by epimenov 3866 days ago
This is absolutely dangerous thinking. There are a lot of people researching crypto and making sure it's secure. If you're using non-standard crypto, you don't have that safety net.

They're using primitives that are proven to be insecure against certain types of attacks (non-checked DH, MAC-then-encrypt, etc). And their code seems to be not perfect (https://twitter.com/matthew_d_green/status/58291636575066931...).

Signal on the other hand uses a variant of OTR (https://whispersystems.org/blog/advanced-ratcheting/), which was thoroughly reviewed and mentioned in NSA documents as not cracked.

You can't just invent something and claim "last time I checked it's not broken". It's not broken (yet) if enough competent eyes looked at it, and the more standard building blocks you use, the easier it is to make those claims. That is absolutely not what Telegram does. I really wish the myth that Telegram is secure would die.


> This is absolutely dangerous thinking. There are a lot of people researching crypto and making sure it's secure. If you're using non-standard crypto, you don't have that safety net.

Absolutely dangerous thinking is to declare cryptography off limits. With that in mind you eventually just scare more people away from participating in this process and eventually are left with a tiny core community.

And this discussion is very moot anyway, as Telegram uses standard cryptographic primitives.

> They're using primitives that are proven to be insecure against certain types of attacks (non-checked DH, MAC-then-encrypt, etc).

Except they are not using them in any insecure way, and they are doing this for very good reasons. This Twitter thread is also full of misinformation collected together from an age-old post that was itself misunderstanding how the protocol actually works.

> You can't just invent something and claim "last time I checked it's not broken".

Sure, that's exactly how SSL works. We invented crypto systems and we are using them until they are broken, then we phase them out for something else.

> Absolutely dangerous thinking is to declare cryptography off limits. With that in mind eventually you just scare more people to participate in this process and eventually be left with a tiny core community.

Cryptography is not "off limits". Cryptography is just a place where the Not Invented Here approach is not just stupid and incompetent, but dangerous.

> Cryptography is not "off limits". Cryptography is just a place where the Not Invented Here approach is not just stupid and incompetent, but dangerous.

That should apply equally to all parts of software engineering and with a big exception that says: unless you know what you are doing.

There was a Tor talk where a person from China said that he recommended two systems to different people: Tor and some other one. The people he recommended the other one to ended up in prison.

These are the kind of consequences you get when you falsely claim security. This is the main reason I want people to stop saying that Telegram is somehow secure. It's just another messenger; people who need security should use something else. There must be no confusion about it.

> Absolutely dangerous thinking is to declare cryptography off limits. With that in mind eventually you just scare more people to participate in this process and eventually be left with a tiny core community.

Anybody can participate, just don't claim it's secure.

> Sure, that's exactly how SSL works. We invented crypto systems and we are using them until they are broken, then we phase them out for something else.

The only difference is there's a mailing list with actual cryptographers (https://www.ietf.org/mail-archive/web/tls/current/threads.ht...) that iterate over the design. If you look at the history of TLS, you'll see how tricky it is to get crypto right. There have been lots of attacks on the protocol that no one person could've thought of. You don't have that if you roll your own and/or have "very good reasons" when people point your mistakes out.

> If you look at the history of TLS, you'll see how tricky it is to get crypto right. There have been lots of attacks on the protocol that no one person could've thought of.

You'd hope so, but contrary to popular belief, actual cryptographers relatively rarely manage to prevent errors in the standards. For instance, Phil Rogaway warned against the MAC-then-encrypt construction used in TLS, which led to the padding oracle attacks, many, many years before they were exploited, but the suggestions were ignored by the "practitioners" designing the protocols. In fact, the TLS example was one that is relatively easy to get right if the designers hadn't gone crazy and had listened to actual cryptographers. Telegram will someday fall into the exact same bucket.

Is Signal's crypto really "well-reviewed"?

The best description of it seems to be at https://github.com/trevp/axolotl/wiki and it's not really understandable by someone who doesn't already know the protocol, so I doubt many people that don't work on Signal have reviewed it.

It looks like the authors know what they are doing though, so it's probably good, but there might be a small risk that they overlooked something.

OTR is.

As far as I know there's been one whitepaper on TextSecure itself (https://eprint.iacr.org/2014/904.pdf).

Considering the amount of heat Telegram is receiving, I'd expect someone to demonstrate eavesdropping by now.

Aren't they using "their own" crypto just on top of standard methods?

There is a big gap between "this obviously looks bad" and "I have an exploit for it". There are many things that one should obviously not do and you can legitimately strongly advise against, but that are not easy to demo an exploit for. The bar for accepting potential security issues should never be set as high as an exploit demo.

As someone who is outside of the security research community, the repeated assertion that "Telegram is broken" is rather hard to accept without an example exploit. I would really appreciate it if someone with the knowledge of how to break something like this took the time they would spend writing a blog post about it being broken and instead demonstrated an attack.

Having relatively low security requirements (I simply don't want to see ads based on my conversations), I'll continue using it to talk with my friends and family until someone demonstrates an exploit.

I know there's a big gap between the two. But again, given the duration, amount, and variety of the "heat", at least something tangible would be nice. What if it remains like this for another year? Ten years? Fifty years? Will it still be called "insecure, because it doesn't use what 'everyone' else uses"?