[BUG] OTR leaks image and file uploads #7507
Comments
Same here.
Same here.
Same here.
Same here.
Still in 0.57.3
Still in 0.58.2 ;)
We would also like to see this fixed.
Me too; without this feature Rocket.Chat makes no sense.
Still in 0.58.4
Still a problem on 0.60.0-rc.1, tested on demo.rocket.chat
Hi folks, I just re-tested this with @localguru and can still confirm this. It looks like - just like in a non-OTR session - a file upload just does a POST request to This obviously undermines the DENIABILITY aspect of OTR. Without knowing the code, I would guess one of the following things should be done:
Cheers
Not an easy problem to solve. For file upload to really be considered part of OTR it would have to actually be encrypted before being uploaded by the client, and then somehow decrypted on the other end. So really the only solution here, until someone is able to solve the more complicated problem, would be to actually disable file sharing in OTR sessions or warn users every time they send a file in an OTR session.
@mrinaldhar This may be something you are already aware of and have fixed in your improved e2e implementation with GSOC?
Yes, I agree with you on that. Either disable or show a crystal-clear warning that this upload won't be part of OTR, until it is fixed. Cheers & thanks for getting back.
Hi, the current implementation of OTR doesn't handle file uploads. I think we should display some sort of warning suggesting that file uploads will not be encrypted when people try to use OTR. #7181 is a new implementation of end to end encryption in rocket chat, and it handles direct messaging, private group messaging, as well as file uploads. Files are encrypted on the clients before they're sent. We're in the process of improving that implementation, and it should be ready soon!
@mrinaldhar Great, thanks for your work! Would love to see that. @geekgonecrazy I vote for disabling uploads on active OTR, because uploads are not shown; one has to reload. May be combined with a warning that uploads are disabled when selecting the upload function, so that it's clear to users that uploads on OTR are not offered.
Still not working in 0.61.0.
The merge there is misleading. It was merged from a personal repo to a main project branch. @mrinaldhar is there another PR we could link to this for people to track?
Is there any fix for this yet? Any workaround?
+1 same here, version 0.63.0
Can anyone confirm if this issue still exists in the End-to-End-Encryption branch for Rocket Chat too, or can we confirm in which branch this issue is being fixed?
This issue doesn't exist in the End-to-End-Encryption branch, provided you use E2EE there and not OTR, as that implementation handles file uploads as well.
Still does not work in version 2.2.0!
Still does not work in version 2.4.5!
Still/again does not work in version 4.8.3!
Rocket.Chat Version: 0.56.0, 0.57.1, 0.57.3, 0.58.2, 0.58.4, 0.60.0-rc.1, 0.61.0, 0.69.2, 2.2.0, 2.4.5
Running Instances: 1
DB Replicaset OpLog: yes
Node Version: 4.5
When uploading an image or a file in an OTR session, those uploads are not displayed. After finishing the OTR session and reloading the browser, those uploads are displayed. Concerning the image part, this is a duplicate of #6151.
There are several open bugs regarding OTR: #6907 #6526 #6151
OTR is a main security feature and should work as expected. Referring to the current discussion "State of Rocket.Chat?" #7476, these are some of the long-unfixed no-go bugs that explain why the "sentiment is turning a little sour". I'm a SysAdmin, not a programmer, so my feedback to the community is testing and reporting bugs. Ignoring those critical bugs over such a long time absorbs the enthusiasm for RC I had when starting a few months ago.