Follow

@kirby
It's a price to pay for proper encryption that works with multiple sessions🤷
XMPP crowd was making fun of Matrix for this, but that is just how Double Ratchet works — now it got implemented in popular XMPP clients and it turned out that it's even worse than it was in Matrix and before that it "just worked" simply because nothing was encrypted.

@m0xee @kirby >turned out that it's even worse Basically false. Matrix is even worse because you can't turn it on and off by your self. It also is less secure.

@dcc
Of course you can, just create two person room with encryption disabled! If they weren't created with encryption enabled by default, few would be using it and it would defeat the purpose.
And how is it less secure? It's literally the same algorithm.
@kirby

@kirby
Leaking presence to the servers of participants of a multi-user room that I'm in is the thing I'm the least concerned about TBH, XMPP doesn't do it because the rooms aren't distributed and only exist on the server they were created on. A lot of people do not seem to understand this: XMPP doesn't have a more secure implementation of the feature — it simply doesn't have this feature at all.
@dcc

@kirby @dcc
And I believe they have even fixed it now, it is possible to prevent interacting with the sessions that you haven't personally authorized, but you have to enable it for each room and for every session of yours individually — far from perfect solution, could've been better, probably this way to prevent breaking compatibility.

@kirby @dcc
In any case, I'm more worried about Element only working in latest Firefox now than this.
And XMPP… jabber.ru/xmpp.ru have been being MITMed for months without anyone noticing because clients simply don't check the fingerprints — that's just laughable!

@m0xee @kirby >does he know about the media Matrix as a protocol is just worse than xmpp.

@dcc
No, it isn't. What could be worse than a protocol based on endless XML streams designed two decades ago by someone having zero experience with this and with hundreds of things slapped on top of it since then that no client implements in full and that never got widely adopted?
@kirby

@dcc
I get it, a lot of people had a warm and fuzzy feeling about XMPP because they were seeing these key exchange failure messages in Matrix client, but not in XMPP client and that made them assume that XMPP somehow just magically works — now that OMEMO is getting adopted, we can see that it's the same or worse — due to inconsistent client implementations.
@kirby

@m0xee @dcc @kirby
>It's literally the same algorithm
not really, that'd be olm, megolm (the one actually used in e2ee rooms) is double ratchet with extra steps, that may or may not weaken DR security assumptions

@romin @dcc @kirby
Yep, valid point! Same as different implementations might have deficiencies of their own — what I meant is that they are based on the same Double Ratchet.
Beside the point, OMEMO spec is pretty vague about multi-user rooms: xmpp.org/extensions/xep-0384.h it refers to a MUC-related XEP that doesn't mention OMEMO or ratchets at all.
As opposed to megolm spec which is rather thorough: gitlab.matrix.org/matrix-org/o

@romin @dcc @kirby
I'm not even sure current XMPP clients implement OMEMO for group chats, so I assume we're talking one-on-one chats here 🤷

Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml