I don't have flesh in this game one way or another, but when I read the article, it seemed to be a pretty damning indictment on Telegram, probably not what the author was trying to communicate.
I think the gap in understanding here, is that when it comes to security, cryptography in particular, it's not the case that the critic has to demonstrate where something is broken , the responsibility is on the part of the developer to prove that, in every possible manner, the system is secure.
The telegram people, on the surface, don't appear to be familiar with the crypto-community best practices, and, as a result, are unlikely to have made a product that would survive any real scrutiny, and highly unlikely to survive any actual attack on their protocol, should any adversary desire to do so.
It's not some third party adversary to be worried about, but an internal adversary who might harbor ill intent (or even if they mean well, might be forced to become evil under secret court orders.)
Telegram are advertising a system which they claim is encrypted end-to-end, which means that even with physical access to the servers which are routing messages, one would not be able to perform MITM attacks. However, the contest is an obvious farce because they're asking only to demonstrate flaws which can be done externally without the same access to servers that Telegram have.
It's obviously simpler for someone knowledgeable in cryptography to be critical in a few sentences than to demonstrate vulnerabilities with actual proof of concepts which require lots of work for no apparent gain other than to make a point. If Telegram were offering $100k for every flaw found in their system though, you can bet that there would be less mouthing on HN, because people would direct their effort at demonstrating the flaws.
Right - in this scenario, a user should absolutely consider Telegram to be the adversary. If they can read a message that is sent from one use to another, then the system is broken.
Where's your math PhD???? Posting about why there are huge inherent issues in someone's brand new protocol and having a wealth of experience in the crypto world means nothing... Apparently?
But you haven't cracked their encryption and some amateur Russian did the real job and got $100k. Not that Telegram is more secure than ever you should be ashamed!1one
You're joking right? Also, telling TextSecure to go make their protocol better... Have you even seen their new ratchet? It's awesome. I think you have no idea what you're talking about... I'm sick of attempting to show people like the OP why they're wrong, why Telegram is currently dangerous to rely on for anything secure, and why TextSecure isn't. Also, the smug crap at the end, real classy. Sigh.
Yes, god forbid you actually listen to people in the field who have been working on what you're trying to do longer than you when they say you're not able to promise what you're trying to promise.
This piece is garbage with a very clear undertone of bitterness that is completely unrelated to Telegram.
This bs reminds me of my year working in the US ..everybody tries to burst your bubble/project.
I'm not saying everybody but in my experience i have never seen a bigger group of [ Koolaid chugers , one uppers , non-sense speakers , ass kissers (cause im afraid of getting sacked) ] like the ones i saw during that massively painful year in the US.
>TextSecure folks: instead of ranting that “our stuff exists already, but we got no money and we got no cross-platform support Y U NO USE our protocol?” and using political tricks, go make better protocol and market yourself better.
As DanBC posted[1] in the other thread:
>>You seem to be mistaken about why they do this. It's nothing to do with pushing their app or their approach. They'd welcome good well-formed apps to compete with them. But when they see an app that claims to be secure they have an ethical duty to let people know if it is obviously not secure.
>>Most people are not bashing just for the sake of bashing. Some people need good cryptography software to avoid imprisonment, or torture, or state-killing. This isn't about stopping someone's teen-angsty poetry from being discovered by a sibling, it's about protecting political dissidents from an oppressive regime. In that context pointing out that a software is broken is not mindless bashing, it is a crucial part of the cryptography process.
>Go make your own stuff and don’t listen to HN or any other skeptical community.
Unproven cryptographic systems masquerading as secure need to be criticized. It is very, very dangerous when non-crypto people pretend to be crypto people and call their systems secure.
So, you don't think that just enough people down-voted this bullshit thread? Maybe you are the one wrong on that topic. Maybe you should do your homework.
I think the gap in understanding here, is that when it comes to security, cryptography in particular, it's not the case that the critic has to demonstrate where something is broken , the responsibility is on the part of the developer to prove that, in every possible manner, the system is secure.
The telegram people, on the surface, don't appear to be familiar with the crypto-community best practices, and, as a result, are unlikely to have made a product that would survive any real scrutiny, and highly unlikely to survive any actual attack on their protocol, should any adversary desire to do so.