m0xEE  

@kravietz
> group chats can’t be end-to-end encrypted (E2EE), so their contents are readable to at least Telegram operators
Only today this came to me: little is known about it in the rest of the world, but due to sanctions, Russian enterprises and government organizations can't acquire proper security certificates recognised by most widely used browsers.

1+
m0xEE
Follow

@kravietz
To avoid the suspiciously looking warnings they have made their own certification authority and are actively encouraging users to install this CA certificate to their systems. With this cert in the system, MITMing anything gets relatively easy.

· bloat · 2 · 0 · 5
m0xEE  

@kravietz
Thus communication of Russians, most of which have to have this cert installed (they still have to use banks and government-provided services) over non-E2E-encrypted messengers such as Telegram are in theory "transparent" to Russian "law enforcement". I don't know though, if Telegram apps perform any checks and give you any warning if the non-expired certificate gets replaced all of a sudden.

1
kravietz 🦇  

@m0xee

Normally this would be done by the clients using HTTP Public Key Pinning (now obsolete), DANE and CAA, all of which essentially allow checking that the end user certificate has been signed by a specific CA and thus it was not “reissued” by a local security agency. But this of course depends on the client actually doing this check :)

0
m0xEE  

@ackasaber@mathstodon.xyz
Well, Armenian company is unlikely to hold certificates issued to host names used by Telegram, with compromised CA you can do lots of interesting things. For example I hate ajax.googleapis.com so I've made a local mirror of it (you can use Decentraleyes or other such extensions, but why bother if you can have a more fundamental solution), of course I can't legitimately issue a certificate to a host name owned by Google, so it uses my own cert.
@kravietz

1
m0xEE  

@ackasaber@mathstodon.xyz
Normally a browser would detect that and refuse to connect giving you a warning or silently fail if such a host is only a source of scripts images, but as I have my own CA, all my computers have its cert installed, all the certificates I sign with it become trusted and it works 😁
It's just something that I realised today (well, yesterday in fact, before Durov got apprehended). There might be other caveats, I'm not a security researcher, otherwise I'd do a proper writeup.
@kravietz

0
Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml