Matrix

3238 readers

1 users here now

An open network for secure, decentralized communication

founded 4 years ago

MODERATORS

k_o_t@lemmy.ml

E2EE vulnerabilities in matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2: if you use Element or (matrix.org)

submitted 2 years ago by cypherpunks@lemmy.ml to c/matrix@lemmy.ml

11 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] sexy_peach@feddit.de 3 points 2 years ago (2 children)

How does XMPP with omemo handle these situations?

[–] poVoq 4 points 2 years ago* (last edited 2 years ago) (1 children)

AFAIK they don't exist because OMEMO keys are device and not account specific, so this entire class of attack surface does not exist.

[–] jcast@mastodon.social 2 points 2 years ago (2 children)

@poVoq @sexy_peach

Isn't matrix also based on session keys?
I think the issue is more about how keys are shared between devices, and access to previous messages granted?

[–] poVoq 3 points 2 years ago

I am not an expert on the topic, but yes the key sharing seems to be the ultimate source of these issues.

[–] jcast@mastodon.social 1 points 2 years ago

@poVoq @sexy_peach

shared meaning cross-signed

[–] jcast@mastodon.social 3 points 2 years ago

@sexy_peach @cypherpunks

I'm a random user but I did hear some discussion on the potential for this kind of vulnerability a while ago in the XMPP Conversations group chat.

OMEMO does not allow access to previous messages when you add a new device. If the message wasn't originally encrypted for the target device, the device will not be able to read it. But the best place to ask this question is in that group chat.