
The point the parent is making is that ‘not a single researcher has found fault’ is not actually a valid baseline for considering cryptographic protocol to be secure.

We have to assume that all protocols are insecure by default. That is standard practice.

Only protocols which have withstood serious scrutiny and incentivized adversaries can be considered to have a level of security.

So if you want to claim MTProto 2 to be secure, it isn’t enough to say ‘it uses standard primitives’. It also isn’t enough to say ‘nobody has found any bugs yet’.

You need to demonstrate that it has received sufficient attention from motivated attackers before you can claim it is secure. That’s just how it is with crypto.




Great. Go ahead and demonstrate that Signal Protocol has received sufficient attention from motivated hackers to your satisfaction. Telegram has an open invitation to crack their protocol for 100k USD. Nobody's collecting. I guess those high-value targets using Telegram must be worth more than 100k.

I don't need to demonstrate anything other than what I have already: when would we know a protocol has received significant attention from motivated hackers? I'll take a gander and say it's when that protocol is broken and is discovered by a security researcher or someone on the crisis response team.

I'm not claiming MTProto 2 is secure. Neither am I claiming Signal Protocol is secure. Undoubtedly both protocols have undiscovered vulnerabilities. I am directly refuting and admonishing a user for linking to a Stack Exchange comment that addresses a previous protocol with almost nothing in common to the present one.


Eh, thanks for the info on MTProto2. They made poor decisions initially, and doubled down on them, and thus I didn't (and still don't) think it worth my time to follow their changelog.

The contests are not remotely sufficient. Here's a good article:

https://www.cryptofails.com/post/70546720222/telegrams-crypt...

"I’ll repeat it again: If you want to show that a system is secure, give the adversary as much power as possible, and if they still can’t break it, the security is good."

Secure protocols take a lot of expert analysis to build consensus that they're worthwhile. That requires engaging with the community of researchers on their own terms and using established best practices.

Finally, Telegram's server code is still closed source and thus can't be reasonably audited. Could an attacker (or state actor) with server access decrypt stored messages? Maybe! That's why default e2e encryption with well-audited, open-source code is the gold standard...


Is there a reason you continue to link to outdated articles? This one is from 2013(!). We're getting close to a decade now.

> and thus I didn't (and still don't) think it worth my time to follow their changelog.

I strongly advise you not to comment on topics you don't find worth following. You directly harm a project that has done a lot of good (for protestors in Hong Kong, Belarus, and Russia) with your ignorance.


You claimed that the reason to trust MTProto 2 is because it is based on standard primitives and because no security research had yet found a bug.

I was responding to that, and only that, because it is an invalid security argument, and irrelevant to the ‘admonishment’ of the other commenter.

The 100k bounty is a somewhat better argument. It would have been far more helpful to lead with that.


Now you're putting words in my mouth. I did indeed say MTProto 2 was based on standard primitives and no one has publicly claimed it insecure or vulnerable. I did not say to trust MTProto 2 any more than you would trust the Signal Protocol: that is, given the information we have on known vulnerabilities, one appears about as good as the other.


You said exactly what I claim you are saying:

“You are welcome to develop your argument and point out where in MTProto 2 you find fault or why using standard crypto primitives isn't enough and what you'd like to see from MTProto 2 to secure it in your mind.”

The only person putting words in someone’s mouth is you - I never compared MTProto 2 to signal. You keep claiming that you never said MTProto 2 is more secure than signal. I never said you did.

The idea that being based on standard primitives is enough is a commonly held but dangerous piece of cryptographic reasoning.


> You claimed that the reason to trust MTProto 2 is because it is based on standard primitives and because no security research had yet found a bug.

Those are the words you put in my mouth. I don't trust MTProto 2. When did I say that I trusted MTProto 2?

This whole argument was me putting bad research to shame and then challenging another user not you to develop their argument.

But you wanted to back them up with something about concentrated efforts from serious adversaries which is an impossible argument to refute because neither of us has the insider knowledge to know what these protocols have endured and survived since only knowledge of their successful exploitation would be on the menu for public consumption.

So please, do bring something of greater meat to the table if you have something to share.


“...why using standard crypto primitives isn't enough”

Enough for what? Sure looks like an assertion of trust.

Note that I’m not saying it isn’t trustworthy, just that your argument that using standard primitives is enough, is not a reason to trust it.



Directly from the first three sentences of your link:

> Paying people rewards for finding security flaws is not the same as hiring your own analysts and testers. It’s a reasonable addition to a software security program, but no substitute.

Sounds like a reasonable addition to me!


Where are the audits of MTProto2 then?



