-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
E2E Device lists can get out of sync with the devices actually present in a room. #2411
Comments
an alternative could be to just store and relay device lists as a room (as well as other per-user profile info, presence lists, etc). |
was this ever addressed before it landed in the spec? |
i regularly have users that cannot decrypt messages from specific other users in encrypted rooms. the fix is often to use |
Related: element-hq/element-web#3846 |
it was not. |
This continues to be the sort of thing I'm thinking about to fix this. I'm not quite sure what the mechanism would be for transmitting that extra metadata alongside the message: in a large room including a device-list generation for each user could be a very large amount of data. |
I guess I'm failing to follow a bit. What exactly would be the expected effect or outcome of A sending this metadata? |
The idea is something along the lines of: If, by the time the message reaches B's server (or maybe even one of B's devices), the device list is now at generation # 124, it would send a notification back to A, who would re-fetch the device list and try again. |
I don't understand this. What does it mean "messages would only be sent to the invited user after they joined the room" ? Anyone any idea? |
The issue in the linked comment is talking about the scenario where Alice invites Bob to a room, says something in the room (so we encrypt for Bob's devices) but then a new device for Bob logs in, and Alice doesn't know about the new device so doesn't encrypt for it. This is mitigated by key backups because Bob's original device will be uploading keys to the backup which the new device can read. In this context, the sentence "messages would only be sent to the invited user after they joined the room" effectively means messages would only be sent to the new device after they joined the room, which I think is what he is trying to say? |
Oh right. Well, we can discuss that further on element-hq/synapse#3504 rather than trying to use this epic issue for it. |
Device lists can get out of sync for various reasons:
@richvdh mentioned in #e2e-dev the other day that he'd had some thoughts on how to address these:
However, this doesn't help solve the issue on element-hq/element-web#2713 (comment) where the messages would only be sent to the invited user after they joined the room (at which point it's too late for the sender to re-encrypt them for missing devices). I wonder if a solution could be to support subscribing to arbitrary user devices using simple pubsub semantics: Alice can subscribe to updates about Bob's device list (using an API which hopefully is resilient to unreliable connectivity between Alice & Bob's HSes). Updates could only be allowed if Alice can 'see' Bob (i.e. if Alice has invited Bob or shares a room with him), although this is a pretty weak security mechanism given anyone can invite anyone (although at least Bob would know that Alice was stalking him).
I've opened this issue to track the idea of rethinking how devicelists work (again) before they get baked into the spec.
The text was updated successfully, but these errors were encountered: