Invited users don't trigger device_list updates when their device lists change. #3504

Open
Tracked by #2411
matrixbot opened this issue Dec 16, 2023 · 2 comments

Comments

@matrixbot
Collaborator

matrixbot commented Dec 16, 2023

This issue has been migrated from #3504.


If you invite a user to an E2E chat, you have no way of being told when its device list changes as it is not yet participating in the room. As a result, any added devices won't be encrypted for. Options to fix this include:

  • Have invited users participate in the room DAG. This poses a security issue however given you can obligate any user to unilaterally participate in a room DAG.
  • Synchronise device_lists using a different mechanism than basing it off DAG membership; e.g. a separate pubsub mechanism for tracking a given user's device updates (see the second half of https://github.com/vector-im/riot-web/issues/6989#issue-339179869)
  • Use cross-user KS reqs to recover the missing keys.
  • Refuse to share history with non-joined users.

Related to matrix-org/synapse#3503.

This has been split out from element-hq/element-web#2713 (comment).
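
The gap described in this issue, as an added example that is not part of the original issue and is not Synapse or Matrix SDK code: a toy Python model in which device-list updates are delivered only for joined room-mates, so a device added by an invited-only user never reaches the cache used for key sharing. The `Room`, `Tracker` and `demo` names and all user, room and device IDs are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Room:
    room_id: str
    encrypted: bool
    members: dict  # user_id -> "join" | "invite" (constructed sample state)

@dataclass
class Tracker:
    """Toy observer: device-list updates arrive only for joined room-mates."""
    me: str
    rooms: list
    cache: dict = field(default_factory=dict)  # user_id -> known device ids

    def _my_e2e_rooms(self):
        return [r for r in self.rooms
                if r.encrypted and r.members.get(self.me) == "join"]

    def tracked_users(self):
        # Model assumption: updates are keyed on *joined* membership only.
        users = set()
        for r in self._my_e2e_rooms():
            users |= {u for u, m in r.members.items() if m == "join"}
        return users - {self.me}

    def on_device_change(self, user_id, devices):
        """Apply an update if it would reach us; return whether it did."""
        if user_id not in self.tracked_users():
            return False  # update never delivered, cache goes stale
        self.cache[user_id] = set(devices)
        return True

    def blind_spots(self):
        """Invited users whose device changes we would never hear about."""
        tracked, out = self.tracked_users(), {}
        for r in self._my_e2e_rooms():
            for u, m in r.members.items():
                if m == "invite" and u not in tracked:
                    out.setdefault(u, []).append(r.room_id)
        return out

def demo():
    rooms = [Room("!a:hs1", True, {"@alice:hs1": "join", "@bob:hs2": "invite",
                                   "@carol:hs3": "invite"}),
             Room("!b:hs1", True, {"@alice:hs1": "join", "@carol:hs3": "join"})]
    t = Tracker("@alice:hs1", rooms, {"@bob:hs2": {"BOB1"}, "@carol:hs3": {"CAROL1"}})
    t.on_device_change("@bob:hs2", {"BOB1", "BOB2"})        # lost: bob only invited
    t.on_device_change("@carol:hs3", {"CAROL1", "CAROL2"})  # seen via room !b
    return t.blind_spots(), t.cache
```

In the sample, the invited user who also shares a joined room stays current, while the invited-only user's cached device list stays at its initial snapshot.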

@matrixbot matrixbot changed the title Dummy issue Invited users don't trigger device_list updates when their device lists change. Dec 21, 2023
@matrixbot matrixbot reopened this Dec 21, 2023
@richvdh richvdh added the A-E2EE label Apr 30, 2024
@richvdh
Member

richvdh commented Apr 30, 2024

This seems to be more of a protocol issue than a Synapse issue: the protocol simply doesn't specify a way for federated servers to be kept up to date with device-list changes for invited users.

@richvdh
Member

richvdh commented May 28, 2024

We think this is low impact
