Notices by saxnot ➡️ HOA, GPN (saxnot@chaos.social)

@feld thanks for the source

last time I checked the mtproto had such an obvious flaw to diffie-hellman it would have been a beginner question in crypto 1 at my uni (and my uni is worst in the country for c.s.)

we're only talking about the secure chat feature here. Every other chat (nearly 100 %) is still unencrypted (and they're open about that).

They sometimes communicate this premise in a way very confusing to the uninitiiated

@feld of course I could say "it's not floss, thus can't be independantly audited, thus immediacy no go for people interested interested in information security.
But that would be too much of an easy W I should stay within my original claim of them having no encryption at all

@feld excuse me did you just say "unconventional choices" in regards to cryptography?

I am sorry there are ways that stand the test of time and everything else is flawed.
That's how cryptographers think about these things and for a good reason.

Do I want a heart surgeon to be known for their "unconventional choices"? No. That's like the ultimate flaw in that industry of knowing it better in an otherwise peer reviewed world

@feld that format verification is five years old
just saying that.

I was unaware that formal verification of such complex systems is even possible.

not even AES is formally verified and it's magnitude simpler in design

@feld i know this source is old but just look at the this 2017 blog article by Pavel Durov: https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by-Default-08-14

it immediately opens with the most far-fetched and niche argument ever. All of E2EE is not what you truly want because... some users to unencrypted backups.
The same users would do the same backups for telegram but let's ignore that.
All of Telegram shall have no E2EE because they leak it anyway.
Signal is niche and cringe (didn't use the latter word) because they encrypt backups

@feld it's a funny read and it's certainly an important building block when that was his opinion in 2017.

It's correct that not having #E2EE is more convenient. And that in itself is a valid reason. But then advertise as "simple and hassle free" and don't pretend to offer any security in #Telegram

In case I wasn't clear: I am finished looking at the formal proof because I don't have that software and I see no link to the results / paper / etc.

According to german security expert…

@feld According to german security expert @kuketz in his blog article from 2020 there is at the time no audit for the Telegram MTProto 2.0 protocol.
https://www.kuketz-blog.de/telegram-sicherheit-gibt-es-nur-auf-anfrage-messenger-teil3/

Correct me if that is wrong. The first MTProto was broken in a very amateurish way. The second not audited at all to my knowledge.

I like to believe Telegram being an unattractive target for audits anyways since it's closed source and publicly criticizing tools of the russian state might be bad for your health
#telegram

@feld the claim of them using the same E2EE with communicating to the server is laughable.

They most likely use TLS like every other sane person.
In fact using TLS for secret chats would be a much smarter idea in the first place rather than rolling their own crypto which is known in the industry to be a failure only the most inept security engineers do.

Every crypto is insecure unless shown otherwise.
AES, GPG, EC, … have been spotless since decades and that's why they're trusted

I don't understand why #Telegram is so popular
it's the worst messanger in regards to security by far.

There's no encryption, even 'secure chats' have a broken impl since years and russian gov reads and manipulates all.

Lots of nice features though

Empathy and reason is punk as fuck these days

mir zu viel Mühe geben meine Rasierklinge sicher zu verpacken vorm wegwerfen: check

Diese Dosen von EXTRA Kaugummi sind transparent und dickwandig. Plus es war Müll den ich eh im Müll hatte. Perfekt also!

@helix ne weiß ich nicht

meine Rasierklingen kommen in einer kleinen Plastikhülle. Ich könnte die stumpfen in der selben Hülle ganz unten lagern. Meinst du das?

@helix hm das scheint wirklich zwei Öffnungen und zwei separate Kammern zu haben

@helix ja, da sind so zwei Kammern mit separaten Eingängen.
Und das ist Absicht?
Wow wusste ich nicht, #TIL.

Danke!

@djsumdog @melonhusk ngl while shitposting it did make some sense:

you wrote about vaccines and this dewormer stuff
= lost contact to reality / medical wisdom

The morning star (lucifer) is the bringer of light, the embodiment of enlightenment.

Thus despite me writing it as a shitpost it makes sense to hope that you get to your senses and accept the effectiveness of vaccines among other things you are lost on

@djsumdog @melonhusk great rational argument from the person who injected himself into an already ongoing conversation and claimed I was having trouble of faith.

@djsumdog @melonhusk you said nobody cares
you cared enough to write me
Put together: you say you are a nobody.

I don't know why you said that but I will include you in my thoughts and prayers. I will mention you by name in my communication with our lord and savior satan. Perhaps the morning star will see you and reach out to you and help you with your struggles

@melonhusk @boghan @djsumdog I want to make it clear that me favouriting your toots is currently used as a read receipt and does not imply me (dis)liking a specific toot.

Here's the announcement of that https://chaos.social/@saxnot/113976425057529436
Usually I favourite what I like but then you would have seen it sparingly in this convo. Speaking to all three of you

@obrhoff die memes sind ja durchaus teilweise funny. das hat er schon drauf, wenn auch seine Politik beschissen ist

@drwho you mean djsumdog.com and new.asbestos.cafe?

djsumdog.com is a single user instance of someone we would call Queerdenker here in germany. Someone who lost contact to reality during corona and now is against vaccines or something.

i have no idea about the other instance