Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EX: Messages sent after an identity reset can sometimes be flagged as sent from insecure device #2697

Open
Tracked by #2700
BillCarsonFr opened this issue Jan 20, 2025 · 4 comments
Open
Tracked by #2700

EX: Messages sent after an identity reset can sometimes be flagged as sent from insecure device #2697

BillCarsonFr opened this issue Jan 20, 2025 · 4 comments

Comments

@BillCarsonFr
Copy link
Member

BillCarsonFr commented Jan 20, 2025
edited by richvdh
Loading

Image

Steps to reproduce

  • Alice and Bob are talking in a room. Bob is using EX.
  • Put Bob in offline mode.
  • Logout Alice, then log-in again and reset the identity (as if you've forgot recovery)
  • Alice sends a new message
  • Wait a bit
  • Reopen Bob's session

The new message sent by Alice is marked as Sent from an device not verified by its owner. (Or, in "exclude insecure devices" mode, the message is hidden altogether.

This is an intermittent failure: it depends how long the /keys/query request takes to complete.

Note that:

  • Further messages sent by Alice after Bob comes back online are decrypted fine.
  • If Bob restarts his app after receiving Alice's messages, the timeline is updated and all messages are decrypted fine.

What happened:

When coming back online, Bob first receives the new room_key for the new message; the device_keys embedded in the to-device are are not signed with the identity we have for Alice (rather, they are signed by her new identity). The InboundGroupSession is therefore marked as insecure.

Meanwhile, Alice is marked as dirty, so the a new /keys/query is made; once that completes, we receive her new identity and devices. The device update triggers an update of the InboundGroupSession, meaning future messages are decrypted correctly; however the cached timeline is not updated on EX. (It is updated on EW.)

Related to matrix-org/matrix-rust-sdk#3890 and #2710.
@andybalaam andybalaam mentioned this issue Jan 21, 2025
Open
@richvdh
Copy link
Member

richvdh commented Jan 21, 2025

duplicate of #2710?

@richvdh
Copy link
Member

richvdh commented Jan 28, 2025

I was unable to reproduce this, as written, on either EX or EW.

If Bob logs out before Alice logs in, the symptoms are as written; but that makes this a duplicate of #2710.

@richvdh richvdh closed this as completed Jan 28, 2025
@richvdh
Copy link
Member

richvdh commented Jan 28, 2025

Wait wait wait.

I was able to reproduce it on EX (only) by adding a sleep(2) in the server-side handling of /keys/query.

@richvdh richvdh reopened this Jan 28, 2025
@richvdh richvdh changed the title Exclude Insecure Device | First message sent after an identity reset can sometimes be flagged as sent from insecure device EX: Messages sent after an identity reset can sometimes be flagged as sent from insecure device Jan 28, 2025
@richvdh richvdh self-assigned this Jan 28, 2025
@richvdh
Copy link
Member

richvdh commented Jan 29, 2025

In EW, whenever we get an update to an existing InboundGroupSession, such as an update to the SenderData, we trigger another decryption event, which may result in an update to the UI.

In EX, we only re-decrypt UTD messages (https://github.com/matrix-org/matrix-rust-sdk/blob/d755a8a3aa0ecf7b718487b0401b9f3cee7f3155/crates/matrix-sdk-ui/src/timeline/controller/mod.rs#L1048): I think we should remove this constraint.

@richvdh richvdh removed their assignment Jan 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@richvdh @BillCarsonFr