Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3061: Sharing room keys for past messages #3061

Merged
merged 5 commits into from
Aug 14, 2023

Conversation

uhoreg
Copy link
Member

@uhoreg uhoreg commented Mar 12, 2021

@uhoreg uhoreg changed the title MSCxxxx: Sharing room keys for past messages MSC3061: Sharing room keys for past messages Mar 12, 2021
@uhoreg uhoreg added e2e proposal A matrix spec change proposal proposal-in-review labels Mar 12, 2021
@uhoreg
Copy link
Member Author

uhoreg commented Mar 16, 2021

Implemented by matrix-org/matrix-js-sdk#1640

@turt2live turt2live added the kind:core MSC which is critical to the protocol's success label Apr 8, 2021
jryans added a commit to matrix-org/matrix-react-sdk that referenced this pull request Apr 9, 2021
After discussion with Product, we're ready to enable this key sharing work from
#5763 (based on
matrix-org/matrix-spec-proposals#3061).
@turt2live turt2live added the needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. label Jun 8, 2021
@cvwright
Copy link

cvwright commented Aug 4, 2021

Implemented by matrix-org/matrix-js-sdk#1640

Is anyone working on this for matrix-ios-sdk?

## Security considerations

Clients should still ensure that keys are only shared with authorized users and
devices.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this work? How does the client know, that a user should be in the room and wasn't maliciously added by the homeserver? Even if you set a room to shared history, you probably only want members to read the history, that you accepted as having been allowed into the room. Considering the end aspect in e2ee, we want the client to approve of a member having joined the room, before sharing history. We don't want to automatically share keys with anyone, who joins the room, because the server could for a short time "fake" a user in the room and as such get access to all the history and then make the user disappear again. Then encrypting the room would be useless. Should we require prompting the user once before sharing past history with a new user in the room?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is sort of a generic "make sure that you don't accidentally over-share when you implement this". In this case, clients only share the keys with users that the client invites, so it's decided that the user should be authorized. For determining which devices are authorized, in general, the client should probably just do what it normally does for determining which devices to send keys to.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a really scary trap, because a client dev might forget, that the servers device list and member list isn't really that trustworthy. We somewhat get around that by warning for unverified devices, when sending a message, but that will never work for sharing past message keys.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proper solution here is to base the decision whether to share on the trust state of the user we're inviting.

If the invited user is untrusted (in cross-signing terms), the client should at least display a warning along with a list of devices that would get the keys. This would allow the inviter to at least review the list and consciously proceed with the action if they want to do so.

If the invited user is trusted, but some of their devices are not verified yet, the client should again display a warning with a list of those devices, again asking whether to proceed.

If the user is trusted and all of their devices are verified, then no warning is necessary.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So only the inviter will ever share keys?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't have to be just the inviter who shares keys; others can share keys as well, but it's up to them to ensure that they do so securely. Spec-wise, we try to avoid telling clients exactly how to handle keys, as different clients may wish to make different tradeoffs. But I will add a comment about checking device trust before sharing.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added some more words here. Hopefully it's clearer now.

@turt2live
Copy link
Member

This MSC has completed FCP per the above comment.

@turt2live turt2live added finished-final-comment-period and removed final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. labels Aug 14, 2023
@turt2live turt2live merged commit 5c19d4f into matrix-org:old_master Aug 14, 2023
@turt2live turt2live added spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec and removed finished-final-comment-period labels Aug 14, 2023
turt2live pushed a commit that referenced this pull request Aug 16, 2023
* initial version

* use MSC number

* address comments from review

* fix list

* fix markdown

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

---------

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
@uhoreg
Copy link
Member Author

uhoreg commented Oct 4, 2023

Spec PR: matrix-org/matrix-spec#1655

@dkasak
Copy link
Member

dkasak commented Oct 15, 2024

The spec text PR for this MSC was (in)famously blocked on a security concern. This concern is now disclosed at https://matrix.org/blog/2024/10/security-disclosure-matrix-js-sdk-and-matrix-react-sdk/.

@richvdh
Copy link
Member

richvdh commented Oct 29, 2024

Following the above disclosure, the Spec Core team have decided to revert the merging of this proposal. A future proposal is welcome to use this one as a basis.

richvdh added a commit that referenced this pull request Oct 29, 2024
@richvdh richvdh added abandoned A proposal where the author/shepherd is not responsive rejected A proposal which has been rejected for inclusion in the spec and removed spec-pr-in-review A proposal which has been PR'd against the spec and is in review abandoned A proposal where the author/shepherd is not responsive labels Oct 29, 2024
@HarHarLinks
Copy link
Contributor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
disposition-merge e2e kind:core MSC which is critical to the protocol's success proposal A matrix spec change proposal rejected A proposal which has been rejected for inclusion in the spec
Projects
None yet
Development

Successfully merging this pull request may close these issues.