GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 08:47:53 JST Soatok Dreamseeker Soatok Dreamseeker

    https://soatok.blog/2026/02/17/cryptographic-issues-in-matrixs-rust-library-vodozemac/

    #Matrix #infosec #vulnerabiltiy #cryptography #privacy

    In conversation about 5 months ago from furry.engineer permalink

    Attachments

    1. Domain not in remote thumbnail source whitelist: soatok.blog
      Cryptographic Issues in Matrix’s Rust Library Vodozemac
      from Soatok
      Two years ago, I glanced at Matrix’s Olm library and immediately found several side-channel vulnerabilities. After dragging their feet for 90 days, they ended up not bothering to fix any of i…
    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 09:00:36 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to
      • Marsh Ray

      @marshray Yeah it's also called the point at infinity, but in X25519 it's a 32-byte sequence of NUL.

      In conversation about 5 months ago permalink
    • Embed this notice
      Marsh Ray (marshray@infosec.exchange)'s status on Wednesday, 18-Feb-2026 09:00:37 JST Marsh Ray Marsh Ray
      in reply to

      @soatok nice post, reading it now…
      My understanding is that
      the identity element for addition is zero
      the identity element for multiplication is one
      …?

      In conversation about 5 months ago permalink

      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/088/675/924/235/046/original/c2006b9c0477a163.png
    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 09:53:17 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to
      • Risotto Bias

      @risottobias There's an Ed25519 in the middle of the end-to-end protocol that mitigate the MITM, but the identity element can leak the group key to the server lol

      In conversation about 5 months ago permalink
    • Embed this notice
      Risotto Bias (risottobias@toot.risottobias.org)'s status on Wednesday, 18-Feb-2026 09:53:18 JST Risotto Bias Risotto Bias
      in reply to

      @soatok if I read this right... a server / home hub in matrix could MITM users,

      and possibly(?) a malicious group client could MITM the group?

      In conversation about 5 months ago permalink
    • Embed this notice
      Thomas (horaynarea@chaos.social)'s status on Wednesday, 18-Feb-2026 09:59:14 JST Thomas Thomas
      in reply to

      @soatok your bottom line for the first misc issue…

      > But there’s no way anything important relies on this, so who cares?

      …reads like a "The monkey's paw curls"-type of sentence 🫣

      In conversation about 5 months ago permalink
    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 10:01:06 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to

      I want to include this excerpt from the Matrix response:

      Your PoC correctly demonstrates that the Olm 3DH implementation in vodozemac does not currently perform the all-zero DH output check. As
      we're sure you're aware, the check for contributory behaviour in X25519 is a contentious topic among cryptographers, with some calling for it, but others like RFC 7748[1] calling it optional or even arguing against it (e.g. Trevor Perrin[2]). We've previously considered adding it but ultimately avoided it due to the conclusion that there's no practical security impact on Matrix. In other places like SAS/ECIES we explicitly reject non-contributory outputs because those handshakes can be used in unauthenticated contexts where an all-zero DH output could directly collapse channel security.

      The [2] points to https://moderncrypto.org/mail-archive/curves/2017/000896.html

      Which is talking about the Diffie-Hellman primitive, not what protocols building atop ECDH should do.

      In conversation about 5 months ago permalink

      Attachments


    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 10:02:28 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to

      Echoed for emphasis:

      We've previously considered adding it but ultimately avoided it due to the conclusion that there's no practical security impact on Matrix.

      Once again, they are insisting "We already knew about this risk but decided it's okay to not fix it or tell anyone about it".

      Which is FUCKING BONKERS for a so-called secure messaging product!

      In conversation about 5 months ago permalink
    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 10:07:33 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to
      • Thomas

      @HorayNarea If you do it right (i.e., using a constant-time compare)? It's basically free. There is no downside.

      Other protocols explicitly require it as a MUST.

      In conversation about 5 months ago permalink
    • Embed this notice
      Thomas (horaynarea@chaos.social)'s status on Wednesday, 18-Feb-2026 10:07:35 JST Thomas Thomas
      in reply to

      @soatok as someone with no deeper understanding of cryptography I am wondering: even if they are right, how bad would it have been to just do the fucking check anyway?

      In conversation about 5 months ago permalink
    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 10:08:53 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to
      • Thomas

      @HorayNarea (The was_contributory() check does this securely.)

