E2EE clarifications in the aftermath of the 2022-09-28 disclosure #1275
Labels
A-E2EE
Issues about end-to-end encryption
clarification
An area where the expected behaviour is understood, but the spec could do with being more explicit
In the aftermath of https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients, we should make some spec clarifications so that it's harder for a new implementer to repeat the same mistakes. Listing some random ones I've thought of, feel free to edit more in.
Specify explicitly that all encrypted to-device messages must be encrypted with Olm, not Megolm.
Specify mitigations against SAS attack. Namely that
Specify that secrets should only be accepted from your own, trusted devices.
Note explicitly that when receiving a secret in an (Olm-encrypted) to-device message, the receiver must check that the device key of the other side of the Olm session ("sender key") matches an own, trusted device.
It's not enough to check the device ID.
Specify what it means for a device to be trusted (i.e. it's when it's verified using cross-signing. Is it anything else?)
The text was updated successfully, but these errors were encountered: