jbz boosted

🔐 Project Hydra: Improving state resolution in Matrix

「 Given the security-sensitive nature of this work, it was done under embargo by the backend team at Element, the Matrix.org Security Team, the Spec Core Team, alongside Timo Kösters (who privately reported a related vulnerability, helping jumpstart the project) and Florian Jacob (at Karlsruher Institut für Technologie) 」

https://matrix.org/blog/2025/08/project-hydra-improving-state-res/

#matrix #opensource #cybersecurity

@tbernard
> the main reason this never happened

That's a shame. I cite your blog post about it often. It's a rare case of a software dev blog post that's both technically and socially insightful, worded in a way that can be read and understood by almost anyone.

> using a client with a different feature set is going to be a problem

I can see why you'd think so, but I haven't found it to be a problem in practice. You are right that it doesn't really work with 1 account.

@cassidy @Sturmflut

Curiously, @element seems to have pivoted their free client towards being more of a BBQ app. Presumably they offer more of a banquet version to enterprise users of their hosted service? Given the licensing of the Element apps, they could do that without publishing source code for it.

#chat #Matrix #Element

@ben I’m not privy to the details, but what I picked up from a recent video from Matthew, the CEO of Element.io, is that the French government uses #Matrix extensively and contributes nothing back at all.

Matrix could really use more support in order to fix the problems currently happening as outlined in his video https://youtu.be/OyuqM7RbX5E?si=TkS7HeT8eQdGPmLL

While I'm harping on about Matrix, does anyone know if the GNOME plan to split Fractal into two apps (team chat/ instant messenger) ever went ahead?

https://blogs.gnome.org/tbernard/2018/05/16/banquets-and-barbecues/

GNOME announced in 2022 that they were using Matrix for their official team chat groups;

https://blogs.gnome.org/foundation/2022/06/02/gnome-chat-moves-to-matrix/

So presumably they've put some serious effort into bringing their own Matrix apps to maturity?

#Matrix #GNOME

@tuxsec
> I'll see if I can remember to use it for rooms without threads

I use ElementX almost exclusively for 1:1 DMs, and I suspect this is the market they're pivoting to, leaving the team chat use cases to other outfits like Gitter;

https://blog.gitter.im/2023/02/13/gitter-has-fully-migrated-to-matrix/

... ProcessOne (eJabberD);

https://www.process-one.net/blog/matrix-gateway-setup-with-ejabberd/

... RocketChat;

https://www.rocket.chat/blog/federation-at-rocket-chat-the-shift-to-a-native-solution

... and so on.

#Matrix #Element #ElementX

jbz boosted

⚠️ Alarm raised over 'high-severity' vulnerabilities in Matrix messaging protocol · The Record

「 The description suggests the bug affects the way rooms are controlled, by allowing a malicious administrator — for instance within a government agency’s IT system — to remove the permissions set by the official who created the channel 」

https://therecord.media/matrix-messaging-protocol-high-severity-vulnerabilities

#matrix #opensource #cybersecurity

Apparently the latest #Matrix security vulnerability was so major that the server implementers had to abide by an embargo before receiving details about it. I wonder how many #Matrix -related projects had to decline, due to e.g. their CI not being set up to build code not publicly on the main branch, and had to dash to implement the patch after the embargo was lifted. @matrix

The Matrix.org Foundation and Michael Downey 🧢 boosted

If you want to get a sense of what the Matrix network will be like once Matrix 2.0 is fully rolled out, get yourself ElementX, and try it with an account on the matrix.org homeserver. I haven't had a chance to really stress test it yet. But from what I've experienced so far, it's a *huge* improvement on Matrix 1.0.

EDIT 2: ElementX is the Matrix 2.0 version of Element. Despite the fact that it remains significantly incomplete, and may not meet all your needs 🤦‍♂️

We released version 0.12.1 of #nheko! This release includes a few security fixes around html escaping into the UI and properly attaching a mark of the web on Windows. I highly recommend you upgrade!

This release also takes the first steps to room version 12 compatibility regarding the upcoming #matrix security release.

You can find the release here: https://github.com/Nheko-Reborn/nheko/releases/tag/v0.12.1

Enjoy! 😊