|
|
|
|
|
|
by ghshephard
4568 days ago
|
|
|
I don't have flesh in this game one way or another, but when I read the article, it seemed to be a pretty damning indictment on Telegram, probably not what the author was trying to communicate. I think the gap in understanding here, is that when it comes to security, cryptography in particular, it's not the case that the critic has to demonstrate where something is broken , the responsibility is on the part of the developer to prove that, in every possible manner, the system is secure. The telegram people, on the surface, don't appear to be familiar with the crypto-community best practices, and, as a result, are unlikely to have made a product that would survive any real scrutiny, and highly unlikely to survive any actual attack on their protocol, should any adversary desire to do so. |
|
|
Telegram are advertising a system which they claim is encrypted end-to-end, which means that even with physical access to the servers which are routing messages, one would not be able to perform MITM attacks. However, the contest is an obvious farce because they're asking only to demonstrate flaws which can be done externally without the same access to servers that Telegram have.
It's obviously simpler for someone knowledgeable in cryptography to be critical in a few sentences than to demonstrate vulnerabilities with actual proof of concepts which require lots of work for no apparent gain other than to make a point. If Telegram were offering $100k for every flaw found in their system though, you can bet that there would be less mouthing on HN, because people would direct their effort at demonstrating the flaws.