Same here.

Same here.

same here.

Still in 0.57.3

Still in 0.58.2 ;)

we would also like to see this fixed..

Me too; without this feature Rocket.Chat makes no sense.

Still in 0.58.4

Still a problem on 0.60.0-rc.1, tested on demo.rocket.chat

Hi folks,

I just re-tested this with @localguru and can still confirm this. It looks like - just like in a non-OTR session - a file upload just does a POST request to https://open.rocket.chat/ufs/GoogleCloudStorage:Uploads/SOMEOTHERID?token=TOKEN&progress=0.3057800339672645 and gets written to mongoDB.

This does obviously undermine the DENIABILITY aspect of OTR.

Without knowing the code, I would guess one of the following things should be done:

• also forward the OTR file upload to the websocket session that is OTR encrypted (which obviously isn't done right now)
• OR just don't offer the file upload feature in OTR sessions until this bug is fixed.

Cheers
Thomas

Not an easy problem to solve. For fileupload to really be considered part of OTR it would have to actually be encrypted before uploaded by client, and then some how decrypted on the other end.

So really the only solution here until someone were able to solve the more complicated problem would be to actually disable file sharing on OTR sessions or warn them every time they send a file in an OTR session.

@mrinaldhar This maybe something you may already be aware of and have fixed in your improved e2e implementation with GSOC?

So really the only solution here until someone were able to solve the more complicated problem would be to actually disable file sharing on OTR sessions or warn them every time they send a file in an OTR session.

Yes, I agree with you on that. Either disable or show a crystal-clear warning, that this upload won't be part of OTR. Until it is fixed.

Cheers & thanks for getting back
Thomas

Hi, the current implementation of OTR doesn't handle file uploads. I think we should display some sort of warning suggesting that file uploads will not be encrypted when people try to use OTR.

7181 is a new implementation of end to end encryption in rocket chat, and it handles direct messaging, private group messaging, as well as file uploads. Files are encrypted on the clients before they're sent.

We're in the process of improving that implementation, and it should be ready soon!

@mrinaldhar Great, thanks for your work! Would love to see that.

@geekgonecrazy I vote for disable uploads on active OTR, because uploads are not shown; one have to reload. May be combined with a warning, that uploads are disabled, when selecting the upload function, so that it's clear to users that uploads on OTR are not offered.

Still not working in 0.61.0.

The merge there is misleading. It was merged from a personal repo to a main project branch.

@mrinaldhar is there another PR we could link to this for people to track?

Is there any fix for this yet? Any workaround?

+1 same here, version 0.63.0

Can anyone confirm if this issue still exists in End-to-End-Encryption branch for Rocket Chat too, or can we confirm in which branch this issue is being fixed ?

This issue doesn't exist in the End-to-End-Encryption branch, provided you use E2EE there and not OTR, as that implementation handles file uploads as well.

see also https://forums.rocket.chat/t/end-to-end-encryption/204/7

Still does not work in version 2.2.0!

Still does not work in version 2.4.5!