Merge pull request #32 from matrix-org/markjh/replay

Document the potential for message replays and possible mitigations

docs/megolm.rst

@@ -274,6 +274,17 @@ bytes preceding the signature.
 Limitations
 -----------
 
+Message Replays
+---------------
+
+A message can be decrypted successfully multiple times. This means that an
+attacker can re-send a copy of an old message, and the recipient will treat it
+as a new message.
+
+To mitigate this it is recommended that applications track the ratchet indices
+they have received and that they reject messages with a ratchet index that
+they have already decrypted.
+
 Lack of Transcript Consistency
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~