      In conversation about 5 months ago permalink
    • Embed this notice
      JP (froztbyte@mastodon.social)'s status on Wednesday, 18-Feb-2026 10:14:53 JST JP JP
      in reply to

      @soatok what is it about these types that make them fuck up exponents like it’s a hazing ritual? nevermind them then doubling down with their fingers in their ears, going “nuh-uh-uh can’t heaaaaar youuuuu”…

      In conversation about 5 months ago permalink
    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 18-Feb-2026 10:16:01 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to
      • Thomas

      @HorayNarea Nah, doing things right can still yield fun blog posts:

      https://soatok.blog/2026/01/15/software-assurance-that-warm-and-fuzzy-feeling/

      In conversation about 5 months ago permalink
    • Embed this notice
      Thomas (horaynarea@chaos.social)'s status on Wednesday, 18-Feb-2026 10:16:03 JST Thomas Thomas
      in reply to

      @soatok downside of doing things right: no fun fun fun fuuuuuun blogposts 😵💫

      In conversation about 5 months ago permalink
    • Embed this notice
      Thomas (horaynarea@chaos.social)'s status on Wednesday, 18-Feb-2026 10:28:53 JST Thomas Thomas
      in reply to

      @soatok different kind of fun, no "say mean things about my bad crypto implementation"-kinkshaming please! /s

      (I'm a long time RSS subscriber, came for the interesting crypto stuff, stayed because of the furry art in between the crypto stuff :D

      Actually "Why AES-GCM sucks" led to me not getting any sleep that night… I was locked in "trying to _really_ understand GCM"-hell /o\

      So yeah, thanks for doing all of this! 😽)

      In conversation about 5 months ago permalink
    • Embed this notice
      Dan Sugalski (wordshaper@weatherishappening.network)'s status on Wednesday, 18-Feb-2026 10:33:58 JST Dan Sugalski Dan Sugalski
      in reply to

      @soatok once again I’m reminded that you should never implement your own crypto. When you’re in a situation where you must implement crypto you always should assume you’re an idiot, that you will get things wrong, and plan the protocol to be able to shut off the versions where you screwed up. Then find people who can tell you how you screwed things up and believe what they say.

      In conversation about 5 months ago permalink
    • Embed this notice
      Daedalous Eros (daedalouseros@hollow.raccoon.quest)'s status on Wednesday, 18-Feb-2026 11:29:25 JST Daedalous Eros Daedalous Eros
      in reply to

      @soatok@furry.engineer really said "I'm about to end this platform's whole career!"

      I'm aware that, much like how this ID debacle isn't going to "kill Discord," this is hardly going to kill Matrix. It probably won't even stop the evangelists. But this was satisfying to see~

      Those closing thoughts... chefs kiss

      In conversation about 5 months ago permalink
    • Embed this notice
      Bret Towe (brettowe@fosstodon.org)'s status on Wednesday, 18-Feb-2026 13:38:05 JST Bret Towe Bret Towe
      in reply to

      @soatok its impressive how many levels of smell test they keep failing at

      In conversation about 5 months ago permalink
    • Embed this notice
      Botch Frivarg (deetwenty@todon.nl)'s status on Wednesday, 18-Feb-2026 21:37:04 JST Botch Frivarg Botch Frivarg
      in reply to

      @soatok really get the feeling even I as a crypto noob could do better, sure still won't be good, but better than what matrix has done here. (E.g. rust type system is strong enough that you could make a type that can't be zero, and you can enforce the use of that)

      In conversation about 5 months ago permalink
    • Embed this notice
      Piko Starsider :verified_paw: (starsider@valenciapa.ws)'s status on Wednesday, 18-Feb-2026 21:37:08 JST Piko Starsider :verified_paw: Piko Starsider :verified_paw:
      in reply to

      @soatok One of the worst parts of matrix's popularity is how they stained the reputation of E2EE: People _expect_ E2EE to be inherently buggy and user unfriendly, so they tend to delay or avoid trying alternatives that are E2EE.

      In conversation about 5 months ago permalink
    • Embed this notice
      Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 19-Feb-2026 08:03:01 JST Soatok Dreamseeker Soatok Dreamseeker
      in reply to

      I added more info to the blog post about what an attack would actually look like, because I'm tired of trying to explain it in parallel to dozens of people and doing a bad job as a result:

      https://soatok.blog/2026/02/17/cryptographic-issues-in-matrixs-rust-library-vodozemac/#vuln-1-attacker

      In conversation about 5 months ago permalink
    • Embed this notice
      jaKa Močnik (jkmcnk@mastodon.social)'s status on Friday, 20-Feb-2026 02:14:22 JST jaKa Močnik jaKa Močnik
      in reply to

      @soatok which clearly shows that even if they could do cryptography, they sure as hell can not do security. sadly, it's a rather common mix of incompetence and arrogance.

      In conversation about 5 months ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.