Is there a reason why all fad "secure" products lately default to custom protocols and exotic solutions instead of using well tested and trusted solutions?
Designing a protocol so that it does not leak is very hard.
TextSecure is also using a protocol of its own design. I think the difference is largely the motivation at the other end. Moxie is genuinely engaged and interested in crypto and, much much more importantly, improving the trust models associated with it (see Convergence as another example). The Telegram guys seem more interested in being a 'hip' app with the latest secure IM solution. This doesn't even necessarily mean someone with far far less crypto knowledge than Moxie can't make a secure solution, it just means Telegram are suffering from a little arrogance and over-eagerness.
It's far too easy for people outside crypto circles to see cryptography as a panacea. Inside crypto circles however, it's my impression that everyone lives with a slight unease that much of the math they rely on has unproven lower bound complexity, the majority of implementations in existence are horrific, and the key management and trust models we all depend on are terrible and obscured from the user's view and understanding. If you pay attention, all the rock star cryptographers spend most of their time talking about trust, not algorithms and protocols.
Designing a simple and secure crypto protocol isn't actually that hard. There are mathematical pitfalls us mortals can't hope to understand, but if you trust and understand the primitives as black boxes, and have the right mindset when analysing protocols, you can still build very secure systems. I'm a casual crypto hobbyist, and still spotted the issues raised in the Telegram protocol as soon as I looked at the diagram presented in the article. None of these weaknesses are outside of a good programmer's comprehension.
So why is a custom protocol a bad idea? The same reason it's a bad idea to go and reimplement any other protocol... that problem has been solved, why are you remaking it without a strong incentive?
There are examples of crypto being used by amateurs with success though. Bitcoin has multiple extensions, like deterministic hierarchical wallets, which are easy to understand and reason about but I know for a fact weren't designed by world class crypto-experts. In that case, there was a strong incentive. Asynchronous key splitting to ensure safe generation of vanity addresses by 3rd parties is another example. Nobody should say these solutions aren't innovative and useful.
> which are easy to understand and reason about but I know for a fact weren't designed by world class crypto-experts
I thought Satoshi was anonymous? Do you know something the rest of us don't, or are you making assumptions on the code (and if so, how can you make those assumptions when you also state it was a success)?
>Bitcoin has multiple extensions, like deterministic hierarchical wallets, which are easy to understand and reason about but I know for a fact weren't designed by world class crypto-experts.
He clearly isn't talking about Satoshi when you look at the entire sentence.
Okay, fair enough. I'm curious about what makes you sure they weren't written by experts though. Do you have knowledge of the implementers that points towards them not being experts?
> Designing a protocol so that it does not leak is very hard.
In some of the security classes in school some of my teachers said it was better to use an open and trusted protocol than reinvent the wheel.
They cautioned against using a closed source or proprietary protocol because there was no way to "vet" the code. I trust industry vetted solutions over "hip" new solutions that aren't open. I am not sure if Telegram is open or not.
Well, create a metadata-resistant protocol that communicates on set intervals of time with a set length of random data when there is no real payload. This could be done on TLS with little or no effort. The math behind the crypto is strong enough. No need to harden it further.
Every client sends and receives a 16KB blob every 30 seconds - this way you could prevent analysis that you are communicating with someone. You could learn a lot just from the size and frequency of packets in a normal chat program.
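As an added illustration of the fixed-size, fixed-interval scheme sketched above (example code, not from anyone in the thread): every tick produces one 16 KB frame whether or not there is anything to say, so frame size and timing carry no information about the conversation. The 2-byte length header and the `ConstantRateSender` class are my assumptions; the frame is meant to be the plaintext handed to TLS.

```python
import os
import struct
from collections import deque

# Parameters from the post: one 16 KB blob every 30 seconds.
FRAME_SIZE = 16 * 1024
INTERVAL_SECONDS = 30
HEADER = struct.Struct("!H")          # assumed: 2-byte big-endian payload length
CAPACITY = FRAME_SIZE - HEADER.size    # real payload bytes per frame


def build_frame(payload: bytes) -> bytes:
    """Wrap up to CAPACITY payload bytes in a frame that is always FRAME_SIZE.

    Layout: length header, payload, random filler. An empty payload yields a
    frame of exactly the same size as a full one, so the on-wire shape is
    independent of what (if anything) was sent.
    """
    if len(payload) > CAPACITY:
        raise ValueError("payload exceeds frame capacity")
    filler = os.urandom(CAPACITY - len(payload))
    return HEADER.pack(len(payload)) + payload + filler


def parse_frame(frame: bytes) -> bytes:
    """Recover the payload from a frame; the random filler is discarded."""
    if len(frame) != FRAME_SIZE:
        raise ValueError("malformed frame: wrong size")
    (n,) = HEADER.unpack_from(frame)
    if n > CAPACITY:
        raise ValueError("malformed frame: bad length")
    return frame[HEADER.size:HEADER.size + n]


class ConstantRateSender:
    """Queues messages and emits exactly one frame per tick, payload or not."""

    def __init__(self) -> None:
        self.queue = deque()

    def send(self, message: bytes) -> None:
        # Long messages are split so each chunk fits one frame; they drain
        # one chunk per tick, which is the cost of a fixed send rate.
        for i in range(0, len(message), CAPACITY):
            self.queue.append(message[i:i + CAPACITY])

    def tick(self) -> bytes:
        # Called by the transport every INTERVAL_SECONDS. When the queue is
        # empty this still returns a full frame of cover traffic.
        payload = self.queue.popleft() if self.queue else b""
        return build_frame(payload)
```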
We really need to make the world at large aware that a USP in the crypto area is a big red flag.
"We use up to date, standard protocols and crypto techniques" really ought to be the top of the marketing blurb. "Ours is better because we invented it" is really terrible.
WhatsApp already does everything that a messenger should do - send text, images, video, files, location, group chats. The only thing that's not yet there is super-fast speed and security - and those are Telegram's priorities. They will get feedback from the crypto community and update their protocols; they definitely have the potential to do it.