Session verification

Open akirk opened this issue 3 years ago • 8 comments

It's currently not possible to verify sessions started in chatrix. Steps to reproduce:

  1. Log in to chatrix
  2. Log in to Element
  3. In Element, go to Settings -> Security
  4. Attempt to verify the session created by chatrix
  5. Session verification hangs since nothing happens in Chatrix

This feature is missing in hydrogen, see https://github.com/vector-im/hydrogen-web/issues?q=is%3Aissue+is%3Aopen+label%3Across-signing+.

akirk avatar Sep 07 '22 11:09 akirk

This would need to be implemented in hydrogen, as per https://github.com/vector-im/hydrogen-web/issues/518. Would you be ok with closing this issue in favour of https://github.com/vector-im/hydrogen-web/issues/518 @akirk ?

psrpinto avatar Jan 11 '23 15:01 psrpinto

I think the main concern here was whether DMs or encrypted chats that happened in Chatrix would be accessible via another client, since that requires the client (Chatrix/Hydrogen in our case) to respond to requests for old encryption keys?

ashfame avatar Jan 11 '23 15:01 ashfame

I'm not sure I 100% understand the issue. Is the question whether hydrogen can act as a session verification device? As in, when logging in Element (or another client), the user would verify the Element session using the session already open in hydrogen?

psrpinto avatar Jan 23 '23 17:01 psrpinto

Here is how I would define the user story for it:

User Story 1: User starts using Chatrix, might eventually use DMs or private rooms with E2EE. But later switches/starts using another client like Element. Can they access old messages prior to Element in Element now?

User Story 2: Same as user story 1, but a user who always used Element now switches to/starts using Chatrix. Can they access old messages from prior to the switch?

Essentially, this is about what it takes to ensure successful sharing of encryption keys can take place, and whether that's currently supported in Hydrogen or not. Session verification might not be involved, at least not directly. It might be required implicitly when keys are being exchanged though, not sure about that.

ashfame avatar Jan 23 '23 17:01 ashfame

Thanks for the user stories @ashfame. User story 2 seems to work correctly. Story 1 indeed doesn't work: Element is not able to decrypt the message sent from chatrix.

Screenshot 2023-01-23 at 17 57 44

Going into the sessions in Element shows the unverified session from chatrix:

Screenshot 2023-01-23 at 17 58 27

It's not possible to complete session verification since hydrogen does not show the session verification request:

Screenshot 2023-01-23 at 17 58 34

I believe these are the "cross-signing" features that are currently in development in hydrogen. This is the Epic for those features: https://github.com/vector-im/hydrogen-web/issues/827

psrpinto avatar Jan 23 '23 18:01 psrpinto

Thank you for testing this out! Would be good to try verifying the session manually via Element - https://github.com/vector-im/hydrogen-web/blob/master/FAQ.md#how-can-i-verify-my-session-from-element - and then see if it's only the unverified session that prevents it from getting the right keys to decrypt it, or if even the endpoints for requesting those keys are not present currently.

ashfame avatar Jan 24 '23 06:01 ashfame

> Would be good to try verifying the session manually via Element

I just tested this and the latest version of Element does not seem to support verification by text, as described in the Hydrogen FAQ linked above. When clicking the Verify button for the session, it immediately goes into the "please accept the verification request on your other device" screen:

Screenshot 2023-01-23 at 17 58 34

psrpinto avatar Jan 24 '23 14:01 psrpinto

Might be fixed on Hydrogen already with https://github.com/vector-im/hydrogen-web/pull/1095

akirk avatar Oct 11 '23 11:10 akirk