KeySharing, DevicebasedStrategy | Exclude insecure dehydrated devices when sending messages #4313
Comments
|
(Rust) We already have code to avoid encrypting for unsigned devices - we should do this unconditionally for any device with the dehydrated flag set. |
|
Also: why are dehydrated devices being singled out for this special treatment? |
richvdh
changed the title
It's buried in the middle of a paragraph: https://github.com/matrix-org/matrix-spec-proposals/pull/3814/files#diff-1e380a19a30044a5d4a387df67369612e4cdf4dc8b0bcba1853fd221f7dfeeb9R51-R53 I guess it should be called out more.
This was flagged by Denis at matrix-org/matrix-spec-proposals#3814 (comment) . The short version is: dehydrated devices are being singled out because clients may hide dehydrated devices or make them less visible, so it may be less noticeable if a dehydrated device is unsigned, compared with normal devices. Also because dehydrated devices are a new feature and our eventual goal is to drop insecure devices. |
|
ah great, thanks. |
Don't encrypt to devices marked as dehydrated, if they are not cross-signed by the pinned/verified identity.
Also, drop all incoming to-device messages from devices marked as dehydrated.Factored out to #4466The text was updated successfully, but these errors were encountered: