Comment by angry_octet
3 years ago
Matrix has fundamental security problems that they seem unwilling to fix. Almost a polar opposite to Signal.
This is categorically not true, as per https://matrix.org/blog/2022/09/28/upgrade-now-to-address-en....
The only practical issue raised by https://nebuchadnezzar-megolm.github.io/ which we didn’t already fix is the question over whether servers or clients should control group membership. Our position is that it’s okay for the server to control it as long as clients are warned if malicious users/devices are added. Fixing it properly is Hard: for instance, if you are chatting in a room and it turns out that a remote user kicked another remote user, but the kick was delayed in reaching you, you could keep chatting away encrypting messages for a user who is no longer in the room and theoretically should not be receiving them. Is this a security flaw? Or is this just how causality works? So we’re dealing with problems similar to that; hopefully we will be able to switch to client-controlled membership by end of year.
tptacek’s derision is not very constructive.
What security problems?
Genuinely curious, not trying to be antagonistic.
Commentary from tptacek: https://twitter.com/tqbf/status/1575259743278563329
on this paper: https://nebuchadnezzar-megolm.github.io/
Thanks.
Worth reading the response from Matrix as well (https://matrix.org/blog/category/security).
My first reactions are to wonder how many of these issues are associated with federated (as opposed to fundamentally decentralized) group chat in general. Matrix seems to be taking the position that some of these issues ultimately relate to trust vs lack thereof in the homeserver as a bottleneck.
I also wondered if there was a good security model for federated or decentralized group chat at all at the moment. I can't remember offhand if Briar was adding groups or not, but that's not federated.
What do you mean by "unwilling to fix"? They published a blog post addressing the exact issues you brought up.
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-en...
https://arstechnica.com/information-technology/2022/09/matri...