Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 12 Sep 2018 09:33:19 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Dhiraj Mishra <mishra.dhiraj95@...il.com>, oss-security@...ts.openwall.com
Subject: Re: tdesktop leaks user IP address

Hi Dhiraj--

On Tue 2018-09-11 17:25:47 +0530, Dhiraj Mishra wrote:
> tdesktop leaks user IP address
> 
> This is still not fix in telegram desktop  team says their is nothing to
> fix here and this is working has intended.

Thanks for this report -- it's good to have people looking at metadata
leakage and considering it as a security concern.  It is.

However, i'm not convinced that you've described the problem you're
seeing well enough to be actionable yet.  In particular, it's not clear
to me *whose IP address* you are concerned about leaking, and *where*
you are concerned about it leaking.  It's also not clear to me that
you've evaluated the impact/consequences of your proposed mitigation.

I've written out several questions below in the hopes of helping clarify
the concern, and figuring out what makes sense to do about it.  Please
take these questions in the spirit of constructive engagement!

> tdesktop: https://github.com/telegramdesktop/tdesktop
>
> *Steps to reproduce:*
> 1. ./Telegram
> 2. Call end user
> 3. The access log on CLI reveals the end user public IP address.

let's give the parties involved in this names so that it's easier to
reason about.  Let's say that the call Initiator is Inigo, and that the
call recipient is Rebecca.  So Inigo takes steps 1 and 2.  Whose public
IP address (Inigo's?  Rebecca's?) leaks into which access log
(Inigo's?  Rebecca's?  both?)?

Is the concern really the inclusion of the IP address in the access log,
or is it the fact that Rebecca's public IP address is visible to Inigo,
and vice versa?  To whom else is this IP address visible?  Another way
of asking this is: who is the adversary you're concerned about learning
this IP address information?

 * someone looking at some specific logfile in the future?

 * the other party on the call during the call? (i.e. Inigo is Rebecca's
   adversary, and vice versa)

 * the Telegram server operator?

 * a network monitor inspecting traffic?

 * …

> By default in tdesktop p2p is enable, which open a direct communication
> when calling to the other user, potentially seeing his/her IP. Telegram is
> supposedly is a secure messaging application but while calling another user
> leaks his/her public IP address in access log. However, by navigating to
> Settings and Privacy  > Calls > and set P2P to `nobody` in telegram apps in
> (iOS and android) will not allow others to view public IP of end user, but
> this option is still not available in tdesktop, which makes tdesktop
> vulnerable to this issue.

Who needs to set P2P to "nobody" to have this change?  If either party
makes this choice is it sufficient for a given call?

Presumably turning off P2P means routing the calls through a central
server (perhaps via STUN/TURN or some other relay/proxy equivalent).  If
that's not the case, how are calls completed when P2P is disabled?  Who
operates that central server?

What is the performance impact (on rates of successful connections, on
latency during calls) of such a change?

Is the central server operator already in a position to be able to force
this shift from P2P to a centralized fallback?  What cost(s) would they
pay if they force this shift?

How does the potential for centralized mass surveillance of call traffic
change if all calls are routed through the central server by default?

Regards,

       --dkg

Download attachment "signature.asc" of type "application/pgp-signature" (228 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.