Immutable encryption and history visibility #2302
Description
End-to-end encryption plays a much more important role in today's Matrix than originally envisioned. However, only room messages are end-to-end encrypted and authenticated while room state is not. This impacts both confidentiality—exposing information to the homeserver that it should not possess—but also integrity, because the homeserver can also freely manipulate the room state and not just the rooms members. This issue will ignore the confidentiality aspect and focus on integrity.
For some types of state, this risk is somewhat acceptable. For example if the homeserver changes the room topic, that's not very exciting and is largely a nuisance. But for other state, like the room's encryption settings or history visibility (especially with MSC4268), it can be devastating because it provides the homeserver with a potential mechanism to also impact the confidentiality of messages.
In the absence of authenticated room state, we've developed a number of partial solutions to the problem. For example, once Matrix clients observe a m.room.encryption event, they will permanently enable decryption and prevent downgrade. However, these solutions are inherently somewhat flaky.
Recently, I (and others) have wondered how important it really is to support mutating these settings during the lifetime of a room. I propose that it isn't and that mutation would be better modelled by spawning a new room. This then presents another potential solution to the problem: making these settings immutable. Somewhat serendipitously, project Hydra has recently ensured that with new room versions the create event is bound to the room ID, allowing a joiner a way to be sure they got the genuine (and unique) create event for the room. The create event then provides a natural way to store important room settings in an authenticated way.
I therefore propose the idea that room encryption settings and history visibility should be made immutable by storing them in the m.room.create event in a future room version. Note that there is prior art for the encryption algorithm specifically, in the form of MSC4245, though it's framed there as an MLS-compatibility measure rather than a generic security mechanism.