wireapp / wire-webapp

👽 Wire for web
https://app.wire.com
GNU General Public License v3.0

Running Out Of Sessions #1777

Closed muellert closed 7 years ago

muellert commented 7 years ago

Wire for Web Version

Browser Version

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Installed Browser Addons

Operating System

Linux (Debian Stretch/amd64)

What steps will reproduce the problem?

  1. Go to https://app.wire.com
  2. Enter email address and password, press login

What is the expected result?

The expected result is that my roster opens, and that I can browse the various conversations that I have.

What happens instead?

At this point, Wire always tells me that I have too many devices and asks me to remove one of my "devices", although I am always only logging in with my two phones and one of my two browsers. Then I need to select a profile to delete, which requires me to enter my password. If I delete the profile, the web page reloads and proceeds to load my roster.

mythsunwind commented 7 years ago

As far as I can tell from your description, the described behavior is not a bug. Wire is using the Double Ratchet Algorithm in its cryptographic protocol. This gives the application many advantages over PGP/GPG (e.g. forward secrecy and initialization of messaging sessions without the presence of the remote peer), but it also needs to save the current cryptographic state to be able to decrypt later messages. Tied to it is also a unique cryptographic identity that can be used to authenticate with other peers in person. In Wire you can do this by checking the device IDs and verifying the devices. Wire saves both (the state and the identity) in the local storage of the browser. If you have set your browser to delete the local storage on exiting, you will lose the state and the identity. This means that the next time you log in, a new device entity is created in the local storage (with a new cryptographic state and a new cryptographic identity). The new device entity has a new ID, so you then have to re-verify your devices with your peers.

All messages sent into a conversation are individually encrypted for each device entity in this conversation. For performance reasons we limit the number to 8 devices (otherwise, in a conversation of several people, one of them could create an almost infinite number of devices and make sending impossible). To me it seems that you always delete your local storage when closing the browser. Because we do not know (and do not want to know) which device is active, and for security reasons, you have to delete your devices manually.

There are two solutions for your problem:

  1. Configure your browser to not delete local storage (especially IndexedDB) for app.wire.com
  2. Use the checkbox "This is a public computer", which creates a temporary device that is overwritten on the next login

You can learn more about the Double Ratchet Algorithm here: https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm

Please feel free to contact us again if you have additional questions.