Security Cryptography Whatever
Telegram with Matthew Green
We finally have an excuse to tear down Telegram! Their CEO got arrested by the French, apparently not because the cryptography in Telegram is bad, but special guest Matt Green joined us to talk about how the cryptography is bad anyway, and you probably shouldn't use Telegram as a secure messenger of any kind!
Transcript: https://securitycryptographywhatever.com/2024/09/06/telegram
Links:
- https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/
- Lavabit / Ladar Levinson: https://en.wikipedia.org/wiki/Lavabit
- Pavel Durov indictment statement from French authorities: https://www.tribunal-de-paris.justice.fr/sites/default/files/2024-08/2024-08-28%20-%20CP%20TELEGRAM%20mise%20en%20examen.pdf
- MTProto 2.0 protocol spec: https://core.telegram.org/api/end-to-end
- https://words.filippo.io/dispatches/telegram-ecdh/
- MTProto 1.0 (old, no longer used): https://web.archive.org/web/20131220000537/https://core.telegram.org/api/end-to-end#key-generation
- OTR: https://otr.cypherpunks.ca/otr-wpes.pdf
- AES and SHA-2 used in ‘Infinite Garble Extension’ mode: https://eprint.iacr.org/2015/1177.pdf
- Four Attacks and a Proof for Telegram: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833666
- History of Telegram e2ee chats availability: https://en.wikipedia.org/wiki/Telegram_(software)#Architecture
- https://securitycryptographywhatever.com/2023/01/27/threema/
- https://securitycryptographywhatever.com/2022/11/02/Matrix-with-Martin-Albrecht-Dan-Jones/
- https://en.wikipedia.org/wiki/Matrix_(protocol), introduced in September 2014
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Hello, welcome to Security Cryptography Whatever. I'm Deirdre.
Speaker 2: I'm David, I'm drinking, and there's Matt.
Speaker 1: Matt, our special guest today is returning champion Matt Green. How are you, Matt?
Speaker 3: I'm good. Thanks for having me.
Speaker 1: Oh yeah, we're bringing Matt on because Telegram is in the news and we finally have a reason to talk about fucking Telegram, and Matt both wrote an up-to-date blog post about it and has written about Telegram in the past, and we just thought he was the best person to come and just have a drink and talk about Telegram because it's in the news. Thanks, thanks for having me, and I am having a drink, so that, hell yeah, we're done.
Speaker 1: Um, all right. Telegram's in the news because the CEO of Telegram, what's his name, Pavel Durov, who is a French citizen, was arrested in France for things including basically not cooperating with law enforcement when trying to prosecute crimes happening on Telegram, such as child sexual abuse material being spread about on Telegram, and also there were a couple of items in the press release of the indictment about basically operating cryptology in France without an import license. We're used to export restrictions, but apparently France has this weird law. But, you know, there's tons of public stuff happening on Telegram, never mind the crap end-to-end encrypted, opt-in-only private DMs that are not used by a lot of people, and yet they are throwing that in for reasons into their charges, and so that's why we're talking about Telegram.
Speaker 2: I think a good place for Matt to start would be to explain to our listeners the workings of the French legal system and how it differs from our own. There was a movie, like a good movie, like a year and a half ago or whatever, Anatomy of a Fall, which is like a French criminal legal drama or whatever. And then, right as that movie came out, Debevoise & Plimpton, I'm probably pronouncing that wrong, so I'm not a lawyer, but they're a huge law firm, they published like this big white paper on like the distinctions between the French criminal legal system and ours. And it's fucking crazy. French criminal law is bananas. The prosecutor works for the judge.
Speaker 1: It's how it works in France, um, so yeah, it's, it's fun. Um, so just to kind of cover, like, we're not going to get into like the other crap about, like, OK, Telegram is run by this guy, Pavel Durov. He was originally Russian. He fled Russia at some point. He created Telegram, I don't remember if it started as a messenger or turned into a social media platform slash has DMs, or the other way around or whatever. But Telegram has ostensibly 900 million users. It's pretty big, but it's much more of like a kind of Twitter plus DMs than like an encrypted messenger like WhatsApp or Signal. But it has DMs and it has opt-in private DMs and it has that.
Speaker 1: But also their public persona is very hands-off, and this is part of the thing that got them in trouble. Instead of building in like "we couldn't backdoor this if we wanted to" or "we couldn't snoop on your messages if we wanted to", they're just "we don't want to and we won't". And if you don't do bad things in public channels, this is like on their website, like, we'll leave you alone. They're basically like, don't do crimes in public, full stop. And I think that's what's got them into trouble, but also their whole persona is like, we don't care, we're not going to like throw you under the bus. And also we have end-to-end encrypted DMs. But also the end-to-end encrypted DMs are shit. Rude. So I don't know, I just want to note that this podcast also endorses not doing crimes in public.
Speaker 1: Oh sure, but unlike other platforms like, say, WhatsApp owned by Meta, or Signal, or other places that have end-to-end encrypted communications or DMs or whatever it is, Meta is the largest reporter to NCMEC, the National Center for Child Expectation or whatever. They are huge and they cooperate, and this includes, like, public information on WhatsApp. So like, if your profile picture is like advertising bad shit, they'll report you, even though they can't get at the contents of your end-to-end encrypted WhatsApp or Facebook Messenger. They cooperate like crazy because they want to comply with the law and they're a United States-based company. But Telegram explicitly, explicitly does not cooperate, and it's interesting because they only have about 30 people, and even if they wanted to cooperate, it's unclear if they could with that many people. They'd have to scale up, spend money and things like that.
Speaker 3: And they have cooperated there. That's the worst thing is that they have cooperated. They seem to be very, right.
Speaker 1: They have cooperated with other countries.
Speaker 2: I was, before this started up, I was talking to David. So, like every other provider, they have published terms of service, and in their terms of service they have things like you can't spam and you can't advocate violence. And then the last term for the acceptable use of the terms of service is you may not publish illegal pornography on publicly visible Telegram channels.
Speaker 4: It's right there, right? You can see it right now.
Speaker 2: Very specific. Yeah, it's real, real specific.
Speaker 1: Yeah, yeah, okay. But the crypto, the crypto has always been bad.
Speaker 2: The crypto is like, you know, before you go there, that's kind of, that's the thing I'm super interested in here too, is just kind of like picking apart and trying to figure out how the hell they wound up where they wound up with cryptography, right? Not as like a snarky comment, but just as kind of a sanity check. Matt, do you remember...
Speaker 3: Lavabit? I do, I remember Lavabit, yes.
Speaker 2: So to me, and you can tell me I'm crazy about this and that would be valuable to me, but to me these situations are uncannily similar, right? So Lavabit was the encrypted email provider that Snowden was using in part at the time of, like, the release to Greenwald and all that stuff. Right, like they were a little bit tied up in the Snowden drama, and a lot of people on message boards know about Lavabit because they wound up in a situation where the DOJ was requiring them to disclose TLS keys because they didn't do end-to-end encryption, which is a distinction we'll get into in a minute. Right, if you had the TLS keys for Lavabit, you had all the messages there, and like Ladar Levison, who is like the operator of Lavabit, played chicken with the DOJ but ultimately gave in and gave them. Like there was a thing where he was like almost in contempt because he tried to give the DOJ the TLS keys printed out on paper, which is an awesome move.
