Conversation

Notices

1. Embed this notice
   Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 12:55:15 JST Soatok Dreamseeker

   People can't help but try to evangelize Matrix in response to things I wrote, so I just disclosed a few more issues in Matrix's cryptography to their security@ email address.

   This time, the issues were in their Rust library, vodozemac.

   One of them was pretty fucking stupid.

   I'll do a better write-up than I was initially planning when they've had time to fix it.

   • Embed this notice
     Vincent Sparks 🔙 Further Confusion (avincentinspace@furry.engineer)'s status on Thursday, 12-Feb-2026 12:55:14 JST Vincent Sparks 🔙 Further Confusion

     in reply to

     @soatok even this aside, vulnerable cryptography is the *least* of matrix's issues.

     anyone seriously proposing it as a discord alternative needs to take their rose tinted glasses off and look at the 30 second message round trips, the chat history easily being lost if one of a user's clients has a key synchronization bug, and the holes in their moderation tooling big enough to drive a truck through (and listen to the stories from trans people of the conga lines of trucks actively being driven through them on a daily basis)

     i don't like discord. but even if your threat model does not require encryption at all, nothing about matrix is salvageable

   • Embed this notice
     [object Object] (zzt@mas.to)'s status on Thursday, 12-Feb-2026 22:14:03 JST [object Object]

     in reply to

     @soatok time for matrix to hurriedly deprecate vodozemac and switch to a third horribly broken encryption library right before the disclosure grace period ends! again!

   • Embed this notice
     Brick Duck (woltiv@mastodon.social)'s status on Thursday, 12-Feb-2026 23:09:50 JST Brick Duck

     in reply to

     @soatok Matrix answers the bold question of “could we make IRC slower and less reliable while also making it more unfriendly” with a resounding “yes”