by throwawayKiwi9 1356 days ago
It still looks like users that enable the previously mentioned option and/or verify sessions accordingly are fine. I'm just trying to clarify a simple guideline for users looking to continue using Matrix securely with confidence.

It doesn't look remotely like that, given the description the previous comment provides.
"if you follow these instructions without fail, Matrix can provide you with confidentiality and authentication." I was hoping the researchers could clarify these simple mitigation instructions to protect users, assuming they already know how to use Element.
Do you think saying things like "if you follow these instructions without fail" makes Matrix security look better?
Yes. I have used Matrix professionally for years and it's pretty simple for me to understand and follow what is unnecessarily editorialized here to keep my conversations safe. I don't understand why this language is not being simplified to keep Matrix users safe, as that should be the highest goal of this entire situation.
The typical standard for a system that purports to offer cryptographically secure communication to end-users is that it does it by default rather than 'only does it if the user does these specific things otherwise it doesn't'. This isn't some controversial thing or topic of particularly serious debate.
I agree wholeheartedly and this is why I use Matrix. The fact that a vulnerability of this magnitude can largely be defeated with precautions, albeit non-ideal, is a real testament to the power of e2e. Hopefully we will see the fixes these non-default settings recommendations very soon.