@soatok oh my god that really is a 10/10 on the stupidity scale for a vuln.
lol. lmao even. this is ridiculous. HOW.
(I mean I know how, they don't care as much as they want folks to believe they do, but STILL)
I want to include this excerpt from the Matrix response:
Your PoC correctly demonstrates that the Olm 3DH implementation in vodozemac does not currently perform the all-zero DH output check. As we're sure you're aware, the check for contributory behaviour in X25519 is a contentious topic among cryptographers, with some calling for it, but others like RFC 7748[1] calling it optional or even arguing against it (e.g. Trevor Perrin[2]). We've previously considered adding it but ultimately avoided it due to the conclusion that there's no practical security impact on Matrix. In other places like SAS/ECIES we explicitly reject non-contributory outputs because those handshakes can be used in unauthenticated contexts where an all-zero DH output could directly collapse channel security.
The [2] points to https://moderncrypto.org/mail-archive/curves/2017/000896.html
Which is talking about the Diffie-Hellman primitive, not what protocols building atop ECDH should do.
@soatok if I read this right... a server / home hub in matrix could MITM users,
and possibly(?) a malicious group client could MITM the group?
@risottobias There's an Ed25519 in the middle of the end-to-end protocol that mitigates the MITM, but the identity element can leak the group key to the server lol
@soatok so I can read the juicy, spicy data in a private group. neat.