Two years ago, I glanced at Matrix’s Olm library and immediately found several side-channel vulnerabilities. After dragging their feet for 90 days, they ended up not bothering to fix any of i…
Where? It’s all TLS and NTRU prime now to my knowledge. They have a couple audits now.
https://github.com/simplex-chat/simplex-chat/blob/stable/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.md
https://github.com/simplex-chat/crypton/blob/90e1a0f46a2adb30feb3222b417ddef41b1feee1/Crypto/PubKey/Curve448.hs
3-year-old subpackage blob. Maybe it’s from before the switch to PQC? They have a published threat model that helped guide the audits and seemed well reasoned. I’m not sure where that version of the curve would be used in the current client or server.
Either way, it’s just… weird.
You can message the developers directly from the client. Ask; if they don’t know why it’s there, it’ll get stripped out. I would guess it’s legacy compatibility, but it could be zombie code that needs pruning.
Why would I want to use the client? :S
I’m just here to criticize cryptographic open source software. I don’t actually want to use these programs.