Element-R: forwarded/backed-up megolm sessions replace non-forwarded ones, causing grey shields #26526

Open
richvdh opened this issue Nov 8, 2023 · 5 comments
Labels

  • A-Element-R: Issues affecting the port of Element's crypto layer to Rust
  • O-Occasional: Affects or can be seen by some users regularly or most users rarely
  • S-Minor: Impairs non-critical functionality or suitable workarounds exist
  • T-Defect
  • Team: Crypto
  • Z-Labs


@richvdh
Member

richvdh commented Nov 8, 2023

  • Alice sends a message at megolm ratchet index 0
  • Bob logs in on a new device
  • Alice sends a message, Bob's new device receives megolm ratchet at index 1
  • Bob tries to decrypt earlier message at index 0, and sends a room_key_request or tries to fetch from backup
  • Bob receives the megolm ratchet at index 0 via keyshare/key backup, which replaces the original ratchet (because it's "better")
  • All messages, including the one where the key was received directly, are flagged with grey shields
@richvdh richvdh added A-Element-R Issues affecting the port of Element's crypto layer to Rust T-Defect labels Nov 8, 2023
@github-actions github-actions bot added the Z-Labs label Nov 8, 2023
@dbkr dbkr added S-Minor Impairs non-critical functionality or suitable workarounds exist O-Occasional Affects or can be seen by some users regularly or most users rarely Team: Crypto labels Nov 8, 2023
@richvdh
Member Author

richvdh commented Nov 9, 2023

This works the other way too: If Bob fetches the key from backup first, and then receives the key directly but with a later index, the new (direct) key will be ignored
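
A toy model of the key-replacement behaviour described in the two comments above, as an added example that is not part of the issue or of Element's own code: `Key`, `Slot`, `buggy_merge` and the `advance` ratchet step are hypothetical names, and a `u64` stands in for real Megolm ratchet state. It contrasts "lowest index wins" with one possible policy that keeps the earlier forwarded key but records the index from which a directly received key on the same ratchet vouches for the session.

```rust
// Added example: toy model. A u64 stands in for real Megolm ratchet state.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Shield { Clear, Grey }
#[derive(Clone, Copy, Debug)]
pub struct Key { pub index: u32, pub state: u64, pub trusted: bool }

// Stand-in for the one-way ratchet step (NOT the real Megolm algorithm).
pub fn advance(state: u64) -> u64 {
    state.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407)
}
fn ratchet_to(mut k: Key, index: u32) -> Key {
    while k.index < index { k.state = advance(k.state); k.index += 1; }
    k
}

/// Behaviour described in the issue: one slot, the lowest index wins.
pub fn buggy_merge(stored: Option<Key>, new: Key) -> Key {
    match stored {
        Some(old) if old.index <= new.index => old, // later direct key is ignored
        _ => new, // earlier forwarded/backed-up key replaces the direct one
    }
}

/// Hypothetical alternative: keep the earliest key, plus the earliest index
/// vouched for by a directly received (trusted) key on the same ratchet.
#[derive(Default)]
pub struct Slot { earliest: Option<Key>, trusted_from: Option<u32> }
impl Slot {
    pub fn merge(&mut self, new: Key) {
        if let Some(old) = self.earliest {
            let (lo, hi) = if old.index <= new.index { (old, new) } else { (new, old) };
            if ratchet_to(lo, hi.index).state != hi.state {
                // Different ratchet: only a first trusted key may displace it.
                if !new.trusted || self.trusted_from.is_some() { return; }
                *self = Slot::default();
            }
        }
        if new.trusted && self.trusted_from.map_or(true, |t| new.index < t) {
            self.trusted_from = Some(new.index);
        }
        if self.earliest.map_or(true, |old| new.index < old.index) { self.earliest = Some(new); }
    }
    /// `None` = undecryptable, otherwise the shield for a message at `msg_index`.
    pub fn shield(&self, msg_index: u32) -> Option<Shield> {
        if msg_index < self.earliest?.index { return None; }
        Some(if self.trusted_from.map_or(false, |t| msg_index >= t) { Shield::Clear } else { Shield::Grey })
    }
}
```

In this model the message at index 0 stays grey in either arrival order, while messages from index 1 onward keep the status of the directly received key. A real session also carries a signing key, which the model leaves out.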

@BillCarsonFr
Member

BillCarsonFr commented Nov 9, 2023

For context on legacy android there used to be a safety update for better unsafe keys that connect to a ratcheted safe key https://github.com/vector-im/element-android/blob/7073b1647c3897b5a30c4886db5975a26f16c6a1/matrix-sdk-android/src/kotlinCrypto/java/org/matrix/android/sdk/internal/crypto/MXOlmDevice.kt#L667

@BillCarsonFr
Member

Note that the root cause is that we are accepting potentially unsafe keys (authenticity cannot be guaranteed), this is soon to be a deprecated behavior with:

As to be factored in before thinking about doing safety upgrade

@BillCarsonFr
Member

Closed until authenticated backup.

@richvdh
Member Author

richvdh commented Apr 3, 2024

I'm not convinced this should be closed -- it is, after all, still a problem, even if we have a plan to fix it for new messages in several months' time.
