-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
possible to run out of one-time-keys on rarely-used devices #3187
Comments
I'm a bit short on ideas of what to do about this. I'm not super-keen on the the signal-esque fallback-to-not-using-one-time-keys, because it significantly weakens the protocol - otoh it is a relatively simple fix. Other alternatives might involve getting the sender to share the sessions later (we might even be able to keep a list of devices we wanted to share with, but couldn't? Probably related to #3019?) #2494 might help here - we could give the sender the choice to fall back to a less secure method? |
I agree the Signal-style fallback is ming. Surely we can exploit megolm to help us out of this one: if we can't share megolm sessions to devices because Olm is dead, we'll need to queue the keys until that device is available again. This could be done by OOB negotiation with a poor-man's "hit retry to try this message again" on the sender side, or we could do the whole https://github.com/vector-im/riot-web/issues/2286 thing to let the receiving device plead to receive keys from elsewhere in the room when it comes back to life. Eitherway, it feels like we should just queue the session keys until we can send them. |
Interesting to note that Wire gives an explicit "You haven't used this device for a while" notice. |
@lampholder had this problem on a new device this evening. Hoping he and erik will share server logs to enlighten me. |
mastodon/mastodon#13820 (comment) has useful discussion about this. I think we should figure out whether it's a disaster or not to have an emergency key to wriggle out of OTK exhaustion or not. More conversation about this at https://matrix.to/#/!YRyTcRVrJzaHGZrsur:matrix.org/$zGea0UHt_Pp2DM9KsuDNl4O1bwFFsyE3OmI3zQuun08?via=matrix.org&via=ensofia.com&via=matrix.gibberfish.org I was trying to think of an attack like:
...but I guess the point is that by this point, Eve could also be populating up new non-backup OTKs. |
This is fixed by fallback keys now |
If you don't log into a device for ages, it is possible for the server to run out of one-time-keys, which means that new sender devices won't be able to send megolm keys to you
The text was updated successfully, but these errors were encountered: