Security Issues in Matrix's Olm Library
Matrix's Olm library has critical cryptographic vulnerabilities, including cache-timing attacks and malleable signatures. The Matrix security team will not address these issues and advises users to switch to the vodozemac library.
Matrix's Olm library (libolm) has been found to contain several cryptographic vulnerabilities, disclosed by a researcher who says they were identified with minimal effort. The vulnerabilities are a cache-timing attack on the AES implementation, malleability of Ed25519 signatures, and timing leakage in the base64 decoding of private key material. The researcher reported these findings to the Matrix security team, which confirmed receipt but ultimately decided not to address them because the library is deprecated. The cache-timing weakness in the AES implementation lets an attacker who can observe timing differences infer secret values, while the malleability of Ed25519 signatures could cause problems in specific use cases, particularly in cryptocurrency contexts. The base64 decoding flaw similarly exposes sensitive data through timing. Rather than fixing libolm, the Matrix team recommends that clients transition to the new vodozemac library. The researcher emphasizes that clients still using libolm should treat these vulnerabilities as critical until they have moved to a more secure alternative.
- Matrix's Olm library has multiple cryptographic vulnerabilities.
- Vulnerabilities include cache-timing attacks, malleable signatures, and timing leakage.
- The Matrix security team will not fix these issues due to the library's deprecation.
- Users are advised to transition to the vodozemac library for improved security.
- The researcher highlights the importance of addressing these vulnerabilities promptly.
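The signature-malleability finding above, shown in an added example that is not the article's, libolm's or vodozemac's code: a minimal pure-Python Ed25519 verifier (the names verify, noncanonical_variant and the strict flag are my own) checked against RFC 8032 test vector 1, with the canonical-S check (S < L) whose absence makes a signature malleable.

```python
import hashlib
P = 2**255 - 19  # Ed25519 field prime (RFC 8032, section 5.1)
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)
def x_recover(y):  # even square root x of the curve equation for a given y
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P)
    x = pow(xx, (P + 3) // 8, P)
    x = x if (x * x - xx) % P == 0 else (x * SQRT_M1) % P
    return x if x % 2 == 0 else P - x
def edwards_add(p1, p2):  # affine twisted-Edwards point addition
    x1, y1 = p1; x2, y2 = p2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + D * x1 * x2 * y1 * y2, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - D * x1 * x2 * y1 * y2, P - 2, P)
    return (x3 % P, y3 % P)
def scalar_mult(pt, e):  # double-and-add; not constant-time, but verification handles no secrets
    q = (0, 1)  # neutral element
    while e:
        if e & 1:
            q = edwards_add(q, pt)
        pt, e = edwards_add(pt, pt), e >> 1
    return q
def decode_point(b):  # little-endian y with the parity of x stored in the top bit
    y = int.from_bytes(b, "little") & ((1 << 255) - 1)
    x = x_recover(y)
    x = x if (x & 1) == (b[31] >> 7) else P - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % P:
        raise ValueError("point not on curve")
    return (x, y)
BASE_Y = 4 * pow(5, P - 2, P) % P
BASE = (x_recover(BASE_Y), BASE_Y)

def verify(pk, msg, sig, strict=True):
    # strict=True rejects a non-canonical S (S >= L). A lenient verifier without
    # this check also accepts S + L, i.e. a second valid signature for the same message.
    if len(pk) != 32 or len(sig) != 64:
        return False
    r_enc, s = sig[:32], int.from_bytes(sig[32:], "little")
    if strict and s >= L:
        return False
    r, a = decode_point(r_enc), decode_point(pk)
    h = int.from_bytes(hashlib.sha512(r_enc + pk + msg).digest(), "little")
    return scalar_mult(BASE, s) == edwards_add(r, scalar_mult(a, h))
def noncanonical_variant(sig):  # same R, S replaced by S + L; what a strict verifier must reject
    return sig[:32] + (int.from_bytes(sig[32:], "little") + L).to_bytes(32, "little")

# RFC 8032 section 7.1, test vector 1 (empty message).
PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
```

On the test vector, verify(PK, b"", SIG) holds under both settings, the S + L variant is accepted only with strict=False, and the strict check rejects it.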
Related
Against XMPP+omemo
XMPP's integration of OMEMO for encryption has been criticized for inadequate security standards, outdated implementations, and complexity, leaving it less secure than alternatives like Signal for private messaging.
Hacking a Virtual Power Plant
Ryan Castellucci identified vulnerabilities in GivEnergy's API related to a 512-bit RSA key, allowing unauthorized access. GivEnergy promptly upgraded to a 4096-bit key, emphasizing the need for secure cryptographic practices.
512-bit RSA key in home energy system gives control of "virtual power plant"
Ryan Castellucci discovered a vulnerability in GivEnergy's system, allowing access to a 200 MW virtual power plant. GivEnergy fixed the issue within 24 hours, highlighting risks of outdated cryptographic standards.
Researchers discover potentially catastrophic exploit present in AMD chips
Researchers have found a serious vulnerability in AMD processors, affecting chips since 2006, allowing deep firmware access. AMD is developing patches, with risks primarily for corporations and government entities.
Serious flaw in critical applications: Plaintext passwords in process memory
Security experts found a vulnerability in applications like OpenVPN, Bitwarden, and 1Password, allowing plaintext passwords to remain in memory post-logout, posing risks of exploitation by malware.
This doesn't bode well for it as an option for secure messaging. Wouldn't be a problem if I didn't see people suggesting it as one.
For example, if I add a sleep after a non-constant-time operation to ensure it always takes 1s, would that prevent timing attacks? At least with this you can use a faster algorithm, and let the OS do useful work with the rest of the time.