Summary: no. On the other hand, the TextSecure protocol rules and is pretty straightforward. That being said, I still use Telegram because it’s so nifty, and just don’t send any confidential information with it.
I would not be so sure. While having a Ph.D. doesn’t make you a top-notch cryptographer, it’s not something that should be easily dismissed because a 20-year-old hacker said so.
The attack posted is interesting and probably could be mitigated by a 256-bit fingerprint. However even the author of the attack acknowledges that the attack described is unreal:
Overall, I would estimate that a full attack costs in the tens of millions USD in infrastructure and electricity to pull off and get a full fingerprint collision in reasonable time. Attackers may also be able to steal or borrow existing infrastructure, like a botnet or supercomputer system. In other words, this should be within some Super Villain’s budget.
Their protocol is open source and anyone can take the time and try to break it in a real-world scenario, not in a hypothetical world where the super-villain has nuclear reactors running john-the-ripper on quantum computers…
Just because you can’t think of a way to break it doesn’t mean it’s secure. Just because there isn’t a published exploit doesn’t mean it’s secure. There is still a fundamental difference between:
I’m not dismissing the PhDs that designed the Telegram protocol because they aren’t crypto experts, I’m dismissing their work because they chose option 2 rather than option 1. They used techniques that are not well understood. For all we know MTProto is totally secure, or totally insecure, there’s no way to tell.
I might have more appreciation for their design decisions if there was a technical advantage gained, in any way. But there isn’t. Everything Telegram does can be accomplished with mainstream crypto; all the funky stuff they’ve done is totally unnecessary.
Just because you can’t think of a way to break it doesn’t mean it’s secure.
I don’t recall saying that if I can’t break something, it’s secure. You’re twisting my words, but I won’t repeat myself.
For all we know MTProto is totally secure, or totally insecure, there’s no way to tell.
That can be said for OpenSSH too: For all I know it’s either totally secure or totally insecure (if you are Gobbles and have a 0day sshut-up-theo remote root exploit). So what we do is the following: Until someone comes up with a way to decrypt data from an encryption technology, we consider that technology secure.
Until someone comes up with a way to decrypt data from an encryption technology, we consider that technology secure.
All crypto systems should always be considered suspicious, dangerous and broken. Novel crypto systems invented by non-cryptographers doubly so.
Don’t roll your own crypto. That and more extremely useful tips are found in Cryptographic Engineering. I highly recommend anyone who is considering work that involves cryptography (or application security) to read this book.
When I was looking at using Telegram, wondering if it was truly secure, I found Bruce Schneier talking about how security is a sliding scale depending on threat model. Telegram may not be the best security ever, but its combination of security and convenience gives me a lot of value.
Telegram is insecure, but it has things OTR+XMPP don’t: ease of use, marketing, good clients for popular operating systems, and a bit of momentum.