Re “Cryptographic Issues in Matrix’s Rust Library Vodozemac, s1. Olm Diffie-Hellman Accepts the Identity Element”

So if you’re talking to me and I’m malicious, I can send you the ed25519 identity point and force the output of our ECDH agreement to all zeroes. That sounds bad, right? You think we’re having an encrypted conversation, but in fact that encryption is completely useless.

Now, have an ed25519 key pair:

pub 6a175eb9529f5fbbfcbb84b80e451ea8eb976653fd40da4b7b9f98d0db66031f
prv c0bf3874dfa3032ce85cf75db06f0763a3b9296c957d1fe203a318ba63049d3c

(I generated this with the Go playground)

I send you that public key. We negotiate a shared secret with each other. We’re secure right? Well, no, because anyone who’s read this post knows my private key and can compute the same key we just negotiated.

Should you be checking for that public key too? Of course not, that’s nonsense.

Soatok would of course recommend that you use Signal instead. This case is so critical that Signal checks for it, right? Yeah, it does… as of a week ago.

(It’s a tad difficult to compare to what Signal is doing, because Signal has removed X3DH in favour of PQXDH, a post-quantum hybrid replacement, and I can’t quite find the last version of libsignal that supports X3DH. But I don’t see it in an ancient version of their library which did do X3DH either)

I don’t even really like Matrix and there are certainly a lot of flaws in the protocol in general, but this vulnerability announcement feels like more hype than substance to me.

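The two scenarios the note contrasts, as an added worked example that is not part of the original post: a pure-Python X25519 (the Curve25519 Diffie-Hellman function of RFC 7748, which is the DH primitive Olm uses) is fed first the all-zero u-coordinate, where the output is forced to all zeros and the all-zero check from RFC 7748 section 6.1 catches it, and then a peer private key that has simply been published, where the check passes but anyone holding that key computes the same secret. The key material is RFC 7748's section 6.1 test vectors plus one constructed scalar; the function names are this example's own, and the conditional swap is not constant-time, so this is for illustration rather than production use.

```python
"""Pure-Python X25519 (RFC 7748) to illustrate the identity-point check. Educational only."""
import hmac

P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    """Decode a 32-byte u-coordinate, ignoring the unused top bit."""
    b = bytearray(u)
    b[31] &= 0x7F
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int):
    # Not constant-time; a real implementation must use a masked swap.
    return (b, a) if swap else (a, b)


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5, computing k * u on the curve."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * ((da - cb) ** 2) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # pow(0, P-2, P) == 0, so a zero denominator (the identity) encodes as 0.
    return x_2 * pow(z_2, P - 2, P) % P


def x25519(private_key: bytes, peer_public: bytes) -> bytes:
    return _ladder(_decode_scalar(private_key), _decode_u(peer_public)).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)


def shared_secret_checked(private_key: bytes, peer_public: bytes) -> bytes:
    """RFC 7748 section 6.1: abort if the shared secret is the all-zero value.
    compare_digest keeps the check from leaking anything about K through timing."""
    k = x25519(private_key, peer_public)
    if hmac.compare_digest(k, bytes(32)):
        raise ValueError("peer sent a low-order point; shared secret is all zero")
    return k


# RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")


def demo_honest() -> bytes:
    """Both sides derive the same secret from each other's public keys."""
    k_a = shared_secret_checked(ALICE_PRIV, public_key(BOB_PRIV))
    k_b = shared_secret_checked(BOB_PRIV, public_key(ALICE_PRIV))
    assert k_a == k_b
    return k_a


def demo_identity_point() -> tuple:
    """The all-zero u-coordinate forces the secret to all zeros; the check catches it."""
    raw = x25519(ALICE_PRIV, bytes(32))
    try:
        shared_secret_checked(ALICE_PRIV, bytes(32))
        rejected = False
    except ValueError:
        rejected = True
    return raw, rejected


def demo_published_private_key() -> tuple:
    """A peer whose private key is public: the check passes, yet anyone holding that
    key computes the same secret. Constructed scalar, not a key from the post."""
    published_priv = bytes(range(32))
    k_alice = shared_secret_checked(ALICE_PRIV, public_key(published_priv))
    k_anyone = x25519(published_priv, public_key(ALICE_PRIV))
    return k_alice, k_anyone
```

`demo_identity_point()` returns the raw all-zero output together with `True` for "rejected", which is the whole benefit of the check: it costs one constant-time comparison and stops a peer from silently fixing the secret to a known constant. `demo_published_private_key()` returns two equal secrets, neither of them zero, which is the post's counterpoint: a peer that wants the session to be readable can just hand out its private key, and no point validation detects that.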

If you have a fediverse account, you can quote this note from your own instance. Search https://akko.erincandescent.net/objects/532e42ed-b328-44be-bea3-cb4cc34ac1a0 on your instance and quote it. (Note that quoting is not supported in Mastodon.)