Friday, December 2, 2022

Serious vulnerabilities in Matrix end-to-end encryption being patched

The developers of the open source Matrix messaging protocol will release an update Thursday to fix critical end-to-end encryption vulnerabilities that subvert the confidentiality and authentication guarantees that have been key to the platform’s meteoric rise.

Matrix is a sprawling ecosystem of proprietary and open source chat and collaboration clients and servers that are fully interoperable. The best-known app in this family is Element, a chat client for Windows, macOS, iOS, and Android, but there are a wide variety of other members as well.

Matrix aims to do for real-time communication what the SMTP standard does for email: provide a federated protocol that allows users connected to different servers to exchange messages with each other. Unlike SMTP, however, Matrix offers strong end-to-end encryption, or E2EE, designed to ensure that messages cannot be forged and that only the senders and receivers of the messages can read the content.

Matthew Hodgson, co-founder and project lead of Matrix and CEO and CTO of Element, the maker of Element’s flagship app, said in an email that, according to conservative estimates, there are about 69 million Matrix accounts spread across about 100,000 servers. The company currently sees around 2.5 million monthly active users using its Matrix.org server, though he said this is also likely an underestimate. Among the hundreds of organizations announcing plans to build internal messaging systems based on Matrix are Mozilla, KDE, and the governments of France and Germany.

On Wednesday, a team of researchers published research that reports a number of vulnerabilities undermining Matrix’s authentication and confidentiality guarantees. All of the attacks described by the researchers require the help of a malicious or compromised home server that targets users who connect to it. In some cases, there are ways for experienced users to detect that an attack is taking place.

Researchers privately reported the vulnerabilities to Matrix earlier this year and agreed to a coordinated disclosure scheduled for Matrix’s Wednesday release of updates addressing the most serious flaws.

“Our attacks allow a malicious server operator or someone who gains control of a Matrix server to read user messages and impersonate them,” the researchers wrote in an email. “Matrix aims to protect against such behavior by providing end-to-end encryption, but our attacks highlight design flaws in its protocol and flagship client implementation Element.”

Hodgson said he disagrees with the researchers’ assertion that some of the vulnerabilities reside in the Matrix protocol itself, saying they are all implementation bugs in the first generation of Matrix applications, which includes Element. He said that a newer generation of Matrix apps, including ElementX, Hydrogen and Third Room, are not affected. There is no indication that the vulnerabilities have ever been actively exploited, he added.
