[Arathorn]

The point is that if your threat model cares about interception, you have to verify the identity of users out of band - same as Signal or WhatsApp or whatever.

Then, if you've done that, and an unverified device is added to the conversation, the warning shows up and explicitly means "your group chat has been compromised" - just like a big red TLS warning on a webpage means "this certificate is bad". It does *NOT* mean that "it might just be bob bought a new phone"; if bob bought a new phone, he'll have verified it when he logged in, and so the warning doesn't show up.

Anyone who actually uses Matrix will be familiar with the fact that it's pretty rare to see a big red X on a user who you've verified, and when it happens, you go ping them to ask wtf is going on - much like you'd ping the webmaster of a site whose TLS certificate is bad. This is why the Matrix community is not up in arms about this "vulnerability" - it is literally following the intended design, right from the point that we announced verification back in https://element.io/blog/e2e-encryption-by-default-cross-sign....

Now, this design can absolutely be improved on - at the least, we could go back to freezing the room whenever there's an unverified device, forcing the users to decide how to flush out the old device. Or we could switch to TOFU, and block unverified devices by default. But we've chosen to prioritise migrating the clients onto a single E2EE codebase (matrix-rust-sdk-crypto) first, so we do that work in a single place, rather than in quadruplicate across matrix-{js,ios,android,rust}-sdk.

[dodgerdan]

> The point is that if your threat model cares about interception, you have to verify the identity of users out of band - same as Signal or WhatsApp or whatever.

I’ve read your blog posts and this comment, congratulations it seems to have satisfied most people. Howerver it is NOT the same as Signal. Signal servers cannot just add a device to a group chat.

I would challenge you to get one reputable cryptographer to back what you’re claiming about these vulnerabilities and your proposed fixes.

To me Matrix isn’t secure, the organizations responses to these disclosures has been poor and the “fixes” weak.

[Arathorn]

You are completely misinterpreting my quote, which makes me question whether you are acting in good faith.

Totally agreed that Signal servers cannot just add a device to a group chat.

What I saying was: in any system, you have to verify users for security in general. Having verified users in Matrix, you then get a massive red warning if an unverified device is added to their accounts. Given we have cross-signing (i.e. users are heavily encouraged to verify their own devices when they log in), you can be sure that such unverified devices are malicious and take appropriate action.

The obvious thing we could do is to go one step further (as we used to, until we backed it out in https://github.com/matrix-org/matrix-react-sdk/pull/3837) and stop messages from flowing until the unverified device has been dealt with. Even better would be to make group membership controlled by the clients, so the server can't add devices at all. And we're working on this, as part of shifting the implementations over to the audited matrix-rust-sdk-crypto implementation to avoid having to solve the problem in quadruplicate.

> I would challenge you to get one reputable cryptographer to back what you’re claiming about these vulnerabilities and your proposed fixes.

Hopefully someone will pop up here and confirm that I'm not talking shit :) Failing that, you'll have to wait for the next Least Authority audit - we have another independent public audit queued once this wave of work finishes to address the "To me Matrix isn't secure" polemicists. You can see the last one (on the crypto layer, rather than the group membership layer) at https://matrix.org/blog/2022/05/16/independent-public-audit-... fwiw.

[cvwright]

It’s encouraging to hear that you’re getting an audit of the new approach.

Reading over the new design doc for authenticating membership events, and the Github comments, it feels like this is a case for some sort of model checking or automated theorem proving. Manually verifying that the new system does everything we want seems… tough.

[tptacek]

Here I'll point out that Matrix had audits commissioned prior to this research as well. Audits are a good thing, but one reason the previous audits didn't hit on this stuff is that the scope of the audit was sharply limited.

[Arathorn]

Totally agreed. We didn’t have the $ to do more than libolm at first, and then we did vodozemac in May. That one was the first of 4 planned audits, the rest of which go up the rest of the stack (respectively matrix-rust-sdk-crypto, matrix-rust-sdk, and then end-to-end across the whole stack). It is very frustrating we couldn’t do the rest of the stack sooner - and this hopefully explains why we are consolidating on matrix-rust-sdk prior to getting it audited.

Ironically, the drama over this paper is now putting funding for the other audits at risk, however - as who wants to fund a project with a bunch of loud infosec folks declaring it shit?

[shaldengeki]

> Ironically, the drama over this paper is now putting funding for the other audits at risk, however - as who wants to fund a project with a bunch of loud infosec folks declaring it shit?

I'm not familiar with how the funding here works - can you describe the process by which audits would be abandoned as a result of internet commentary? Who is threatening to withhold funding for future audits? From my outsider's perspective, that would seem like _incredibly_ poor decision-making on behalf of the Matrix folks.

[martinralbrecht]

A quick comment on this, we did address this in our paper:

"In environments where cross-signing and verification are enabled, adding a new unverified user adds a warning to the room to indicate that unverified devices are present. However, it is possible for a homeserver to add a verified user to rooms without changing the security properties of the room. This allows a colluding homeserver and verified user to eavesdrop on rooms not intended for them. In other words, the warning regarding unverified devices is independent to whether the device is intended to participate in the specific room. Finally we note that users may, of course, simply ignore warnings." https://nebuchadnezzar-megolm.github.io/static/paper.pdf