• Soatok Dreamseeker@pawb.socialOP
    link
    fedilink
    English
    arrow-up
    15
    ·
    edit-2
    8 hours ago

    Your instance admin subtitutes the public key in your profile with one they control.

    How do you stop this?

    Like, half the point of E2EE for DMs is to prevent instance admins from seeing what your messages say. The other half is to prevent instance admins from being able to surrender anything useful to government subpoenas.

    • Barbarian@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      5 hours ago

      As long as the admin doesn’t possess the private key, that solution still prevents the latter issue. If the admin swaps out your public key for one they control, they could technically impersonate you and read messages after the swap, but not read any messages from before. The user would be unable to use E2EE as soon as the key is swapped, so the only real issue here is impersonation.

      An admin could theoretically take over a user’s account today, so there’s not really a new vulnerability here. And with E2EE, there’d be a big clue about something funky happening with the public key changing.

      EDIT: Oh.

      These aren’t encapsulation keys (a.k.a., asymmetric or “public key encryption” keys). Encapsulation keys belong to the MLS KeyPackages, which are NOT planned to ever be logged in a key transparency system. The KeyPackages will be signed by the keypair whose public component is stored, however.

      That seems… strange? Not sure why that approach was chosen.

      • scratchee@feddit.uk
        cake
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 hours ago

        The user would be unable to use E2EE as soon as the key is swapped, so the only real issue here is impersonation.

        If an admin mitms all the messages then they can re-encrypt using the users original/real public key, leaving the user unaware that they have been hacked and able to use encryption as normal, or am I missing something?

      • Soatok Dreamseeker@pawb.socialOP
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        5 hours ago

        How much do you know about cryptography?

        I’ve written tons about why this approach was taken, but it might be inaccessible to someone with limited knowledge of modern cryptography protocol design. (Authenticated encryption, forward secrecy, context commitment, etc.)

        This was my earliest blog post on the topic, if you want a place to start.

        • Barbarian@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 hours ago

          How much do you know about cryptography?

          I’d describe myself as a relatively knowledgeable layman. Essentially I know enough to use it effectively in a sysadmin/dbadmin capacity, but not got a good grasp of the underlying math.

          This was my earliest blog post on the topic, if you want a place to start.

          Thank you, I’ll take you up on that.

          • Fluffy Kitty Cat@slrpnk.net
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 hours ago

            The biggest unsolved problem in public key cryptography is knowing that a public key belongs to a particular individual. Making sure an attacker hasn’t swapped out keys or is impersonating you is a problem.with a non trivial solution