
Why? They just announced that one of the main advertised features of their IM software - the secret chat functionality - was so badly broken that it was worse than not having it at all. It provided absolutely no protection against them eavesdropping on their users, yet those users were chatting under the illusion that they were secure against such eavesdropping. Worse, it seems like the Telegram developers consider this to be a theoretical problem rather than an actual compromise because you can trust them not to spy on you.


That's interesting, I didn't interpret the news this way. I haven't seen secret chat functionality mentioned anywhere yet - I was assuming that secret chat shouldn't be affected by these nonce messages since the secret key shouldn't touch their servers according to their documentation. Do you have any source on this?


The linked blogpost actually says that the attack is against secure chat and explains what it does, it just underplays how serious it is.

Basically, when setting up a secret chat the two parties use something called a Diffie-Hellman key exchange to agree on a secret encryption key without eavesdroppers being able to tell what the key is. However, the parties can't tell whether they've securely agreed on a key with the right person - the Telegram server could do a man-in-the-middle attack by doing the other side of the DH key exchange with each party itself so that it knows all the keys, and then decrypt, log, and re-encrypt all the messages between them. The fairly standard solution Telegram uses is to allow both parties to manually check that they agreed on the same keys - with normal Diffie-Hellman, this is enough to ensure no-one has MITMed the connection. Unfortunately, their protocol is modified from normal DH in a way that makes this check useless. The server can launch a MITM attack that causes both parties to agree on the same key, so they think they've securely agreed on a key that no-one else has when the server's got a copy too and is decrypting all their messages.
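To illustrate the point in the comment above about why the manual key check works for normal Diffie-Hellman, here is a small added simulation (not code from the thread or from Telegram). It models textbook DH with a toy 64-bit prime (far too small for real use) and shows that an honest exchange yields matching fingerprints on both sides, while a relaying server that runs its own DH with each party leaves the two parties holding different keys, so their fingerprints no longer match. Only standard DH is modelled; the modified key derivation the comment refers to is not described in the thread and is not simulated here.

```python
import hashlib

# Toy group parameters (constructed for illustration only; 2**64 - 59 is prime).
P = 2**64 - 59
G = 2


def dh_public(priv: int) -> int:
    """Public value g^priv mod p sent over the wire."""
    return pow(G, priv, P)


def dh_shared(priv: int, other_pub: int) -> int:
    """Shared secret computed from own private value and the peer's public value."""
    return pow(other_pub, priv, P)


def fingerprint(shared: int) -> str:
    """Short hash of the shared key that the two users compare out of band."""
    return hashlib.sha256(shared.to_bytes(8, "big")).hexdigest()[:16]


def honest_exchange(a_priv: int, b_priv: int) -> tuple[str, str]:
    """Server relays public values unchanged; both sides derive the same key."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    return fingerprint(dh_shared(a_priv, b_pub)), fingerprint(dh_shared(b_priv, a_pub))


def relayed_by_active_server(a_priv: int, b_priv: int, s_priv_a: int, s_priv_b: int):
    """Server substitutes its own public values toward each party.

    Returns (fingerprint seen by A, fingerprint seen by B, server's view of both keys).
    A's fingerprint differs from B's, which is exactly what the manual check detects.
    """
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    s_pub_to_a, s_pub_to_b = dh_public(s_priv_a), dh_public(s_priv_b)
    a_key = dh_shared(a_priv, s_pub_to_a)      # A thinks this is shared with B
    b_key = dh_shared(b_priv, s_pub_to_b)      # B thinks this is shared with A
    server_keys = (dh_shared(s_priv_a, a_pub), dh_shared(s_priv_b, b_pub))
    return fingerprint(a_key), fingerprint(b_key), (fingerprint(server_keys[0]), fingerprint(server_keys[1]))
```

With fixed private values the honest exchange gives identical fingerprints, whereas the relayed exchange gives two different ones, each equal to one of the keys the server holds.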


Seems like I had potatoes on my eyes. Your explanation made the whole thing quite a bit clearer to me than the original post, thanks for that. I think it's good that this weakness is now in the open - this will create some pressure on Telegram to solve it since, as I understand, it compromises one of the main features of their service. Their way of handling the fix will decide whether they should be taken seriously I think.