Speaker 3: I remember he made the font very small.
Speaker 2: That was his, that was great, it's awesome. But, like, if we're trying to think about like the war on cryptography or, you know, an escalating war against people's privacy or whatever, like these are kind of the same situation, right? Like the issue here is don't run providers that put you in a position where, like, everybody knows that you can trivially comply with like a CSAM investigation.
Speaker 3: So what I think I would say about this is, and maybe I was going to save this part to the end because it's not something I can say with any confidence, it's just a feeling. You know the difference between Ladar, it was Ladar Levison, right, that was the Lavabit gentleman?
Speaker 1: I think so.
Speaker 3: The difference between him and the Telegram folks is, I feel like Levison was basically naive, right? He didn't know how to build a system, so he built the best system he could, and the best system he could was not very good, and then in the end it turned out that all someone needed was a TLS secret key and then they were toast. Whereas I feel like Telegram knows exactly what it's doing, and I feel like the great thing about knowing what you're doing is when somebody shows up and says, you know, can I get these messages?
Speaker 3: You have three choices, right? It can be, sorry, I don't have the keys at all, there's nothing I can do for you, which is a bad place to be if you're really in trouble. The second thing you could do is be like, well, I'm going to try not to give you the keys and then ultimately fail. And then the third place you can be is, hey, this is a negotiation, and I feel like that's what Telegram folks are, kind of, that's the position they're in. But again, I have no reason to believe that. But it's interesting that that probably is more the case than the other way around.
Speaker 2: So, Telegram crypto, I hear it's pretty good.
Speaker 4: But it notably probably doesn't apply to whatever Pavel's being arrested for. That could entirely be over the public channels that are by default in Telegram.
Speaker 3: So, so I think that would be the general case. But then there are these two charges, and I think you mentioned them, which are importing without a license. I actually had to sort of like read that again and try to remember my French and then go through Google Translate. Without prior authorization, maybe that's a better word. I'm not quite sure what the list... So, you know, it would be a much simpler thing to argue about if those two charges weren't there. But those charges really do sound like this is about cryptography, so leave it to the French to kind of make everything much more confusing than it needs to be. But yeah, Telegram's crypto. Well, we can go there, but Telegram's crypto. We all have been around long enough to know a lot about Telegram's crypto and its history.
Speaker 1: But we've never talked about it on this channel in three years. We've just been sort of like, ah, that's a piece of shit. So now we finally have a real reason to bring it up. One thing that, so all right, Telegram purports, so they're not open source, number one. So we are kind of just trusting that they are saying what they say publicly, which is they implement MTProto 2.0, version 2. They originally had MTProto 1 that had some hilarious things in it that practically look like a backdoor, even if they thought they were putting randomness into it or whatever, but now they're doing 2.0.
Speaker 1: And one thing that jumps out to me for MTProto 2.0 is they're still doing finite field Diffie-Hellman for these. We mentioned this, but these are not on by default. You have to go, on your nice blog post that we'll link in the show notes, you have to go through several menus to get into the opt-in end-to-end encrypted DM option, and they're doing parameter negotiation on the fly. You can't send someone a DM if they're offline, an encrypted DM, offline. They have to be both online to agree on. You can't send it out of band async like you can on basically every other platform.
Speaker 2: Can you send Telegram DMs that are not encrypted to people when they're offline? I think so.
Speaker 3: Really? Yes, absolutely, it works just like old fashioned. Yeah, absolutely, I was sending my friend, I sent him a message saying, hey, do you mind if I start an encrypted DM with you and like post pictures of it? And I was sending these messages just fine. And then, like, when I started the encrypted DM, it was, you know, sorry, he's offline, can't do anything.
Speaker 2: I was going to be like, if they just don't have async message delivery, that I feel sympathy for them, but they don't have async negotiation of data.
Speaker 1: That's great, awesome, okay. So I'm sorry, when you're doing this like negotiation thing, um, some of us may remember, uh, I think Signal still kind of has it, uh, but it's in like a different, uh, different part of the product, different surface, where, like, you can compare fingerprints of like the things that I'm sending you over here and the thing I'm sending you over here and you can compare them. Uh, and this is supposed to be, uh, you know, out-of-band mitigation for some sort of man-in-the-middle attacker or whatever. Um, but you know, for basically every other system that's doing this, they're doing this for, um, like elliptic curve Diffie-Hellman, like identity keys, but like Telegram is doing it for like on-the-fly, finite field Diffie-Hellman negotiated key material. There's like, it, and it's like, it's, it's like crypto from like 25 years ago.
Speaker 3: I don't think there are signatures on it. I actually have to check. I don't even, do they?
Speaker 2: I'm not... They use a fixed finite field, or do they negotiate the group on the fly?
Speaker 3: No, the server gets to make one up. You ask this: give me a group, and then it generates parameters. And then you're like, painstakingly, you have to check all the parameters and make sure. But this is a place where we could talk about it, because that's, you know, an opportunity. There are these SNFS parameters you can come up with, and I don't know how plausible it is to make, you know, a backdoor set of parameters.
Speaker 4: Probably not very, but like it's the invitation for that kind of stuff that makes me worried. Their own docs say that you should check and make sure that the prime is a safe prime, meaning that P minus one over two is also prime. But the funny thing about that is that it immediately goes on to describe how to check that you have a valid generator and it picks the most complicated method, because if you have a safe prime, you just raise G to the P minus one over two and check if that's P minus one. This is the one thing in cryptography I remember how to do, but they're like, no, we need quadratic residues. It's very, like, weird.
Speaker 2: This is like the message crypto nerd app that I was hoping for, right? But just to bring people in who are not message crypto nerds. Right, if you were using curves, like, if you read, like, and we'll get a little bit more into what Filippo wrote about the DH exchange there in the past too. But if you read Filippo's thing, it's like the problem with finite field Diffie-Hellman is that it's weaker for every bit of key than with elliptic curve, which sends smaller messages, it's better studied, blah, blah, blah, blah, blah, right? But the other thing about using elliptic curve is when you build a curve system, usually you always fix a curve. You're doing it over, like, P256 or most likely Curve25519. But like, normally in these same systems, there isn't a negotiation about what curve you're using. In finite field Diffie-Hellman, for reasons I don't fully have my head around, like, there could be the Curve25519 of finite field Diffie-Hellman. You can just say this is the best group to use, right? But there isn't. So all these systems negotiate them.
Speaker 3: So in TLS they still support finite field Diffie-Hellman. There is a set of recommended... I think DKG over at ACLU actually came up with them. There's like three you should use, and obviously Telegram does not use any of that stuff, but they could, and they're like 3072 bits, so they're not, they're bigger than the Telegram parameters. But yes, they did the absolute worst, most error-prone thing you could do in Diffie-Hellman.
Speaker 1: For finite field Diffie-Hellman, yeah.
Speaker 2: Now we say all this, but they have never been broken that way. Although you're saying that there's like a plausible, like, OK, there are parameters that are weak to particular, like, number field sieve attacks and things like that. Yeah.
