The reason that cryptographers laugh at people who advertise "military grade cryptography" or "we use AES256" is because the choice of crypto primitives is often less important than how they're composed. Those phrases tend to reflect a critical misunderstanding of that, and often mean that a project is using secure primitives in a way that completely undermines their security.<p>At a glance, while this project is using secure (if aging) primitives, they've made some extremely unusual protocol choices that they need to publicly justify rather than simply describing in an API doc. Just at a glance, the use of modes like Infinite Garble Extension (a failed mode for Kerberos) is troubling, they made up their own KDF (with no proof), and they make what appear to be some amateur mistakes with how they use RSA.<p>I'm obviously biased, but if you want a mobile-oriented asynchronous messaging protocol, at this point I think the Axolotl ratchet should absolutely be its basis: <a href="https://www.whispersystems.org/blog/advanced-ratcheting/" rel="nofollow">https://www.whispersystems.org/blog/advanced-ratcheting/</a><p>If Telegram folks are on this thread, I'd encourage you to take a look at the TextSecure protocol. If you think it's interesting, you can federate into our network, get a provably secure asynchronous forward secrecy protocol, and also have access to an existing 10MM user base.
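The composition point made above (secure primitives, insecure assembly), as an added example that is not code from this thread or from Telegram: a bare AES-256 Infinite Garble Extension pass, the mode the comment names, beside Go's AES-GCM; one ciphertext bit is changed in each to show that the mode by itself hands back a silently corrupted plaintext while an authenticated composition rejects the change. The ige function, the all-zero IV, the fixed nonce and the 32-byte message are constructed for this illustration, and nothing here reproduces MTProto's actual framing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// ige runs one Infinite Garble Extension pass: out_i = f(in_i ^ a) ^ b, then a, b = out_i, in_i.
// Encrypt: f = block.Encrypt, (a, b) = (c_0, p_0), so c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}.
// Decrypt: f = block.Decrypt, (a, b) = (p_0, c_0), so p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}.
func ige(f func(dst, src []byte), bs int, a, b, in []byte) []byte {
	out, tmp := make([]byte, len(in)), make([]byte, bs)
	for i := 0; i < len(in); i += bs {
		cur, dst := in[i:i+bs], out[i:i+bs]
		for j := range tmp {
			tmp[j] = cur[j] ^ a[j]
		}
		f(dst, tmp)
		for j := range dst {
			dst[j] ^= b[j]
		}
		a, b = dst, cur
	}
	return out
}

// compareIntegrity encrypts a constructed message under one AES-256 key with bare IGE and with
// AES-GCM, changes one ciphertext bit in each, and reports what each decryption did with it.
func compareIntegrity(key []byte) (igeCorrupted, gcmRejected bool, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, false, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false, false, err
	}
	bs := block.BlockSize()
	msg := bytes.Repeat([]byte("constructed-msg!"), 2) // constructed 32-byte plaintext
	iv := make([]byte, 2*bs)                            // constructed zero IV (c_0 || p_0); a real sender draws a fresh one per message
	ct := ige(block.Encrypt, bs, iv[:bs], iv[bs:], msg)
	ct[0] ^= 0x01 // one bit changed in transit
	pt := ige(block.Decrypt, bs, iv[bs:], iv[:bs], ct) // comes back garbled with no error: the mode has no integrity check
	nonce := make([]byte, gcm.NonceSize())             // constructed; must never repeat under one key
	sealed := gcm.Seal(nil, nonce, msg, nil)
	sealed[0] ^= 0x01
	_, openErr := gcm.Open(nil, nonce, sealed, nil)
	return !bytes.Equal(pt, msg), openErr != nil, nil
}
```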
I have not run the app, but from the Android source code it looks like this "secure" app is uploading your contacts including full names and all their phone numbers into the "cloud":<p>MessagesController.readContacts() [0] is called on creation of the MessagesActivity. When invoked for the first time, it collects first names, last names and phone numbers from the Android Contacts interface, creates a table containing the data, and passes that to importContacts() [1], which performs an RPC call to "the cloud", passing the contact list upstream and obtaining a server-processed list as a reply.<p>For me this is a major trust breach, and makes all the fuzzy claims about the app's security absolutely worthless.<p>[0] <a href="https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/MessagesController.java#L555" rel="nofollow">https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...</a><p>[1] <a href="https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/MessagesController.java#L1323" rel="nofollow">https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...</a>
From their FAQ:<p>><i>Q: How secure is Telegram?</i><p>><i>Very secure. We are based on a new protocol, MTProto, built by our own specialists from scratch, with security in mind. At this moment, the biggest security threat to your Telegram messages is your mother reading over your shoulder. We took care of the rest.</i><p>Oh good, a bunch of randoms have rolled their own crypto. I stopped reading at this point.
Looking at [1], it has several red flags.<p>The replay protection is overly complicated and doesn't kick in <i>after</i> the message is decrypted. This makes it possible to DoS the server with forged messages.<p>Key derivation uses a custom scheme. Typically there's no reason NOT to piggy-back on existing schemes and there's plenty to choose from - from TLS to IKE.<p>Also, as already mentioned, there's again NO reason not to use TLS in Anonymous DH mode with an app-level authentication of the session handshake.<p>Designing your own crypto protocols is a very interesting challenge, but for practical purposes you just <i>have to</i> recycle existing designs. There's really no other way about it. A custom crypto doesn't make any difference for those who don't know/care about it, but it certainly will not make you any friends among those who do. Unless, of course, you can explain and prove why your design is better than those that exist already, and these guys don't do this.<p>[1] <a href="http://core.telegram.org/mtproto/description" rel="nofollow">http://core.telegram.org/mtproto/description</a>
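The check-ordering concern raised above, as an added example that is not taken from this thread or from MTProto: a receiver that authenticates each frame and checks its message id for replay before any decryption work, so forged or replayed frames are dropped cheaply. The frame layout (msgID || payload || HMAC-SHA256 tag), the Receiver type and the Seal helper are constructed for this illustration; the decrypt stage is a counter standing in for the real cost, and the unbounded seen-set is demo-only (a production receiver uses a bounded sliding window).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Receiver models the server end of an authenticated channel. Decrypts counts how many
// messages reached the expensive decrypt-and-process stage; seen is an unbounded set for
// the demonstration only (a production receiver uses a bounded sliding window).
type Receiver struct {
	macKey   []byte
	seen     map[uint64]bool
	Decrypts int
}

// Handle takes wire = msgID(8 bytes, big-endian) || payload || HMAC-SHA256 tag and applies the
// checks in cost order: constant-time tag check, then the replay check on the now-authenticated
// msgID, and only then the decrypt stage, so forged or replayed input never reaches it.
func (r *Receiver) Handle(wire []byte) ([]byte, error) {
	if len(wire) < 8+sha256.Size {
		return nil, errors.New("short message")
	}
	body, tag := wire[:len(wire)-sha256.Size], wire[len(wire)-sha256.Size:]
	mac := hmac.New(sha256.New, r.macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("bad tag: dropped before decryption")
	}
	id := binary.BigEndian.Uint64(body[:8])
	if r.seen[id] {
		return nil, errors.New("replay: dropped before decryption")
	}
	r.seen[id] = true
	r.Decrypts++ // stand-in for the real decryption and processing cost
	return body[8:], nil
}

// Seal is the matching constructed sender: it prepends msgID and appends the tag over id || payload.
func Seal(key []byte, id uint64, payload []byte) []byte {
	body := make([]byte, 8, 8+len(payload)+sha256.Size)
	binary.BigEndian.PutUint64(body, id)
	body = append(body, payload...)
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(body)
}
```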
<p><pre><code> The important thing to remember is that all Telegram messages
are always securely encrypted. The difference between messages
in Secret Chats and ordinary Telegram messages is in the
encryption type: client-client in case of Secret Chats,
client-server/server-client for ordinary chats.
</code></pre>
Where "securely encrypted" means that the Telegram server has full access to message contents for ordinary chats. All chats should be "Secret Chats", not the other way around.
> Telegram is decentralized!<p>Great. Then...<p>> Telegram servers are spread worldwide for security and speed.<p>So this is what they mean by decentralized....<p>> As a result, Telegram is the fastest and most secure messaging system in the world<p>And this has existed for how many years?<p>I can probably say everything except private message, Google Hangout or Facebook chat is already doing it. They have some of the top-notch security, network and distributed system developers and they have their own cable delivering more volume than your new service can combine together. And if I want true privateness? I'd one-time pad everything. In reality, I guess PGP is good enough.
So many dubious claims on just the front page:<p>* 'delivers messages faster than any other application' - <i>any</i> application? Hmmm. They must be using magic.<p>* 'messages are heavily encrypted and can self-destruct' - but like every system, the self-destruction is not assured since it's impossible to enforce.<p>* 'keeps your messages safe from hacker attacks' - a bold claim. Maybe they do some stuff to protect messages, but it's not the perfect safety that this statement implies.
People here are complaining a lot about this app, and rightfully so.
However, this is definitely the best encrypted communications app there is for iOS and therefore also the only app that is cross platform and able to reach a wide audience.
I know they didn't do it completely right, but it definitely seems to be the best option that is currently available.
Is HTTPS not a secure channel for communication between client-server? What is the reason behind using an entirely different protocol for client-server communication[0] over HTTP?<p>[0] - <a href="http://core.telegram.org/mtproto" rel="nofollow">http://core.telegram.org/mtproto</a>
A lot of haters in this thread. To be expected.<p>I've been following this space for a while and Telegram is the best app out there right now. The usability is great and they are trying to do the right things when it comes to security.<p>The apps are open source and can be audited. I fully expect there to be bugs, that is part of the process! You would be insane to trust your life to a crypto app that's been around a few months. So yes, there will be bugs. But that doesn't mean they should just give up. In a few years this could turn into a really nice, secure app.<p>I think their big competition will be: TextSecure, also a great app and better for security due to OTR. But the iPhone app is still in development as is their data channel. Once those are complete, they could take the #1 spot.<p>Also, Hemlis is one to look out for. But they take about the same security approach as Telegram but seem to be less open so far.
To whom it may concern: Pavel Durov, one of the authors of Telegram, announced he will pay $200K (or 200 BTC) to decrypt his traffic <a href="http://tjournal.ru/paper/durov-decifer-telegram" rel="nofollow">http://tjournal.ru/paper/durov-decifer-telegram</a>
>Q: Who are the people behind Telegram?<p>>Telegram is supported by Pavel and Nikolai Durov.<p>I would not trust a social network owner with my messages.
Their HTTPS server isn't configured with the right certificate :(<p>Firefox gives me "The certificate is only valid for the following names: *.stel.com , stel.com" for <a href="https://telegram.org/" rel="nofollow">https://telegram.org/</a>
The authors' education credentials are impressive, and I admire their initiative. However, they do not seem to have employed a cryptographer to review their design and protocols, so I expect that serious security problems will be discovered.<p>Personally, my expertise is rather in application security, so I will review some of the source code over the holidays. At first glance the C client is not bad.<p>The real metric of this project's success will be how they react to criticism, harsh as it may be. I hope they learn from their inevitable mistakes and succeed in the long term.
Everybody is so negative here. Ok rolling your own security protocol might not be the best move. However, they want to be competitive with WhatsApp.<p>Most people who try to make a WhatsApp killer suck in uix. But this app is really good and fast. I think it's better than WhatsApp in a multitude of terms.<p>Okay, there are improvements. But I can submit a pull request to the android app and improve it myself! How awesome!
<a href="http://telegram.org/privacy" rel="nofollow">http://telegram.org/privacy</a><p>That such a policy even exists should suggest that "secure" is the wrong way to describe this. Reading through this, it looks like <i>yet another attempt</i> at what Lavabit and Hushmail were trying to do. In other words, snake oil.
More info about their secure protocol is here: <a href="http://core.telegram.org/mtproto" rel="nofollow">http://core.telegram.org/mtproto</a><p>Technical description here: <a href="http://core.telegram.org/mtproto/description" rel="nofollow">http://core.telegram.org/mtproto/description</a>
Devs of this app: Don't be disappointed by these harsh comments because most of them contain technical fixes you need to do asap!<p>These suggestions, if implemented/fixed will surely get you some really dedicated early adopters!
tptacek should write up a block like <a href="http://craphound.com/spamsolutions.txt" rel="nofollow">http://craphound.com/spamsolutions.txt</a> for every time somebody rolls up their own crypto solution.
If this is closed source (and the source seems to be only implementing API calls to a closed system) then it's fair to assume that this application is probably insecure or has backdoors.<p>Also if the private key is stored in the cloud then it's likely to be subject to requisitions.
Looks like they kept the interface exactly the same as WhatsApp to attract users. The smiley selection has the entire list of WhatsApp smileys in exactly the same order. WhatsApp is going to be upset, but it might help users.
I see source code for clients, but nothing for the server side.<p>Are they using something standard or do they want to lock down users to their own proprietary servers?
If this gets popular and the people behind it can be trusted, this could replace SMS and e-mail. The iOS, Android and CLI clients are open source, but they need to open source the backend too. I also like the idea of giving the noun "telegram" a new meaning.
Wow, there are so many cryptography experts with world names in this thread!<p>And it's interesting why you think that it's not possible to read most of the cryptography/cryptanalysis books and check common mistakes of implementation afterward? Do you really think that this is <i>THAT</i> hard?<p>Your scepticism would be understandable if they used their <i>OWN</i> crypto algorithm. However their protocol is based on well known strong crypto.