roll your own crypto": Check (this is not sarcasm, I liked that part of the article very much).
- Casual mention that the incident is from 7 years ago but implying that today there's a backdoor: Check.
- HN going crazy negative when Telegram is mentioned, as it always happens: Check.
---
I am not shilling for Telegram. I have no reason to. I can switch to Signal with my most important contacts in the space of one hour if I wanted to. I never invested any money in them either. I won't get sad if they get nuked from orbit tomorrow.
But it's really baffling how non-constructive most Telegram HN coverage is, both articles and comments. Sure, they have no bulletproof end-to-end encryption of messages. So, like 99.9% of all apps on all app stores then? Some generic marketing on the homepage using vaguely non-accurate language ("secure chats")? So, again, like 99.9% of the apps that have a page and put marketing lingo on them?
What's so uniquely awful about Telegram?
It's legitimately intriguing how hostile HN gets at the mention of Telegram. There might be some interesting sociological study hidden there somewhere.
That it might not apply is already in the title. "Backdoor-looking" already explicitly expresses that.
> - HN going crazy negative when Telegram is mentioned, as it always happens: Check.
glass houses...
And nobody here is claiming that Telegram is "uniquely awful"; it's just that Telegram is more notable than 99.9% of other apps, in a field (messengers) where privacy is generally looked at more closely and alternatives that are widely considered better in that regard exist, all the while Telegram is widely advertised/recommended as "secure" despite being worse in that regard. On the other hand, this criticism isn't new and is widely known. That's why it's called out a lot, and tbh both (paraphrased) "other unrelated apps have problems too" and (unsourced) "people surely understand that it's just advertising and Telegram's limitations" are really bad defenses.
EDIT: and I suspect Telegram is especially annoying because it's otherwise really good, so if it also solved the security question it'd be a no-brainer recommendation.
That would be quite hilarious and paradoxical: to attract so many negative reactions because the app is very good but it doesn't do everything as the tech-savvy crowd expects (in terms of cryptography). But I can see it being the true sentiment. Interesting perspective, thank you for it.
Telegram puts its users in danger by lying to them. They claim to be a secure, encrypted messenger but do not actually encrypt chats.
Then there’s the backdoor...
>I am not shilling for Telegram
:)
Even better, make a messenger that does encrypt chats. Make it paid. Prove its end-to-end encryption properties. I'll buy it and advocate for it to my friends and family.
In any case, the constant hate is (a) very tiring and (b) very uncharacteristic for HN.
Further, the fact that this was caught so quickly is in some sense a vindication of Telegram's model - even in its infancy when it had orders of magnitude fewer users, the fact that the client was open source allowed someone to quickly spot a vulnerability.
The verdict? IMO Telegram secret chats are probably secure (90% certain), but if I were plotting a murder or something, I wouldn't do it over a smartphone app anyway. There are just too many leaky, complex layers in the stack, some of which aren't even open, and quite dubiously so. If security is a life-or-death situation for you, you'd be a fool to use any smartphone app.
What saddens me is that Signal seems to be the go-to alternative. Which is obviously more secure but still centralised and has a terrible UX (e.g. it drained the battery of my laptop very fast when I tried it the last time). Why not directly go for Matrix / Element.io for a secure and decentralised (like email) approach? Do you really want to upload your contacts?
I quite like Telegram as well but I am under no illusions that it's bulletproof in terms of protecting my chats. I still think it protects them better than WhatsApp though, by the mere virtue of not being hosted in the USA where you can be ordered to give away an unencrypted dump of your database and keep silent about it until your grave.
And Wikipedia also says that the first version of the Signal Protocol is from 2013[2]
[1] https://en.wikipedia.org/wiki/TextSecure
[2] https://en.wikipedia.org/wiki/Signal_Protocol
One of the most vocal critics was Moxie, who later founded Signal. It's ironic that 7 years after Snowden and Telegram, Signal, the supposedly more secure and privacy-focused messaging app, still has yet to gain any sizable foothold in the market. I think that says a lot about both Telegram's and Signal's product strategies.
