Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

e2ee by default + 3pid invite = fail #12902

Closed
ara4n opened this issue Mar 27, 2020 · 4 comments
Closed

e2ee by default + 3pid invite = fail #12902

ara4n opened this issue Mar 27, 2020 · 4 comments
Labels
A-3PIDs A-E2EE-Cross-Signing P2 S-Major Severely degrades major functionality or product features, with no satisfactory workaround T-Defect X-Needs-Community-Testing

Comments

@ara4n
Copy link
Member

ara4n commented Mar 27, 2020

as until the invitee has created an account, we can't encrypt for them

@jryans
Copy link
Collaborator

jryans commented Apr 14, 2020

@ara4n says: i think we can fix it with a warning in the composer saying messages sent in encrypted room before anyone has been invited or joined will be undecryptable

@ara4n
Copy link
Member Author

ara4n commented Nov 8, 2020

another approach could be to encrypt for a dehydrated device for the user until they exist, but given this breaks E2EE (given the bot driving the dehydrated device will be able to bug history), I think we might as well just send unencrypted and save the simplicity.

I don't think there is any formally cryptographically sound way to encrypt for nonexistent users otherwise, given you need to somehow send the keys to them, and if you send to the server in advance, the server could hand them out to anyone who claims to be that user (e.g. itself).

Alternatively, we could encrypt for the dehydrated device, and encourage the invited user to verify OOB as soon as they're online in order to prove that they are the rightful owner of that dehydrated device, so that even if the server tried to hijack the dehydrated device, the correspondents would know about it. But by this point it might be too late.

Alternatively, we could encrypt but rely on keyshare reqs to rescue the history (requiring the sender to come back online to resend the megolm keys once requested by the receiver, and requiring the keyshare req to bubble up as a notification to the sender, which they currently don't). This is horrible UX.

The least worst option right now feels to be send unencrypted messages until there's a device you can encrypt for.

@t3chguy
Copy link
Member

t3chguy commented Nov 12, 2020

But that only happens if someone manually creates a private room and 3pid invites, for DMs 3pid won't yield an e2ee room unless the account is already bound.

The least worst option right now feels to be send unencrypted messages until there's a device you can encrypt for.

So this is what we do now but with no automation to auto-encrypt after the 3pid fulfils.

For the case where a user manually makes an encrypted room and 3pid invites, the invite UX should probably tell them that they won't be able to decrypt until they follow the link and join

@jryans jryans added T-Defect P2 A-3PIDs S-Major Severely degrades major functionality or product features, with no satisfactory workaround and removed phase:4 labels Nov 20, 2020
@kittykat
Copy link
Contributor

kittykat commented Dec 9, 2021

Invited users should now get keys shared as part of the invite process. I'm going to close this issue for now as that should resolve it. If you feel that there are further improvements which could be made, please file a new issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-3PIDs A-E2EE-Cross-Signing P2 S-Major Severely degrades major functionality or product features, with no satisfactory workaround T-Defect X-Needs-Community-Testing
Projects
None yet
Development

No branches or pull requests

4 participants