Element-R: forwarded/backed-up megolm sessions replace non-forwarded ones, causing grey shields

[richvdh]

• Alice sends a message at megolm ratchet index 0
• Bob logs in on a new device
• Alice sends a message, Bob's new device receives megolm ratchet at index 1
• Bob tries to decrypt earlier message at index 0, and sends a room_key_request or tries to fetch from backup
• Bob receives the megolm ratchet at index 0 via keyshare/key backup, which replaces the original ratchet (because it's "better")
• All messages, including the one where the key was received directly, are flagged with grey shields

[richvdh]

This works the other way too: If Bob fetches the key from backup first, and then receives the key directly but with a later index, the new (direct) key will be ignored

[BillCarsonFr]

For context on legacy android there used to be a safety update for better unsafe keys that connect to a ratcheted safe key https://github.com/vector-im/element-android/blob/7073b1647c3897b5a30c4886db5975a26f16c6a1/matrix-sdk-android/src/kotlinCrypto/java/org/matrix/android/sdk/internal/crypto/MXOlmDevice.kt#L667

[BillCarsonFr]

Note that the root cause is that we are accepting potentially unsafe keys (authenticity cannot be guaranted), this is soon to be a deprectated behavior with:

• Authenticated backup
• Trusted key forwards
• Proper solution for key received from deleted device

As to be factored in before thinking about doing safety upgrade

[BillCarsonFr]

Closed until authenticated backup.

[richvdh]

I'm not convinced this should be closed -- it is, after all, still a problem, even if we have a plan to fix it for new messages in several months' time.