Speaker 3: Yeah, and think about this, right? So the way it works is I log in as me, you log in as you, and then one of us starts communication. The first thing we do with our logged-in account is we say, hey, server, give me parameters. And so imagine, like, you know, some academics get together and they say we want to look at these parameters. Are they any good? There is no reason to believe their parameters are going to be bad. Right, they're logged in as random accounts. They're nobody, nobody's going to be targeting them. But maybe you're a Ukrainian general and, you know, somebody knows your account is something important. Maybe you're not going to get the same parameters. So it's a very, very hard thing to test for, even if we had good algorithms for testing for that.
Speaker 2: This is awesome because they are... I haven't thought about web-based, like HTML-based, JavaScript, right, which is like they could say here are the parameters and we're going to use the good, like the TLS-based parameters or whatever, right, like the good finite field group definition or all that, right. But every time you do a chat, the server tells you what your parameters are going to be and you are trusting that they are giving you the same parameters as every other DM that you set up. Okay, that's awesome.
Speaker 3: There is no reason forever to have a server handing you Diffie-Hellman parameters like this. There's just one. Right.
Speaker 2: It should just be in the protocol, right? They should just say we're going to use these parameters, or at least in the TLS setting...
Speaker 1: ...there is a set of three, and we will figure out which one of those three sets of predetermined, offline, elsewhere parameters we are going to agree to use for this session.
Speaker 4: Yeah, I don't want to use the parameters from the man, man.
Speaker 1: Yeah, well, this is the corollary of that.
Speaker 2: Yeah, they're NIST parameters. Their problem is there aren't Brainpool DH parameters for them to use. That's a good question.
Speaker 1: I killed the whole conversation dead with that weird reference, so move on right along. And so, not in the current version of Telegram, of MTProto 2.0, but when, okay, say you got these parameters from the server, they're also in MTProto 1.0, you would do your Diffie-Hellman, your finite field Diffie-Hellman over the, you know, the prime field, that the parameter was given to you by the server. But then they also let you... You do your Diffie-Hellman, you get the share from the other side and you raise it to the secret value that you have on your side, but then they also take that shared secret value and XOR a nonce into it. In the old version, this is not live, but this used to be in there. Deirdre, Deirdre, Deirdre.
Speaker 2: What you don't understand, what you don't understand, what you don't understand, and what they do understand, is that some of the systems that are running the Telegram client have bad random number generators.
Speaker 3: Oh right, so you can't...
Speaker 2: You can't simply trust them to run a DH. You have to mix in some server random information so you can be guaranteed that they're using real random numbers. Sure. Right, Matt?
Speaker 3: Yes, Pavel Durov is much better at picking random numbers than me and I would rather have him choosing my randomness. Yes, the serious answer is that bug, it's a few years old, so I hate to pick on it.
Speaker 3: But it was a crazy bad bug because, you know, as you were about to say, what it does is it lets the Telegram server basically take, you know, make it so that we are on both sides picking... You know, if we do a man-in-the-middle attack, if they do a man-in-the-middle attack, what's going to happen normally is I'm going to end up with one key shared with the man in the middle, which would be Telegram, and then my counterparty is going to end up with another key shared with Telegram, which will be different, and this way they can fix it up so they're saying the same key and the key fingerprints will match. So it was a really scary-looking bug, because the implications were everything you would expect from a backdoor. Now, allegedly, ostensibly, it's been fixed for a few years, but it's the kind of thing where you just don't really feel comfortable after seeing something like that in a product. But they're also, they're not, like, they're not signing the key exchange right now.
Speaker 2: If they're not doing, like, or like doing a triple Diffie-Hellman, authenticating against an identity key or whatever, it's still just like a plain old... We'll get into my opinions about what may have happened building this, this whole crypto system, later on, but like it's still just like a "I read this bit of Schneier and immediately put it into practice" kind of situation. Yeah, yeah, even that.
Speaker 4: That backdoor is like, if you didn't think about how to build it, you'd think you're building it more secure. It's, it's, it's like, it's a very, um, Hanlon's razor backdoor.
Speaker 3: Okay, but I do want to add one thing, which is that this particular group of people, and I think literally this particular group of people, had multiple conversations in public about this, several of them, and I'm going by memory here, mostly involving Pavel Durov himself being involved in this conversation, or at least jumping into different Twitter threads, and some of his other folks too. So this was not something that, like, they did not know about. They were heavily criticized by people on Twitter, you know, cryptographers on Twitter, by academics, and over, I think now, let's say maybe nine years, you know, they have never upgraded this protocol to be better, and like that starts to feel a little ugly to me at this point.
Speaker 4: They did. I mean, they did take this specific, they rev'd from 1.0 to 2.0 and that took this specific backdoor out and probably made some other changes.
Speaker 3: But they did still, in terms of like the Diffie-Hellman parameters and all the things that make me uncomfortable, they're all there.
Speaker 2: We're bouncing back and forth, which I think is a good thing, but like we're bouncing back and forth topically here. I do kind of want to call out like a thing that, I'm not sure, it's a weird thing, for, it's a weird thing to say about a system, so I'm not sure it's intuitive to everybody. But when we're talking about this MTProto system, right, where, like, we set up, you know, you know, we set up a DH shared key and then we run a transport protocol over that, right, like that is, um, they do that for DMs, but that is also, I think, it's their like baseline protocol, right? I think it's their normal, like, when you do client to server. That I think I'm, I think I'm right about this. They don't run TLS, even, right? They run TCP.
Speaker 2: They run TCP on port 443 or an HTTP transport on port 80, but they run their weird MTProto thing instead of TLS. Um, well, you know what, like, let's not, let's be a little fair, because, like, Signal and other messengers use Noise, right? Right, Noise, not TLS, and so we can't be totally mean about this, right? And actually, that's, I, I'm, that, that's not where I'm going, right? Like, it's, uh, it's, it's not that, like, that's a smoking gun kind of deal, it's just like I think it's kind of important to understand that this is like a, a property of their whole system. Like, everywhere they do communications, they have these issues, right? But like a thing that you will hear Telegram advocates say, like, again, like the most important thing to understand about Telegram is that none of this is happening by default, right? Like, you have to ask for secure messaging in a one-to-one conversation.
Speaker 2: They don't do it with groups, right? But they will also say they run this MTProto system with identity keys and a secure transport and blah, blah, blah, for all communications between the client and the server. Ergo, their group messages are encrypted. Their group messages are encrypted because they run MTProto between the client and the server. Like, they'll get real mad if you say that the server has plaintext, because they don't have plaintext. They have whatever the product of this MTProto is. They talk about client-server encryption as opposed to end-to-end encryption.
Speaker 3: But they have plaintext. I mean, the whole point is their server can decrypt the messages, as it has to, to put them into a database, and so they have plaintext. I understand what they're trying to say, but it's certainly not true in that sense queue or whatever they're like.
Speaker 1: Is this end-to-end encrypted? And they said, yes, we have encryption from your client to other clients in the Zoom. And then people had to be like, no, no, no, no, no, the thing that you're saying on your website and what people are asking about is not true. And they hired a whole bunch of people to actually make deployable end-to-end encrypted Zoom, because they have a TLS connection or a WebRTC DTLS connection from the client to a server, and the server has to be in the loop to do all sorts of things like transcription and cleaning up noise and all this sort of stuff. That was a big feature and they had to go do all this work. Zoom got burned by the thing that Telegram is advertising, and they, like, to what Matt was saying, they've been notified for ages that this is not...
