
I don't think you actually read the article.

This article is good news, precisely because they show how willing they are to improve their service.

EDIT: Of course it's good PR. So what? That's how Google, Apple and most other big companies operate. They don't have to be altruistic to work and create value for people.



> precisely because they show how willing they are to improve their service.

Multiple people who know what they are doing have remarked that the system Telegram has created is a bad idea and it would be much better to use any established protocol. They have also pointed out multiple places where Telegram is committing obvious cryptographic blunders in their protocol.

Telegram decided to pay out $100k under contest rules that are weaker than known plaintext attacks. If they wanted to actually improve their security they would switch to a more secure protocol that doesn't require a server to actively participate in the conversation. I guess if they want to hemorrhage money via the hubris that is their crypto contest they should just keep on as they are.


> They have also pointed out multiple places where Telegram is committing obvious cryptographic blunders in their protocol.

They have pointed out multiple places where Telegram MAY BE committing blunders, namely that their internal server-to-server communication MIGHT be susceptible to MITM attacks. It's not the same thing.


It is, though. If the protocol relies on servers to be good actors, then servers are a weak point. People aren't willing to let that by because, besides just good security standards, servers are being targeted by government spying.


Step 1 in security: Assume that every connection is untrusted. Now think of their model; does it hold up in that situation?


If they were willing to improve their service they would have listened to what crypto experts had to say from the very start instead of playing the "we've got a bunch of smart mathematicians here, we are the best" card.


It's an impressive sum of money. Have you considered they're doing this for marketing purposes, not out of concern for people's security?


So what? They're still doing it.

Unless it turned out they'd set the whole thing up, which would be different.


With respect, I think what you are suggesting would only complicate the evaluation of this complex situation. Dropping relevant context and focusing only on a specific action is not the way to reach a rational conclusion.

In my view, we must integrate this action on the part of Telegram with all of the other things we know about the situation. That's a tall order, because it means integrating this specific action (paying the $100K) with many other topics, such as the various people making claims, their expertise and possible motivations, computer cryptography and computer security, strategies that companies sometimes use to gain access to personal information, the dangers posed by weak cryptography, etc.

Only when all of the facts square with each other will we have a rational basis for trusting Telegram Messenger and the people behind it.


Don't get me wrong, I lean towards the "Telegram's security is a joke and the contest is even more so" camp. I was commenting solely on the specific issue: that if someone uncovers a flaw in your software and you pay out in order to get some good publicity, the fact remains that you've still done a good thing by paying out.


> Unless it turned out they'd set the whole thing up

That's an important question. I'm really curious to know if the user x7mz steps up to take the reward and if Telegram would release any proof of payment (minus any obvious info that would give away the identity of x7mz).

This vulnerability seems to be connected to Diffie-Hellman, right? Even a rudimentary search shows that a MITM is easy on it. I wonder if it's even possible that they did not know this one?
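The two points raised earlier in the thread, that a protocol relying on a relay being honest makes the relay a weak point and that unauthenticated Diffie-Hellman gives a relay that position for free, can be made concrete. The simulation below is an added example written for this thread, not code from Telegram or from any commenter. It runs an unauthenticated DH exchange through a relay that either forwards values faithfully or substitutes its own, and shows the defensive check that catches the substitution: each endpoint derives a fingerprint over the two public values it believes were exchanged, and the users compare those fingerprints out of band (the same idea as the key visualisation or "safety number" that secure messengers show). The group parameters are a toy 61-bit prime chosen purely for readability; a real deployment uses a standardised group of 2048 bits or more, and the `run_exchange` harness is an assumption for the example.

```python
import hashlib
import secrets

# Toy group for illustration only: Mersenne prime 2^61 - 1 with generator 2.
# A deployment uses a standardised group (e.g. RFC 3526) of >= 2048 bits.
P = (1 << 61) - 1
G = 2
WIDTH = 8  # every group element fits in 8 bytes for this toy P


def gen_keypair():
    """Ephemeral DH key pair: private exponent in [2, P-1], public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Session key: hash of the DH shared secret g^(xy) mod p."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(WIDTH, "big")).hexdigest()


def fingerprint(pub_a, pub_b):
    """Order-independent digest of both public values; compared out of band.

    Both endpoints compute this from the values they actually received.
    If a relay swapped a value, the two fingerprints differ.
    """
    lo, hi = sorted((pub_a, pub_b))
    digest = hashlib.sha256(lo.to_bytes(WIDTH, "big") + hi.to_bytes(WIDTH, "big"))
    return digest.hexdigest()[:16]


def run_exchange(relay_tampers):
    """Simulate Alice <-> relay <-> Bob and report what each side can observe.

    relay_tampers=False: the relay forwards public values unchanged.
    relay_tampers=True:  the relay hands each party its own public value,
                         so each party unknowingly shares a key with the relay.
    """
    a_priv, a_pub = gen_keypair()
    b_priv, b_pub = gen_keypair()

    if relay_tampers:
        r_to_bob_priv, r_to_bob_pub = gen_keypair()
        r_to_alice_priv, r_to_alice_pub = gen_keypair()
        pub_seen_by_bob = r_to_bob_pub
        pub_seen_by_alice = r_to_alice_pub
        # The relay can derive both session keys from the genuine public values.
        relay_key_alice = shared_key(r_to_alice_priv, a_pub)
        relay_key_bob = shared_key(r_to_bob_priv, b_pub)
    else:
        pub_seen_by_bob = a_pub
        pub_seen_by_alice = b_pub
        relay_key_alice = relay_key_bob = None

    key_alice = shared_key(a_priv, pub_seen_by_alice)
    key_bob = shared_key(b_priv, pub_seen_by_bob)

    # Without the fingerprint check, neither endpoint sees anything unusual:
    # each simply has a key that works with whoever is on the other end.
    fp_alice = fingerprint(a_pub, pub_seen_by_alice)
    fp_bob = fingerprint(b_pub, pub_seen_by_bob)

    return {
        "keys_match": key_alice == key_bob,
        "fingerprints_match": fp_alice == fp_bob,
        "relay_can_read": (relay_key_alice == key_alice and relay_key_bob == key_bob),
    }


if __name__ == "__main__":
    print("honest relay:  ", run_exchange(relay_tampers=False))
    print("tampering relay:", run_exchange(relay_tampers=True))
```

The fingerprint check only helps if the comparison happens over a channel the relay does not control (reading the values aloud, scanning a code in person); a fingerprint displayed by the same server that relayed the keys proves nothing. That is the practical content of "assume every connection is untrusted": the design has to give the endpoints a way to authenticate each other that does not route through the party being distrusted.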
