-
Notifications
You must be signed in to change notification settings - Fork 269
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KeySharing, DevicebasedStrategy | Exclude insecure dehydrated devices when sending messages #4313
Comments
(Rust) We already have code to avoid encrypting for unsigned devices - we should do this unconditionally for any device with the dehydrated flag set. |
Also: why are dehydrated devices being singled out for this special treatment? |
It's buried in the middle of a paragraph: https://github.com/matrix-org/matrix-spec-proposals/pull/3814/files#diff-1e380a19a30044a5d4a387df67369612e4cdf4dc8b0bcba1853fd221f7dfeeb9R51-R53 I guess it should be called out more.
This was flagged by Denis at matrix-org/matrix-spec-proposals#3814 (comment) . The short version is: dehydrated devices are being singled out because clients may hide dehydrated devices or make them less visible, so it may be less noticeable if a dehydrated device is unsigned, compared with normal devices. Also because dehydrated devices are a new feature and our eventual goal is to drop insecure devices. |
ah great, thanks. |
kinda, though that's implemented as a different |
Per #4313, we should not send outgoing messages to dehydrated devices that are not signed by the current pinned/verified identity.
Per #4313, we should not send outgoing messages to dehydrated devices that are not signed by the current pinned/verified identity.
The implication of this is that we should not send encrypted messages to dehydrated devices if the user has a pinning violation. I remain slightly hesitant to do this: it is inconsistent with the way we treat regular devices (we show a warning "user's identity has changed", but continue to encrypt to all their devices. Per element-hq/element-meta#2492 (comment), the idea is that if you care about who you are encrypting to, you need to verify.) @uhoreg / @dkasak / @mxandreas : would appreciate any further thoughts on this. |
Per #4313, we should not send outgoing messages to dehydrated devices that are not signed by the current pinned/verified identity.
Per #4313, we should not send outgoing messages to dehydrated devices that are not signed by the current pinned/verified identity.
Which is already the case for "normal" devices, right? E.g. if I reset my identity on device A, the device B will receive no messages/keys until I have re/verified B. |
Yes, but that's not quite the point. Here, Alice and Bob share a room. Bob resets his identity and verifies his devices with that new identity. Alice sees that Bob's identity has changed - a "pin violation". We show a banner above the composer warning her of this and allowing her to confirm. The question is what happens if Alice sends a message before clicking "OK" in that identity-change warning banner.
There are reasonable arguments for having a different behaviour for dehydrated devices, but I'm just not convinced that we've thought it through properly. For example:
If that is the goal, then, per the above, we are doing the wrong thing here. As things stand, I've implemented the behaviour specified in this issue. |
Revisiting this, I can't think of a great argument of why we should special-case dehydrated devices to require signatures by the pinned identity. The sender is still in control, and as long as we should them a timely banner/warning, they still have time to react by not sending the message. Mind you, it still feels somewhat iffy, especially because identity rotation should be relatively rare, so I think we could afford to force the user to be a bit more careful. But I'm unable to pinpoint a particular failure mode specific to dehydrated devices. |
Per #4313, we should not send outgoing messages to dehydrated devices that are not signed by the current pinned/verified identity.
Per #4313, we should not send outgoing messages to dehydrated devices that are not signed by the current pinned/verified identity.
Don't encrypt to devices marked as dehydrated, if they are not cross-signed by the
pinned/verifiedidentity. (Per discussion below: we continue to send to the dehydrated device even if the identity changes)Also, drop all incoming to-device messages from devices marked as dehydrated.Factored out to #4466The text was updated successfully, but these errors were encountered: