[martinralbrecht]

Since Matrix (and thus BundesMessenger?) currently doesn't provide standard security guarantees for its end-to-end encryption (the mitigation to the "Simple confidentiality break" from https://nebuchadnezzar-megolm.github.io/ is still in the design phase; same for the IND-CCA break, but that doesn't seem exploitable in practice) I wonder how much the German government cares about E2EE for its civil servants? The blog post mentions E2EE prominently, but any insights to share on whether that mattered for this particular adoption?

[Arathorn]

Gematik co-funded the most recent Matrix audit of vodozemac[1], and is poised to fund 3 more (of matrix-rust-sdk-crypto, matrix-rust-sdk and the whole stack end-to-end) to ensure the E2EE is where it needs to be. So I'd say that the German government definitely cares about E2EE for its civil servants, and we're very grateful for them funding security research.

Meanwhile, BWI is helping fund the work needed to address clientside controlled room membership (https://github.com/matrix-org/matrix-spec-proposals/pull/391...) as highlighted in your paper, as well as TOFU... and they're also funding work to provide MLS as an option for E2EE in Matrix too[2].

Unsure why you're talking about the unexploitable IND-CCA break :)

[1] https://matrix.org/blog/2022/05/16/independent-public-audit-...

[2] https://www.golem.de/news/bwmessenger-vom-messenger-der-bund...

[martinralbrecht]

Cool, thanks! That's interesting to know. Do you know how they deal with FOI and auditable communications in this case?

PS: I talked about the seemingly unexploitable IND-CCA vulnerability because it means Matrix can't give you some security guarantees: It should be fine - we don't have an exploit, only a vulnerability - but it is not clear how to reason to arrive at "there cannot be an exploit". If you care about security guarantees, you care about it.

[Arathorn]

Good question about FOI and audit; unsure for their deployment. In general we use audit bots when needed (which are visible in the member list), and even in a client-controlled-membership world, they would complain bitterly if they saw traffic which they didn’t have the keys for.

Fair enough on IND-CCA; as you know, we are fixing it anyway.

[walterbell]

> BWI.. also funding work to provide MLS as an option for E2EE in Matrix, https://www.golem.de/news/bwmessenger-vom-messenger-der-bund...

Good news that BWI is funding a Matrix implementation of the multi-vendor IETF standard MLS group messaging E2EE protocol.

The (translated to English) linked reference doesn't mention MLS, is it correct?

[Arathorn]

oops, https://www.golem.de/news/bwmessenger-vom-messenger-der-bund... might be the right link