top | item 33012156

(no title)

dkasak | 3 years ago

It's true Matrix today doesn't implement end-to-end auth for room control messages, but it's a bit of a stretch to say you can spy on conversations in this way.

In a room where participants are verified with each other, you'd be warned of this with a loud red shield with an exclamation mark in the room header. Additionally, if you're extra worried about a room, there's a "Never send encrypted messages to unverified sessions in this room from this session" setting you can flip in the Element clients.

That said, this can and will be improved in the future, by signing room state events and implementing TOFU (trust-on-first-use) for user identities, so that you can have a large amount of protection even before you perform manual verification with other users.

discuss

dodgerdan|3 years ago

> In a room where participants are verified with each other, you'd be warned of this with a loud red shield with an exclamation mark in the room header.

Really? Are you sure there would be this banner in the case of a malicious device being added to an existing user in the room rather than a malicious user?

throwawayKiwi9|3 years ago

Yes, Element is very loud about unverified device participants in an encrypted room.