KeySharing, DevicebasedStrategy | Exclude insecure dehydrated devices when sending messages

[uhoreg]

Don't encrypt to devices marked as dehydrated, if they are not cross-signed by the pinned/verified identity. (Per discussion below: we continue to send to the dehydrated device even if the identity changes)

Also, drop all incoming to-device messages from devices marked as dehydrated. Factored out to #4466

[andybalaam]

(Rust) We already have code to avoid encrypting for unsigned devices - we should do this unconditionally for any device with the dehydrated flag set.

[richvdh]

@uhoreg I don't see any mention of this behaviour in MSC3814 -- presumably it is something that should be called out there?

[richvdh]

Also: why are dehydrated devices being singled out for this special treatment?

[uhoreg]

@uhoreg I don't see any mention of this behaviour in MSC3814 -- presumably it is something that should be called out there?

It's buried in the middle of a paragraph: https://github.com/matrix-org/matrix-spec-proposals/pull/3814/files#diff-1e380a19a30044a5d4a387df67369612e4cdf4dc8b0bcba1853fd221f7dfeeb9R51-R53 I guess it should be called out more.

Also: why are dehydrated devices being singled out for this special treatment?

This was flagged by Denis at matrix-org/matrix-spec-proposals#3814 (comment) . The short version is: dehydrated devices are being singled out because clients may hide dehydrated devices or make them less visible, so it may be less noticeable if a dehydrated device is unsigned, compared with normal devices. Also because dehydrated devices are a new feature and our eventual goal is to drop insecure devices.

[richvdh]

ah great, thanks.

[richvdh]

(Rust) We already have code to avoid encrypting for unsigned devices - we should do this unconditionally for any device with the dehydrated flag set.

kinda, though that's implemented as a different CollectStrategy, which means we can't directly make use of the same logic. Also: CollectStrategy::IdentityBasedStrategy does not check whether the identity that the device is signed by is the pinned one, so if we want that behaviour, we need to do a bit more work.

[richvdh]

Don't encrypt to devices marked as dehydrated, if they are not cross-signed by the pinned/verified identity.

The implication of this is that we should not send encrypted messages to dehydrated devices if the user has a pinning violation. I remain slightly hesitant to do this: it is inconsistent with the way we treat regular devices (we show a warning "user's identity has changed", but continue to encrypt to all their devices. Per element-hq/element-meta#2492 (comment), the idea is that if you care about who you are encrypting to, you need to verify.)

@uhoreg / @dkasak / @mxandreas : would appreciate any further thoughts on this.