Speaker 3: This is not true, this is not accurate, this is misleading, and they don't care or something. I also just want to say, before I forget, something Deirdre just said just a few minutes ago, which is it's not open source. I kind of agree with you. I have looked multiple times over the last few years at Telegram's clients and found things that weren't officially supported, were way out of date. People could not claim that they were actually... to think that they built into the client. However, I have not looked in the last few months and it's sort of the thing I want to do, but I do know that Pavel Durov specifically made a big post about, they now have reproducible builds for iOS, which Signal does not have, and yet I've also heard a lot of people saying that's not really true. So unfortunately, I'm in a position where I just, you know, it's such a confusing mess that I don't know the truth, and I really wish I did, but in the past it has not been true that you could not build it from code reliably.
Speaker 1: Okay, stepping back like a hot second, we just jumped right into finite field Diffie-Hellman and what was in 1.0 and what's no longer there. Matt, can you give us like a quick walkthrough of what we are supposed to get in MTProto 2.0, in these private chats from Telegram clients, whether or not we can confirm or deny that they're actually getting shipped?
Speaker 3: Okay. So if everything works the way it's supposed to work. So first of all, you make a connection to somebody else. It has to be a one-to-one, not a group connect, group chat. You make a one-to-one chat with somebody, you can talk to them. At this point everything's unencrypted. It is not encrypted at the server, it's not end-to-end encrypted. Now you, um, you press a button, I think you go to the user's, this is four clicks, uh, to the profile page on my iPhone, and then from there there's kind of nothing there that says encrypt. There is a little "more" menu. You click that. You click that again. There's a "start encrypted chat", and then if your partner is online, then you get to, you know, start an encrypted chat. But if they're offline, it basically just says, sorry, waiting for them to come online.
Speaker 1: God, I hate that so much. Yeah, that's crazy.
Speaker 4: I can't, like, it's not a good UX. I have flashbacks to like AOL and like middle school.
Speaker 1: Yeah, and like Pidgin or something, or maybe like really shitty OTR Pidgin.
Speaker 3: Yeah, this is not like wild technology, like the way this has all been handled in modern messengers for years. Okay, what you're supposed to get, though, if you get through this process and you start a secret chat, you are supposed to get a Diffie-Hellman-established key with your remote counterparty that the server doesn't know, and, you know, you have to check a key fingerprint, maybe read it over a phone to be absolutely sure the server is not tampering with that. But if you do that, then you should have, hopefully, end-to-end encrypted messages that just appear as junk to Telegram servers. It's just you and the person you're talking to can decrypt them.
Speaker 1: And anyone who happens to be listening or whatever, happens to be sitting on that channel or whatever.
Speaker 3: Well, even they shouldn't be able to see what you're talking about. But, like, obviously if they get on your phone, then you're in trouble.
Speaker 1: Yeah, yeah, I mean, and that is also like the case for basically all of these clients. Like you have to have a little bit of trust, and like, to be fair with the open source stuff, like, you know, WhatsApp is not open source, iMessage is not open source. Like there's a lot more trust in what they're saying than Telegram. People... Signal is open source.
Speaker 4:Let's back up to the protocol again a little bit. So like I feel like we all like open the protocol docs on Telegram site and are like good God, what is going on, and I feel like most people don't have enough context to know why we would have that reaction. Could you maybe explain what Telegram is doing, as compared to what you might expect a sort of more normal end-to-end secure messaging application to do?
Speaker 3:Okay. So a normal end-to-end secure messaging application would do something kind of similar to what Telegram is doing. Right, it would publish some kind of key exchange public key Maybe it's an identity public key or something, but it would publish some public key, it would upload that to the server, whether it's Signal or WhatsApp or whoever else is operating a system. And it would also do a thing which is really nice when you want to make a connection to somebody offline is it would also send the first move of that key exchange protocol maybe a hundred times, and it would ship that up to the server as well. And that's really nice, because when somebody else wants to send me a message and my phone is off, those first moves are ready. They can just go ahead and complete the protocol and establish a key with me. This is a little bit in the weeds, but it's really really important. So this is like a very straightforward thing, and so that's what another messenger would do. Then the messenger would use proper Diffie-Hellman, preferably elliptic curve Diffie-Hellman with normal parameters, would also check that all the messages sent by the counterparty are signed by what appears to be their public key, which is called an identity key, would do a whole bunch of checks and then would only then actually start a communication using a normal encryption, symmetric encryption protocol, authenticated encryption, something that people trust, and every place where I'm saying these things it sounds like it's, you know, kind of boring, but this is every single place where I'm saying and then would do this.
Speaker 3:That is something that Telegram does in a weird nonstandard way. So, like it's not all a given, the only thing I would say is, like with all of these protocols, there is a fear that the server could be tampering with the messages and like swapping out, let's say, Deirdre's public key, the key that she's trying to send me, for somebody else's public key, like the FBI's public key, and this can lead to man in the middle attacks on all of these different services. So it's not a totally unique thing. This key fingerprint checking they call it safety numbers in Signal is supposed to help you check for that. However, the way Telegram does everything with all these parameters and extra stuff means that the reason we're so nervous about that is the safety numbers could maybe not work if they found some way to bypass them with these parameters. That's one of the reasons we're so nervous about it.
Speaker 1:And to mitigate the whole checking fingerprints out of band. WhatsApp and I think maybe Facebook Messenger, have basically deployed key transparency and you know you have to kind of do. It's a lot of infrastructure that you have to put trust in WhatsApp themselves. But if you already trust WhatsApp or Meta themselves, they look at keys and they notify you. If you, if me, Deirdre, am starting a new session with Matt and Matt is showing me an identity key that seems very different than what Meta is used to seeing from Matt's devices, it will alert me rather than I have to be proactively checking my fingerprint and Matt's fingerprint and if there's any time that I may forget to check them and miss that it changed. Oopsie daisy, you know there's an FBI in the middle or whatever. This is a lot of infra to deploy this. But you know, for example, Signal does not have this yet, but it's no surprise that Telegram does not have anything like this. It's even worse.
Speaker 3:I think that's kind of the story here, right? So like there are some old protocols for messaging, like off the record messaging, which is called OTR I don't know when that came out in the 2000, sometime, maybe before 2010, I don't know and it looks a lot like Telegram's protocol today and what we've seen like out in the real world is OTR. You know, kind of got Signal came along and took OTR and then made it better and better and then, like WhatsApp, you know kind of got U-Signal and so messaging over the last 15, 16 years has been improving a bit at a time, and you mentioned this key transparency thing. That's just like the most recent set of improvements. But things like being able to send messages offline and using proper protocols these are much older. Telegram has done none of that. They're basically at the level of like the 2000 something. OTR, yeah, and they stopped.