In regards to actually validating the protocol, the OP addresses this
>The current consensus seems to be that the latest version is not broken in known ways that are severe or relevant enough to affect end users, assuming the implementation is correct. That is about as safe as leaving exposed wires around your house because they are either not live or placed high enough that no one should touch them.
I wish people would stop repeating this nonsense. Just because they don't do end-to-end encryption by default doesn't mean they don't encrypt, which would imply messages are sent in plaintext.
There are plenty of reasons why they did what they did, and these questions are all addressed publicly in their FAQ or the founder's Telegram channel. Whether you agree with the trade-off or their explanations is up to you, but facts are facts.
Far too few services do strategic logging of data useful to catch attackers like this. Many attackers won't attack if they know traces will be left which can point to them.
This blog post is far too charitable.
It's still likely better than WeChat or FB Messenger in terms of privacy. You just get to choose the devil, and some consider Russia no worse than Facebook (and all that it represents) or China.
The problem with Telegram's crypto is that Nikolai Durov is super-smart - he has two Ph.D.s in mathematics - but he thinks he's smarter than everyone else in the world put together, so Telegram roll their own crypto all the time, and keep being a worked example of why "don't roll your own crypto" is a saying.
So please stick to facts and what can be reasonably proven. The rest is meaningless noise and mindless hate.
The author himself admits it's much more likely this was an amateurish mistake than some man-in-the-middle conspiracy. Did you make it until the end of the article?
They shipped a backdoor. It's pretty clear that Telegram is actively malicious. They haven't been caught again? They probably realized that the front door of not encrypting chats was sufficient.
>The author himself admits it's much more likely this was an amateurish mistake than some man-in-the-middle conspiracy
This is not at all what the author is saying.
You seem to be exposing a bias.
While a backdoor is not a bug but a feature, it helps to disguise a backdoor as a bug (i.e. plausible deniability). I know of one instance (in MS Windows) where the backdoor feature was not even hidden that much:
https://en.wikipedia.org/wiki/NSAKEY
That's why we need opensource. It's a hedge against tyranny.
It’s been two decades, and nobody has been able to explain how it would’ve been used.
Maybe Yandex in Russia only?
The backdoor was hidden in plain sight: the s-box was said to be randomly picked, but years of evasive answers from the authors about the cryptographic properties of the box made people think that there was something really not right with it.
If not for that specifically taking aim at the s-box, there would have been no chance anybody would have found it.
3 years later, Perrin's paper came, and it was discovered that almost a new domain of math is buried in that s-box.
Nobody has yet discovered what the unusual math properties of that s-box do, but nobody now doubts it being a backdoor of some kind.
> The eight S-boxes of DES were the subject of intense study for many years out of a concern that a backdoor (a vulnerability known only to its designers) might have been planted in the cipher. The S-box design criteria were eventually published (in Coppersmith 1994) after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack. Biham and Shamir found that even small modifications to an S-box could significantly weaken DES.
At the very least I suppose we will be able to glean more knowledge out of it in the end.
> designers of Streebog and Kuznyechik purposefully hid a structure in this component. This structure is very strong, very uncommon and interacts in a non-trivial way with the other main component of Streebog.
> In light of these results, we urge security professionals to avoid these algorithms.
It's like this: imagine some government released plans for a super-secure safe, and for some reason, deep in those plans, there is an instruction to make a 1/4" hole in the door, at a specific exact position. There is no justification or explanation for this hole, just a mention that it must be present or the safe is not going to be certified.
So people wonder why it was placed on the plan. If there were a good reason, why not tell it? Perhaps NSA/FSB has some new method to crack safes, and this hole is needed for it? Better be careful, and avoid using that specific safe model.
A TG server was sending a "salt" to clients in order to randomize keys (Telegram's claim) when in fact the "salt" turned out useless in terms of encryption, and the only reasonable explanation for the "nonce" was using it as a backdoor to perform a MITM attack.
You decide whether it was done intentionally or because of lack of sleep/understanding.
PS. The original author got $100k for finding/exposing a potential backdoor.
Impossible to succeed at this level without making a few enemies.