The reason of redactions is in clear-text even for E2EE messages

[davidegirardi]

Redactions are clear-text events and they can contain an optional reason, also in clear text. This can lead at a partial content leak if a user writes something related to the ongoing discussion in the reason of a redaction of a message in an E2EE room.

Suggestion Handle the context of m.room.redaction as m.room.encrypted so there's no clear-text information except the needed details of the reaction event. This is probably in conflict with the move of redacts into content by MSC2174.

Workaround Explicitly tell to the client developers to inform their users that redaction reasons are in clear-text.

[jplatte]

Is this really in conflict w/ MSC2174 (which landed with room v11)? We already have m.room.encrypted events with m.relates_to existing next to the encrypted payload, I don't see what would prevent redactions from getting the same treatment for the redacts field.

[davidegirardi]

Because the homeserver has to to copy the redacts property from inside content to outside of it and needs to make sure they are the same.

We already have m.room.encrypted events with m.relates_to existing next to the encrypted payload, I don't see what would prevent redactions from getting the same treatment for the redacts field.

I think this is what I was trying to say with:

Suggestion Handle the context of m.room.redaction as m.room.encrypted so there's no clear-text information except the needed details of the reaction event.