
Encryption

2 posts tagged with "Encryption"


"Exclude insecure devices" is coming

2025-11-19 — Cryptography, Encryption, Spec (Richard van der Hoff)

The Spec Core Team would like to remind everyone that, now that MSC4153 has been accepted, the Matrix spec recommends that “Encrypted to-device messages SHOULD NOT be sent to non-cross-signed devices”.

In short: if, as a user, you have client devices which haven’t been correctly cross-signed with your identity key, then you’re going to start finding yourself unable to read encrypted messages from other users on those devices.

If you missed Andy’s talk on this at the Matrix Conference, we strongly recommend watching it as he explains the hows and whys of this change, but to summarise: this is an important improvement to the security of end-to-end encryption in Matrix.

As Andy also mentions in his talk, Element is planning to change the defaults in its clients in April 2026 so that they follow MSC4153’s recommendations and exclude non-cross-signed devices. In preparation, the Element clients will very soon start to force users to verify their own devices so that those users are not shut out come April.

If you are a client developer, we encourage you to take a similar approach of encouraging users to verify their devices, so that they are not excluded from the conversation as the ecosystem moves towards MSC4153 compliance. And if you are a user, make sure your devices are verified!

A giant leap forwards for encryption with MLS

2023-07-18 — Encryption (Matthew Hodgson, Hubert Chathi)

Hi all,

Given our commitment to open standards and interoperability, we’re delighted to see MLS be ratified by the IETF as RFC9420.

MLS is a new encryption standard defined by the IETF, the standards body that maintains much of what makes the internet work. In the same way that Transport Layer Security (TLS, another IETF standard) defines the way to provide encryption between users and servers, or between two different servers, MLS provides a standard way for users of a messaging service to communicate securely without servers being able to eavesdrop on their conversations.
