fsebugoutzone.org:9999

       Post AlKSIsGGjKybvk0WhM by m0xee@social.librem.one
 (DIR) More posts by m0xee@social.librem.one
 (DIR) Post #AlK7eFhweccPgxIzzc by kravietz@agora.echelon.pl
       2024-08-25T10:52:50.480658Z
       
       0 likes, 2 repeats
       
       #Telegram is a tricky ecosystem from security perspective, because it’s quite diverse and complex:Public groups and chats are widely used by both #Russia and #Ukraine. These include both publicly available and “private” (invite-only) chats neither can be really considered secret because……group chats can’t be end-to-end encrypted (E2EE), so their contents are readable to at least Telegram operators, probably as easily as running a single SQL query.Telegram bots don’t support E2EE either.So here’s an important distinction: while Telegram is great and highly usable for disseminating public or semi-public information (unencrypted public or invite-only groups), it’s quite poor for highly confidential communications. Yet, especially the Russian side uses it a lot for just that - there are reports of “secret groups” used for front-line command or control, correction of fire or as a channel for communication with spies and collaborators in Ukraine. Except these “secret groups” really aren’t, at least not in OPSEC and cryptographic sense (groups can’t use E2EE in Telegram).This is one purely marketing win for Telegram, because even mainstream journalists notoriously confuse these concepts.Yes, it is technically possible that a Russian operator opens an actual “secret chat” with each of his collaborator, but it’s highly impractical and I doubt majority of them do it. Which is further confirmed by the panic caused by detention of Durov in Russian military channels 🤷In any case, France taking over Telegram infrastructure is still highly speculative - the main point of the arrest is almost complete lack of moderation in Telegram, even for the most severe CSAM (child abuse) content. While in Russia arrest of Durov would likely lead to his genitals being connected to a field telephone in order to convince him to hand over the infrastructure (that’s why he ran away from Russia in the first place), in #France he will be likely just subject to a regular, boring law enforcement process that ends with a trial and suspended sentence, at best, if he agrees to improve content moderation. Part of the panic in Russia is that Russian routinely project the practices of their own law enforcement onto everyone else.
       
 (DIR) Post #AlK7eGigtKoEpYf6nI by m0xee@social.librem.one
       2024-08-25T11:11:26Z
       
       2 likes, 1 repeats
       
       @kravietz&gt; group chats can’t be end-to-end encrypted (E2EE), so their contents are readable to at least Telegram operatorsOnly today this came to me: little is known about it in the rest of the world, but due to sanctions, Russian enterprises and government organizations can&#39;t acquire proper security certificates recognised by most widely used browsers.
       
 (DIR) Post #AlK7uoAoHPL5DahXQe by m0xee@social.librem.one
       2024-08-25T11:14:26Z
       
       0 likes, 0 repeats
       
       @kravietzTo avoid the suspiciously looking warnings they have made their own certification authority and are actively encouraging users to install this CA certificate to their systems. With this cert in the system, MITMing anything gets relatively easy.
       
 (DIR) Post #AlK7wCOxgXl6eNz3QW by m0xee@social.librem.one
       2024-08-25T11:14:42Z
       
       1 likes, 0 repeats
       
       @kravietzThus communication of Russians, most of which have to have this cert installed (they still have to use banks and government-provided services) over non-E2E-encrypted messengers such as Telegram are in theory &quot;transparent&quot; to Russian &quot;law enforcement&quot;. I don&#39;t know though, if Telegram apps perform any checks and give you any warning if the non-expired certificate gets replaced all of a sudden.
       
 (DIR) Post #AlKHQnnC89e2tIzCCG by robryk@qoto.org
       2024-08-25T13:00:59Z
       
       0 likes, 0 repeats
       
       @m0xee @kravietz Huh? I see e.g. yandex using totally normal DV TLS certs from GlobalSign.Do you mean EV certs, or something other than TLS certs?
       
 (DIR) Post #AlKHVqTVaIsQetBOT2 by ackasaber@mathstodon.xyz
       2024-08-25T13:01:58Z
       
       0 likes, 0 repeats
       
       @m0xee @kravietz What prevents them from using a certificate issued for an... ahem... Armenian-based company?
       
 (DIR) Post #AlKJmZ060UalIHWbSK by m0xee@social.librem.one
       2024-08-25T13:27:25Z
       
       0 likes, 0 repeats
       
       @robryk Yandex might be compromised and has security services representatives on board — therefore should no be trusted, but it&#39;s not officially a state-owned company — they might be exempt to these sanctions, but they still distribute their own Yandex Browser with said CA baked in. Few others might be using certs that are still valid — those didn&#39;t get revoked, they just can&#39;t renew them.@kravietz
       
 (DIR) Post #AlKJqCGWTeQHwNwOnY by m0xee@social.librem.one
       2024-08-25T13:28:04Z
       
       0 likes, 0 repeats
       
       @robryk It was on the news in 2022, e.g. here: https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/In Russia it&#39;s a well known fact, maybe not so much outside of it, hence my remarkCheck out https://sberbank.ru/ for example, this is one of the biggest banks in Russia and their cert expired only just recently.@kravietz
       
 (DIR) Post #AlKLP2Sr0dl5dHt1aC by m0xee@social.librem.one
       2024-08-25T13:45:34Z
       
       0 likes, 0 repeats
       
       @ackasaberWell, Armenian company is unlikely to hold certificates issued to host names used by Telegram, with compromised CA you can do lots of interesting things. For example I hate ajax.googleapis.com so I&#39;ve made a local mirror of it (you can use Decentraleyes or other such extensions, but why bother if you can have a more fundamental solution), of course I can&#39;t legitimately issue a certificate to a host name owned by Google, so it uses my own cert.@kravietz
       
 (DIR) Post #AlKLTQNy0rT0ytgxjE by m0xee@social.librem.one
       2024-08-25T13:46:22Z
       
       0 likes, 0 repeats
       
       @ackasaberNormally a browser would detect that and refuse to connect giving you a warning or silently fail if such a host is only a source of scripts images, but as I have my own CA, all my computers have its cert installed, all the certificates I sign with it become trusted and it works 😁It&#39;s just something that I realised today (well, yesterday in fact, before Durov got apprehended). There might be other caveats, I&#39;m not a security researcher, otherwise I&#39;d do a proper writeup.@kravietz
       
 (DIR) Post #AlKRFNPkrWabRADGAy by robryk@qoto.org
       2024-08-25T14:51:02Z
       
       0 likes, 0 repeats
       
       @m0xee @kravietz Ah, got it -- it&#39;s about ~state-owned enterprises as opposed to all Russian ones.
       
 (DIR) Post #AlKSIsGGjKybvk0WhM by m0xee@social.librem.one
       2024-08-25T15:02:54Z
       
       0 likes, 0 repeats
       
       @robryk Yes, that statement was indeed too broad, sorry!I&#39;m not sure that Yandex is exempt BTW, not versed enough in this topic to tell. They did have to split off the operations in Russia into a separate company and distance the main one from it, maybe they are affected by a different set of sanctions and have problems of their own coming 🤷@kravietz