this post was submitted on 14 Aug 2024
40 points (90.0% liked)

Technology

58009 readers
3007 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
40
Security Issues in Matrix’s Olm Library. (soatok.blog)
submitted 4 weeks ago by ModerateImprovement@sh.itjust.works to c/technology@lemmy.world
4 comments fedilink hide all child comments
 

I don’t consider myself exceptional in any regard, but I stumbled upon a few cryptography vulnerabilities in Matrix’s Olm library with so little effort that it was nearly accidental.

It should not be this easy to find these kind of issues in any product people purportedly rely on for private messaging, which many people evangelize incorrectly as a Signal alternative.

you are viewing a single comment's thread
view the rest of the comments
[–] mox@lemmy.sdf.org 24 points 4 weeks ago* (last edited 3 weeks ago) (3 children)

FWIW, current versions of the reference client (Element) don't use the Olm library (libolm), which is now deprecated.

From the README:

libolm was Matrix's first implementation of the Double Ratchet algorithm, dating back to 2015. It is not written in memory-safe langauges (C and C++11), resulting in several CVEs over the years (e.g. CVE-2021-34813 and CVE-2021-44538). It also depends on simplistic cryptography primitive implementations which are intended for pragmatic and education purposes rather than security - e.g. Brad Conte's crypto-algorithms.

As a result, we rewrote libolm in Rust in December 2021 - the result being vodozemac, and announced it as the recommended successor to libolm after its audit by Least Authority in May 2022

Also, from the latest weekly update:

We’re not aware of any way to actually exploit these weaknesses over the network, but we continue to strongly recommend developers to migrate to vodozemac (or fork libolm to add better primitives).

Nevertheless, if you're using a third-party Matrix client that depends on libolm, you might want to contact its developers, or switch.

[–] Apollo2323@lemmy.dbzer0.com 2 points 4 weeks ago (2 children)

How I know if Fractal the gnome app use that library?

[–] mox@lemmy.sdf.org 3 points 4 weeks ago

I doubt Fractal uses libolm, since it's a Rust app, but you could ask the developers to be certain.

https://gitlab.gnome.org/World/fractal

[–] nethad@discuss.tchncs.de 3 points 4 weeks ago* (last edited 4 weeks ago)

It uses matrix-rust-sdk (written by Element) and that uses the new vodozemac, so you're safe