(no title)
dodgerdan | 3 years ago
And a “warning” that says something like “your group chat has been compromised by someone with access to the server or it might just be bob bought a new phone” is laughable as a status quo.
dodgerdan | 3 years ago
And a “warning” that says something like “your group chat has been compromised by someone with access to the server or it might just be bob bought a new phone” is laughable as a status quo.
Arathorn|3 years ago
Then, if you've done that, and an unverified device is added to the conversation, the warning shows up and explicitly means "your group chat has been compromised" - just like a big red TLS warning on a webpage means "this certificate is bad". It does *NOT* mean that "it might just be bob bought a new phone"; if bob bought a new phone, he'll have verified it when he logged in, and so the warning doesn't show up.
Anyone who actually uses Matrix will be familiar with the fact that it's pretty rare to see a big red X on a user who you've verified, and when it happens, you go ping them to ask wtf is going on - much like you'd ping the webmaster of a site whose TLS certificate is bad. This is why the Matrix community is not up in arms about this "vulnerability" - it is literally following the intended design, right from the point that we announced verification back in https://element.io/blog/e2e-encryption-by-default-cross-sign....
Now, this design can absolutely be improved on - at the least, we could go back to freezing the room whenever there's an unverified device, forcing the users to decide how to flush out the old device. Or we could switch to TOFU, and block unverified devices by default. But we've chosen to prioritise migrating the clients onto a single E2EE codebase (matrix-rust-sdk-crypto) first, so we do that work in a single place, rather than in quadruplicate across matrix-{js,ios,android,rust}-sdk.
dodgerdan|3 years ago
I’ve read your blog posts and this comment, congratulations it seems to have satisfied most people. Howerver it is NOT the same as Signal. Signal servers cannot just add a device to a group chat.
I would challenge you to get one reputable cryptographer to back what you’re claiming about these vulnerabilities and your proposed fixes.
To me Matrix isn’t secure, the organizations responses to these disclosures has been poor and the “fixes” weak.
martinralbrecht|3 years ago
"In environments where cross-signing and verification are enabled, adding a new unverified user adds a warning to the room to indicate that unverified devices are present. However, it is possible for a homeserver to add a verified user to rooms without changing the security properties of the room. This allows a colluding homeserver and verified user to eavesdrop on rooms not intended for them. In other words, the warning regarding unverified devices is independent to whether the device is intended to participate in the specific room. Finally we note that users may, of course, simply ignore warnings." https://nebuchadnezzar-megolm.github.io/static/paper.pdf
DyslexicAtheist|3 years ago
https://securitycryptographywhatever.buzzsprout.com/1822302/...
Arathorn|3 years ago
Honestly, this whole thing shows the infosec community at its worst: optimising for sensationalism/drama/press-coverage over constructive criticism and research. And it's particularly grating when the target is a mission-driven non-profit FOSS project, rather than a bungling megacorp vendor or whatever. Meanwhile things like OpenSSL RCEs or even Signal RCEs like https://thehackerblog.com/i-too-like-to-live-dangerously-acc... fly past without the researchers doing the podcast circuit(!)