@soatok oh my god that really is a 10/10 on the stupidity scale for a vuln.

lol. lmao even. this is ridiculous. HOW.

(I mean I know how, they don't care as much as they want folks to believe they do, but STILL)

I want to include this excerpt from the Matrix response:

Your PoC correctly demonstrates that the Olm 3DH implementation in vodozemac does not currently perform the all-zero DH output check. As we're sure you're aware, the check for contributory behaviour in X25519 is a contentious topic among cryptographers, with some calling for it, but others like RFC 7748[1] calling it optional or even arguing against it (e.g. Trevor Perrin[2]). We've previously considered adding it but ultimately avoided it due to the conclusion that there's no practical security impact on Matrix. In other places like SAS/ECIES we explicitly reject non-contributory outputs because those handshakes can be used in unauthenticated contexts where an all-zero DH output could directly collapse channel security.

The [2] points to https://moderncrypto.org/mail-archive/curves/2017/000896.html

Which is talking about the Diffie-Hellman primitive, not what protocols building atop ECDH should do.

@soatok if I read this right... a server / home hub in matrix could MITM users,

and possibly(?) a malicious group client could MITM the group?

@soatok