by p2detar 2654 days ago
> It is that they rolled their own poor crypto instead of using battle-tested crypto.

I come across this a lot about Telegram and while I do agree, I think there have been no reports so far about hacks in Telegram's service, and it's been online since 2013 or so.

2 comments

6 years is a short time in cryptography. That isn't battle-tested.

"Even worse, security doesn't provide immediate feedback. A dead patient on the operating table tells the doctor that maybe he doesn't understand brain surgery just because he read a book, but an insecure cryptosystem works just fine. It's not until someone takes the time to break it that the engineer might realize that he didn't do as good a job as he thought. Remember: Anyone can design a security system that he himself cannot break. Even the experts regularly get it wrong." -- Bruce Schneier

Source: https://www.schneier.com/crypto-gram/archives/2009/0915.html

Yep, I'm familiar with Schneier's comments. I still find the whole thing funny though. For example, services like Viber seem to have 260 mil. active monthly users [1], which is a tad more than Telegram's 200 mil. on a monthly basis; however, I don't hear people bashing Viber that much even though it practices security through obscurity [2]. Hats off to Telegram for at least publishing their stuff and I remain curious as to how it will all unfold in the future.

[1] - https://en.wikipedia.org/wiki/Viber#Market_share

[2] - https://techcrunch.com/2016/04/20/viber-defends-new-end-to-e...

It's a simple problem of where the market is.

India, Russia, and Brazil aren't the target market for people like Schneier. If you narrow the market to the US, Statista reports that Telegram has twice as many users in the US as Viber.

I'm from one of those countries where Viber is hugely popular (by far more popular than WhatsApp and Telegram), and I hate it with a passion. Kind of like Telegram, its end-to-end encryption was also home-made last time I checked, but at least it's turned on by default.

I recalled it leaking the phone number for a user's handle or vice versa, and while searching for the source found a few more security issues.