What a surprise, not. Many respected experts have criticised Telegram for implementing their own cryptography and using meaningless buzzwords, while also making encryption opt in. Telegram is clearly not a privacy-motivated platform and anyone who thinks so is deluding themselves.
Even the closed source WhatsApp (uses ETE from the Signal guys) and iMessage are arguably less likely to contain cryptographic flaws than Telegram.
> Even the closed source WhatsApp (uses ETE from the Signal guys) and iMessage are arguably less likely to contain cryptographic flaws than Telegram
Even though you used the words "arguably less likely" to soften your statement, there's no way to check what WhatsApp or iMessage are doing because they're not open source. So even if security researchers want to look at the code or build their own clients, it's not possible. Reverse engineering is possible, but is tedious compared to having the source code. At least the Telegram client code is open source to support examining it.
That said, the criticism of Telegram for using home brewed encryption is appropriate and needs to be mentioned often (hopefully Telegram will change the protocol). Even the authors of this paper state:
> The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes.
> no way to check what WhatsApp or iMessage are doing because they're not open source
> Reverse engineering is possible, but is tedious
I think for a security-related application, trusting that the code you have is the one being built and distributed as binary is a huge oversight. I'd argue that sniffing packets and stepping through code is the proper way (of course having code /does/ help with this). Consider: what idiot would put a backdoor in plain sight?
The original commenter specifically mentioned the use-case of building clients from the source. Your comment doesn't counter anything that was said. Btw, most backdoors are disguised as 0-days for corner cases for deniability. They are primarily errors breaking memory safety or side channels. One can also exploit compiler properties but I've never seen that in the wild. Would be easier on iOS, though, due to standardized tools & platform details.
So, no, sniffing packets or stepping through code isn't the best way to do it. Best way is combining docs, source code, covert channel analysis, execution traces, and looking at them all for issues. That's still not even minimum requirement for high assurance security but how many problems are caught that exist in low-assurance source & binary distributed software.
The point I'm trying to make is that you can audit some copy of the Telegram source code all you want, you have no idea if that's what's deployed in the app store and thus what's on everyone's phone. So it makes sense to audit what's actually being distributed to end users.
It seems to me that we could just fork the app and add in any ETE encryption we want. I get that everyone is annoyed at the Telegram people, but there are a bunch of open clients and the encryption we'd want must be independent of the server. For instance I could paste in PGP encrypted messages. Maybe there is some technical reason this wouldn't work?
I think people would rather develop their own app from the ground up instead of squeaking into another app / network when all the users must download the custom app anyway.
That's not enough. The keys could be distributed later when it's not obvious. System or network timing channels can be used. Subversion is a very difficult problem to deal with. Having the source code is a start on it. Not having the source code is a no-go for trustworthiness if malicious insiders exist.
That way you can't know for sure what is happening all the times you aren't watching (maybe the client is coded with "use shitty encryption [when client receives message X from server / the year is 2016 / your message includes a word on a blacklist]").
In theory you could reverse engineer the binary (which is compiled code); this is how security firms try to understand malware (like Stuxnet). But this is pretty hard to do.
Your ability to reverse engineer a binary isn't "theoretical", nor is it hard. These programs haven't been obfuscated.
The hard part of evaluating cryptographic messaging services isn't binary reversing; it's that evaluating cryptographic constructions is hard. The flaw we're discussing today in Telegram is evident from the documentation, but despite the fact that every cryptographer who has commented on Telegram has had nothing but bad things to say about how it does crypto, nobody connected these particular dots.
Crypto is hard. Next to crypto, reversing a program compiled with a normal compiler is just a speed bump.
Of course it's possible, just not as easy. The binaries are available, you decompile them, and you step through the resulting low level code. I bet many people had done that already.
Sorry, I was doing multiple edits on my comment in the last few minutes without noticing the replies. I did mention that reverse engineering is possible, but it's really tedious and not as easy to interpret all the code flows compared to having the source code.
"Investigators said earlier they had detained 16 people in the anti-terror raids after working with U.S. authorities to monitor suspects' communications on WhatsApp Inc.'s messaging service."
I'm saddened by this. I'm a heavy user of Telegram, and I think it's in many respects superior to WhatsApp and iMessage. The weird stance on cryptography is such a shame.
Is there a description of this somewhere? (Such as in public filings.)
Is the advertising so coarse as to ignore the content of what people say? Are they only propagating information about purchasing and browsing history through the metadata offered by the social network information in order to drive advertising?
All the questions should suggest that I'm genuinely curious and looking to understand, so if you read this and get riled up, instead of downvoting please take twenty seconds to guide me to the truth...