User Soatok published a blog post that detailed security issues with Matrix’s OLM library.
In response, a lead dev complained about the criticism on HackerNews and ended up admitting that they didn’t fix known side-channel vulnerabilities for years. (See addendum-2024-08-14 in the blog post).
Not only is Matrix just a dogshit and confusing experience in general, it’s evident it has issues with security as well as problematic development. It’s not acceptable for a team working with message encryption and communication to just disregard vulnerabilities like this. If PrivacyGuides cares about only recommending the most trustworthy software, they should seriously consider removing Element and Matrix recommendations and mentions from their website.
While this does seem bad, I would rather contact Matrix to hear their side of the story before picking up the pitchforks and torches. I’ll try to make some time for this today.
User Soatok published a blog post that detailed security issues with Matrix’s OLM library.
It is deprecated, almost no popular clients use it, you can see how the author linked affected Matrix clients which are all random forks that no one uses.
This author really likes to pick up on small issues and make a big deal out of it.
if you actually look at % of impacted clients, it’s tiny.
it’s pretty much any client that has E2EE and is not Element. in my earlier quick look at Alpine Linux repos this included: Fluffychat, Nheko, gomuks, NeoChat, Chatty, weechat-matrix. then i already know that still didn’t catch at least Cinny, which also is in Alpine, but includes libolm as wasm.
it’s literally all “Featured clients” listed on Matrix.org except Element and Element X.
i’ll put it another way. if anything other than New Vector is “tiny” and doesn’t matter, is Matrix a “rich ecosystem”?
Quoted directly from the HN discussion. I don’t think this is a small issue. Decentralized protocols should:
Have secure defaults and not push insecure implementations
Have a method to enforce all clients to use the most secure default and not depend on the goodwill of the author of the client.
Currently, for this issue, it seems Matrix did neither. Also I don’t think blaming the original article author is in good faith unless you can point out the technical flaws in their arguments.
Can someone explain how bad this kind of omission is?
From the standpoint of a noob, I gathered that side channel attacks are bad enough to potentially cause the extraction of a secret key.
However, it is unclear to me how feasible it is with the given algorithm being used and in the context of the Matrix protocol.
Multiple years. they said it themselves. also, element isn’t entitled to a spot or recommendation. even if this is just some misunderstanding, it is still the safer move to remove it until further notice until it’s cleared up.
also this is to jerm (i don’t want to make yet another comment):
the fact that element is the only client really worked on and that people use, and yet it’s still awful, should only reinforce the need to remove it. it sucks to use, and it’s not worth recommending to anyone.
I’d rather get my friends off of Discord and into Matrix for gaming, communities, and voip calls. Like @Lukas and @Tech-Trooper said, it’s good for communities.
Realistically it’s the closest thing to Discord that we have, which can help make transition away from Discord easier.