There is nothing stopping users from lying about their identity keys when publishing their e2e keys #2215
ara4n added ambiguous, P1, S-Critical (Prevents work, causes data loss and/or has no workaround), A-E2EE and removed ambiguous labels Sep 15, 2016
To expand somewhat on the threat:
I believe this is fixed.
I don't.
To expand on my somewhat terse comment: matrix-org/matrix-js-sdk#206 laid some of the groundwork to fix this problem, but there is more to be done.
Corollary for megolm:
The fix for megolm is to remember the Ed25519 key claimed by the key sharing message, and check that it matches that of the sender.
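The megolm check described in the comment above, as an added example that is not part of the original thread or of matrix-js-sdk: the Ed25519 key claimed in the key-sharing message is stored with the session and compared with the sender device's published key before an event is trusted. The function names, the device-list shape and the sample keys are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, none is matrix-js-sdk API.

// Constructed device list: Ed25519 key published for each (user, device).
const publishedEd25519 = new Map([
  ["@alice:example.org|ALICEDEV", "ed25519-key-alice"],
  ["@bob:example.org|BOBDEV", "ed25519-key-bob"],
]);

// Inbound megolm sessions: sessionId -> claim made when the session was shared.
const inboundSessions = new Map();

// Called once a key-sharing message has been decrypted over olm.
// claimedEd25519 is the identity key carried inside that decrypted plaintext.
function rememberSharedSession(sessionId, claimedEd25519) {
  if (typeof claimedEd25519 !== "string" || claimedEd25519.length === 0) {
    throw new Error("key-sharing message carries no Ed25519 claim");
  }
  inboundSessions.set(sessionId, { claimedEd25519 });
}

// Called for each megolm-encrypted event before its plaintext is trusted.
function checkMegolmSender(sessionId, senderUserId, senderDeviceId) {
  const session = inboundSessions.get(sessionId);
  if (!session) return { ok: false, reason: "unknown session" };
  const published = publishedEd25519.get(`${senderUserId}|${senderDeviceId}`);
  if (!published) return { ok: false, reason: "unknown sender device" };
  if (published !== session.claimedEd25519) {
    // The device the event claims to come from is not the one that shared the key.
    return { ok: false, reason: "Ed25519 key mismatch" };
  }
  return { ok: true, reason: null };
}

// Constructed scenario: Alice's device shares a session, then two events
// arrive in that session with different claimed senders.
function demo() {
  rememberSharedSession("constructed-session-1", "ed25519-key-alice");
  return [
    checkMegolmSender("constructed-session-1", "@alice:example.org", "ALICEDEV"),
    checkMegolmSender("constructed-session-1", "@bob:example.org", "BOBDEV"),
  ];
}

console.log(demo());
```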
Fixed by matrix-org/matrix-js-sdk#215
richvdh referenced this issue in matrix-org/matrix-spec-proposals Jun 14, 2018
We should include the identity key in the JSON plaintext of an olm message or something to prove that the identity key is actually associated to the person who owns the curve key used to encrypt an olm message