Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Just a question, I haven't been paying attention, but where is Matrix on resolving the Nebuchadnezzar vulnerabilities, and is the project still tracking towards switching to MLS instead of Olm/Megolm?


The main remaining Nebuchadnezzar issue is mitigating server-controlled group membership. The first step has been to kill off the 1st gen E2EE implementations, which were responsible for the implementation vulns found by RHUL - and we should hopefully conclude that next week by moving everything into the matrix-rust-sdk crypto crate implmentation: https://github.com/vector-im/element-web/issues/21972#issuec... is the tracker.

Then, we can address the harder server-controlled group membership issue in one place. First step will be to improve device verification & trust so that trust is the default, not the exception, to make it easier to spot and warn about unexpected devices in the room. The full solution is then either MSC3917 (https://github.com/matrix-org/matrix-spec-proposals/blob/fay...) - or potentially to switch everything to MLS.

We're working on MLS anyway in parallel to RHUL mitigation work; you can see the progress at https://arewemlsyet.com, and it's looking good.

I'm guessing you're not interested in doing a podcast on "yay we converged our crypto implementations on a single robust Rust implementation so we can fix the remaining bugs in one place", but as soon as the server-controlled group membership thing is solved we'll be in touch. Work has also gone much slower than hoped on this, thanks to the joys of funding open source.


INCORRECT. The messier your situation is, the better the podcast will be. You're still in my top 3 subjects for us to do an episode on. I'm rooting for you! But also for sound messaging cryptography. So I'm one of your most complicated supporters. :)


> Outside of Matrix 2.0 work, other big items on the horizon include:

- Adding Rust matrix-sdk-crypto to matrix-js-sdk, at which point all the official Matrix.org client SDKs will (at last!) be using the same stable performant E2EE implementation

- Continuing to contribute Matrix input to the MIMI working group in IETF for > Digital Markets Act interoperability

- Working on MLS for next-generation E2EE

IIRC, the rust matrix-sdk-crypto was their intended fix for the vulnerabilities.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: