A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Stuff we protect against: | No mitigation | Good mitigation for those who verify | Good mitigation for all | ||||||||||||||||||||||
2 | ||||||||||||||||||||||||||
3 | Adversary | Action | Mitigation | |||||||||||||||||||||||
4 | Malicious server admins (aka compromised servers) | |||||||||||||||||||||||||
5 | HS admin insert messages in my Rooms | Enable E2E | Need to ensure unencrypted msgs in encrypted rooms are flagged clearly (given encrypted msgs no longer have badges) --M | |||||||||||||||||||||||
6 | Who add malicious devices into your account to receive new messages for your account | Private SSK required to sign new devices | ||||||||||||||||||||||||
7 | Who invite malicious users into your rooms to spy on you | Look at the member list; in future, clients will sign membership events to control room membership | ||||||||||||||||||||||||
8 | Who modify the /devices CS API to not report malicious devices on your account | Private SSK required for device to appear 'verified'. Own devices shown in client settings protects against send your own messages to malicious device. Your devices shown to others in your profile to prevent others sending messages to it (?) (Matthew: we should also track which devices the client is aware of at the client, rather than relying on /devices) | ||||||||||||||||||||||||
9 | Who modify the human-visible metadata on the /devices CS API to camouflage malicious devices | No mitigation? (uhoreg: The homeserver could tell other people about the phony device, but hide it from you. Which means that the attacker wouldn't be able to read messages that you sent, but they would still be able to read messages sent from others.) (Matthew: we could sign the metadata. If we also track device presence clientside to avoid the server withholding devices, this might help a lot) | ||||||||||||||||||||||||
10 | Who add malicious backups onto your account in order to intercept your keys | Backup signed by master key, devices only write to it if backup sig verified. | ||||||||||||||||||||||||
11 | [Verification] Who add malicious SAS verification event | Clients won't be able to generate same shared secret (DH) -> untrusted | ||||||||||||||||||||||||
12 | [Verification] Malicious Automatic QR code reciprocate | Two-way verification: users prompted to ensure success on partner's side | ||||||||||||||||||||||||
13 | who modify key/query to replace my public keys | other client won't trust my devices then (invalid signature chain). On login my new session will detect it after verification/passphrase and ask to replace keys | ||||||||||||||||||||||||
14 | Malicious default integration server (integration widget can modify room members, powerlevels,..) | Guarded by authorisation / accept terms? | ||||||||||||||||||||||||
15 | Malicious widget (ip leak) | Guarded by authorisation to open | ||||||||||||||||||||||||
16 | Publishing malicious OTKs on behalf of users to intercept Olm sessions | Guarded by OTKs being signed | ||||||||||||||||||||||||
17 | MITM HTTPS attacks | Message content protected by e2e | ||||||||||||||||||||||||
18 | Data from interception by a Global Passive Adversary (GPA) | HTTPS, message content encryption | ||||||||||||||||||||||||
19 | DNS hijack / reuse attacks | HTTPS X.509 for HS DNS hijack, user key verification prevents DNS resuse being same user (for e2e rooms only) | ||||||||||||||||||||||||
20 | Replay attacks | Only single message at each session index permitted | ||||||||||||||||||||||||
21 | Unknown keyshare attacks | OTKs signed? User is prompted | ||||||||||||||||||||||||
22 | Attacks on forward secrecy (i.e. being able to decrypt old messages based on a snapshot of current encryption state) | Ratcheting, although note Element stores all historic keys (but could choose not to store older keys, and instead 'restore' them in on demand) | ||||||||||||||||||||||||
23 | Interception/interference from cloned devices (e.g. restored from backups) | No mitigation? | ||||||||||||||||||||||||
