PFS warning in RTS category false

From my understanding, this warning above is kind of false. Matrix does not have perfect forward secrecy, but it does have partial (every 100 messages / two weeks), making the “all past communications” part false. Jonah explained it pretty well, unless I am misinterpreting it.

If I am wrong, please correct me, but it seems like the part of the warning that says:

“Any key compromise among message recipients would affect the confidentiality of all past communications.”

Is at least false for Matrix / Element. If this has already been discussed before, please link it to me. Otherwise, I would recommend clarifying that it doesn’t completely apply to Matrix. Nit-picky, I know, but I’m just trying to help.

1 Like

That is true from my understanding as well. I think the logic in regard to Matrix was that key backup “backs up all your keys” but that is kind of by design.

1 Like

The purpose of forward secrecy is generally to prevent the decryption of previous messages should the main private keys be compromised (such as on a compromised device).

Matrix does offer this, but with the key backup feature those session keys are also backed up. The purpose of that is so that if a user wants to add a new device, like a new phone, they can read previous messages, either by providing the passphrase or by doing verification with an older device.

With the passphrase for the backup, the original messages (all of them) could be restored, which isn’t forward secrecy, but that’s really a convenience feature. You don’t have to back up session keys; you can export them periodically to your device locally if you wish.

1 Like
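The behaviour described in the post above (a sender-key ratchet whose session keys rotate, giving "partial" forward secrecy, and a key backup that retains every session and so undoes it) as an added toy model. This is example code written for this thread, not Matrix, Element or Megolm code: the rotation thresholds are the figures quoted in the thread and are assumptions, the stream cipher is a deliberately simple SHA-256 construction rather than the real AES/HMAC scheme, and the three "devices" are simulated in one process.

```python
"""Toy model of a Megolm-style sender-key ratchet (added example, not Matrix code)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ROTATE_AFTER_MESSAGES = 100            # assumption: rotation period quoted in the thread
ROTATE_AFTER_SECONDS = 14 * 24 * 3600  # assumption: "two weeks", as quoted in the thread


def advance(ratchet: bytes) -> bytes:
    """One-way step: later ratchet values derive from earlier ones, never the reverse."""
    return hashlib.sha256(b"advance" + ratchet).digest()


def message_key(ratchet: bytes) -> bytes:
    return hmac.new(ratchet, b"message", hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter mode XOR). Illustrative only, not for real use."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


class OutboundSession:
    """A sender's current session: a ratchet value plus the index it currently sits at."""

    def __init__(self, now: int):
        self.session_id = os.urandom(8).hex()
        self.ratchet = os.urandom(32)
        self.index = 0
        self.created_at = now

    def needs_rotation(self, now: int) -> bool:
        return (self.index >= ROTATE_AFTER_MESSAGES
                or now - self.created_at >= ROTATE_AFTER_SECONDS)

    def export_state(self) -> Dict:
        """What a device is given: the ratchet at the *current* index, not at index 0."""
        return {"session_id": self.session_id, "ratchet": self.ratchet, "index": self.index}

    def encrypt(self, plaintext: bytes) -> Dict:
        msg = {"session_id": self.session_id, "index": self.index,
               "ciphertext": xor_keystream(message_key(self.ratchet), plaintext)}
        self.ratchet = advance(self.ratchet)   # the key for this message is now gone
        self.index += 1
        return msg


def decrypt(state: Dict, msg: Dict) -> Optional[bytes]:
    """Decrypt with a held state; None if the state cannot reach this message's index."""
    if state["session_id"] != msg["session_id"] or msg["index"] < state["index"]:
        return None
    ratchet = state["ratchet"]
    for _ in range(msg["index"] - state["index"]):
        ratchet = advance(ratchet)
    return xor_keystream(message_key(ratchet), msg["ciphertext"])


def readable(states: List[Dict], messages: List) -> int:
    """How many (plaintext, message) pairs a holder of `states` can recover."""
    return sum(1 for pt, msg in messages if any(decrypt(s, msg) == pt for s in states))


def simulate(num_messages: int = 250, late_device_joins_at: int = 180) -> Dict[str, int]:
    """Constructed scenario: one sender, three devices holding different key material.
    original: present from the start, holds every session from index 0.
    late:     added just before message `late_device_joins_at`, given only the live session
              at its current index (what a fresh device gets with no backup, per the thread).
    restored: the late device after restoring a key backup that kept every session state.
    """
    now = 0
    session = OutboundSession(now)
    original, backup, late, messages = [session.export_state()], [session.export_state()], [], []
    for n in range(num_messages):
        now += 60                                   # constructed: one message per minute
        if session.needs_rotation(now):
            session = OutboundSession(now)          # rotation: new ratchet, old one unreachable
            original.append(session.export_state())
            backup.append(session.export_state())
            if late:
                late.append(session.export_state())
        if n == late_device_joins_at:
            late.append(session.export_state())
        plaintext = f"msg {n}".encode()
        messages.append((plaintext, session.encrypt(plaintext)))
    return {"original": readable(original, messages),
            "late": readable(late, messages),
            "restored": readable(late + backup, messages)}


if __name__ == "__main__":
    print(simulate())   # a compromise of "late" exposes only what it was given; "restored" exposes all
```

With the thread's figures, messages 0 to 99 live in the first session, 100 to 199 in the second and 200 to 249 in the third; the late device, handed the second session at index 80, can read messages 180 onwards (70 of 250) and nothing before, which is the "partial" forward secrecy the thread describes. Once it restores a backup holding every session at index 0, it reads all 250, which is the convenience/forward-secrecy trade-off the post is making.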

Oh ok. If I understand, basically partial forward secrecy is optional, but not on by default, because the keys are still backed up for convenience. Does PG recommend not using this for privacy, or is it relatively safe for lower threat levels, like surveillance capitalism?

If you keep the security passphrase secret then there’s no risk. The alternative is to lose previous conversations which might be desirable for a short-term usage of an identity on Matrix.

1 Like

Somewhat unrelated, but in how many scenarios is PFS even helpful for it to warrant a warning?

If there’s a vulnerability in the client, and the attacker can get code execution, they can read all messages that are stored in the client anyway. Has there been any vuln in these clients that leaked the secret key only?

I guess it’s helpful for those who need communication to be ephemeral and are targeted by state actors who can obtain access to past encrypted communications from the server?

Oh ok. So it is still secure to use? I have not personally used Matrix, because of the aforementioned security concerns, but I will look into making an account. Thank you dngray!

It doesn’t make sense to use Matrix for 1:1 chats.

Why?

Yes

They’re not really real issues, besides not providing maximum security, which often comes at the cost of usability, like this one: being able to read previous messages. Signal, for example, simply tells you “nope” when you add a new device.

Why not, that’s a perfectly acceptable use case.

1 Like

Thank you so much dngray!