Re “Cryptographic Issues in Matrix’s Rust Library Vodozemac”, s1.
-
So if you’re talking to me and I’m malicious, I can send you the ed25519 identity point and force the output of our ECDH agreement to all zeroes. That sounds bad, right? You think we’re having an encrypted conversation, but in fact that encryption is completely useless.
Now, have an ed25519 key pair:
pub 6a175eb9529f5fbbfcbb84b80e451ea8eb976653fd40da4b7b9f98d0db66031f prv c0bf3874dfa3032ce85cf75db06f0763a3b9296c957d1fe203a318ba63049d3c (I generated this with the Go playground)
I send you that public key. We negotiate a shared secret with each other. We’re secure right? Well, no, because anyone who’s read this post knows my private key and can compute the same key we just negotiated.
Should you be checking for that public key too? Of course not, that’s nonsense.
Soatok would of course recommend that you use Signal instead. This case is so critical that Signal checks for it, right? Yeah, it does… as of a week ago.
(It’s a tad difficult to compare to what Signal is doing, because Signal has removed X3DH in favour of PQXDH, a post-quantum hybrid replacement, and I can’t quite find the last version of libsignal that supports X3DH. But I don’t see it in an ancient version of their library which did do X3DH either)
I don’t even really like Matrix and there are certainly a lot of flaws in the protocol in general, but this vulnerability announcement feels like more hype than substance to me.
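The two cases the post above contrasts, as an added example that is not part of the thread: a pure-Python X25519 (the Curve25519 Diffie-Hellman function of RFC 7748, assumed here to be the exchange under discussion) shows that a low-order peer point forces an all-zero shared secret, which the output check the post credits Signal with rejects, while a peer whose private key is public produces an ordinary-looking secret that no check on the output can flag. All key material and helper names (`shared_secret`, `third_party_recovers`, the Alice/Bob keys) are constructed for this example.

```python
# Added example (not the thread's code): X25519 per RFC 7748 in pure Python,
# contrasting a low-order peer point with a peer whose private key is public.
P = 2**255 - 19                       # field prime
A24 = 121665                          # (486662 - 2) / 4
BASE_POINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248; k[31] &= 127; k[31] |= 64    # RFC 7748 scalar clamping
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder of RFC 7748 section 5; returns the u-coordinate of k*u."""
    n = _clamp(k)
    x1 = (int.from_bytes(u, "little") & (2**255 - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def shared_secret(my_priv: bytes, peer_pub: bytes) -> "bytes | None":
    """ECDH with the output check the post credits Signal with: None when the
    result is all zeros, which every low-order peer point (u = 0 included) gives."""
    s = x25519(my_priv, peer_pub)
    return None if s == bytes(32) else s

# Constructed key material (not the thread's values); hypothetical names.
ALICE_PRIV, BOB_PRIV = bytes(range(1, 33)), bytes(range(33, 65))
ALICE_PUB, BOB_PUB = x25519(ALICE_PRIV, BASE_POINT), x25519(BOB_PRIV, BASE_POINT)
IDENTITY_POINT = bytes(32)            # u = 0; u = 1 is another low-order point

def third_party_recovers(published_priv: bytes, victim_pub: bytes, secret: bytes) -> bool:
    """Whoever holds a peer's published private key derives the same secret and the
    output check passes: the "known private key" case cannot be detected this way."""
    return shared_secret(published_priv, victim_pub) == secret
```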
-
Non-Contributory Keys in the Matrix, or: Why I think the reports of cryptographic issues in Matrix’s Vodozemac are somewhat overblown.
Some of you may have seen my earlier post on this. I thought it was worth a more comprehensive writeup.
-
RE: https://433.world/@Yuvalne/116092685984966878
@erincandescent it's not the vulnerability, it's the attitude.
-
@Yuvalne where's the CVE from the Signal project for exactly the same issue, then?
-
@Yuvalne don't get me wrong, I think the handling of the libolm issue was terrible.
But I also think this is shouting fire in a crowded theatre because someone lit a lighter.
-
@erincandescent more like "we definitely shouldn't go to this theatre" because the theatre told you they don't intend on having fire extinguishers and escape exits.
@erincandescent i mean the blogpost opens exactly with that point.
> Two years ago, I glanced at Matrix’s Olm library and immediately found several side-channel vulnerabilities. After dragging their feet for 90 days, they ended up not bothering to fix any of it.
> ...
> So, at that point, my public stance on Matrix became, simply:
> Don’t use Matrix.
it then goes on to talk about the disclosure timeline and why it looks like it does, and only *then* does it dive into the issues.
-