
Element-web sends, and responds to, hopeless m.room_key_request messages #23766

Closed
richvdh opened this issue Nov 14, 2022 · 2 comments · Fixed by matrix-org/matrix-js-sdk#2982
Labels
A-E2EE O-Frequent Affects or can be seen by most users regularly or impacts most users' first experience S-Tolerable Low/no impact on users T-Defect Team: Crypto

Comments

richvdh (Member) commented Nov 14, 2022

The mitigations to CVE-2022-39249 and friends mean that we will never trust an m.forwarded_room_key message from another user's device. Accordingly, there is no point sending m.room_key_request messages to other users.

Nevertheless we still send such messages, and indeed respond to them. Not doing so would reduce the volume of to-device messages that need to be sent around and processed, and might also make debugging UTD errors easier because of the reduced noise.

uhoreg (Member) commented Nov 14, 2022

Also, since cleartext sender_key and device_id are deprecated (MSC3700), we eventually won't know the sending device, so won't be able to send the room key request.

@robertlong robertlong added A-E2EE O-Frequent Affects or can be seen by most users regularly or impacts most users' first experience S-Tolerable Low/no impact on users T-Task Tasks for the team like planning T-Defect and removed T-Task Tasks for the team like planning labels Nov 15, 2022
richvdh (Member, Author) commented Feb 27, 2023

It's also problematic that we send out m.room_key_requests as soon as we receive a UTD event.

In practice, to-device messages may be delayed for a number of reasons (such as #24680, matrix-org/synapse#15161, or just the server being a bit busy), and sending out room-key requests so eagerly ends up exacerbating the situation due to increasing the network traffic and #24681.
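The recipient and responder policy the thread argues for, written out as an added example (not code from element-web or matrix-js-sdk): key requests go only to our own other devices, a burst of UTD events for one session yields a single request, and inbound requests from other users are not honoured. The device list, event shapes and the request_id scheme are constructed for the example.

```javascript
// Added example, not matrix-js-sdk code. Under the CVE-2022-39249 mitigations a
// forwarded room key is only trusted from one of our own devices, so requests are
// addressed only to those devices and requests from other users are not answered.

// Constructed device list: userId/deviceId pairs a client might know about.
const KNOWN_DEVICES = [
  { userId: "@alice:example.org", deviceId: "ALICEPHONE" },
  { userId: "@alice:example.org", deviceId: "ALICELAPTOP" },
  { userId: "@bob:example.org", deviceId: "BOBPHONE" },
];

// Recipients for a key request: our own devices, minus the device that is asking.
function keyRequestRecipients(devices, ourUserId, ourDeviceId) {
  return devices
    .filter((d) => d.userId === ourUserId && d.deviceId !== ourDeviceId)
    .map((d) => ({ userId: d.userId, deviceId: d.deviceId }));
}

// Build one m.room_key_request per undecryptable Megolm session (deduplicated by
// room_id + session_id) so a burst of UTD events does not fan out into many requests.
function buildRoomKeyRequests(utdEvents, ourUserId, ourDeviceId, devices) {
  const recipients = keyRequestRecipients(devices, ourUserId, ourDeviceId);
  if (recipients.length === 0) return []; // nobody whose forwarded key we would trust
  const seen = new Set();
  const requests = [];
  for (const ev of utdEvents) {
    const key = `${ev.room_id}|${ev.session_id}`;
    if (seen.has(key)) continue;
    seen.add(key);
    requests.push({
      to: recipients,
      content: {
        action: "request",
        requesting_device_id: ourDeviceId,
        request_id: `req-${seen.size}`, // constructed id scheme
        body: {
          algorithm: "m.megolm.v1.aes-sha2",
          room_id: ev.room_id,
          session_id: ev.session_id,
        },
      },
    });
  }
  return requests;
}

// Responder side: only honour requests from our own user's other devices; a key
// forwarded to anyone else would be rejected by the recipient anyway.
function shouldHonourKeyRequest(sender, content, ourUserId, ourDeviceId) {
  return sender === ourUserId
    && content.action === "request"
    && content.requesting_device_id !== ourDeviceId;
}
```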