Speaker 2:The OTR people are going to jump at you right now, right, because like so OTR is like I think it's like I think of it as being roughly 2005 vintage, which is like right around the time where we were kind of solidifying notions of like authenticated encryption and stuff like that, right, but like I think they would say it's like it's like SIGMA. I think they're like an implementation of SIGMA key exchange, if I'm remembering that right, so think about key exchanges that much anymore, but like there's a theoretical basis for it and it's not like what you would do now. Because now, like, modern messaging encryption and modern messaging key exchanges are all like the gold standard, is Signal protocol or these kind of in some way intellectually derived or informed by Signal, right, but that didn't exist back then. So they would say, like we were based on the literature of the time is what the OTR people would say Right, and like Telegram can't say that Right, Telegram is doing something much weirder than that.
Speaker 3:And Telegram has a lot more money right. Like Telegram isn't some open source project. They have apparently hundreds of millions of users and I don't know how they make money, but they also started a cryptocurrency and made billions of dollars on that. I think at some point today they could do things. They just haven't.
Speaker 2:My other thing here and like, maybe maybe the vibe shift I'm sensing here is not one that you all sense and I will let you talk about it after I insert the vibe into the conversation.
Speaker 2:But, like 10 years ago, you could not have this conversation without it being kind of an implicit defense or advocacy of Signal where, like, signal was the only thing in the world that was doing this.
Speaker 2:Right, that was like doing a serious implementation of message crypto with a thought out, like you know, a theoretical design model for what they were doing. Right, and I think that, like I think Telegram in public discussions about security and message security capitalizes on the Signal versus Telegram thing of this whole conversation. Like, well, you're all just shills for Moxie Marlinspike, right, where it's like I said a thing about this earlier on Twitter. Right, like, if you're, if you bring up Moxie Marlinspike's name in one of these conversations, which I just did, it's kind of a red flag for the whole conversation. Right, like, at this point, we have multiple like good theoretical models for how to do messaging encryption. Right, like MLS is a you know, a strongly theoretical you know whatever for this whole thing. Right, so like we don't to like make reference to Signal at this point, I think to you know to point out how wacky Telegram is.
Speaker 3:Even Apple iMessage now has a lot of speeches, it does ratcheting, it does post-quantum, it does all kinds of crazy stuff and like, yeah, everyone who's doing serious crypto and end-to-end encryption is doing it much differently.
Speaker 4:WebEx has ratcheting. Like if your messaging system is behind WebEx, we'll call this a.
Speaker 2:That's my new law for secure messengers is your Our listeners are not seeing David's gesticulations, as he says, behind WebEx.
Speaker 4:Like your security should be at least as good as Cisco WebEx, which has good people working on it. Credit to them.
Speaker 1:And they are actively like involved with MLS development and moving that sort of stuff forward. Yeah, and I just put the original OTR paper in the show notes. It doesn't go into specific details about some of the details that we are cringing at in MTProto 2.0. Uh, one of the fun things is like to go really deep is like their KDF is SHA-256.
Speaker 2:We've learned a lot about KDFs. I'm hoping, I guess hope, that Matt is conversant a little bit with the details of how this stuff works. I'm not, like I'm faking it right now because I just read the paper before this, but I'm hoping to get Matt's walkthrough of it. So like I have to say, going into this, that it's not a broken protocol but we don't have. We have, there are some attacks and they're not cosmetic attacks, but they're not like you know. They're not attacks in the sense that Hacker News would think of an attack on the system, Right, but it's. It's a fun transport protocol, right, Like once you've actually gotten through the Diffie-Hellman part of this and established keys, everything else they do is also it's, pretty wacky. Are you, how familiar are you with this, Matt?
Speaker 3:Oh, in terms of the KDF stuff, not so much. I know that they use some bad KDFs and they do like MACs using SHA-2 as well. Um, and I know that there is theoretically some attack on it, but I actually don't know the details. Yeah, so like.
Speaker 2:Um. So, first of all, they're using IGE mode, right, which any like crypto nerd conversation about Telegram and MTProto has to come down to IGE mode, which is it's whatever, it's fine, it's whatever, right. So I it's not fine, it's not fine.
Speaker 3:It was not fine, it was, it was. It's not funny. It was not funny. It was kind of amusing when they did it the first time in version one of this and then they were heavily criticized. People wrote papers saying it wasn't CCA secure and it wasn't really a big deal. It wasn't broken broken, but it was just theoretically kind of broken. And then they went ahead and upgraded it to MT Proto 2, and they kept all this stuff. So it's not like they haven't made changes and it's not like they haven't been told that there's a problem. They just haven't done anything.
Speaker 2:I thought IGE was super, super wacky. Like until this moment, I thought IGE was super, super wacky because it's like it's yet another cipher mode in a world where you have like CBC and CTR and CFB and you know FB, whatever, and I don't know what the hell fucking are, right, but like you know, you really should only need to have in your head two of them, right. And they found another one which I thought was crazy back then, but I never really looked into it, I stopped there.
Speaker 2:But IGE is just a CBC with an extra chain, right, like it's a what. The thing you're trying to do with IGE is. When you've got your CBC, you know ciphertext that you're building up, right, and you're chaining the previous block and it's like the thing you're trying to get is, when you have a bit flip in one of the blocks, instead of the CBC behavior where it totally fucks the first block and then gives you a targeted edit of the next block, what they want is it totally fucks every subsequent block, which is kind of like a reasonable property to want.
Speaker 3:Except for the reason they're doing so. First of all, there's this whole literature on like self-synchronizing ciphers that have this property that they don't get screwed up forever when there's an error. So they're building the opposite. They're building a self like non-synchronizing cipher which never comes back Right If there's a single bit error, then, like, everything is screwed forever. And you'd ask, like, why do you want this? And someone who's never done crypto before would say, well, this is great because, like, if somebody tampers with my message, it'll be really, really obvious.
Speaker 3:But the way we detect tampering in messages is we use MACs or we use an authenticated encryption mode to actually properly detect tampering. We don't have to deal with weird modes that scramble up the message and they seem to have not known about MACs as being a thing. So the meaning, the cryptographers at Telegram. So what they did is they invented this weird new mode that, like a single error scrambles the message forever and then they have a check at the end to see if the message is still scrambled, and so they kind of reinvented, reinvented, authenticated encryption from scratch, and it's very boring. Everything I'm saying is very boring, except it's also like finding out you know your car has wood inside the engine instead of metal Right Like it's probably fine, it runs OK.
Speaker 3:But like why is there wood inside my car? It doesn't make any sense, it's nonstandard.
Speaker 1:It's also like I hear like an adversary gets to corrupt a block and that corruption like propagates through all the subsequent blocks and like that gives me the willies.
Speaker 3:Like I feel like that's just like the opposite of what I want in my cipher mode, my authenticated encryption mode, um yeah, the only thing I wanted to say is they could have just gotten rid of IGE and like swapped it for something modern. They had plenty of years of knowledge. They made the decision to like upgrade the algorithms.
Speaker 2:They're doing something weird with um so friend of the show Martin Albrecht and friend of the show Ken.
Speaker 3:Kenny.
Speaker 2:Paterson wrote a paper where I don't know if this is just funny to me because I'm ignorant of theoretical computer science and cryptography, or if it genuinely is funny. But I'm reading a paper where they're trying to do a formal model for the Telegram protocol, and it has a section in there where it's like we need new novel assumptions for SHA-1 or SHA-2 or whatever, because, like whatever we would normally do to prove a protocol, we need to actually have certain new things about SHA-2, in order to actually talk about this protocol, which I find hysterical. But I might just be wrong, this might just be me being ignorant. Am I being ignorant or is that really funny?
