Why I Don't Trust Matrix Developers to Produce a Secure Protocol

Lukas · July 5, 2024, 1:17pm

gist.github.com

https://gist.github.com/soatok/8aef6f67fec9c702f510ee24d19ef92b

matrix.md

## Update (2024-05-17)

Oh hey, this rant of mine is making the rounds.

After I wrote this, one of the Matrix leads commented on it, which prompted me to look at their code. I have since found, uh, ~~4~~ 3 different cryptographic issues in Matrix's Olm and Megolm code. 

Expect a blog post on [Dhole Moments](https://soatok.blog) at some point in August.

~~One of them is extremely bad, and will put a lot of burden on Matrix users to mitigate effectively.~~  _False alarm_: I was mistaken about this one. I'll include it in the write-up, though.

This file has been truncated. show original

securitybrahh · July 11, 2024, 7:42pm

I have been thinking about this, here I documented my investigation:

Topic		Replies	Views
Remove Matrix/Element mentions from Real-Time Communication Tool Suggestions rejected	20	1252	August 17, 2024
Matrix bridge for sms? Off Topic	7	471	December 18, 2023
I spent all weekend reviewing Signal's cryptography and just published my write-up, AMA General software	14	2811	April 24, 2025
Why not XMPP? Tool Suggestions	27	3167	August 29, 2024
Matrix 2.0 Is Here! General software	0	397	November 3, 2024

Why I Don't Trust Matrix Developers to Produce a Secure Protocol

Related topics