back to article Homebrew crypto in Telegram hangout app full of holes, say security pros

Security experts have poured scorn on claims by developers of the Telegram messaging app – said to be popular amongst the cadres of the so-called Islamic State – that it’s more secure than its rivals. Telegram, which claims to be "way more secure" than WhatsApp, uses the MTProto protocol developed by the Russian brothers who …

  1. Your alien overlord - fear me

    The NSA paid me a million dollars for breaking their encryption. Oops, wasn't supposed to mention that.

    1. Destroy All Monsters Silver badge
      Big Brother

      Oops, wasn't supposed to mention that.

      Too late. Two cleaners have already been dispatched. Prepare to be served.

    2. Anonymous Coward
      Anonymous Coward

      Makes sense, since Telegram is probably an FSB product.

    3. gollux

      The NSA paid me a million dollars to create a roll-my-own encryption scheme, create a hangout app and use some privacy drivel to get Jihadists to think it would be really cool to use...

  2. JimmyPage
    FAIL

    Deja Vu ???

    Aren't there some numpty jihadists enjoying state-sponsored B&B after deciding to cook-up their own encryption on the basis that "infidel technology" was bound to be compromised. Thus proving paranoia does erode rational thought.

    1. Tom Womack
      Facepalm

      Re: Deja Vu ???

      Is it really wise to point out in public the faults in the encryption technology being used by your adversaries while the war is still on? OK, with luck if they move away they will move away onto even worse home-brewed encryption, but it seems somehow better to leave them in the swamp they're happy with.

      (can we have a Snowden icon?)

  3. Voland's right hand Silver badge

    The "attack" described is not on the messaging, it is on initial authentication

    El-reg should read the referred articles before repeating unsubstantiated opinions.

    1. The attack described is not on the messaging which is DH with a 2048 bit followed by AES. That so far is not broken.

    It is on the "usability" feature in authentication which visualizes the public key based on fingerprint same as f.e. SSH, etc - you do not see the full key, you see only X bits on first connection.

    That attack works only for initial authentication. Once the two parties have authenticated for private chat, the full 2048 bit keys are used. In most cases, for the "unpleasant" type of characters using Telegram that authentication will be performed the moment the phone is handed in to the new recruit. So the window of opportunity for a MIM is rather slim (and not much different than for example SSH).

    2. Making identity == phone. So what? A user can go in and get a phone with Pay-As-You Go SIM in most of the world with next to nothing identity checks. Then they use it for authentication of the initial setup during training and then it is game over - you cannot snoop on the channel.

    The only weakness I can see is the fact that Telegram pinches your address-book and metadata and maps it to contacts. Even this is not particularly relevant if the phone is used as a dedicated device _ONLY_ for encrypted communication. If it is used normally as the user you can pick out the "interesting" ones based on their subscriptions and their contact book.

    All in all - if this is used purely for encrypted IM and nothing else, it looks OK.

    1. Dan 55 Silver badge

      Re: The "attack" described is not on the messaging, it is on initial authentication

      Well, where else do you get 'em if not at the initial authentication? That's how you MITM everything AFAIK.

      And Moxie says it's crap... http://thoughtcrime.org/blog/telegram-crypto-challenge/

      1. Voland's right hand Silver badge

        Re: The "attack" described is not on the messaging, it is on initial authentication

        Well, where else do you get 'em if not at the initial authentication? That's how you MITM everything AFAIK.

        Initial authentication in the Telegram case is same as ssh - recognize other party's key and cache it. That allows MITM with any system (ssh, OTR2, etc). For that, it does not look any better or worse than any system which does not rely on x509 certificates (again, ssh or OTR2 are examples).

        The more interesting MITM would have been a MITM on sessions. Now that would have been an encryption failure.

        While Moxie is generally right, he sets the bar too high. There should be encryption for the masses and this looks like a reasonably good implementation of a mass market encryption product. Not as good as the top of the line stuff, but miles ahead of what you get out of the box.

  4. Florida1920
    Happy

    Where's the downside?

    A terrorist hangout has poor security? Good!

    1. Old Handle

      Re: Where's the downside?

      The downside is someone else might see that and think "Wow, good enough for terrorism, must be really secure. I should use that."

  5. CAPS LOCK

    Hmmm, my spider senses are tingling on this one...

    ... at the risk of going tin-foil-hat it seems to me to be an effort to spread fud about something that MIGHT work as advertised. I can guess why...

  6. TeeCee Gold badge
    Facepalm

    Cat out of bag alert!

    ....error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book....

    Can't help thinking that if you were a western intelligence agency and wished to build a honeypot to entrap daesh, you'd be pushed to do a better job.

    "Secure" comms easily intercepted, tells you everything you need to know about those using it and snarfs everything it can get about their friends too. What's not to like?

    Also, read what Zimmerman has to say on the subject of amateurs[1] doing crypto.......

    [1] He found out the hard way that when you think you're so clever you can do a better job than an off-the-shelf solution, you're invariably wrong. As do all pros.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021