Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restoring a phone (or browser tab) from backup will break Olm if the other device still exists. #3822

Closed
Tracked by #2996
ara4n opened this issue May 5, 2017 · 7 comments
Closed
Tracked by #2996

Restoring a phone (or browser tab) from backup will break Olm if the other device still exists. #3822

ara4n opened this issue May 5, 2017 · 7 comments
Assignees
@dbkr
Labels
A-E2EE P2 T-Defect
Milestone
RW016

Comments

@ara4n
Copy link
Member

ara4n commented May 5, 2017
edited
Loading

the Double Ratchet is strictly 1:1 device, and if you have two devices trying to respond simultaneously everything will break, causing UISIs.
@ara4n
Copy link
Member Author

ara4n commented May 5, 2017

Not sure what the best mitigation is here other than user education.

@richvdh richvdh mentioned this issue May 5, 2017
Closed
25 tasks
This was referenced May 5, 2017
Closed
Closed
@richvdh
Copy link
Member

richvdh commented May 8, 2017

the Double Ratchet is strictly 1:1 device, and if you have two devices trying to respond simultaneously everything will break, causing UISIs.

The concern is less about having two devices trying to respond simultaneously (which would be a problem, but doesn't happen with a simple backup/restore), but that a backup/restore rolls back the olm session state, making it useless.

The main mitigation is (as per Sesame which considers this scenario) allowing devices to start a new session - and then allowing the user to actually do so (possibly with some sort of Panic button).

@ara4n ara4n mentioned this issue Sep 30, 2018
Closed
@dbkr dbkr self-assigned this Oct 30, 2018
@dbkr
Copy link
Member

dbkr commented Oct 30, 2018
edited by richvdh
Loading

The conclusion on this as of today is that we should do this: the caveat is that we lose the trust established by having the shared ratchet state, falling back to the trust from the identity keys, so if somehow the device identity keys were compromised but not the ratchet state, this would allow the attacker to intercept messages. I'm struggling to imagine a situation where this would be the case though.

This will involve implementing matrix-org/matrix-spec-proposals#1596

Convo: https://matrix.to/#/!uewiilduiDRfPomIha:matrix.org/$1540918172317069dhnme:matrix.org

dbkr added a commit to matrix-org/matrix-js-sdk that referenced this issue Nov 1, 2018
@dbkr
Use the last olm session that got a message
28540ad 
Implements matrix-org/matrix-spec-proposals#1596
For element-hq/element-web#3822
Requires matrix-org/olm-backup#77 (+release)
@dbkr dbkr mentioned this issue Nov 1, 2018
Merged
@lampholder lampholder added this to the RW016 milestone Nov 1, 2018
@dbkr
Copy link
Member

dbkr commented Nov 1, 2018
edited
Loading

My current plan for this goes as follows:

  • Make js-sdk obey specify how to handle multiple olm sessions with the same device matrix-org/matrix-spec-proposals#1596
  • Make js-sdk establish a new olm session with the opponent device when it fails to decrypt a message on a session. This should mean the next keyshare from that device will use the new session, but the session key in the failed message will still be lost forever.
  • Add nack messages to the spec and re-send keys to the device when we get a nack, We'd probably do this by checking against the list of device we've sent keys to, but this is only stored in memory atm, so would only work until you restarted the device. (Actually rather than inventing separate nacks, we could probably just use keyshare requests).
  • Save outbound session info to persistent storage so we can re-send keys even after we reload
  • Prune old sessions

I'll probably do the first two items now and leave the rest for another time

dbkr added a commit to matrix-org/matrix-js-sdk that referenced this issue Nov 8, 2018
@dbkr
Restart broken Olm sessions
d74ed50 
 * Start a new Olm sessions with a device when we get an undecryptable
   message on it.
 * Send a dummy message on that sessions such that the other end knows
   about it.
 * Re-send any outstanding keyshare requests for that device.

Also includes a unit test for megolm that isn't very related but came
out as a result anyway.

Includes #776
Fixes element-hq/element-web#3822
@dbkr dbkr mentioned this issue Nov 8, 2018
Merged
@lampholder lampholder mentioned this issue Nov 23, 2018
Closed
@dbkr
Copy link
Member

dbkr commented Nov 28, 2018

The solution for this ended up being matrix-org/matrix-spec-proposals#1719 (ie. rather than most of the checkboxes above)

@jryans
Copy link
Collaborator

jryans commented Dec 10, 2018

@dbkr, should this still be on the workflow board as In Test? It sounds like a different approach was taken...?

@jryans
Copy link
Collaborator

jryans commented Dec 10, 2018

Ah, or maybe it's fixed by matrix-org/matrix-js-sdk#780, which is linked from matrix-org/matrix-spec-proposals#1719.

@jryans jryans closed this as completed Dec 10, 2018
@richvdh richvdh mentioned this issue May 29, 2019
Merged
@woojoo666 woojoo666 mentioned this issue Jan 30, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dbkr dbkr

Labels
A-E2EE P2 T-Defect
Projects
None yet
Milestone
RW016
Development

No branches or pull requests
5 participants
@jryans @dbkr @ara4n @richvdh @lampholder