by nwh 4573 days ago
Most of the concerns people had were Telegram's servers acting maliciously or being coerced into acting maliciously, which is obviously not covered by this contest or the protocol they have designed. It's a bit disingenuous that Telegram is broken but not in a way that this bounty could pay for.

Yeah, it's probably against the rules of the competition and will get you arrested if you try. But I think if someone does break into their central server and wins the competition that way, they should still be paid out.
No, the goal of these security products is to defend against the government, not a random guy. In that context, it's extremely important that their server undergo the same level of cryptanalysis.
We already know the system is hopelessly vulnerable to server-side MITM attacks; it makes no effort to defend against that attack model. It's mentioned in the comments that they might do manual key verification in the future, but that doesn't happen now. Compromise is silent.
Let me respectfully disagree with you here. Secret Chats in Telegram provide users with a way to detect a server-side MITM attack. http://core.telegram.org/techfaq#q-how-are-telegram-users-pr...
That only protects against a MITM between peers who have communicated with a "secret chat" previously, not two fresh peers. As "secret chats" are disabled by default it's not really a defence against infiltration; users will presumably only enable the "secret chat" mode when they have something sensitive to talk about.

When they do enable it for the first time, we can instantly MITM them using the attack against the "image verification" I mentioned lower down (https://news.ycombinator.com/item?id=6932053), and we can assume that the conversation is worth our while listening in on. The user will hopefully expose themselves in the belief that they are safe, and the game is over.

It's simple unauthenticated Diffie-Hellman key agreement, which is known for MITM attacks. Yes, you ask A to accept B's identity upon key exchange, but to what extent would A know B is really B and not the server playing along? A plausible method would have A and B exchange certificates separate from the Diffie-Hellman key exchange process, and use those as the identity verification mechanism.
Not only is it possible, they are doing it already. I installed Telegram on two devices (Android and iPad) and they somehow were both able to decrypt incoming messages. How did the second device get the key..?
Ah! You were mistaken in the functioning of the service (I thought this might happen). You have to specifically ask for a secure chat with a button press, normally everything is effectively plaintext.
wtf...
Is that really the case? Would you mind linking to that? Because if that's true, then this contest is dangerously misleading.
If you read the comments on that blog, Telegram actually negates that:

> the server can perform a MITM attack.
> you cannot detect MITM between you and your peers.

>> NOT true. You can compare key visualization in the clients.

I'm afraid breaking into Telegram's central server (by the way, there is no such thing) will hardly enable you to decipher end-to-end encrypted secret chats. But certainly worth trying anyway.
It will allow you to conduct a man-in-the-middle attack on all encrypted traffic though, which would certainly be enough to read messages in plaintext.
This is irrelevant - the "secret chat" mode is not the default (according to someone else in this thread) and you're just shoving the key verification process off on to the user with these silly graphic patterns (which, if OTR is any indication, the user won't verify anyway).

This is still vulnerable to server-side _key_ MITM. It's the hushmail/iMessage/etc silent escrow key attack.

The interesting thing with the graphic patterns is that they're lossy. If you assume that a person will just describe the pattern or show a picture of them to one another, it becomes fairly easy to forge them.

http://telegram.org/img/key_image.jpg

Blue in the top and bottom, white line through the middle. So little information that anybody could simply brute force the keys until they found one that matched the description well enough.

I'd happily write a little attack for that, but it's clearly not "breaking" the system enough for the bounty.
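As an added illustration (not code from this thread, and not Telegram's), a toy Python model of the situation described above: two peers run unauthenticated Diffie-Hellman through a relay, and the only check is comparing a fingerprint of the resulting secret out of band. A full fingerprint comparison catches a substituted key; the same comparison over only a few bits (standing in for a picture described to the other party) is matched by chance at roughly 2^-bits. The small group parameters and the truncated hex fingerprint are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy group, constructed for the demo only; real deployments use 2048-bit+ groups.
P = 2**127 - 1  # Mersenne prime, so every secret fits in 16 bytes
G = 5


def keypair():
    """Random private exponent and matching public value."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def fingerprint(secret, bits=256):
    """Hex SHA-256 of the secret, truncated to `bits` bits (multiple of 4)."""
    # bits=256 models comparing a full fingerprint; a small value models a
    # lossy comparison such as describing a picture to the other party.
    digest = hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()
    return digest[: bits // 4]


def dh_exchange(relay_substitutes):
    """Run DH between A and B through a relay; return both shared secrets."""
    # Unauthenticated DH: each side accepts whatever public value the relay
    # forwards, so a relay that swaps in its own value leaves A and B with
    # different secrets, each really shared with the relay.
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if relay_substitutes:
        _, relay_pub = keypair()
        a_pub = b_pub = relay_pub  # each peer receives the relay's value instead
    return pow(b_pub, a_priv, P), pow(a_pub, b_priv, P)


def fingerprints_match(relay_substitutes, bits=256):
    """Out-of-band check: do A's and B's fingerprints agree?"""
    a_sec, b_sec = dh_exchange(relay_substitutes)
    return fingerprint(a_sec, bits) == fingerprint(b_sec, bits)


def chance_match_rate(bits, samples=2000):
    """Fraction of unrelated secrets whose lossy fingerprints collide (~2**-bits)."""
    hits = 0
    for _ in range(samples):
        s1, s2 = secrets.randbelow(P), secrets.randbelow(P)
        hits += fingerprint(s1, bits) == fingerprint(s2, bits)
    return hits / samples
```

`chance_match_rate(4)` comes out near 1/16, which is why a comparison that conveys only a few bits of the key is not a meaningful check.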

Unauthenticated Diffie-Hellman key agreement is known for MITM attacks.
Is there a staging server I can have root on?