[StavrosK]

It looks a whole lot more likely to me that this is a backdoor, as they added their own thing to a very standard algorithm (the easy and better thing to do would have been to not add anything), and all that thing did was mess with the key exchange.

It's really, really fishy.

[pdimitar]

But is it really that unlikely that it's a misguided attempt to increase entropy?

The fact that a cryptographer might scoff and laugh at the proposition doesn't mean that a normal programmer couldn't fall victim to that illusion?

In any case -- yes. Both things are likely and you made a strong point for the "malice" side.

Still, it makes me wonder why would Durov run from Russia if he was willing to backdoor Telegram? Why not remain in Russia and backdoor it while being there? Why the extra trouble? Or maybe he didn't want to backdoor it for Russia but for other nation(s)?

[StavrosK]

I don't think "people who design a cryptosystem" and "people who send randomness from the server" overlaps a lot, yeah. I don't see how anyone remotely familiar with cryptography would think that sending randomness from an untrusted party is a good idea. It's this bad.

[pdimitar]

Well, a bug I filed to Telegram eventually got closed on petty bureaucratic grounds (wrong repo but nobody moved the issue [I did copy it to the right repo], then X months without action etc.) so this might say something about the average competence and motivation of their technical staff. :)

Thanks for being one of the few to discuss constructively in this sub-thread. It's much appreciated.

[StavrosK]

No problem, your reply did show that you wanted to discuss but was frustrated, so I just continued the discussion.