There is nothing stopping users from lying about their identity keys when publishing their e2e keys

[ara4n]

We should include the identity key in the JSON plaintext of an olm message or something to prove that the identity key is actually associated to the person who owns the curve key used to encrypt an olm message

[richvdh]

To expand somewhat on the threat:

• Alice publishes her Ed25519 fingerprint key and Curve25519 identity key
• Eve publishes her own Ed25519 fingerprint key, but Alice's Curve25519 identity key
• Bob verifies Eve's device via the Ed25519 key, as normal.
• Alice sends a message to Bob
• Eve intercepts it before forwarding to Bob
• Bob now believes the message came from Eve rather than Alice.

[ara4n]

i believe this is fixed.

[richvdh]

I don't.

[richvdh]

To expand on my somewhat terse comment: matrix-org/matrix-js-sdk#206 laid some of the groundwork to fix this problem, but there is more to be done.

[richvdh]

Corollary for megolm:

• Alice publishes her Ed25519 fingerprint key and Curve25519 identity key
• Eve publishes her own Ed25519 fingerprint key, but Alice's Curve25519 identity key
• Alice starts a megolm session, and sends the ratchet key and Ed25519 key to Bob and Eve
• Alice sends a message via the megolm session
• Eve intercepts it before it reaches Bob, and forwards it
• Bob now believes the message came from Eve rather than Alice.

The fix for megolm is to remember the Ed25519 key claimed by the key sharing message, and check that it matches that of the sender.

[richvdh]

Fixed by matrix-org/matrix-js-sdk#215