Homebrew crypto in Telegram hangout app full of holes, say security pros Security experts have poured scorn on claims by developers of the Telegram messaging app – said to be popular amongst the cadres of the so-called Islamic State – that it’s more secure than its rivals. Telegram, which claims to be "way more secure" than WhatsApp, uses the MTProto protocol developed by the Russian brothers who …
Is it really wise to point out in public the faults in the encryption technology being used by your adversaries while the war is still on? OK, with luck if they move away they will move away onto even worse home-brewed encryption, but it seems somehow better to leave them in the swamp they're happy with.
(can we have a Snowden icon?)
El-reg should read the referred articles before repeating unsubstantiated opinions.
1. The attack described is not on the messaging which is DH with a 2048 bit followed by AES. That so far is not broken.
It is on the "usability" feature in authentication which visualizes the public key based on fingerprint same as f.e. SSH, etc - you do not see the full key, you see only X bits on first connection.
That attack works only for initial authentication. Once the two parties have authenticated for private chat, the full 2048 bit keys are used. In most cases, for the "unpleasant" type of characters using Telegram that authentication will be performed the moment the phone is handed in to the new recruit. So the window of opportunity for a MIM is rather slim (and not much different than for example SSH).
2. Making identity == phone. So what? A user can go in and get a phone with Pay-As-You Go SIM in most of the world with next to nothing identity checks. Then they use it for authentication of the initial setup during training and then it is game over - you cannot snoop on the channel.
The only weakness I can see is the fact that Telegram pinches your address-book and metadata and maps it to contacts. Even this is not particularly relevant if the phone is used as a dedicated device _ONLY_ for encrypted communication. If it is used normally as the user you can pick out the "interesting" ones based on their subscriptions and their contact book.
All in all - if this is used purely for encrypted IM and nothing else, it looks OK.
Well, where else do you get 'em if not at the initial authentication? That's how you MITM everything AFAIK.
Initial authentication in the Telegram case is same as ssh - recognize other party's key and cache it. That allows MITM with any system (ssh, OTR2, etc). For that, it does not look any better or worse than any system which does not rely on x509 certificates (again, ssh or OTR2 are examples).
The more interesting MITM would have been a MITM on sessions. Now that would have been an encryption failure.
While Moxie is generally right, he sets the bar too high. There should be encryption for the masses and this looks like a reasonably good implementation of a mass market encryption product. Not as good as the top of the line stuff, but miles ahead of what you get out of the box.
....error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book....
Can't help thinking that if you were a western intelligence agency and wished to build a honeypot to entrap daesh, you'd be pushed to do a better job.
"Secure" comms easily intercepted, tells you everything you need to know about those using it and snarfs everything it can get about their friends too. What's not to like?
Also, read what Zimmerman has to say on the subject of amateurs[1] doing crypto.......
[1] He found out the hard way that when you think you're so clever you can do a better job than an off-the-shelf solution, you're invariably wrong. As do all pros.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
