Crowdsourcing a More Secure Future (telegram.org)
121 points by techquery on Dec 22, 2013 | 92 comments



> The developer who found the potential weakness has earned a reward of $100,000. We have contacted him to find out how he would like to collect his prize.

This is great news. Contrast this with other security contests where finding out-of-scope security flaws wasn't rewarded.

People in this thread: Good for Telegram, seems arbitrary, disingenuous, just for publicity.

Short of them being in a conspiracy with the researchers, I can't imagine how this is not good news for everyone. Cool it with the hate, people.


> Cool it with the hate, people.

There's no hate for Telegram here. There's concern for people's safety. https://news.ycombinator.com/item?id=6949842


I don't think you actually read the article.

This article is good news, precisely because they show how willing they are to improve their service.

EDIT: Of course it's good PR. So what? That's how Google, Apple and most other big companies operate. They don't have to be altruistic to work and create value for people.


> precisely because they show how willing they are to improve their service.

Multiple people that know what they are doing have remarked that the system Telegram has created is a bad idea and it would be much better to use any established protocol. They have also pointed out multiple places where Telegram is committing obvious cryptographic blunders in their protocol.

Telegram decided to pay out $100k under contest rules that are weaker than known plaintext attacks. If they wanted to actually improve their security they would switch to a more secure protocol that doesn't require a server to actively participate in the conversation. I guess if they want to hemorrhage money via the hubris that is their crypto contest they should just keep on as they are.


> They have also pointed out multiple places where Telegram is committing obvious cryptographic blunders in their protocol.

They have pointed out multiple places where Telegram MAY BE committing blunders, namely their internal server - server communication MIGHT be susceptible to MITM attacks. It's not the same thing.


It is, though. If the protocol relies on servers to be good actors, then servers are a weak point. People aren't willing to let that by because, besides just good security standards, servers are being targeted by government spying.


Step 1 in security: Assume that every connection is untrusted. Now think of their model; does it hold up in that situation?


If they were willing to improve their service they would listen to what crypto experts had to say from the very start instead of playing "we've got a bunch of smart mathematicians there, we are the best" card.


It's an impressive sum of money. Have you considered they're doing this for marketing purposes, not out of concern for people's security?


So what? They're still doing it.

Unless it turned out they'd set the whole thing up, which would be different.


With respect, I think what you are suggesting would only complicate the evaluation of this complex situation. Dropping relevant context and focusing only on a specific action is not the way to reach a rational conclusion.

In my view, we must integrate this action on the part of Telegram with all of the other things we know about the situation. That's a tall order, because it means integrating this specific action (paying the $100K) with many other topics, such as the various people making claims, their expertise and possible motivations, computer cryptography and computer security, strategies that companies sometimes use to gain access to personal information, the dangers posed by weak cryptography, etc.

Only when all of the facts square with each other will we have a rational basis for trusting Telegram Messenger and the people behind it.


Don't get me wrong, I lean towards the "Telegram's security is a joke and the contest is even more so" camp. I was commenting solely on the specific issue: that if someone uncovers a flaw in your software and you pay out in order to get some good publicity, the fact remains that you've still done a good thing by paying out.


> Unless it turned out they'd set the whole thing up

That's an important question, really curious to know if the user x7mz steps up to take the reward and if telegram would release any proof of payment (minus any obvious info that would give away the identity of x7mz).

This vulnerability seems to be connected to Diffie-Hellman, right? Even a rudimentary search shows that a MITM is easy on it. I wonder if it's even possible that they did not know this one?


On its own, it's great news. In context of everything Telegram have said and done before, it's not hard to come to the conclusion of 'disingenuous' or 'just for publicity'. A company that launches a crypto challenge which can only be for publicity / marketing purposes, gets called out on it and then starts handing out cash to anyone who finds a bug looks like a company that doesn't really know what they're doing.


Good for Telegram. I haven't downloaded and installed their App yet, but I applaud their effort at putting out a secure chat app that everyone can use.

I've been using TextSecure for a while (as everyone on HN ruthlessly suggests) but guess how many encrypted texts I've sent? 0. That's because they have no iOS app and very few Android users.

There are two problems when it comes to creating a good, secure messaging app: strong, proven security and popularity! Hopefully Telegram either solves both or forces TextSecure to solve the latter.


> I applaud their effort at putting out a secure chat app that everyone can use.

They aren't making a reasonable effort to put out a secure chat app. If they were, then they would use some of that $200k to hire a company like Matasano to fly out and audit their architecture for flaws. Matasano probably would've caught this bug, because it was a pretty basic mistake.


Not sure hiring a US security firm is a safer approach than crowdsourcing using the power of the global community.

After all, Matasano's tptacek obviously did spend some of his time inspecting and criticizing Telegram this week. However, he overlooked the 100K vulnerability that was later discovered by a Russian guy who considers himself a newbie in cryptography.

The other reason that makes me somewhat reluctant to spend money on hiring Matasano is the recent RSA-gate (and the strange role of tptacek in it).


I understand that you care about Telegram and want to defend it when it is attacked, but comments like this are inappropriate and will damage Telegram's reputation.

It is unfair to imply incompetence on tptacek's part given only that he spent some finite amount of time looking at your protocol and did not find the nonce vulnerability. It is also unfair to say that he didn't find any vulnerabilities despite the potential for a 100k reward as the potential for such a reward (outside of your specific contest) had not been stated clearly.

If you do in fact have evidence that tptacek was involved in RSA's deal with the NSA, you should state your accusations explicitly and provide that evidence. If you do not, I think the accusation is inappropriate and certainly counterproductive.

That said, I very much appreciate the resources you are donating to open source crypto software. It is undeniable that the potential for a 100k reward will send a lot of eyes to your source code. I would encourage you to also consider hiring a security firm (US based or otherwise) and to consider how your comments will affect public perception of Telegram.


Wow, you really are as arrogant as you seemed. I'm sorry I'm normally not rude, but attack tptacek like that? That's just pathetic mate.

Oh, and the vuln was outside your contest. You gave him 100k, instead of the 200k because of that. No one knew that you'd pay out if they found something outside your competition. So saying that people here looked at it but missed that vuln because they didn't claim the reward is disingenuous -- it was outside the contest.

Nice ad hominem though. smh.


I'm with you on not trusting US companies, fine.

But you somehow expected tptacek to inspect and criticize Telegram with such scrutiny that he finds all of the problems pro bono? That's ridiculous.


What role did tptacek have in "RSA gate"? I think you've misunderstood what he was saying


Hiring a security firm to audit your architecture is safer than crowdsourcing your app's security. Why do you believe otherwise?


> However, he overlooked the 100K vulnerability that was later discovered by a Russian guy who considers himself a newbie in cryptography.

In the software that you said was secure?


So, to make it clear, do you imply that "professionals" are just bragging that they know what's better, but they're not much when it comes to the real deal?


Matasano is a known crypto company, why would they voluntarily spend their working time fixing telegram for you? Hire them for a few days to see them in action.


Security crowdsource is best. Look to all big players to understand why. Google, Mozilla, PayPal, Facebook, and so on.


I don't mean to sound snide, but judging from your comment history on Telegram related posts, are you really the right person to determine what "reasonable effort" means in this context? Every single post you make is biased negatively towards Telegram.

What I applaud is their effort here and I hope it continues and moves in the right direction. This announcement makes it seem like they are in fact moving in the right direction.


If you don't think "hire people that know what they are doing with crypto" is better advice than "have a contest that doesn't even prove security under known plaintext attacks and pay out $100k to someone who finds a MITM attack to prove you're serious", you're actually not qualified to determine who the right person to determine "reasonable effort" is. I know I sound like a complete jerk, but that's just the honest truth.

The fact is that it is highly inappropriate to have a new, completely unvetted cryptographic protocol in a context where people are relying on it to provide actual security, and they are flat-out ignoring advice from talented and knowledgeable people.


> This announcement makes it seem like they are in fact moving in the right direction.

Why? Because they're literally paying people to like their product? This developer who found the bug wasn't even trying to get any money. He was, by his own admission, a cryptography newbie who happened to be looking over their protocol and found a serious bug. Now they're throwing money at him. How is that in any way a good thing?


>they're literally paying people to like their product

I don't think this statement is reasonable. Are you suggesting that they gave the 100k reward out because they wanted the recipient to like their product?

>Now they're throwing money at him. How is that in any way a good thing?

I think bug bounty programs have a track record of efficacy. Do you disagree?


I meant they're giving out $100k because they want more people to like their product. If they cared about security more than getting users, then they wouldn't intentionally ignore advice from every crypto expert.


Their effort here seems mostly to have been PR. Their messaging system still uses a bunch of out of date and weird constructions.

Sometimes negativity is not bias.


I suspect that many students of the Matasano Crypto Challenge would have caught this bug.


"They aren't making a reasonable effort to put out a secure chat app. If they were, then they would use some of that $200k to hire a company like Matasano to fly out and audit their architecture for flaws."

I don't know whether user sillysaurus2 is connected to Matasano or not but... oh boy... this does come across as a shameless ad for that company.


Just fyi - last week Cyanogenmod started pushing out WhisperPush/Textsecure to Cm11(kitkat). I now have whisperpush by default on my phone.

Considering that they just raised 28mil and that CM is pretty much de facto for older androids, there is a very good chance that this might work.


This is actually really generous considering it didn't meet the terms of the contest.

They have a long way to go before anyone here trusts them but perhaps we could be more positive and constructive?


> perhaps we could be more positive and constructive?

You find DanBC's comment interesting. It explains why there's been a general tone of negativity towards Telegram's security product. https://news.ycombinator.com/item?id=6949842


Given the complexity of this bug in cryptography terms, this was an astonishingly easy earner.

Insanely complex software bugs go for less.


I question whether Telegram is actually delighted with how this unfolded. I also think it's disingenuous to call the discovered issue a potential vulnerability. Either it is a vulnerability or it is not.


money is cheap, show me the code.

even if people are being unfair with these criticisms, what telegram should focus on is to make their designs more secure, and ignore all this publicity. if they truly believe in the "importance of keeping the [system] open", then they should understand that all this publicity (good or bad) is insignificant - especially as they say they have rich guys backing them, so they're not relying on public opinion influencing investors.

it's very easy to make statements like "Together we can make Telegram unbreakable"; harder to turn this into a reality. the current round of attention is a red herring, both for Telegram and for us commenters. let's give them a year and see what it's like after that.


These latest news have convinced me that Telegram currently has the highest potential to be the right IM tool at my current workplace. I have one question that doesn't seem to be covered anywhere (FAQ, Google): What about Offline messages? I'd like to be able to send encrypted messages even when people are offline - on smartphones it could make use of push notifications, on the Desktop it would just wait until the client goes online again. Skype doesn't work reliably for this scenario, as in both clients (for the sender even the same client on the same device) need to be online for the message to be sent. The last implementation that worked reliably seemed to be MSN, which is dead now. How does Telegram behave?


Why? They just announced that one of the main advertised features of their IM software - the secret chat functionality - was so badly broken that it was worse than not having it at all. It provided absolutely no protection against them eavesdropping on their users, yet those users were chatting under the illusion that they were secure against such eavesdropping. Worse, it seems like the Telegram developers consider this to be a theoretical problem rather than an actual compromise because you can trust them not to spy on you.


That's interesting, I didn't interpret the news this way. I haven't seen secret chat functionality mentioned anywhere yet - I was assuming that secret chat shouldn't be affected by these nonce messages since the secret key shouldn't touch their servers according to their documentation. Do you have any source on this?


The linked blogpost actually says that the attack is against secure chat and explains what it does, it just underplays how serious it is.

Basically, when setting up a secret chat the two parties use something called a Diffie-Hellman key exchange to agree on a secret encryption key without eavesdroppers being able to tell what the key is. However, the parties can't tell whether they've securely agreed on a key with the right person - the Telegram server could do a man-in-the-middle attack by doing the other side of the DH key exchange with each party itself so that it knows all the keys, and then decrypt, log, and re-encrypt all the messages between them. The fairly standard solution Telegram uses is to allow both parties to manually check that they agreed on the same keys - with normal Diffie-Hellman, this is enough to ensure no-one has MITMed the connection. Unfortunately, their protocol is modified from normal DH in a way that makes this check useless. The server can launch a MITM attack that causes both parties to agree on the same key, so they think they've securely agreed on a key that no-one else has when the server's got a copy too and is decrypting all their messages.


Seems like I had potatoes on my eyes. Your explanation made the whole thing quite a bit clearer to me than the original post, thanks for that. I think it's good that this weakness is now in the open - this will create some pressure on Telegram to solve it since, as I understand, it compromises one of the main features of their service. Their way of handling the fix will decide whether they should be taken seriously I think.


> These latest news have convinced me that Telegram currently has the highest potential to be the right IM tool at my current workplace.

Why is that? This latest revelation should give less faith in Telegram, not more.


See my replies to makomk and ceejayoz.


Really? The fact that they addressed security concerns with "they're bullshit, here, we'll prove it - break our system!" and then had to pay out nearly immediately convinced you they're awesome?


Yes it does. Show me another non-profit Open Source (mostly) IM service that invests this heavily in seamless encryption and I'll change my opinion. The weakness that they found could have easily been brushed off as non-exploitable, yet they didn't, instead encouraging more security experts to become involved by paying out immediately.


To name just one alternative, the OTR developers have done far more to make seamless, open source encryption of IMs possible than Telegram - regardless of how much cash Telegram are willing to throw around. Even if the secret chat feature worked perfectly as intended, it'd still be both less usable and less secure than OTR. It requires users to manually validate key hashes in order to stay secure, a requirement the OTR developers dealt with years ago because they found users simply didn't do it. It also lacks forward secrecy which is especially important for mobile devices that can be stolen or lost.


OTR sounds great, I just wish I'd find an easy-to-setup-and-use, good looking Windows client, such that I could convince non technical decision makers to adopt it. Adium does that for me on OSX, but I don't think Pidgin is a good match, except if something big has changed since 2-3 years ago when I last gave it a try.


Investing heavily is meaningless if you're investing badly.

Building an encrypted IM service with bad crypto is like investing in blacksmiths in the early 1900s.


The question whether their Crypto is bad is still out IMO - these recent findings still don't seem to be that big of a deal to me - as with all other IM services I have to trust the service provider for their integrity - yet here I have an alternative provided by a non-profit organization with some scientific credentials that offer an open API - as opposed to Skype, WhatsApp, Facebook et al. We currently use Skype for business purposes, but Microsoft's investment away from P2P makes me think that for privacy reasons alone, it's a bad idea. I'm always open for suggestions, but so far I haven't found anything really viable (well designed clients, well integrated encryption, open APIs). That's why I'm excited for Telegram.


What's wrong with encrypted Jabber?


On OSX I'm happy with Adium, but last time I've used Pidgin it was a lot of work to configure it the way I want. That would still work for me, but to roll it out for an organization it would meet quite some resistance. So the problem with XMPP for me is the client situation.


> So the problem with XMPP for me is the client situation

... which is fixed by a better client. That requires skills, but different ones from designing a new crypto protocol.

Given the PR efforts of the telegram people, they might actually be better XMPP+OTR+TextSecure+... client implementers than crypto designers (and maybe even better client implementers than most of the people who build clients right now since the situation _is_ bad).


I agree with that. Why they didn't go with this route is something I'd like to know as well - Telegram's FAQ is quite vague on this issue. But still, I prefer a reasonably secure service with great clients on all platforms, over a perfectly secure service with ugly clients that I can never 'sell' to decision makers.


> provided by a non-profit organization

huh?


Are you trolling or for real? 1) Telegram is NOT open source. 2) OTR has been around for years.


> Show me another non-profit Open Source (mostly) IM service that invests this heavily in seamless encryption and I'll change my opinion.

You can't measure how secure something is by looking at how much money has been invested in it.


Messages in secret chats are stored on server until downloaded by recipient. So there is no such problem like in Skype.

Push notifications also work fine there, except on iOS they don't contain any message data, just "You have a new message", probably because server doesn't know what's inside encrypted message. Although haven't tried their android client.


Great info, thanks. I didn't expect the message to be visible in Push notifications, it's obvious to me that this couldn't work - especially with client side encryption. Whether 'Secret Chats' are truly client side encrypted is another question (see the discussion with one of your siblings).


> Whether 'Secret Chats' are truly client side encrypted is another question

I don't think anybody has suggested that they aren't client side encrypted, only that the way in which the encryption is used renders it ineffective.


This is still in the FAQ:

Q: How secure is Telegram?

Very secure. We are based on the MTProto protocol (see description and advanced FAQ), built by our own specialists, employing time-tested algorithms, to make security compatible with high speed delivery and reliability. At this moment, the biggest security threat to your Telegram messages is your mother reading over your shoulder. We took care of the rest.

While Telegram may be on the way to a secure future it is not there yet and the FAQ needs to be less certain before I can applaud them.

Edit: Actually I think the FAQ has been toned down a bit but I think some acknowledgement of how new the protocol is and the risks associated with that should be mentioned.


While it is very generous, I doubt they would give a sum like that if it wasn't for the publicity. I'm sure news like this can help their image quite a lot in their target audience (security-aware computer people).


I actually have a theory that this is all a scam... the person who found the bug is actually the authors (or a friend) of the Telegram protocol. They published the security issue and reward themselves so that 1) they don't have to pay anyone else; 2) they get good publicity by doing this; 3) shut others up up front as this is really a very easy bug to figure out (a few others hinted the possibility as the key exchange is unauthenticated DH, which is bound to flaws like this)


Bravo Son! You have earned respect for this deed. Appreciated.

On a side note, I am still not sure if I will ever use this app. This is primarily because I act on the internet in the same fashion as I do in real life. I won't do anything online that I can't do in real life. Hence I don't and perhaps would never need an app like this.

As for sending someone 'secret' message, I always whisper that in the ears. It's an old fashioned trick but has proven to be most secured.


If someone takes a photo in the street, and you are in the photo, then you will probably not mind. But if someone follows you around everyday and takes thousands of photos, then that is slightly creepy.

For me it is the same with my chat messages. If someone reads one or two, I don't mind: they aren't very sensitive. But I don't like it if someone can find everything I've ever written.


It's not about being creepy, it's about having enough time on hands and why. I would be interested to find someone who values taking 1000s of pictures of me more than his time spent making money for himself. In the case of celebrities for instance, they have almost their entire life public, and I don't think it has harmed them in any way, unless they committed something illegal and it was made known.

People over the internet are a little too over-sensitive. I am not implying 'Privacy' has no value, but we have taken this issue a bit too far over the 'internet'.

A prime example of so-called 'anonymity' over the internet is 4chan, you pretty much know what sort of site that is.

I am not implying it's an illegal website, but frankly, anonymity mostly leads to creepy, drugs (silkroad), and everything else considered wrong and bad, than something good which is pretty rare. Snowden is an exception, but again, he committed a crime for a good cause. Most people however commit a crime for every possible wrong reasons.


Seems a little.... arbitrary....?

Don't people who run bug bounties publish their reward structure beforehand?


Other people claimed that the Telegram team might find that bug to be outside of the scope of their bounty contest, so $100k is better than nothing (and to be frank I'm quite surprised they were _that_ generous).

But you're right - they should have a clear reward structure.


Yes, they did. This was not the goal of the bounty, but was still a serious issue. They couldn't give away the prize for the contest and instead decided on a still quite generous $100,000.

http://telegram.org/crypto_contest


> This was not the goal of the bounty, but was still a serious issue.

To be clear, this bug was enough to compromise the security of every Telegram secret chat session. I can't think of a more serious issue.


Yeah. In essence, it made their nominally end-to-end encrypted secret chat feature no more secure than simply giving the Telegram server operators a plaintext copy of every message you sent and trusting them not to log, read or tamper with it.

Worse, it's the kind of flaw you'd expect someone subtly sabotaging the protocol to create. It's a small, superficially plausible modification that turns an apparently secure scheme into something completely broken. Yet if they'd made that modification in the obvious way - by combining the nonce and Diffie-Hellman result with a secure hash function - it wouldn't have caused the problem; for the vulnerability to exist the nonce has to be handled in a very particular way.
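
Added example, not part of the original thread or Telegram's code: a toy Python model of the secret-chat key agreement discussed in the comments above, comparing three ways of deriving the session key and whether the users' fingerprint comparison still detects a server that substitutes its own Diffie-Hellman values. It assumes the flawed variant XORed a server-supplied nonce into the DH result (the thread does not say how the nonce was combined); the group parameters, function names and fingerprint format are constructed for the demo.

```python
import hashlib
import secrets

# Constructed toy group (127-bit Mersenne prime) so the demo runs instantly;
# real deployments use groups of 2048 bits or more.
P = 2**127 - 1
G = 3
KEY_BYTES = 16


def to_bytes(n: int) -> bytes:
    return n.to_bytes(KEY_BYTES, "big")


def fingerprint(key: int) -> str:
    """Value the two users compare out of band (hypothetical format)."""
    return hashlib.sha256(to_bytes(key)).hexdigest()[:16]


def derive_plain(shared: int, nonce: int) -> int:
    """Normal DH: the session key is the DH result, the nonce is unused."""
    return shared


def derive_xor(shared: int, nonce: int) -> int:
    """Assumed flawed variant: server-supplied nonce XORed into the DH result."""
    return shared ^ nonce


def derive_hash(shared: int, nonce: int) -> int:
    """Variant the thread calls safe: nonce and DH result hashed together."""
    digest = hashlib.sha256(to_bytes(shared) + to_bytes(nonce)).digest()
    return int.from_bytes(digest[:KEY_BYTES], "big")


def simulate(derive, intercepting_server: bool) -> dict:
    """Run one key agreement between two clients through the server."""
    a = secrets.randbelow(P - 3) + 2          # client A's private exponent
    b = secrets.randbelow(P - 3) + 2          # client B's private exponent
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)

    if not intercepting_server:
        # Honest relay: public values pass through, both get the same nonce.
        nonce = secrets.randbits(128)
        key_a = derive(pow(pub_b, a, P), nonce)
        key_b = derive(pow(pub_a, b, P), nonce)
        server_keys = set()
    else:
        # Server answers each client with its own public value, so it holds
        # one DH result per client, and it also controls both nonces.
        s = secrets.randbelow(P - 3) + 2
        pub_s = pow(G, s, P)
        k_a, k_b = pow(pub_a, s, P), pow(pub_b, s, P)
        nonce_a = secrets.randbits(128)
        nonce_b = nonce_a ^ k_a ^ k_b         # cancels out only under XOR
        key_a = derive(pow(pub_s, a, P), nonce_a)
        key_b = derive(pow(pub_s, b, P), nonce_b)
        server_keys = {derive(k_a, nonce_a), derive(k_b, nonce_b)}

    return {
        "fingerprints_match": fingerprint(key_a) == fingerprint(key_b),
        "server_knows_key": key_a in server_keys and key_b in server_keys,
    }


def check_detects_interception(derive) -> bool:
    """True if comparing fingerprints passes honestly and fails under MITM."""
    honest = simulate(derive, intercepting_server=False)
    tampered = simulate(derive, intercepting_server=True)
    return honest["fingerprints_match"] and not tampered["fingerprints_match"]


if __name__ == "__main__":
    for derive in (derive_plain, derive_xor, derive_hash):
        print(derive.__name__, "check works:", check_detects_interception(derive))
```

Only the XOR derivation lets the server pick nonces that bring both clients to one key, which is why the manual comparison passes while the server holds a copy; in the other two derivations the fingerprints diverge as soon as the public values are substituted.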


Vulnerability to passive attacks is worse than vulnerability to active attacks. I'm not downplaying the severity of a MITM vulnerability, but certainly there could exist more serious issues.


What I don't understand is: where do they get the money from if their intention is to be "free forever"? Are they funded by a non-profit incubator? Why is it that a "new" app spends relatively much money on white-hat hacking bonuses? What do they get out of this other than a deemed secure application?


The same reason as why Google provide Gmail for free, 1) to get a huge user base (fame = money, in today's internet world); 2) get a hold of user data


I thought a lot of people pointed out ways to attack the security protocol if they had physical server access.


With this bug people who run server have access to your entire chat.

(Of course they won't formulate it that way in the post)


Slightly off-topic, but here it goes:

I always get a bit annoyed when apps use the phone number as the primary identifier.

As somebody that just moved to another country, I now end up with a situation where I can either decide to lose my German whatsapp friends or not being discovered by my American whatsapp friends.

I would love to see the ability to get some sort of ID number and then being able to register more than 1 phone number with it.


I read somewhere that moxie is planning that feature for TextSecure.


Q: How are you going to make money out of this?

We believe in fast and secure messaging that is also 100% free. Therefore Telegram is not a commercial project. It is not intended to sell ads, bring revenue or accept outside investment.

If Telegram runs out of money, we'll invite our users to donate or add non-essential paid options.

Yeah, but where does their money come from?



If Telegram is a non-commercial project, who is funding this bounty?


For the original "$200K" bounty, it was stated that it would be paid out in bitcoin. So it's quite possible that the person or organization funding the bounty simply has some old bitcoin laying around, and it cost them next to nothing to get it initially, and it might even be difficult for them to exchange for their preferred fiat currency today. So don't think of it as "Somebody just spent $100K," think of it as "A bitcoin speculator just traded some coins that were not worth much two years ago for something that is pretty darn valuable today."


Telegram is backed by Pavel Durov who offered the $200k in non-bitcoin currency too in a previous thread here.



There are a lot of haters of Telegram on HN and I think one of the reasons is that they are a Russian company or the fact that a Russian developer found the flaw first. :) But wasn't Pavel Durov the one who offered Edward Snowden a job back then? There are many "secure messaging" apps out there, but they all suck in terms of UX. Telegram looks nice and will only get better. Also, they have an API since day one. Show some respect!


Maybe they should give him a job too.


Wow...Telegram. The only thing you will ever get from engaging the "public" on forums like HN is heartache. You will never get them to like you...they just aren't that into you.

Contact people that are actually in the crypto community and go the normal route. Once their betters tell them to love you there is actually nothing that you could do to make them stop.


So who are we supposed to listen to more than cperciva, tptacek, moxie?


How about you become smart enough to form your own opinions?



