Yes, and they are working on it. It's just harder than it seems, and it is not as important as people seem to think. I value much more the work Signal did on metadata than the username vs phone number debate.
This protocol was deployed for years before anyone even thought to check whether group messaging was secure (we just found out now that it isn't). Is Signal working on secure group messaging? Well, they won the Levchin Prize at RWC for the work they're doing on it.
I completely understand the difficulty, but so far I haven't heard of whether or not Signal is even working on getting rid of phone numbers.
Also worth mentioning that Matrix isn't just working on encrypting contacts databases. They are also working on decentralization, which is a much more difficult problem. So I'm not surprised that they are running into issues every once and a while (though Signal has had security problems in the past too [1])
It sure seems to be a much more difficult problem, because they're working right now to recover from disastrous protocol breaks that allow servers to decrypt messages in groups. I'm not so interested in what novel stuff they're working on; they don't have the table stakes stuff nailed down.
This is secure messaging. It has to work, or it's just LARPing. Can the Matrix team honestly say that their system is ready to handle life-or-death secrets?
Hackers were able to get at least one person via the Twilio hack in OP's article (which wouldn't have happened if Signal was not reliant on phone numbers). So I wouldn't say Signal is great for life-or-death either. And afaik the Matrix vulnerability we are discussing was not actually shown to have been exploited
Do you mind elaborating? I think OPs article was pretty clear
> By default, Registration Lock is disabled, as was the case for at least one of the hacked accounts. As such, the cybercriminals managed to pull off the attack by impersonating the victim of the attack for roughly 13 hours
