@soatok nice post, reading it now… My understanding is that the identity element for addition is zero the identity element for multiplication is one …?
@risottobias There's an Ed25519 in the middle of the end-to-end protocol that mitigate the MITM, but the identity element can leak the group key to the server lol
I want to include this excerpt from the Matrix response:
Your PoC correctly demonstrates that the Olm 3DH implementation in vodozemac does not currently perform the all-zero DH output check. As we're sure you're aware, the check for contributory behaviour in X25519 is a contentious topic among cryptographers, with some calling for it, but others like RFC 7748[1] calling it optional or even arguing against it (e.g. Trevor Perrin[2]). We've previously considered adding it but ultimately avoided it due to the conclusion that there's no practical security impact on Matrix. In other places like SAS/ECIES we explicitly reject non-contributory outputs because those handshakes can be used in unauthenticated contexts where an all-zero DH output could directly collapse channel security.
@soatok as someone with no deeper understanding of cryptography I am wondering: even if they are right, how bad would it have been to just do the fucking check anyway?
@soatok what is it about these types that make them fuck up exponents like it’s a hazing ritual? nevermind them then doubling down with their fingers in their ears, going “nuh-uh-uh can’t heaaaaar youuuuu”…
@soatok once again I’m reminded that you should never implement your own crypto. When you’re in a situation where you must implement crypto you always should assume you’re an idiot, that you will get things wrong, and plan the protocol to be able to shut off the versions where you screwed up. Then find people who can tell you how you screwed things up and believe what they say.
I'm aware that, much like how this ID debacle isn't going to "kill Discord," this is hardly going to kill Matrix. It probably won't even stop the evangelists. But this was satisfying to see~
@soatok really get the feeling even I as a crypto noob could do better, sure still won't be good, but better than what matrix has done here. (E.g. rust type system is strong enough that you could make a type that can't be zero, and you can enforce the use of that)
@soatok One of the worst parts of matrix's popularity is how they stained the reputation of E2EE: People _expect_ E2EE to be inherently buggy and user unfriendly, so they tend to delay or avoid trying alternatives that are E2EE.
I added more info to the blog post about what an attack would actually look like, because I'm tired of trying to explain it in parallel to dozens of people and doing a bad job as a result:
@soatok which clearly shows that even if they could do cryptography, they sure as hell can not do security. sadly, it's a rather common mix of incompetence and arrogance.