Session verification

[akirk]

It's currently not possible to verify sessions started in chatrix. Steps to reproduce:

1. Log in in chatrix
2. Log in in Element
3. In Element, go to Settings -> Security
4. Attempt to verify the session created by chatrix
5. Session verification hangs since nothing happens in Chatrix

This feature is missing in hydrogen, see https://github.com/vector-im/hydrogen-web/issues?q=is%3Aissue+is%3Aopen+label%3Across-signing+.

[psrpinto]

This would need to be implemented in hydrogen, as per element-hq/hydrogen-web#518. Would you be ok with closing this issue in favour of element-hq/hydrogen-web#518 @akirk ?

[ashfame]

I think the main concern here was whether DMs or encrypted chats that happened in Chatrix would be accessible via other client, since that requires client (Chatrix/Hydrogen in our case) to respond to such requests of old encryption keys being requested?

[psrpinto]

I'm not sure I 100% understand the issue. Is the question whether hydrogen can act as a session verification device? As in, when logging in Element (or another client), the user would verify the Element session using the session already open in hydrogen?

[ashfame]

Here is how I would define the user story for it:

User Story 1: User starts using Chatrix, might eventually use DMs or private rooms with E2EE. But later switches/starts using another client like Element. Can they access old messages prior to Element in Element now?

User Story 2: Same as user story 1, but user who always used Element, now switches/starts using Chatrix, can they access old messages to prior to the switch?

Essentially, this is about what it takes to ensure successful sharing of encryption keys can take place. Whether that's currently supported in Hydrogen or not. Session verification might not be involved, at least not directly. It might be required implicitly when keys are being exchanged though, not sure about that.

[psrpinto]

Thanks for the user stories @ashfame. User story 2 seems to work correctly, for story 1, it indeed doesn't work, Element is not able to decrypt the message sent from chatrix.

Going into the sessions in Element shows the unverified session from chatrix:

It's not possible to complete session verification since hydrogen does not show the session verification request:

I believe this is the "cross-signing" features that are currently in development in hydrogen. This is the Epic for those features: element-hq/hydrogen-web#827

[ashfame]

Thank you for testing this out! Would be good to try verifying the session manually via Element - https://github.com/vector-im/hydrogen-web/blob/master/FAQ.md#how-can-i-verify-my-session-from-element and then see if its only the unverified session that prevents it from getting the right keys to decrypt it or even the endpoints for requesting those keys is not present currently.

[psrpinto]

Would be good to try verifying the session manually via Element

I just tested this and the latest version of Element does not seem to support verification by text, as described in the Hydrogen FAQ linked above. When clicking the Verify button for the session, it immediately goes into the "please accept the verification request on your other device" screen:

[akirk]

Might be fixed on Hydrogen already with element-hq/hydrogen-web#1095