Two years ago, I glanced at Matrix’s Olm library and immediately found several side-channel vulnerabilities. After dragging their feet for 90 days, they ended up not bothering to fix any of i…
It’s not a good Discord alternative, but SimpleX has been a solid secure chat option, with PQC working by default. It and Mumble or Jitsi serve my gaming needs.
https://simplex.chat/
XMPP would need one hell of an upgrade, but it might be easier to refactor than the years of lazy bullshit in Matrix’s code. Time will tell. Flux could hackathon and venture capital into the lead.
I haven’t reviewed SimpleX, but it does some weird things (Curve448? Really??) that make me wonder about the author’s capacity for threat modeling.
Where? It’s all TLS and NTRU prime now to my knowledge. They have a couple audits now.
https://github.com/simplex-chat/simplex-chat/blob/stable/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.md
https://github.com/simplex-chat/crypton/blob/90e1a0f46a2adb30feb3222b417ddef41b1feee1/Crypto/PubKey/Curve448.hs
3-year-old subpackage blob. Maybe it’s from before the switch to PQC? They have a published threat model that helped guide the audits and seemed well reasoned. I’m not sure where that version of curve would be used in the current client or server.
Either way, it’s just… weird.
You can message the developers directly from the client. Ask; if they don’t know why it’s there, it’ll get stripped out. I would guess it’s legacy compatibility, but it could be zombie code that needs pruned.
Why would I want to use the client? :S
I’m just here to criticize cryptographic open source software. I don’t actually want to use these programs.