Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC1719: olm session unwedging #1719

Merged
merged 10 commits into from
Jun 4, 2019
Merged

Conversation

uhoreg
Copy link
Member

@uhoreg uhoreg commented Nov 14, 2018

@dbkr
Copy link
Member

dbkr commented Nov 14, 2018

Yep, this looks like a good summary. Thanks!

@dbkr
Copy link
Member

dbkr commented Nov 14, 2018

Actually the kicker here is that we don't know what session an incoming olm message was intended for if we can't decrypt it, so we can't mark that session as 'replaced'. Thinking about how else we could do it.

@uhoreg
Copy link
Member Author

uhoreg commented Nov 14, 2018

An example implementation of this is https://github.com/matrix-org/matrix-js-sdk/pull/780/files

@uhoreg uhoreg added e2e proposal A matrix spec change proposal T-Core labels Nov 14, 2018
@uhoreg uhoreg changed the title MSC: olm session unwedging MSC1719: olm session unwedging Nov 15, 2018
should assume that the olm session has become corrupted and create a new olm
session to replace it. It should then send a dummy message, using that
session, to the other party in order to inform them of the new session. To
send a dummy message, clients may send an event with type `m.dummy`, and with
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can m.dummy only be sent in the context of unwedging? If not, how should the client handle it? By ignoring the event the client opens itself up to problems similar to https://github.com/vector-im/riot-web/issues/3261

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably doesn't necessarily need to be in the context of unwedging, but I can't really think of any other reason a client would send a dummy message, and I think we could just define m.dummy as "Ignore this message". This is a to_device message, and won't be displayed in any way to the user, so I don't think it will introduce any problems in the timeline.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I thought this was a timeline event. Would be good to clarify that it is a to_device event (if it isn't already - I'm willing to believe I just missed that).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's kind of hidden in the fact that the message is olm-encrypted. I guess that technically, it could be a timeline event, if you used olm for your room encryption rather than megolm, but ... let's just say that people won't do that. ;)

proposals/1719-olm_unwedging.md Outdated Show resolved Hide resolved
@uhoreg
Copy link
Member Author

uhoreg commented May 22, 2019

@mscbot fcp merge

@mscbot
Copy link
Collaborator

mscbot commented May 22, 2019

Team member @uhoreg has proposed to merge this. The next step is review by the rest of the tagged people:

No concerns currently listed.

Once a majority of reviewers approve (and none object), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

@mscbot mscbot added proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. disposition-merge labels May 22, 2019
## Proposal

When a device receives an olm-encrypted message that it cannot decrypt, it
should assume that the olm session has become corrupted and create a new olm
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm guessing this is already working in practice - but sometimes I receive undecryptable messages that I can decrypt after a little why. Possibly this MSC is the reason it does eventually become decrypted? But I was always chalking it up to server lag. If the latter is the case, shouldn't we wait a little bit before attempting to start another session? Or does rate limiting make this all ok anyways?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With megolm, if you receive a message that you can't decrypt, then it could be that the key will come in later, and then you'll be able to decrypt it. With olm, if you receive a message that you can't decrypt, then there's no way to recover, and waiting for a while won't help.

send a dummy message, clients may send an event with type `m.dummy`, and with
empty contents.

In order to avoid creating too many extra sessions, a client should rate-limit
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can a client DoS another client by ignoring this rate limit? Does the server protect against this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A client could drain another client's one-time keys, preventing others from starting sessions. There isn't really a good way of fixing that. Note that this MSC doesn't change what a client is able to do, so any DoS that one client can perform with this MSC could also be done without the MSC.

Co-Authored-By: Andrew Morgan <[email protected]>
@anoadragon453
Copy link
Member

LGTM

@mscbot reviewed

@mscbot mscbot removed the proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. label May 30, 2019
@mscbot
Copy link
Collaborator

mscbot commented May 30, 2019

🔔 This is now entering its final comment period, as per the review above. 🔔

@turt2live turt2live self-assigned this May 30, 2019
turt2live added a commit that referenced this pull request May 30, 2019
As per [MSC1719](#1719)

No known alterations have been made to the proposal.

Implementation proof: matrix-org/matrix-js-sdk#780
@turt2live turt2live mentioned this pull request May 30, 2019
@turt2live turt2live added spec-pr-in-review A proposal which has been PR'd against the spec and is in review and removed proposal-in-review labels May 30, 2019
@turt2live
Copy link
Member

Spec PR for when this leaves FCP: #2059 (assuming no last minute comments)

@mscbot
Copy link
Collaborator

mscbot commented Jun 4, 2019

The final comment period, with a disposition to merge, as per the review above, is now complete.

@mscbot mscbot removed the final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. label Jun 4, 2019
@turt2live turt2live merged commit b92b147 into matrix-org:master Jun 4, 2019
@turt2live
Copy link
Member

merged 🎉

@turt2live turt2live added merged A proposal whose PR has merged into the spec! and removed finished-final-comment-period spec-pr-in-review A proposal which has been PR'd against the spec and is in review labels Jun 4, 2019
bmarty added a commit to element-hq/element-android that referenced this pull request Apr 20, 2020
bmarty added a commit to element-hq/element-android that referenced this pull request Apr 20, 2020
@turt2live turt2live added the kind:core MSC which is critical to the protocol's success label Apr 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
disposition-merge e2e kind:core MSC which is critical to the protocol's success merged A proposal whose PR has merged into the spec! proposal A matrix spec change proposal
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants