Message-Id: 202109301322
Time: since 12:30 pm, 30.09.2021
Affected: user of Rocket.Chat
Impact: changes of use

Today around 12.30 am the “end-to-end encryption E2E” was activated for the service
Rocket.Chat
(https://docs.rocket.chat/guides/user-guides/security-bundle/end-to-end-encryption):
This enables users who own channels to mark them as encrypted. Channel contents will then
be stored encrypted with a *local* password chosen by the user, which is *independent* of
the GWDG account password.
With the activation all users received a notification in the service.

The following is important to understand:
– Users have to remember and save this local password. Nobody can retrieve this password!
– Content of encrypted channels can *only* be read with this password. Without this
password channel contents are *unreadable* and *unrecoverable*, for anybody.
– Encrypted content is also inaccessible or unintelligible for the operators of the
service, even with full access to the service, servers and its databases. This is a high
degree of privacy but also show the dependence on said *local password*. Otherwise
contents are inaccessible.
– Users are prompted to choose and store a local password. This will be saved with this
browser on this device *only* and has to be re-entered on every browser on every device in
order to access encrypted messages. For this reason said password is *inaccessible* and
*unrecoverable* for us operators. Without this password access to this content is lost
forever.
– Users are encouraged to *only* use this functionality if they fully understand the
implications and function of this mechanism. GWDG is *incapable* of retrieving lost
password or content of this kind, by design.