Comment by hobobaggins
2 years ago
It's not really a bug. It's a design decision.
There's no clear solution for it from an encryption perspective without big tradeoffs (like requiring all participants to be online at the same time).
Besides, the larger the group, the more likely that one of the nodes has been compromised anyway. Everything's a tradeoff -- don't depend on the security of a single solution if you're really trying to keep a secret; defense in depth.
You haven’t shown that this flaw is in Signal in addition to Matrix.
I heard about Matrix having that exact flaw, and if Signal had the same flaw, it would be big news. I remember Signal saying that they are not vulnerable.
> There's no clear solution for it from an encryption perspective without big tradeoffs (like requiring all participants to be online at the same time).
I wonder if that's why Telegram's secret chats do in fact require users to be online at the same time for key exchange. I've used it before and I had to wait a while for the other party to come online.
If this were true, I would expect there to be additional sources besides a random anonymous HN comment.
It depends. One good discussion:
https://crypto.stackexchange.com/questions/77319/triple-diff...
That is also valid for 1:1 chats, not specific to groups. It says "if you don't check the key of the remote party via a secondary channel, you are vulnerable to a MITM attack if the server is owned".
Which is obvious: every single E2EE tool which is centralised is susceptible to it, but I would wager that decentralised ones are too, although maybe harder to realise.
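As an added illustration of the point made in the last two comments (this is example code written for this page, not code from the thread or from Signal, Matrix or Telegram): a central directory that hands out public keys can substitute its own, and the only thing that catches it is the secondary-channel fingerprint comparison the comment describes. The Diffie-Hellman group, the key server classes and the user names are constructed toy assumptions so the script runs with the Python standard library alone; real messengers use X25519 inside an authenticated key-agreement protocol.

```python
"""Added example: why out-of-band key verification matters when a central
server distributes public keys. Everything here is constructed for
illustration; the group is a toy and must not be used for real traffic."""
import hashlib
import secrets

# Toy group: Mersenne prime 2**127 - 1 with generator 3 (constructed assumption).
P = (1 << 127) - 1
G = 3


def keypair():
    """Generate a toy Diffie-Hellman private/public key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(my_priv, their_pub):
    """Derive a session key from our private key and the peer's public key."""
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).hexdigest()


def fingerprint(pub):
    """Short hash of a public key: the value users read to each other out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


class KeyServer:
    """Central key directory, assumed honest: returns keys exactly as published."""

    def __init__(self):
        self.directory = {}

    def publish(self, user, pub):
        self.directory[user] = pub

    def lookup(self, user):
        return self.directory[user]


class OwnedKeyServer(KeyServer):
    """Same directory, but whoever controls the server answers every lookup
    with a key they hold the private half of (constructed failure mode)."""

    def __init__(self):
        super().__init__()
        self.mitm_priv, self.mitm_pub = keypair()

    def lookup(self, user):
        return self.mitm_pub


def run_session(server):
    """Alice and Bob set up a session through `server`.

    Returns the session keys each side derived, whether a secondary-channel
    fingerprint check would have passed, and whether the server could derive
    Alice's session key itself (the test uses the last field)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    server.publish("alice", a_pub)
    server.publish("bob", b_pub)

    bob_as_delivered = server.lookup("bob")
    alice_as_delivered = server.lookup("alice")
    alice_secret = shared_secret(a_priv, bob_as_delivered)
    bob_secret = shared_secret(b_priv, alice_as_delivered)

    return {
        "alice_secret": alice_secret,
        "bob_secret": bob_secret,
        # Secondary channel: compare the delivered key's fingerprint with the
        # fingerprint the peer shows in person. This is the only step that
        # distinguishes an honest directory from an owned one.
        "alice_verified_bob": fingerprint(bob_as_delivered) == fingerprint(b_pub),
        "bob_verified_alice": fingerprint(alice_as_delivered) == fingerprint(a_pub),
        "server_can_read_alice": (
            isinstance(server, OwnedKeyServer)
            and shared_secret(server.mitm_priv, a_pub) == alice_secret
        ),
    }


if __name__ == "__main__":
    for label, srv in (("honest server", KeyServer()), ("owned server", OwnedKeyServer())):
        r = run_session(srv)
        print(f"{label}: keys match={r['alice_secret'] == r['bob_secret']}, "
              f"fingerprints verified={r['alice_verified_bob'] and r['bob_verified_alice']}")
```

Both sessions "succeed" from the user's point of view: encryption works and messages flow. Only the fingerprint comparison over a channel the server does not control reveals that the owned server handed each party its own key, which is exactly why the linked discussion says the check applies to 1:1 chats as much as to groups.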