Speaker 3:It's pretty funny because, like, usually, you get away with collision resistance or you should be able to get away with, like, some preimage. However, I will say, like, generally speaking, I'm not picky about this. Like, if you use the random oracle model to analyze SHA-2, like, I'm mostly okay with it. It's not usually that bad. So I'm not sure if this is a question of cryptographers being very picky for Eurocrypt or if this is actually Telegram being really weird. I can't tell you right now.
Speaker 2:So they do a weird thing with the way that they actually encrypt messages where, like, they're doing IGE mode and like part of like in the back of it. So like, first of all, I want to point out that friend of the show, Ben Laurie, is responsible for all of this.
Speaker 1:What is all of this?
Speaker 2:Everything that happened with Telegram. OK, Telegram would not be using Telegram, Ben, I'm talking to you right now. Telegram would not be using IGE mode had you not implemented it, for reasons passing understanding, in OpenSSL. Like 10 years ago, for whatever reason, Ben actually implemented IGE and Telegram uses the OpenSSL/BoringSSL implementation of IGE, right.
Speaker 2:So there's a weird thing going on here where, like, they don't have a standard MAC, they have sort of like an MDC type model. The paper says it's like an encrypt and MAC model. Where it's like, if you're reading a paper with a proof of the transport protocol and it says encrypt and MAC and then the thing in between is not then that something weird is happening, right, something weird is happening here, right. But like part of the idea I think behind IGE is like, if you can prove that you're chaining like ciphertext, block corruption all the way at the end of the message, then there's like a CBC-MAC thing happening here, right, like you only have to look at the last block of the message to authenticate it. Like I think there's like some intuition here for why they would have done this.
Speaker 3:Yeah, that is definitely what they're doing. They're like a single bit corrupts the encryption and like carries forward this bad thing and then we can just check and it makes a lot of sense if you're in 2006. In fact, just googling quickly and I'm looking for Ben Laurie and IGE, I find you know emailing mailing lists from like 2006 or so people complaining about IGE being broken in OpenSSL. But it doesn't make any sense as of 2015. What are we talking about? When Telegram came out? This is years later.
Speaker 2:Yeah, I have a sort of thing where, like, I explain this whole system to myself by, like, if you literally left it up to Hacker News to design a transport protocol, right, and like you have that weird mix of people and what they bring to the conversation what they've actually read about. It's like, if you're like doing it from first principles, like you could wind up in a weird place here where, like, basically you're rederiving all of you know, the last 20 years of cryptography without the benefit of anybody's papers. It's like if you tie your arm behind your back, we're like I'm going to build a new crypto system based only on the cryptography knowledge that we had in 2003, not 2004, very specifically, 2003. And I'm not allowed to Google anything. I might wind up with this system.
Speaker 3:I just want to stress that I can accept that for draft one and maybe for, like, version two, but, come on, we had many years of conversations and people writing papers and making fun of them and I really the thing that I think you and I both saw maybe we saw this and nobody else listening remembers this is Pavel Durov came back at us and said you know, the truth is that my guys in Russia who invented this are just smarter than you Like. The reason it's so bad is that my brilliant Russian mathematicians I found they're smarter than you. You Americans are just using this broken NSA cryptography and we are using stuff that is not broken. Like it was pretty nuts and when I say nuts, I want to drill down into the nuttiness Right Like it uses this is using AES and SHA.
Speaker 3:This is using algorithms that were standardized by the US government, so it's not like it's avoiding, you know, this kind of US government cryptography. It's just using it in ridiculous ways. Yeah, but like Pavel was very, very militant about the fact that no, if we used it correctly, that would be the wrong thing, and these guys were smarter. He did not just say like oops, we made a mistake, he pushed back and really stuck to his guns and I admire him for sticking to his guns, but his guns were very bad.
Speaker 1:They're very bad guns. I was originally going to give sort of an argument of ah, they have such a lean team, they have approximately 30 people running Telegram for almost 900 million users worldwide or whatever. And if you want to be so lean, there's only so much development, advanced development work you can do to completely upgrade your end-to-end encrypted blah, blah, blah. But yeah, it doesn't seem like they're just trying to keep it really lean. It seems like they're just sort of willfully just not don't want to contend with the fact of what they've built is actually kind of a pile of crap and actually not doing their users a service at all, and this is kind of just a fig leaf of encryption at this point.
Speaker 3:I don't think it's even a fig leaf. I think it's, I don't know. I am trying to say this in a nice way. I think it is a deliberate effort to send the message that any time you use a Telegram chat it is encrypted, when it is very deliberately designed so that it will not be encrypted. That is my feeling. Now, that could be an accident, but I definitely feel like the marketing has been done wrong. Let's just leave it at that.
Speaker 1:I mean, the marketing is very and the marketing is basically what they write on their website the fact that they don't cooperate with any sort of like endeavors to be like, hey, someone's trying to like organize a murder on your channel, like kind of, will you kind of help us prevent a murder, and they're like no, we don't cooperate for anything at all.
Speaker 1:And Pavel Durov just kind of talking like this in public for I don't know 15 years or whatever. The one thing that really bothers me is that, even like it seems like all these choices are not willfully designed to be friction for you to actually get the best possible secure option out of Telegram but you could be forgiven to confuse them for that. Because it's literally you and your person have to be online to even start an end to end encrypted chat. You have to negotiate like maybe you negotiate getting online over a not end-to-end encrypted chat. You have to go through like three or four or five menus to actually find this option in the first place. And then, once you've actually done everything and like you've checked your fingerprint, your randomly generated fingerprints at the point that you're finally communicating, even then it's shitty and I don't know. It's just, they just don't want to do anything, they don't care, they think they're right, they don't want to make it better, so.
Speaker 3:It's like those places that say you know you can cancel your subscription anytime, but I could go there in person and like do it in writing and stuff, and like that's how I feel about starting an encrypted chat. Like just by making little choices in the way that user experience works, you can make it vastly less likely that anyone's going to do the thing that you're trying to make hard.
Speaker 2:So I feel like there's like a you know, there are like smoking gun design decisions they've made with their user experience where, like I think everybody kind of uniformly agrees, like this is a system designed to make messages insecure, the not being on by default, the fact that it doesn't work async, the fact that it doesn't work for group messages, blah, blah, blah. Right, like, yeah, sure, I'm with you 100%. I'm going to say something that will make you angry, though, right, which is, if you look at Matrix or if you look at Threema, two other encrypted messaging systems that have had public you know papers written about them, right? So, like you know, Martin Albrecht and his team did the thing where they went in and I don't know if it's Martin Albrecht, I'm sorry if you were not the lead on this, whatever, I don't know how academia works, but whatever, that team went in and built a formal model for, you know, for Telegram, and then evaluated the system against it and they came up with some things, right, like, you can reorder messages.
