
Invited users don't trigger device_list updates when their device lists change.

Open matrixbot opened this issue 1 year ago • 1 comments

This issue has been migrated from #3504.


If you invite a user to an E2E chat, you have no way of being told when its device list changes as it is not yet participating in the room. As a result, any added devices won't be encrypted for. Options to fix this include:

  • Have invited users participate in the room DAG. This poses a security issue, however, given you can obligate any user to unilaterally participate in a room DAG.
  • Synchronise device_lists using a different mechanism than basing it off DAG membership; e.g. a separate pubsub mechanism for tracking a given user's device updates (see the second half of https://github.com/vector-im/riot-web/issues/6989#issue-339179869)
  • Use cross-user KS reqs to recover the missing keys.
  • Refuse to share history with non-joined users.

Related to https://github.com/matrix-org/synapse/issues/3503.

This has been split out from https://github.com/vector-im/riot-web/issues/2713#issuecomment-402989021.

matrixbot, Dec 16 '23 12:12
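
A simplified model of the gap described in the issue above, added here as an illustration (it is not Synapse code and not part of the original issue): device-list notifications follow joined membership, so a device added by an invited user never reaches the inviter's cached list. The class, the `notify_for_invites` switch (standing in for the membership-independent mechanism proposed in the second option), the one-time fetch at invite time, and all user, room and device IDs are assumptions.

```python
# Simplified model of the gap; not Synapse code and not the Matrix wire format.
from collections import defaultdict

class DeviceListModel:
    def __init__(self, notify_for_invites=False):
        # notify_for_invites is a hypothetical switch standing in for a
        # membership-independent device-list subscription.
        self.notify_for_invites = notify_for_invites
        self.devices = defaultdict(set)   # user -> devices that really exist
        self.rooms = defaultdict(dict)    # room -> {user: "join" | "invite"}
        self.cache = defaultdict(dict)    # observer -> {user: devices last seen}

    def join(self, room, user):
        self.rooms[room][user] = "join"

    def invite(self, room, inviter, invitee):
        self.rooms[room][invitee] = "invite"
        # Assumption: the inviter fetches the invitee's devices once at invite time.
        self.cache[inviter][invitee] = set(self.devices[invitee])

    def observers(self, user):
        """Joined users who are told when `user`'s device list changes."""
        seen = set()
        for members in self.rooms.values():
            state = members.get(user)
            if state == "join" or (state == "invite" and self.notify_for_invites):
                seen |= {u for u, s in members.items() if s == "join" and u != user}
        return seen

    def add_device(self, user, device_id):
        self.devices[user].add(device_id)
        for obs in self.observers(user):
            self.cache[obs][user] = set(self.devices[user])

    def unkeyed_devices(self, sender, room):
        """Devices of other room members that `sender` would not encrypt for."""
        gaps = {}
        for user in self.rooms[room]:
            if user == sender:
                continue
            stale = self.devices[user] - self.cache[sender].get(user, set())
            if stale:
                gaps[user] = stale
        return gaps

def scenario(notify_for_invites):
    m = DeviceListModel(notify_for_invites)
    alice, bob, room = "@alice:a.example", "@bob:b.example", "!e2e:a.example"
    m.devices[bob].add("BOB_LAPTOP")      # constructed sample data
    m.join(room, alice)
    m.invite(room, alice, bob)
    m.add_device(bob, "BOB_PHONE")        # device added while still invited
    return m.unkeyed_devices(alice, room)
```
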

This seems to be more of a protocol issue than a Synapse issue: the protocol simply doesn't specify a way for federated servers to be kept up to date with device-list changes for invited users.

richvdh, Apr 30 '24 13:04

We think this is low impact

richvdh, May 28 '24 13:05