-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warning "Encrypted by a deleted session" #13701
Comments
I believe this makes perfect sense. At first I didn't know what it meant. But after reading from
I understood the meaning of the message now. Kinda hard for new users to know. Maybe something that should be addressed in FTUE. @jryans: Edited to remove link to unrelated issue |
We have been discussing a bit about this, and decided to suggest that maybe a small exclamation mark (!) of green or yellow colour without a shield might, or perhaps just letter (i) be better to use within this context of INFO more than WARNING. |
I also found this issue and #13086 because application context—specifically this warning shield—and what I know about encryption hygiene were in tension with regards to whether it is "safe" or "good" to delete old sessions. A few points with regards to the security implications of session deletion:
A few points with regards to the selection of a visual icon to indicate messages tied to a deleted session:
|
I disagree that it makes sense to display warnings to all your peers when you follow the best-case of a covered use-case of cross-signing. This undermines the only purposes of cross-signing:
"Throw up our hands and let the users sort it out" was the status quo before cross-signing. User verification was effectively useless for >90% of the userbase. There should be a strong presumption against warnings of any kind. In this case, I think there should be no change to the decoration on a past message received from a device with a valid session at the time it was sent unless the sender has disavowed that message. Strawman:
I understand the middle case is controversial, but in a group setting it is certainly the right tradeoff. Until we burn down spammy warnings users will not be secure because they will continue to correctly view the overall security system as an infeasible joke. This is already well-studied in browser certificate warnings. Unlike browsers, we should probably aim to take less than two decades to accomplish sane exception handling. I don't think it matters what colour the warnings are. Until the warnings are very rare they will be disregarded, no matter what their colour. If there is more than one warning colour, that's a strong sign the warnings are too spammy to contribute to security. Instead the overall use-case needs to be thought through, and the users guided so no warning exists when no attacker is present. Cross-signing doesn't deliver value unless this is mostly achieved, and in the case of this warning it isn't. |
If this information needs to be shown to users, I definitely prefer this idea more than the red shield. I find the red shield conveys that something has gone wrong. Edit: In fact, I'd probably prefer a grey !/i so long as the session had been cross-signed before deletion. |
I'd vote for removing this info completely. I logged out and in and all my historical messages had that warning icon next to them => Massive information overload and a jarring visual experience. No way for the user to do anything about this, so if there's no action that users can take anyway, why warn them in the first place? |
Exactly, I was concerned for the first time what is the problem, some security issue. If it's by design to get rid of old sessions and there is no harm to messages, why to even inform about this.
|
If that's still being discussed, this warning should be removed completely as it makes no sense and even annoying end user. Perhaps one-time warning or maybe a "show always" setting. |
I'm all in for having better ways to indicate this info to user, but this info needs to be shown somehow, and never be "not show it to user" as this is vital information. There has been some good suggestions in this issue how it could be improved. Either show messages normally timeline before key got rejected, if that can be reliably be known all the time, or if not possible, some less intimidating and/or specific indicator for exactly this happenstance. |
For me matrix-org/matrix-react-sdk#6119 would be definitely an improvement (and I could live with it as a fix for this issue). Considering @brandoncurtis comment I am not sure, however, if it fixes the core problem: If a message from an already retired session is a security problem, then this case should be caught and a warning should be displayed. If that is no security issue, then the warning should be eliminated completely. |
@harmathy The whole thing all this pondering hinges is that participants can't know why the session was retired... Bulk of the times it is just logged out sessions by user, but it could also be bad guy gotten into session and that is then dropped by proper user, in which case it is security issue of high importance, which is more or less the whole reasoning it shows as it shows. I know this is still irritating to most of peoples, but at this very moment I don't know how it could be made any better... Only other thing in theory there could be an method which differentiates normal logout and dropping the session with other client, but that still doesn't exactly answer much anything about the reasons behind.. |
Every security warning has a benefit in exposing security problems and a cost in creating warning blindness. The warning-blindness cost applies not only to valid warnings from the feature in question, but all security warnings throughout Element. It's a form of spam. This isn't a negligible cost. What is the benefit we get in exchange for it? I understand not wanting to give up the feature, "other users are warned when stolen devices are disavowed," but I don't think Element currently has this feature because the warning that's supposed to provide it is almost entirely spam. Even if you only consider the warning's undermining confidence in itself, not its undermining confidence in Element's entire security model, the warning is basically totally undermined. The warnings appear in any room where people are changing devices (unless they aren't deleting their old devices). The most secure way to use Element currently is to never delete old devices to avoid this warning. Coincidentally, that's how unsophisticated people tend to use it, and they end up with >20 devices associated to their account, most of them dead web logins, and a few abandoned phones. One good (not "worse than nothing") feature implementation might need the sender to explicitly and ceremonially (modal warnings or something) disavow a device instead of deleting it to clean things up, and the disavowal would come with a timestamp enforced cryptographically by PFS or ratchet-chain or both somehow. User: "I disavow messages that were:
This could be implemented by adding a "review your recent messages" modal/wizard complex thing to the device-deletion path. A good reason to delete a device is to stop it from sending future messages under your name if the device is recovered by an adversary un-wiped, or if an old backup of the device's durable storage is recovered by an adversary. A normal deletion is a special case, "I disavow all messages sent by this device after I deleted it." An emergency disavowal is "I disavow all messages sent by this device a little earlier than when I deleted it, and here is the first bad message." A more cynical not-worse-than-nothing implementation would nag users to clean up unused devices and treat those deletions as ordinary, while continuing to (ab)use the normal deletion path as security-emergency disavowal and continue to mark all the messages the disavowed device ever sent as bad not just the ones in the ratchet after it turned evil. This would leave no outlet for people who "clean up" their accounts because they want to defang decomissioned devices immediately, but if there are so few of those users in the normal population maybe this is the right call, especially if we feel normal users ought to be nagged to clean up stale sessions for other reasons. I don't know how many manual-tidying users there are in the population. |
As people noted several times, too many warnings - and they'll work the opposite way. Perhaps, maybe they can be grouped by a thin bar instead of creating a visual rubbish with these multiple icons? |
Content is provided exactly in the PR explaining what was done etc, no need to repeat everythign already existing there(?) |
Just saw it, nice! (Damn, what's with my eyesight today? Sorry.) |
I think the grey shield is an issue for deleted and unverified sessions. For sessions that were unverified and deleted, the grey shield with "Encrypted by a deleted session" still shows. This should not be the case as the source is unverified. |
I'm so tired of this issue , wtf every time a newbie login this happens , this is an overkill feature |
This issue was seemingly reintroduced by the adoption of the cryptography module from matrix-rust-sdk #21972. |
Description
Warning "Encrypted by a deleted session" is misleading.
Steps to reproduce
The waring suggests, that something is wrong with the message. However, as stated in #13086 (in this comment), this seems not the case.
I was wondering if this information should be displayed for the user at all.
Version information
For the web app:
For the desktop app:
The text was updated successfully, but these errors were encountered: