Session
Schedule FOSDEM 2020
Miscellaneous

Making & Breaking Matrix's E2E encryption

In which we exercise the threat model for Matrix's E2E encrypted decentralised communication
K.1.105 (La Fontaine)
Matthew Hodgson
Matrix is an open protocol and open network for decentralised real-time communication; shifting control over communication from the big proprietary silos back to the general population of the Internet. In 2016 we added E2E Encryption based on the Double Ratchet, and since then have been working away on getting the encryption so polished that we can transparently turn it on by default everywhere. In this talk, we'll show how we have finally done this, what the blockers were, and then try to smash the encryption to pieces to illustrate the potential attacks and how we mitigate them.

Matrix is an ambitious project to build a open decentralised real-time communication network; providing an open standard protocol and open source reference implementations, letting anyone and everyone spin up a Matrix server and retake control of their real-time communication. Matrix is looked after by the non-profit Matrix.org Foundation, and as of Oct 2019 we have over 11.5M addressable users and around 40K servers on the public network.

Over the course of 2019 we spent a huge amount of time finalising Matrix's end-to-end encryption so we could finally turn it on by default without compromising any of the behaviour users had grown accustomed to in non-encrypted rooms. Specifically, the main remaining blockers were:

Ability to search in E2E encrypted rooms (now solved by Seshat: a Rust-based full-text-search engine embedded into Matrix clients)

Ability to get compatibility with non-E2E clients, bots and bridges (now solved by pantalaimon: a daemon which offloads E2E encryption)

Reworking the whole encryption UI to expose cross-signing to radically simplify key verification (including QR-code scanning for simplicity)

Ability to receive notifications in E2E encrypted rooms.

However, we have finally got there, and this talk will demonstrate how the final E2EE implementation works; the final problems we had to solve; the threat model we have implemented; and how we're doing on rolling it out across the whole network. More interestingly, we will then demonstrate a variety of attacks against the encryption (e.g. shoulder-surfing QR codes during device verification; MITMing TLS; acting as a malicious server implementation; global passive adversary) to demonstrate how well we handle them.

Additional information

Type maintrack

More sessions

2/1/20
Community and Ethics
Danese Cooper
K.1.105 (La Fontaine)
Free and Open Source software has revolutionized the Software Industry and nearly all other areas of human endeavor, but until now its reach into actual governance at the municipal citizen level has not been very deep. Initiatives like Code for America have encountered challenges driving acceptance for FOSS alternatives to proprietary software for citizen governance. At the same time the gap between citizen need and cities’ capabilities as widened. But several new projects are aiming to change ...
2/1/20
History
Michael Meeks
Janson
From ten years of LibreOffice, how can you apply what we learned to your project ? What is going on in LibreOffice today, and where is it going ? and How can you re-use or contribute to the story.
2/1/20
Community and Ethics
James Bottomley
K.1.105 (La Fontaine)
It has become very popular in the last several years to think of free and open source as a community forward activity, indeed the modern approach is to try and form a community or foundation first and do code second. There is also much talk about maintainer burn out and community exploitation. However, the same people who talk about this still paraphrase the most famous quote from the Cathedral and the Bazaar "Scratching your own itch". They forget this is your own itch not everyone else's ...
2/1/20
History
James Shubin
Janson
Over the past twenty years, the automation landscape has changed dramatically. As our hunger for complex technical infrastructure increased, and our inability to keep up with these demands faltered, we've outsourced a lot of the work to third-parties and cloud providers. We'll step backwards and show where we came from, and where we're going. If we don't understand this future, and step up to the challenge, then we eventually won't control our own computers anymore. We'll discuss this timeline ...
2/1/20
Community and Ethics
Molly de Blanc
K.1.105 (La Fontaine)
Internet of Things (IoT) devices are part of the future we were promised. Armed with our mobile devices, we can control everything from our cars to our toasters to the doors of our homes. Along with convenience, IoT devices bring us ethical quandaries, as designers and users. We need to consider the ethical implicates of the technologies we are building and ask ourselves not just about the ways they are being used, for both good and evil, but the potential use cases we might encounter in the ...
2/1/20
History
Ton Roosendaal
Janson
The presentation is going to be audiovisual and entertaining; based on a number of short videos I want to tell the story of Blender. Starting in late 90s, how Blender became open source, going over the big milestones for Blender, end ending with the fast growth of our project and the interest of the film and game industry. Blender now is a more mature project now, which involves a different dynamics than it used to be. How are we going to tackle the challenges of the industry, while not losing ...
2/1/20
Community and Ethics
K.1.105 (La Fontaine)
Despite the number of working groups, advisory committees, and coordination roundtables, there is little progress towards creating more ethical and safe AI systems. AI systems are deployed in increasingly fragile contexts. From law enforcement to humanitarian aid, several organizations use AI powered systems to make or inform critical decisions with increasingly outsized side effects. What is a rights-based approach for designing minimally safe and transparent guidelines for AI systems? In this ...