[Arathorn]

You are completely misinterpreting my quote, which makes me question whether you are acting in good faith.

Totally agreed that Signal servers cannot just add a device to a group chat.

What I saying was: in any system, you have to verify users for security in general. Having verified users in Matrix, you then get a massive red warning if an unverified device is added to their accounts. Given we have cross-signing (i.e. users are heavily encouraged to verify their own devices when they log in), you can be sure that such unverified devices are malicious and take appropriate action.

The obvious thing we could do is to go one step further (as we used to, until we backed it out in https://github.com/matrix-org/matrix-react-sdk/pull/3837) and stop messages from flowing until the unverified device has been dealt with. Even better would be to make group membership controlled by the clients, so the server can't add devices at all. And we're working on this, as part of shifting the implementations over to the audited matrix-rust-sdk-crypto implementation to avoid having to solve the problem in quadruplicate.

> I would challenge you to get one reputable cryptographer to back what you’re claiming about these vulnerabilities and your proposed fixes.

Hopefully someone will pop up here and confirm that I'm not talking shit :) Failing that, you'll have to wait for the next Least Authority audit - we have another independent public audit queued once this wave of work finishes to address the "To me Matrix isn't secure" polemicists. You can see the last one (on the crypto layer, rather than the group membership layer) at https://matrix.org/blog/2022/05/16/independent-public-audit-... fwiw.

[cvwright]

It’s encouraging to hear that you’re getting an audit of the new approach.

Reading over the new design doc for authenticating membership events, and the Github comments, it feels like this is a case for some sort of model checking or automated theorem proving. Manually verifying that the new system does everything we want seems… tough.

[tptacek]

Here I'll point out that Matrix had audits commissioned prior to this research as well. Audits are a good thing, but one reason the previous audits didn't hit on this stuff is that the scope of the audit was sharply limited.

[Arathorn]

Totally agreed. We didn’t have the $ to do more than libolm at first, and then we did vodozemac in May. That one was the first of 4 planned audits, the rest of which go up the rest of the stack (respectively matrix-rust-sdk-crypto, matrix-rust-sdk, and then end-to-end across the whole stack). It is very frustrating we couldn’t do the rest of the stack sooner - and this hopefully explains why we are consolidating on matrix-rust-sdk prior to getting it audited.

Ironically, the drama over this paper is now putting funding for the other audits at risk, however - as who wants to fund a project with a bunch of loud infosec folks declaring it shit?

[shaldengeki]

> Ironically, the drama over this paper is now putting funding for the other audits at risk, however - as who wants to fund a project with a bunch of loud infosec folks declaring it shit?

I'm not familiar with how the funding here works - can you describe the process by which audits would be abandoned as a result of internet commentary? Who is threatening to withhold funding for future audits? From my outsider's perspective, that would seem like _incredibly_ poor decision-making on behalf of the Matrix folks.

[Arathorn]

The process is:

* Audits cost $$$K

* The Matrix project doesn’t have pots of money sitting around to spend on audits. We get around $8K/month of donations on Patreon, which currently doesn’t even cover the running costs of matrix.org.

* Therefore, to get an audit done, we need to find a someone who is so excited about Matrix that they’ll fund it. For instance, the most recent audit was funded by Gematik, the German healthcare interoperability agency.

* However, the reason that folks like this get excited about Matrix is because they want a secure decentralised open communication platform. If the perception of Matrix shifts that its security is “killed dead” or other such hyperbole due to the infosec community reacting to the overclaims in the paper, then it obviously undermines that interest in Matrix. Who wants to use a protocol whose security is declared dead by cryptographers? And so who would want burn money funding audits?

This may sound dramatic, but unfortunately it’s really how it works. Just as academic papers rely on presenting the most dramatic interpretation to get attention and boost their visibility and help them get funding… similarly, open source projects get disproportionately harmed by dramatic overclaims.

[tptacek]

It would behoove you to stop saying that the paper "overclaims" things. Maybe you believe I've "overclaimed" things, by saying that the paper killed your protocol as dead as TLS 1.0. I stand by that argument, but the paper's authors made no such claim. It's a dry, detailed, factual paper that just happens to rattle off a bunch of vulnerabilities both in your protocol and in Element's implementation of it.

[shaldengeki]

Thank you for the clarification! Appreciate the candor here re: Element not being able to afford audits on its own. I get now why you might perceive commentary about security research as an existential threat.

For whatever it's worth, the specific thing you're doing with calling the discussion hyperbole and "overclaims" makes it harder for me to take you seriously.

[progval]

Can't Element (the company) fund audits?

[matrigno]

What is the cost of a comprehensive audit?