Hacker News new | ask | show | jobs
by martinralbrecht 1281 days ago
This isn't correct. Several of our attacks succeeded without any warnings popping up.

Furthermore, you need to distinguish between what Element happened to do (which users may or may not watch out for) and what the standard demanded.

Note that at this point, as far as I understand it, there is no dispute between us - the authors of this research - and the Matrix developers about that leaving group membership under the control of the server was a bad and avoidable design decision. The Matrix developers are working on a spec change/fix which resolves this, linked elsewhere in this thread.
1 comments
Arathorn 1281 days ago
The problem is that the paper conflates legitimate implementation vulns (fixed back in Sept) which indeed allowed for practical attacks… with the “group membership controlled by server” issue, which is debatable. Hence folks writing off the remaining issues as ‘academic at best’.

It really would have been better to separate the legit vulns from the group membership question, as mixing them up just confuses people, as per this whole thread.

link
tptacek 1281 days ago
Can I ask what's debatable about the group membership issue? That it exists, or that it's as important as people like me say it is?
link