Are there any plans to do a security audit on Riot? The useful report by NCC [1] looks at libolm (which implements the end-to-end encryption) but of course that's only part of the whole product.
Note that that report explains that the Double Ratchet E2E algorithm is used in Matrix, in large part because of the Open Whisper Systems implementation in Signal and subsequent licensing. So we're looking at an apples-to-apples comparison, at least with respect to this one piece.
Yes, it seems like a good choice of algorithm. And it seems like the implementation is also decent - they looked at that as well. It's a useful report and kudos to Open Technology Fund for funding it and to Matrix for making it public!
Still, this is only one piece of the overall security of Riot, so I'm still interested in knowing if there's any work going on looking at the bigger picture.
Yes. Once the E2E implementation is fully finished and out of beta, and once we have a non-beta homeserver (as Synapse is still technically in beta, albeit very late beta), we'll be going to NCC and working out how to do an audit of the whole enchilada (homeserver + olm + matrix-js-sdk + matrix-react-sdk + riot-{web,ios,android}). This may well end up being broken down into separate components, much as the Olm audit was limited to the Olm component. At the current rate this should happen at some point in 2017.