Security Issues in Matrix’s Olm Library (Including ongoing discussion)
Security Issues in Matrix’s Olm Library (Including ongoing discussion)
I don’t consider myself exceptional in any regard, but I stumbled upon a few cryptography vulnerabilities in Matrix’s Olm library with so little effort that it was nearly accidental. It…
I'm reposting the article with the developing discussions around it as it probably deserves more reach. Devs are 50% "it's impossible to do anyways, sensationalism it's FUD", the other 50% is in disarray and being wtf. I'm not a cryptographer though
More discussion here, where Nheko devs refuse to update to Vodozemac: https://github.com/Nheko-Reborn/nheko/issues/1786
Others discussions: https://github.com/quotient-im/libQuotient/issues/780
https://github.com/mautrix/go/issues/262
https://github.com/NixOS/nixpkgs/pull/334638
https://github.com/krille-chan/fluffychat/issues/1258
https://github.com/NixOS/nixpkgs/pull/334638/commits/e4767b4727589567da29a90a71947c2bdbe43988
OP's old gist about Matrix: https://web.archive.org/web/20240606031827/https://gist.github.com/soatok/8aef6f67fec9c702f510ee24d19ef92b
Matrix developer reply: https://news.ycombinator.com/item?id=41249371
From what I understand, for now, Vodozemac, the new Rust implementation, is unusable in other languages than Rust because its bindings are broken. FluffyChat developers seem to be working on fixing them, though.
I think what's more worrying than the exploits is the attitude of the client developers, and the Matrix developer that replied.
Many years ago, security meant association with groups powerful enough to ensure it.
As the simple field sabotage methods applied to open source projects reach their culmination, consider ensuring that any security you rely on is backed up by that old concept.