Hacker News new | ask | show | jobs
by nwh 4573 days ago
We already know the system is hopelessly vulnerable to server side MITM attacks, it makes no effort to defend against that attack model. It's mentioned in the comments that they might do manual key verification in the future, but that doesn't happen now. Compromise is silent.
3 comments
paveldurov 4573 days ago
Let me respectfully disagree with you here. Secret Chats in Telegram provide users with a way to detect a server-side MITM attack. http://core.telegram.org/techfaq#q-how-are-telegram-users-pr...
link
nwh 4573 days ago
That only protects against a MITM between peers who have communicated with a "secret chat" previously, not two fresh peers. As "secret charts" are disabled by default it's not really a defence against infiltration; users will presumably only enabled the "secret chat" mode when they have something sensitive to talk about.

When they do enabled it for the first time, we can instantly MITM them using the attack against the "image verification" I mentioned lower down (https://news.ycombinator.com/item?id=6932053), and we can assume that the conversation is worth our while listening in on. The user will hopefully expose themselves in the belief that they are safe, and the game is over.

link
h0cked 4573 days ago
It's simple unauthenticated Diffie-Hellman key agreement, which is known for MITM attack. Yes, you ask A to accept B's identity upon key exchange, but to what extend A would know B is really B not the server playing along? A plausible method would have A and B exchange certificates separate from the Diffie-Hellman key exchange process, and use those as the identity verification mechanism.
link
Ihmahr 4572 days ago
Not only is it possible, they are doing it already. I installed telegram on two devices (android and ipad) and they somehow were both able to decrypt incoming messages. How did the second device get the key..?
link
nwh 4572 days ago
Ah! You were mistaken in the functioning of the service (I thought this might happen). You have to specifically ask for a secure chat with a button press, normally everything is effectively plaintext.
link
Ihmahr 4572 days ago
wtf...
link
sillysaurus2 4573 days ago
Is that really the case? Would you mind linking to that? Because if that's true, then this contest is dangerously misleading.
link
nwh 4573 days ago
https://news.ycombinator.com/item?id=6924866
link
pmelendez 4573 days ago
If you read the comments on that blog, telegram actually negate that:

> the server can perform a MITM attack. > you cannot detect MITM between you and your peers.

>> NOT true. You can compare key visualization in the clients.

link
nwh 4573 days ago
https://news.ycombinator.com/item?id=6932053

The key is not shown in hex, so a MITM is quite simple.

link