24 | Attacks on deniability. (e.g. cryptographically speaking, whilst the sender should be authenticated time of sending, there should not be proof in retrospect of their identity. For instance, it could have been a malicious server admin.). | I think we sacrifice this by signing our OTKs? | ||||||||||||||||||||||||
25 | Timing side-channel attacks. | No mitigation? | ||||||||||||||||||||||||
26 | Passive Attacks on out-of-band verification (e.g. shouldersurfing a QR code or bugging an OOB SAS code) | Two-way verification: users prompted to ensure success on partner's side | ||||||||||||||||||||||||
27 | I left an opened session on a computer | Can't take control of account (re-auth needed to change pwd, add mail, upload new signing keys) Can logout session from another session (with re-auth) | ||||||||||||||||||||||||
28 | ||||||||||||||||||||||||||
29 | Stuff we don’t try to protect against: | |||||||||||||||||||||||||
30 | On-device attacks | |||||||||||||||||||||||||
31 | Malicious/buggy clients | |||||||||||||||||||||||||
32 | Metadata interception by a malicious server admin | |||||||||||||||||||||||||
33 | Metadata interception by a GPA | |||||||||||||||||||||||||
34 | Malicious servers withholding messages from being sent to clients or servers | |||||||||||||||||||||||||
35 | Transcript consistency attacks in general | |||||||||||||||||||||||||
36 | Attacks on post compromise secrecy within a given megolm session (i.e. being able to decrypt new messages based on a snapshot of current encryption state) | |||||||||||||||||||||||||
37 | Compromise of megolm keys (via interception on client, or intercepting recovery key/passphrase for an online/offline key backup) | |||||||||||||||||||||||||
38 | Evil maid or rubber hose attacks on megolm key backup keys/passphrases | |||||||||||||||||||||||||
39 | Brute force attacks on megolm key backups (offline & online) | |||||||||||||||||||||||||
40 | Active Attacks on out-of-band verification (e.g. using a speech synthesizer to fake text auth comparison, or an attacker tricking you to showing a screenshot of a compromised QR code on your phone to fake a QR verification) | |||||||||||||||||||||||||
41 | File size exposure of encrypted attachments to a malicious media repository owner or server admin | |||||||||||||||||||||||||
42 | ||||||||||||||||||||||||||
43 | Glossary: | |||||||||||||||||||||||||
44 | GPA | Global Passive Adversary | ||||||||||||||||||||||||
45 | OTK | One-Time Key | ||||||||||||||||||||||||
46 | SAS | Short Authentication Strings | ||||||||||||||||||||||||
47 | DH | Diffie-Hellman | ||||||||||||||||||||||||
48 | MITM | Man-in-the-middle | ||||||||||||||||||||||||
49 | ||||||||||||||||||||||||||
50 | ||||||||||||||||||||||||||
51 | ||||||||||||||||||||||||||
52 | ||||||||||||||||||||||||||
53 | ||||||||||||||||||||||||||
54 | ||||||||||||||||||||||||||
55 | ||||||||||||||||||||||||||
56 | ||||||||||||||||||||||||||
57 | ||||||||||||||||||||||||||
58 | ||||||||||||||||||||||||||
59 | ||||||||||||||||||||||||||
60 | ||||||||||||||||||||||||||
61 | ||||||||||||||||||||||||||
62 | ||||||||||||||||||||||||||
63 | ||||||||||||||||||||||||||
64 | ||||||||||||||||||||||||||
65 | ||||||||||||||||||||||||||
66 | ||||||||||||||||||||||||||
67 | ||||||||||||||||||||||||||
68 | ||||||||||||||||||||||||||
69 | ||||||||||||||||||||||||||
70 | ||||||||||||||||||||||||||
71 | ||||||||||||||||||||||||||
72 | ||||||||||||||||||||||||||
73 | ||||||||||||||||||||||||||
74 | ||||||||||||||||||||||||||
75 | ||||||||||||||||||||||||||
76 | ||||||||||||||||||||||||||
77 | ||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||
79 | ||||||||||||||||||||||||||
80 | ||||||||||||||||||||||||||
81 | ||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||
83 | ||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||
86 | ||||||||||||||||||||||||||
87 | ||||||||||||||||||||||||||
88 | ||||||||||||||||||||||||||
89 | ||||||||||||||||||||||||||
90 | ||||||||||||||||||||||||||
91 | ||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||
94 | ||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||
97 | ||||||||||||||||||||||||||
98 | ||||||||||||||||||||||||||
99 | ||||||||||||||||||||||||||
100 |