Speaker 2:Um, it depends on which direction you're going, like client to server versus server to client, because, like, the server has control over timestamps or something, but, like, in one of those directions, you can change the order in which messages will appear, because I think timestamps are not authenticated ciphertext in the system. And then there's like, um, they do a thing where, for, I'm not really sure I understand what's going on here. But there's a retry mechanism in MTProto where, like, if you don't get it back from the node that you're sending a message to, right, like, you'll re-encrypt it, um, instead of again, and there's an oracle there, you can distinguish if you know what was sent originally, you can verify that the same message was sent or a different message was sent, right. That's one of the real problems in the sense where, like, if you find an encrypted transport where you can reorder messages, like it's fucked, okay, fine, I get it, it's fucked, it's not a good transport, no one should use it. Right.
Speaker 2:But in terms of actual usability, like usable, what am I trying to say here? Like actual vulnerabilities that people would care about, right, like after Nebuchadnezzar, Matrix was a steaming crater, right, and Telegram, again modulo the fact it doesn't encrypt anything at all. Telegram, their cryptography is. I was about to, the words holding up were about to come out of my mouth.
Speaker 2:And those are not the right words.
Speaker 3:I want to push back on that. So, first of all, let's refocus on nothing is really encrypted, very little is really encrypted. Let's start there. I spent all of my blog posts on the fact that you know, by the way, it's really hard to find this menu, and very little of my blog posts on like all this stuff about Diffie-Hellman. Sure, because I do hear what you're saying and I agree with some of it. But let me just say this Telegram is now not a like new system, Matrix. How old is Matrix? Like a couple, a few years, it's several it's younger than it's younger.
Speaker 3:Yes, it's younger than Telegram. Telegram was really broken in its early versions and, like that backdoor bug that we mentioned, that Filippo was talking about, that was the most devastating kind of bug you could find right, like this is what I do now.
Speaker 2:I just got people who are talking I'm the best, so hold on, hold on, because you're. There's a trip wire in this conversation that sets me off. Right, like, I agree, like morally, directionally, I agree with what you're saying. Right, like I know where you're going. I'm just doing a thing now also where I'm finishing a thought, where my wife would throw a shoe at me right now if I did a stir, but like whatever.
Speaker 2:So, however, matrix has the vulnerability and I'm bringing this up because this is like a pet issue with me. Matrix had the vulnerability where the server controlled group membership. They did encrypted group membership. Right, they do encrypted group messages, which is like a big thing that we want from these systems. Right, like it's the number one biggest problem with Telegram is that groups aren't encrypted. Right, matrix does encrypted groups, like that's the calling card for Matrix, it's Slack, but the group messages aren't encrypted. Right, but because of really severe vulnerabilities in that system, it might as well not have.
Speaker 2:Right, because the server controls group messaging and clients are not adversarial about who's in the group.
Speaker 2:Right, like clients just kind of assume the server like this is the whole system where, like, group members are group members, right. So I do want to call out every messaging system that we look at not Threema, by the way, but every messaging system that we look at tends to have this one vulnerability that I think people don't, people are not heeding enough on right, which is you do end-to-end encryption, you get everything right, you do ratcheting, you have the right primitives, but somehow the layer where you're figuring out group membership happens one layer up from all this stuff about how we do the key exchange, how we do the message encrypting. It's a higher level of semantics about how we're going to authorize which people get to join which groups. And I have a thing here where, like I think people don't it like it should be like to me, if you do encrypted group messaging, it should be the first question you ask about that system is what determines who's allowed to join a group, because group membership is key distribution.
Speaker 3:Right.
Speaker 2:So like it's not really fair to compare Matrix and Telegram on this, in that Telegram has the worst possible case answer here, which is simply that nothing is encrypted at all. But there's also a trick in advertising to it.
Speaker 3:Well, hold on a second. The defense of Telegram is we just didn't bother to implement group encryption at all. Right, Like it's not, like it's even like not active. It's just they don't support end-to-end encryption for groups. So in the process of not supporting end-to-end encryption for groups, they magically get to avoid all the bugs that showed up in Matrix.
Speaker 3:Would those bugs have existed in Telegram if they had group encryption and then encryption? I can't tell you. It's the kind of thing where you know, if I was asked in a court case, I would say well, that's hypothetical, but I bet it would be a nightmare and a mess. But going back to the things that they did have right, where you trust the server for this one essential function of giving you some parameters in key exchange for pairwise communication, they, in that early thing, that early version that Filippo commented on, they messed it up so badly that it essentially offered no security against a malicious server. So you don't do a lot worse than that, considering all you're doing is pairwise communication.
Speaker 3:And the point that I was trying to get at was that, yes, Telegram has held up well now, eight to 10 years after being introduced. But I think what we're looking at is the result of a lot of band-aids. They started with a bad protocol. People would point out things that were bad, really broken, really broken, and then they would put a band-aid on the really broken thing and now we see a thing that is just like kind of theoretically, academically broken and not like broken in the sense that like, oh my God, I can't use this, because all my messages are going to be toast and we still don't really know if it's any good, because I think the academic description and the protocol descriptions versus the implementation of it, there's probably still a big discrepancy and we don't know what that looks like.
Speaker 4:I would also argue that server provided Diffie-Hellman parameters are kind of like DOA, like it's harder than it was in the previous version to do something, but like that's still very close to a backdoor I mean especially because they're.
Speaker 1:It would be one thing if it's like I don't know, some like well-known pre-suggested list. Maybe there's some some sort of optimization, some performance thing that the server's trying to do. They're trying to be like here I shall pick from the publicly known set. Here are some parameters, I don't know. Maybe it's doing client detection something, something, but it's not. It's generating some random fucking number on the back end and just handing it to you and then hoping that the client will actually check that it's the right number and that it's within the correct range, and doing all this other stuff. And you have to like you know it's shenanigans, it just feels very shenanigans.
Speaker 3:It feels really shenanigans. I actually have to go back and look at the attacks on Telegram paper and see what they say about possible attacks in there. I don't remember seeing it. I'm sure it's in there.
Speaker 1:Yeah, to pivot away from this getting into. It feels kind of gross to have some CEO of a company that purports to provide end-to-end encrypted chats and we've kind of covered that. Like it's pretty shitty to have a company it does implement some sort of end-to-end encryption if everything goes perfect and they're not, you know giving you a crappy Finite Field Diffie-Hellman prime and you're online and you pick the thing and you do everything right, like it's giving you something.
Speaker 1:It feels pretty shitty that that CEO of a company can just land and get arrested, ostensibly for having an end-to-end encrypted messenger.
Speaker 1:We can have Mark Zuckerberg land in India and get arrested for owning being the CEO of the company that controls WhatsApp for ostensibly the same reason. Or we can have, I don't know, pick your CEO of company that provides an end-to-end encrypted messenger. It feels like a pretty shitty precedent. However, it's Pavel Durov's fault that he fucking got into this situation in the first place, because it's not really because he's operating crypto without a license in France. It's because he's not fucking complying with the French, trying to actually investigate crimes that are being organized on the public. The vast, vast majority of activity on Telegram is all public and he's been waving his self in the air saying, yes, we do not do that, we do not, we just do not help, we do not comply, we do not do anything. Now all the other people who operate good end-to-end encrypted messengers find themselves like under threat, because this is a precedent that has now been set, but it's just a big mess and it sucks.
Speaker 3:Can we talk about that? That's the thing that makes me really unsure how to process this. Normally, if this was someone, if this was a company that was an end-to-end encrypted messenger even one that I mostly disagreed with their philosophy on, my normal reaction would be look, this is really bad. Even if these are not the most sympathetic case, we want to make sure that encryption is protected, because after they get rid of these people, they'll come after Signal, they'll come after WhatsApp, they'll come after all encryption.
