Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation on user and group end to end encryption #16153

Closed
jmpsf opened this issue Jan 8, 2020 · 3 comments
Closed

Add documentation on user and group end to end encryption #16153

jmpsf opened this issue Jan 8, 2020 · 3 comments
Labels
stat: stale Stale issues will be automatically closed if no activity

Comments

@jmpsf
Copy link

jmpsf commented Jan 8, 2020

Hi,

I've read the docs and the following issues: #9999, #36, #15095 and the description of the PR: #10094 and found no documentation on how e2e encryption is handled either in groups or single chats.

I think this information should be easily reachable for anyone trying to decide to use the application.

@Gummikavalier
Copy link

Gummikavalier commented Jan 11, 2020

More documentation is needed indeed.

These are my own speculations on the subject:

  • Both public and private keys of users are saved into the database (I checked both can be found in the database)
  • Private key is protected by a password (you are asked for this with a new clean browser session)
  • In group chats particularly the messages are encrypted with the public keys of all members (to all members to be able to see their contents)

I suppose the need to save the private keys into the server database stems from the usability standpoint; It is used to distribute the keys between all client devices of the user.
If the keys were saved only in the client end, the users would have to move these keys manually between their devices using camera (QR-code), USB-stick etc. Now client can simply query them directly from the server (in password protected format) instead.

The private key is encrypted in the database and is opened with the password in the client end browser using the password provided by the user. The password gets saved only into the cache of the browser and is not transferred to the server.

In group chats all messages are encrypted by all members' public keys separately. If one is removed from the group, they cannot see any new messages in clear text as his/her key has not been used in encrypting it anymore.

In case that the server database gets compromised, and regardless whether a chat is direct or group one (does not matter; two persons is practically a group already), effective encryption is as strong as is the weakest password in the whole chain of trust.

@GoetheG
Copy link

GoetheG commented Jan 23, 2020

I had a similar issue bus it was closed. I think your issue and mine should be merged:
#14829

@github-actions
Copy link
Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
stat: stale Stale issues will be automatically closed if no activity
Projects
None yet
Development

No branches or pull requests

3 participants