Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warn user if an unverified device turns up #2143

Closed
richvdh opened this issue Sep 9, 2016 · 7 comments
Closed

Warn user if an unverified device turns up #2143

richvdh opened this issue Sep 9, 2016 · 7 comments
Labels
A-E2EE P1 T-Enhancement

Comments

@richvdh
Copy link
Member

richvdh commented Sep 9, 2016

When a new unverified device turns up in a room, and the user sends a message, we should warn them and let them check the device list.

This is going to be tricky to get right, without races: it would be easy for a malicious homeserver to engineer a race so that a new device turns up milliseconds before you press enter, so we must make sure we deal with that race robustly.
@richvdh richvdh added the A-E2EE label Sep 9, 2016
@richvdh
Copy link
Member Author

richvdh commented Sep 22, 2016

Related to #2313

@remram44
Copy link
Contributor

Does everyone have to approve the new device? Only one? Only the owner (from other device)?

@ara4n ara4n added P1 and removed P2 labels Dec 7, 2016
@ara4n ara4n mentioned this issue Dec 7, 2016
Closed
@maralorn
Copy link

I’d actually suggest making this an opt-in option, because this is protection against active attackers. The majority of the population will get drowned in false positives they don’t understand.

@remram44
Copy link
Contributor

This is the only way to protect against any homeserver of any participating user snooping in on the conversation. In my opinion it is not worth implementing end-to-end encryption at all without this, if you trust the homeservers just rely on TLS.

@maralorn
Copy link

maralorn commented Jan 11, 2017
edited

I see the difference between a passive and an active attacker. If you don’t use E2E anyone who can one day get access to the homeserver logs (or break tls) can read the message. The active attacker scenario would actually require malicious code in the homeserver (today. without anyone noticing. which will be hard, if users who know, what they are doing, are actually verifying their keys). I totally understand that the security is lower, but E2E crypto is much more important than verified E2E crypto. Confusing users with misplaced warnings lowers security and does not raise it.

(I will not push this point any further, this has to be decided by the developers. We can discuss it on matrix, if you want.)

@pierce403
Copy link

I think these warnings should pop up per room. Something like:

<nick> (<id>) has added a new device "<device name>" [verify] [blacklist]

Presumably, whoever added the key would also message the room with an older verified key/device saying something to the effect of "Hey, just got a new phone" or something. This will also encourage users to have descriptive device names.

ara4n added a commit to matrix-org/matrix-js-sdk that referenced this issue Jan 21, 2017
@ara4n
experimental support for warning users when unknown devices show up i…
fb820fa 
…n a room.

hopefully a step towards fixing element-hq/element-web#2143
This was referenced Jan 21, 2017
Merged
Merged
@ara4n
Copy link
Member

ara4n commented Feb 2, 2017

this has just merged to /develop. @pierce403 - the implementation is very similar to what you suggest (although the verify/blacklist buttons are going to land shortly in a later PR)

@ara4n ara4n closed this as completed Feb 2, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-E2EE P1 T-Enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@pierce403 @jryans @remram44 @ara4n @richvdh @maralorn