undefined | Better HN

0 pointssillysaurus212y ago0 comments

This was not the goal of the bounty, but was still a serious issue.

To be clear, this bug was enough to compromise the security of every Telegram secret chat session. I can't think of a more serious issue.

0 comments

2 comments · 2 top-level

makomk12y ago

Yeah. In essence, it made their nominally end-to-end encrypted secret chat feature no more secure than simply giving the Telegram server operators a plaintext copy of every message you sent and trusting them not to log, read or tamper with it.

Worse, it's the kind of flaw you'd expect someone subtly sabotaging the protocol to create. It's a small, superficially plausible modification that turns an apparently secure scheme into something completely broken. Yet if they'd made that modification in the obvious way - by combining the nonce and Diffie-Hellman result with a secure hash function - it wouldn't have caused the problem; for the vulnerability to exist the nonce has to be handled in a very particular way.

bhitov12y ago

Vulnerability to passive attacks is worse than vulnerability to active attacks. I'm not downplaying the severity of a MITM vulnerability, but certainly there could exist more serious issues.

j / k navigate · click thread line to collapse