@Yuvalne don't get me wrong, I think the handling of the libolm issue was terrible.

But I also think this is shouting fire in a crowded theatre because someone lit a lighter.

@Yuvalne where's the CVE from the Signal project for exactly the same issue, then?

Non-Contributory Keys in the Matrix, or: Why I think the reports of cryptographic issues in Matrix’s Vodozemac are somewhat overblown.

Some of you may have seen my earlier post on this. I thought it was worth a more comprehensive writeup.

Re “Cryptographic Issues in Matrix’s Rust Library Vodozemac, s1. Olm Diffie-Hellman Accepts the Identity Element”

So if you’re talking to me and I’m malicious, I can send you the ed25519 identity point and force the output of our ECDH agreement to all zeroes. That sounds bad, right? You think we’re having an encrypted conversation, but in fact that encryption is completely useless.

Now, have a ed25519 key pair:

pub 6a175eb9529f5fbbfcbb84b80e451ea8eb976653fd40da4b7b9f98d0db66031f
prv c0bf3874dfa3032ce85cf75db06f0763a3b9296c957d1fe203a318ba63049d3c

(I generated this with the Go playground)

I send you that public key. We negotiate a shared secret with each other. We’re secure right? Well, no, because anyone who’s read this post knows my private key and can compute the same key we just negotiated.

Should you be checking for that public key too? Of course not, that’s nonsense.

Soatok would of course recommend that you use Signal instead. This case is so critical that Signal checks for it, right? Yeah, it does… as of a week ago

(It’s a tad difficult to compare to what Signal is doing, because Signal has removed X3DH in favour of PQXDH, a post-quantumn hybrid replacement, and I can’t quite find the last version of libsignal that supports X3DH. But I don’t see it in an ancient version of their library which did do X3DH either)

I don’t even really like Matrix and there are certainly a lot of flaws in the protocol in general, but this vulnerability announcement feels like more hype than substance to me.

@manawyrm

• definitely
• you wrap the unmodified TLS bytestream in it
• yeah….

@manawyrm

EDIT: I don’t even know how they want to add this header in HTTPS traffic… Maybe (i hope?) this whole article really is just hallucinated

Hopefully they’re using the Proxy Protocol.

But I have this horrible suspicion they’re not…

@manawyrm when Mythic Beasts did an IPv4 to IPv6 proxy for VPSes/Pis without IPv4 addresses it was cute.

But this… This is horrific. This is a crime against all that is good in this world. How is your internal infrastructure so fucked up you need to do this. How is everyone involved in this not dying of embarassment.

@manawyrm i.. i’m speechless

@drscriptt @jhaas @alexband what would stopping a leak look like to you?

We’ve already seen a number of route leaks stopped or majorly suppressed by ROA validation, and ROA validation is far less capable in this regard than ASPA.