Speaker 3:I don't know, I'm not quite prepared to go there. I'm very close to being prepared to go there, but I'm not quite prepared to go there because I feel like this Telegram thing is such a weird unicorn of a company and such a unicorn of a service that, like I don't know if there's a hundred times more going on here than meets the eye. Maybe this is some kind of weird geopolitical thing that is not just about encryption, maybe it's not just about message content, maybe there's something else going on and I feel a little weird like rushing to the barricades to be like save encrypted messengers if it turns out that this has nothing really to do with that. But maybe we'll learn in the next that it does.
Speaker 4:There's just so much plain text that, like, I know some people who like are active in like the tech community and we're like super stressed out about this and we're like freaking out about attack on cryptography or attack on free speech, and it's really hard to tell that this isn't like plain text moderation issue versus yeah, it's not further down the spectrum of plain text moderation issue than it is an attack on cryptography.
Speaker 1:Yeah, and if they had filed this indictment, whatever I don't know French law, but they had a press release about their full indictment? Because apparently in French law they don't post publicly the full indictment the way that you do in US law, so we can't just go look at the indictment but they say you know, basically whatever the French equivalent is of like unwilling, like unwilling obstruction of prosecution or investigation or whatever. If it was just that, I don't think anyone would give a fuck. They'd be like, yeah, that's what they do. They basically say it out in public on their website that that's how they behave and that's how they have behaved. But it's the other two things of saying operate like this thing that hardly.
Speaker 1:I don't think everyone was surprised that this is a thing, because if Pavel Durov and Telegram are found liable for operating cryptography without a correct license in France, it would imply that a whole bunch of other software that has cryptography that doesn't have a license and operates in France would also be liable. And that's the scary thing and it's really unfortunate and I wish we had more information, because that is the scary thing. It might be just kind of padding this actual thing which is we're trying to investigate stuff and you are obstructing us, as opposed to we're trying to investigate stuff and you have encryption, and the fact that you have encryption without a license is the thing we have a problem with. I think it feels like they're throwing it in but we don't know. And if it is just throwing it in, it's just like swirling all this stuff up and it just makes everything very fuzzy and very kind of gross and it's not great.
Speaker 3:It would be really nice if they drop those charges or clarify those charges. Yeah, unfortunately, I just don't think that they care. I've never gotten the impression that the French government is pro encryption or cares about that kind of privacy community very much, and so we'll see how this boils down.
Speaker 4:You're forgetting the core tenet, which is that it's not cryptography unless it comes from the cryptology region of France. Otherwise it's just sparkling combinatorics.
Speaker 2:I'm going to say right now that on Slack David said like 40 minutes ago that the one thing he had to contribute to this conversation was a sparkling cryptography region joke, and he finally got it in.
Speaker 1:And it needs to be licensed by the French government, apparently, or something like that.
Speaker 2:I. The only thing I have on the legal side of things and like when trying to understand how Twitter and message board people are reasoning through this is there is a species of YouTube video that I highly recommend you seek out, which is sovereign citizen people getting pulled over by the police. Now that's a whole other thing. Right, there's a million videos of SovCit people getting owned by the police all across the continental United States, but I'm saying there's a very specific species of them where SovCit US people get pulled over in Canada. They've driven over the country line into Alberta, right, and they get pulled over by the police and they try to explain the Fifth Amendment to the Canadian cop.
Speaker 2:Who's like we don't have a Fifth Amendment, which I think decodes like 80% of all of the message board conversations about Telegram is people trying to look at what France is doing through the lens of US procedural protections and like I don't want to get too political here. Um, I totally do, but like. One thing I think is not like appreciated enough is just how many weird procedural protections we have in the US that are not, in fact, common in the rest of the world. For instance, when a police officer or a law enforcement agent or whatever collects fucked up evidence by, like you know, pummeling you and getting you to admit it, or like doing an illegal search of your car or whatever. Right, we have a rule in the US called the exclusionary rule, which is that that evidence gets struck out from the court case.
Speaker 2:And again back to what I said earlier in the conversation and we'll have a show note somewhere where I have a link to this white paper, because it's fucking awesome, right, about how the French legal system works. But the prosecutor works for the judge in France. Right, there's no exclusionary rule in France. Right, they could beat whatever they. They're probably beating Pavel right now. Right, and all of that evidence is admissible, because that is not. I don't even know if they have double jeopardy in France right.
Speaker 4:This is Thomas saying in so many words that France and the United States are two different places.
Speaker 3:Indeed, but let's just add that Pavel Durov took on French citizenship voluntarily, like two years ago. This wasn't something he didn't stumble into, this, he made this part of his life.
Speaker 4:Oh, I don't know. Did something happen in Russia a couple of years ago?
Speaker 1:Yeah, but why France? He's also a citizen of the UAE.
Speaker 3:So many EU countries you could go to that maybe are maybe not better and like in France.
Speaker 1:Apparently you have to, like you know, have French, like proficiency, like you have to be sufficiently proficient in French, to actually become a French citizen. You do not have to do that to become a citizen of Ireland, for example, and like so somehow he did.
Speaker 4:You could still buy citizenship in Malta up until like a year or two ago.
Speaker 1:I think, yeah, so yeah, it's very interesting. Yes, he is Just to do Thomas the Salad. He is a citizen of France, so I don't know if, yeah, he flew into France and he got arrested in France and he is a French citizen. I don't know. It's weird, Matt, thank you. Thank you for jumping on. Thomas, do you have anything to say? We're wrapping up.
Speaker 2:I think I've said enough.
Speaker 4:Matt, do you have anything else that you want to say, or are you happy that you came on and had Thomas interrupt you for an hour?
Speaker 3:No, I actually really enjoyed it. No, no, it's this. This whole thing's a mess and I, you know I just do.
Speaker 3:Well, yes, what I do want to say is that I there has been this big debate in the EU about doing chat control which is scanning chat messages, and I just wanted to have this last one thing, which is that France has not been what I consider to be like on the side of the angels in that particular debate. They are very pro scanning, and so if this really is about cryptography, I mean, the French are not the people that I would, you know, be the happiest to have doing this. So that's really all I wanted to add. That's pretty much it.
Speaker 1:Yep, not very happy or you know, nothing has like landed for this chat control stuff yet for these sort of internationally run and encrypted things. But, like, there is a reason that people really really care about federation for building the next generation of encrypted messaging or encrypted chat messaging, because they have to care about federation if they want to operate in Europe, which will have its own laws and things like that. Matt, thank you so much. Don't use Telegram. Pretend it's all public, because it basically is.
Speaker 2:Don't use Telegram.
Speaker 1:Cool. Security Cryptography Whatever is a side project from Deirdre Connolly, Thomas Ptacek and David Adrian. Our editor is Nettie Smith. You can find the podcast online at @SCWPod and the hosts online at @durumcrustulum, at @tqbf and at @davidcadrian. You can buy merchandise online at merch.securitycryptographywhatever.com. If you like the podcast, give us a five-star review wherever you rate your favorite podcasts. Thank you for listening.