March 10th, 2014
With WhatsApp being acquired by Facebook, and numerous security flaws having been discovered in WhatsApp in the past, many people have been looking for a more secure instant messaging alternative. I was doing some online research on this after some users recommended Telegram.
Telegram was spearheaded by the Durov brothers, Nikolai and Pavel (Pavel is the founder of VK, the Facebook of Russia; Nikolai designed Telegram’s MTProto protocol), and it’s been gaining popularity due to its focus on privacy and security. It’s been well covered on many news sites and promoted as a super secure instant messaging client.
Let’s see Telegram’s claims:
- It is open-source and therefore subject to public scrutiny
- It is very secure, with end-to-end encryption
- It was designed to defeat Russian secret agencies
- It is so secure that they have issued a $200,000 challenge to anyone who breaks it.
- It will not sell ads or attract outside investment. It will remain free.
However, many people are challenging these claims. The guys at Crypto Fails raised many alarm bells:
First of all, they argue that the $200,000 challenge is designed in such a way that it is difficult to win even if the underlying protocol is insecure.
The contest works like this:
Every day, Paul sends a message to Nick containing an email address. You win the contest by sending an email to that address. You get a transcript of the network traffic coming in and out of Paul’s account. According to the FAQ, you can send arbitrary packets to the server, but you can’t intercept/modify the communication.
The problem should be clear now: Telegram’s contest does not give the adversary enough power. The adversary doesn’t get known plaintexts, can’t choose plaintexts, can’t choose ciphertexts, can’t modify network traffic, or anything like we covered in the previous sections. The contest barely fits into the known plaintext attack (KPA) model.
If nobody wins the contest, it does not mean Telegram is secure. It means Telegram might be secure within the constraints of the contest. However, there are extremely weak systems that can survive a Telegram-style contest, so if nobody wins the contest, it won’t give us any more confidence in Telegram’s security.
Moxie Marlinspike from ThoughtCrime (who incidentally created TextSecure, a competitor) echoed these concerns.
Secondly, their cryptographic design appears to be the work of people without a cryptographic background, and it shows.
Here is what Crypto Fails had to say:
Some problems are immediately apparent:
- They use the broken SHA1 hash function.
- They include a hash of the plaintext message in the ciphertext. Essentially, they are trying to do “MAC and Encrypt” which is not secure. They should be doing “Encrypt then MAC” with HMAC-SHA512.
- They rely on an obscure cipher mode called “Infinite Garble Extension.”
- Some really weird stuff about factoring 64-bit integers as part of the protocol.
- They do not authenticate public keys.
If their protocol is secure, it is so by accident, not because of good design. They claim the protocol was designed by “six ACM champions” and “Ph.Ds in math.” Quite frankly, the protocol looks like it was made by an amateur. The tight coupling between primitives suggests the designer was not familiar with basic constructs, like authenticated encryption, that you can find in any cryptography textbook.
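To make the “MAC and Encrypt” point concrete, here is an added example written for this page; it is not code from the original post, from Crypto Fails, or from Telegram. It pairs the weak pattern (an unkeyed hash of the plaintext sent next to the ciphertext) with Encrypt-then-MAC using HMAC-SHA512. An HMAC-SHA256 counter-mode keystream stands in for AES-CTR so that it runs with only the Python standard library; the wire layouts, the keys, the nonce and the sample message are assumptions made here and are not MTProto’s.

```python
import hashlib
import hmac

NONCE_LEN = 16
SHA1_LEN = 20
HMAC512_LEN = 64


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.

    Stand-in for AES-CTR (assumption for this example). The malleability
    shown below is a property of any stream/CTR cipher, AES included.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Weak pattern: unkeyed hash of the plaintext sent beside the ciphertext ----

def hash_and_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Wire format (assumed): nonce || SHA1(plaintext) || Enc(plaintext)."""
    digest = hashlib.sha1(plaintext).digest()
    return nonce + digest + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def hash_and_encrypt_open(key: bytes, message: bytes) -> bytes:
    nonce = message[:NONCE_LEN]
    digest = message[NONCE_LEN:NONCE_LEN + SHA1_LEN]
    ct = message[NONCE_LEN + SHA1_LEN:]
    # The receiver must decrypt before it can check anything at all.
    plaintext = xor_bytes(ct, keystream(key, nonce, len(ct)))
    if not hmac.compare_digest(hashlib.sha1(plaintext).digest(), digest):
        raise ValueError("hash mismatch")
    return plaintext


def confirm_guess(message: bytes, guess: bytes) -> bool:
    """Attacker with no key: the transmitted hash confirms or refutes a guessed plaintext."""
    return hmac.compare_digest(message[NONCE_LEN:NONCE_LEN + SHA1_LEN],
                               hashlib.sha1(guess).digest())


def forge_known_plaintext(message: bytes, known: bytes, new: bytes) -> bytes:
    """Known-plaintext forgery with no key (same length required).

    Flip the ciphertext bits where the plaintexts differ, then swap in the
    hash of the new plaintext, which anyone can compute because it is unkeyed.
    """
    if len(known) != len(new):
        raise ValueError("replacement must have the same length")
    nonce = message[:NONCE_LEN]
    ct = message[NONCE_LEN + SHA1_LEN:]
    new_ct = xor_bytes(ct, xor_bytes(known, new))
    return nonce + hashlib.sha1(new).digest() + new_ct


# ---- Encrypt-then-MAC with HMAC-SHA512 ----

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Wire format (assumed): nonce || Enc(plaintext) || HMAC-SHA512(nonce || Enc(plaintext))."""
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha512).digest()
    return nonce + ct + tag


def encrypt_then_mac_open(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    nonce = message[:NONCE_LEN]
    ct = message[NONCE_LEN:-HMAC512_LEN]
    tag = message[-HMAC512_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha512).digest()
    # Rejected before any decryption; without mac_key nobody can produce a valid tag.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch")
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))


def tamper(message: bytes, index: int, delta: int) -> bytes:
    """Attacker-side helper: flip bits of one byte of a message."""
    b = bytearray(message)
    b[index] ^= delta
    return bytes(b)


if __name__ == "__main__":
    # Constructed sample keys, nonce and message (not real key material).
    key, mac_key, nonce = b"K" * 32, b"M" * 32, b"\x00" * NONCE_LEN
    msg = hash_and_encrypt(key, nonce, b"transfer 100 to alice")
    print("guess confirmed without key:", confirm_guess(msg, b"transfer 100 to alice"))
    forged = forge_known_plaintext(msg, b"transfer 100 to alice", b"transfer 999 to alice")
    print("forgery accepted by receiver:", hash_and_encrypt_open(key, forged))
    msg2 = encrypt_then_mac(key, mac_key, nonce, b"transfer 100 to alice")
    try:
        encrypt_then_mac_open(key, mac_key, tamper(msg2, NONCE_LEN + 9, 0x01))
    except ValueError as err:
        print("Encrypt-then-MAC rejected tampering:", err)
```

The forgery needs no key and works whatever hash function is used, SHA1 or otherwise: the problem is that the integrity value is unkeyed and computed over the plaintext, so one known plaintext lets an attacker rewrite a malleable ciphertext and recompute the hash. Even a keyed MAC over the plaintext sent in the clear (true MAC-and-Encrypt) still reveals whether two messages carry the same plaintext, since the same plaintext always yields the same tag. With Encrypt-then-MAC the tag is keyed and covers the ciphertext, so a tampered message is rejected before decryption, and the tag confirms nothing about a guessed plaintext to anyone without mac_key.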
Thirdly, a vulnerability was in fact discovered in the end-to-end encrypted chat mode, but true to their word, Telegram paid the researcher $100,000 (as it was not a complete break) and issued a fix.
Despite all of this, Telegram is handling the criticism well, posting its own counterarguments on all of these blogs and providing further information on its protocol and implementation, which is a vast improvement over other IM clients, which have often kept quiet about their security problems (WhatsApp included).
I would suggest that Telegram improve its competition terms and give these people a full go at its system, to see whether the purported inherent weaknesses are really exploitable. Telegram can of course be improved, and let’s hope that the developers continue to improve the security of their system.
As for the suggested alternatives, many of these articles cite TextSecure or CryptoCat. However, CryptoCat has had its own share of rookie-mistake vulnerabilities and does not have an Android client yet (it does have an iOS client now). TextSecure improves on the proven OTR protocol but does not have an iOS client yet. I personally would put more trust in TextSecure at this point in time, but only Telegram has cross-platform support and, to be frank, Telegram is probably good enough for the average Joe as long as no serious vulnerabilities emerge. Telegram’s interface is also much more polished. Note also that both TextSecure and Telegram require your phone number.
It’s early days yet, and it’s hard to say whether Telegram will stand the test of time, but it’s off to a good start and we are cautiously optimistic about it. Let’s hope this pushes other mobile instant messaging clients to put a bigger focus on security.