Egregoros

RE: https://furry.engineer/@soatok/116088639302283341

Chewing on Soatok's last commentary on Matrix crypto. I haven't implemented DH in a while, but:

If the system allows the other user to use the point at infinity as their public key... Doesn't that mean if I'm in a position to tamper with both sides of the connection, I could tell each party separately that the other chose it, and they'd be none the wiser because they'd independently derive the same session key? But their traffic would be effectively unencrypted for any observer, not just me.

I sure hope there's some other feature of the protocol that prevents this.
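As an added illustration of the check the post is hoping for (this is not code from the post or from any Matrix implementation), the following is a minimal RFC 7748 X25519 in pure Python: the identity and the other low-order points encode as ordinary 32-byte public keys, and for any private key they produce an all-zero shared secret, so the receiving side has to refuse that output rather than key its session from it. It assumes the exchange is X25519, and the ladder uses plain branching, so it is for reading, not for constant-time production use.

```python
# Added example, not from the post: RFC 7748 X25519 plus the all-zero
# shared-secret check that rejects a substituted low-order public key.
P = 2**255 - 19   # field prime
A24 = 121665      # (A - 2) / 4 for Curve25519

def decode_u(b: bytes) -> int:
    # little-endian u-coordinate; RFC 7748 masks the top bit
    return int.from_bytes(b, "little") & ((1 << 255) - 1)

def clamp(k: bytes) -> int:
    s = bytearray(k)
    s[0] &= 248; s[31] &= 127; s[31] |= 64   # RFC 7748 scalar clamping
    return int.from_bytes(s, "little")

def ladder(k: int, u: int) -> int:
    # Montgomery ladder from RFC 7748 section 5; returns u(k*P).
    # The branch on `swap` is NOT constant time (educational only).
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P   # z2 == 0 (identity) yields 0

def x25519(scalar: bytes, u: bytes) -> bytes:
    return ladder(clamp(scalar), decode_u(u)).to_bytes(32, "little")

def public_key(priv: bytes) -> bytes:
    return x25519(priv, (9).to_bytes(32, "little"))   # base point u = 9

def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    # Reject low-order peer keys: the identity and the order-2/4/8 points
    # all map to an all-zero result for every scalar (RFC 7748 6.1), so
    # an attacker feeding one to both sides gets a key with no secret in it.
    s = x25519(priv, peer_pub)
    if s == bytes(32):
        raise ValueError("low-order peer public key rejected")
    return s
```

With `bytes(32)` (u = 0) or u = 1 handed to both parties as "the other side's key", `x25519` returns all zeros for either private key, which is exactly the attacker-chosen, contribution-free session key the post describes; `shared_secret` refuses it.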
