Cryptographic Issues in Matrix’s Rust Library Vodozemac - Dhole Moments

13 Likes

Wow. Cryptographic engineering has a very dangerous Dunning-Kruger confidence curve. Smart enough to get happy path working, but not enough to cover critical cases.

I forget if you said it or someone else, but getting cryptography wrong can quite literally kill people if it’s assumed to work as expected but is broken in subtle ways. Thinking of the direction for Matrix, it’s hard to believe low-hanging fruit was simply missed.

3 Likes

Another excellent writeup from you! Highly informative and educational.

Matrix (and their first-party messaging app Element) has been suffering numerous issues throughout the years. With its recent massive rollout of encrypted video conferencing, I was hoping it would finally be a step closer to becoming a MS Teams substitute.

It is saddening to see how they react to your report and how they spin (distort) your findings and wordings in their favour. It is ironic to see they claim themselves to be “WhatsApp and Signal replacement”, “Alternative to Microsoft Teams”, “Secure by design”, while dismissing various critical flaws throughout the years.

Their response to your latest report is the final nail in the coffin. I will give up on that platform completely, and I will stop encouraging people within my community to ditch Telegram for Element, even though I have no better alternatives to offer to larger groups (>1.5k members).

1 Like

Should Matrix be removed? I’ll make a separate post and link your article.

I never understood why Matrix was considered a good alternative to Discord. And I’m not talking security-wise. To me, the UX was just not polished enough. I only used Element, so maybe the UX is different for other servers, but I never bothered to try other ones because it just felt like too much work and too complicated. Maybe that’s on me for not being willing to delve into something new and federated. But if a person like me can’t be bothered to use Matrix, I doubt the general public will either.

Edit: Remove Matrix/Element mentions from Real-Time Communication - #23 by anonymous544